The Unique Identification Authority of India does not take kindly to criticism. The body, which issues India’s 12-digit unique identity numbers known as Aadhaar and administers the centralised database with biometric scans of more than 100 crore Indians, has in the past filed complaints against a journalist and a think tank head for pointing to flaws in the storage of Aadhaar details. This week, UIDAI sent a letter to Bangalore-based Centre for Internet & Society suggesting that its report, which revealed that government websites were giving easy access to 13 crore Aadhaar numbers, was in fact potential evidence to prove that the Centre had been involved in illegal hacking.
The letter from UIDAI asked for CIS’ help in bringing to justice those involved in “hacking such sensitive information,” and said that it had asked for the centre to respond to UIDAI by May 30. The letter also asked CIS to specify “how much (of) this data have been downloaded by you or are in your possession, or in the possession of any other persons that you know.”
The Centre for Internet & Society had on May 1 published a report claiming that around 13 crore Aadhaar numbers and 10 crore bank account numbers were easily accessible on four government portals connected to welfare schemes. The report pointed out that, though the Aadhaar Act makes it illegal to publish a citizen’s Aadhaar number, government websites were making it easy for just about anyone to access a vast number of these numbers as well as other data such as bank account numbers. It added that this sort of information could be used for financial fraud and profiling, among other things.
Although access to the numbers may not have been as simple as just going to the portals, the report pointed out that anyone with a basic awareness of technology would easily be able to get to the documents storing these Aadhaar details. “Sensitive personal identity information such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away and suggest how poorly conceived these initiatives are,” the report said.
The report was officially published and publicised, with the aim of bringing to the attention of the state and the wider public the fact that such information was readily available, and that too on government websites. The letter from UIDAI, however, seems to suggest that, far from being concerned about the lax standards at government websites, the authority instead wanted to go after CIS for pointing to these weaknesses in the Aadhaar architecture.
This is not the first time UIDAI has chosen to act this way. When CNN-News18 journalist Debayan Roy attempted to demonstrate that a person could obtain two separate Aadhaar enrollment numbers with the same biometrics, the Delhi Police filed a First Information Report against him. And when think tank head Sameer Kochhar pointed to the potential use of stored biometric data to carry out unauthorised transactions, the UIDAI registered a complaint against him as well.
It seems evident that the authority does not recognise the difference between public interest efforts to point out weaknesses in the government’s massive scheme, which involves biometric data of more than 100 crore Indians, and actually malicious hacking. Indeed, it would be hard for the government to argue that the CIS’ work, which was published in an official report, could possibly be analogous to that of a hacker who was trying to grab data that should otherwise be secret.
CIS added an update to its report on May 16, clarifying some of the questions that had been raised about its effort. It pointed to a number of reasons why it cannot be said to have violated the hacking sections of the Information Technology Act. Those reasons include:
- CIS informed all the government departments mentioned, including UIDAI, about the data that was easily accessible, before publishing its report;
- the datasets had been uploaded by the government departments themselves and were publicly available via search engines;
- the datasets were not guarded by any passwords or access protocols. In one case, anyone could just change the URL from ‘nologin’ to ‘login’ to access details, even without the use of a password.
“If what CIS researchers did violates the law, then every single person visiting a government website without taking prior approval from the site’s owner would be violating the law as well. Clearly this is not what the law is meant to do and has not been done in this case.”
UIDAI’s behaviour seems likely to have a chilling effect on anyone who raises concerns about the very genuine security problems that have plagued one of the largest government-mandated data collection and storage efforts in history. Its decision to pursue criminal cases, rather than work with an organisation that, in CIS’ case, even gave it prior information about the problematic websites, makes it clear that the authority has little interest in ensuring the secrecy of Aadhaar numbers, despite the Aadhaar Act making it illegal for them to be displayed.
The body’s behaviour seems even more egregious because it came around the time of two other news breaks. There were allegations that one of the influential think tanks closely associated with the UIDAI was resorting to trolling critics of the Aadhaar project through anonymous Twitter profiles.
The other was the news of a massive data breach at Zomato, a company that lists restaurants and allows people to order food online.
There was much credible criticism of Zomato’s security standards and even of its initial response to the hack, in which passwords and details of millions of its users had been breached. Soon after that criticism, however, the company posted additional details about exactly what had happened. Moreover, it said that it had contacted the hacker and was working with the person to plug the security vulnerabilities. It added that it was starting a bug-bounty program, which rewards individuals for pointing to security flaws, an approach that helps big technology companies notice gaps in their architecture that they might otherwise have been blind to.
Consider the contrast with UIDAI. In Zomato’s case, a potentially malicious hacker actually got past its security systems and managed to steal huge amounts of data that was then put up for sale on the dark web. Although it took some criticism before it provided more details and announced that it was working with the hacker, Zomato quickly informed its users of the breach and encouraged more people to find security flaws in its systems.
The UIDAI continues to insist there hasn’t been a breach of its biometric database, which is true. It also insists there have not been any leaks. This is only true because government websites are voluntarily putting up details of Aadhaar numbers of huge numbers of people, even though it is a crime. And far from working with the people who pointed out this dangerous governmental behaviour, informed it in advance and then published an academic paper about the matter, the UIDAI has instead decided to go after these people alleging that they did something illegal.
A for-profit company has managed to be more responsive to public criticism than a taxpayer-funded body that was built to be the steward of crucial information about the Indian public.