The Unique Identification Authority of India has said it will act on the alleged leak of Aadhaar-linked user information from mobile network operator Reliance Jio Infocomm Limited’s database only after the police complete their investigations.
The alleged leaks were reported on July 9, after a website called magikapk.com put up a searchable database of what they claimed were phone numbers, names and addresses of Jio’s subscribers. In some cases, the Aadhaar numbers of the subscribers were also reportedly shown. The website was taken down soon after the media reported on the alleged leaks. However, by then the news had spread and concerns were raised over the potential misuse of Aadhaar details.
The telecom company had initially informed the government that there had been no data breach, Ajay Bhushan Pandey, the CEO of the UIDAI, said. However, on July 10, Reliance Jio Infocomm Ltd filed a police complaint alleging “unlawful access to its systems” based on which a man was detained in Rajasthan on suspicion of involvement in the purported breach, Reuters reported.
Publicly, Jio continues to claim that its database was not breached. Responding to detailed queries from Scroll.in, Jio repeated that “there has been no data leak”. The company declined to answer other questions regarding the incident.
This was Jio’s position to the UIDAI too. “We made an official inquiry with the company when news floated about this website,” Pandey said. “We were told that there had been no breach. The company also confirmed to us that as per their information, there were no leaks from their side. If new facts or information emerges out of the ongoing [police] investigation in the case or through any other medium, at that time we will definitely look into this and take appropriate action.”
While the UIDAI has chosen to wait and watch, experts on cyber law and policy are worried about the damage such leaks can cause. The Aadhaar Act states that companies that use the 12-digit number should not make it public. As an increasing number of services are linked to Aadhaar, knowledge of someone’s unique identity number could give someone access to a host of other information about them.
Experts are particularly worried about the existence of parallel databases as an increasing number of private companies use Aadhaar numbers for authentication. This is particularly worrying as many of Jio’s 1.2 crore subscribers registered for the service using their Aadhaar numbers. There is also no clear legal recourse for people in case of a data breach by these companies.
Cyber security researcher Bhairav Acharya, who is a programme fellow at think tank New America, said he had lost faith in the UIDAI’s capability to plug the gaps in the Aadhaar system and sought the services of an independent regulator.
“We can say that UIDAI should be more strict with the data but by now, the whole country knows that this is not going to happen,” Acharya told Scroll.in over the phone. “Ideally, we need a regulator to lay down minimum standards for this ecosystem. I don’t know if UIDAI is eligible for this because regulation should come from third parties, not from the administrator themselves.”
This, however, isn’t stopping companies from using Aadhaar-based authentication, as they claim it reduces cost and time. Abhishek Sinha, Chief Executive Officer of financial services firm Eko, which uses Aadhaar to authenticate its clients, said he has faith in the Aadhaar ecosystem but agreed that there needs to be some regulatory intervention at the industry level so that citizen data remains safe.
“I am a big believer in the Aadhaar ecosystem,” Sinha said. “In this world, I doubt there is any system which is perfect.”
Sinha said the current case could have more to do with lax security on Jio’s end and was not a reflection of the UIDAI’s systems. “Whenever there is a large scale disruption like Aadhaar, there will be risks,” he said. “It could potentially be excesses from the government or enterprises but those need to be addressed.”
The UIDAI chief also told Scroll.in in an interview earlier that the Aadhaar number is “not a secret number like your password or PIN” that can materially affect someone’s life if disclosed in public. However, later in the interview he conceded that, “If everyone starts publishing Aadhaar numbers, there is a danger that someone will make a 360-degree profile of you.”
Technology lawyer Apar Gupta from Delhi said that databases like that of Jio, which are built on top of information gathered through the Aadhaar databases, are a goldmine for identity theft and fraud. Speaking to Scroll.in, Gupta said that as more parallel databases are created, the leaks are likely to become an everyday incident which puts people’s personal and biometric information at risk.
Gupta said that since any private operator can choose to use Aadhaar-based authentication for their customers, multiple players can seek access to the UIDAI’s database which covers almost all of India’s population. “This results in more leak potential since there’s so much information to be queried,” Gupta said.
For now, however, nothing much can be done about data breaches except waiting for a privacy law to come into place, according to Gupta.
“Authentication is done at local offices throughout the country, so your leakage points are innumerable,” he said. “This is a design problem... Claims of Aadhaar being foolproof or watertight are mere exaggerations which one should avoid falling for.”