Telecom Minister Ravi Shankar Prasad tried to calm some nerves on Monday, following allegations that his government is attempting to gag the press from reporting on security vulnerabilities connected to Aadhaar. Prasad posted a tweet saying the government is committed to a free press and asked the body that oversees Aadhaar to get help from a newspaper that had revealed those security weaknesses through an investigation. The Unique Identification Authority of India promptly responded, also on Twitter, saying it too was committed to freedom of the press and asked the Tribune for “any constructive suggestion”.

As far as some were concerned, the story ended there and can now leave the headlines, makings pace for the next political event that will dominate the news for a day and then disappear. In reality, however, the two tweets barely addressed the matter at hand and have left a host of questions remaining regarding Aadhaar, the UIDAI, Prasad’s attitude to the matter and what lessons news organisations, and indeed anyone critical of the UID, can take away from the incident.

Last week, the Tribune had revealed in an investigation that it was able to buy demographic details connected to any Aadhaar number across the entire database for just Rs 500. Moreover, it could print out anyone’s Aadhaar card for just Rs 300 more. Easy availability of this data has been called a “goldmine” for criminals, but UIDAI promptly denied that anything had happened, following that up by claiming the leak of demographic data is not dangerous. It then proceeded to file a complaint with the Delhi Police against Tribune reporter Rachna Khaira, the newspaper and the agents named in the investigative story.

This action, and the subsequent First Information Report from the Delhi Police, prompted condemnation from many, who said that the government was simply trying to shoot the messenger, a tactic it has used against those critical of Aadhaar in the past. This response led to Prasad’s tweet in which he insisted that the FIR is “against unknown” and asked the UIDAI to take help from the Tribune in investigating “real offenders.” The authority then tweeted to say it would write to the paper and the reporter asking for assistance to “nab the real culprits”.

This alone is a positive development, considering UIDAI’s attitude toward journalists revealing vulnerabilities in the Aadhaar systems in the past. The minister’s intervention should nudge the authority to be more responsible in its behaviour. But several questions remain:

  • Why file a complaint against the newspaper in the first place?
    Even if Delhi Police did not add Khaira, the reporter, and the Tribune, among the accused, the UIDAI’s complaint specifically names them as having violated sections of the Aadhaar Act, the Indian Penal Code and the Information Technology Act and asks the police to register a case against them. The UIDAI even defended its actions the following day, in a press release that said it was “duty bound” to name everyone involved in the commission of a crime, even if it was in pursuit of a whistle-blowing newspaper report. When Prasad tweets that the FIR is “against unknown”, he does not acknowledge that the authority wanted it to be against the reporter and newspaper.
  • What about the others who were named in complaints for revealing vulnerabilities in Aadhaar systems?
    The UIDAI has filed at least two other complaints against people whose only crime appears to be exposing weaknesses in the UID ecosystem for the benefit of the public. Writer-entrepreneur Sameer Kochar and News18’s Debayan Roy have not received interventions from the telecom minister, but their cases are essentially the same as the one against the Tribune. Will the UIDAI also work with them to capture the “real culprits”? The next time a news organisation reports on Aadhaar vulnerabilities, can it expect to not be named in a complaint?
  • What about those who have actively misused Aadhaar?
    One of the most disturbing stories about Aadhaar in recent times was the Airtel case, in which the telecom company opened bank accounts for those who had linked their UID with Airtel SIMs even if they did not have explicit consent. Because Aadhaar-connected subsidies automatically go to the most recently linked bank account, Airtel effectively was able to rout money into its accounts without the customer asking for this change. Despite the seriousness of the crime, unnamed sources have so far told reporters that the telecom company will simply face a fine from UIDAI – which, as per the Aadhaar Act, is the only body empowered to take action.
  • What about the massive vulnerability that the Tribune reported on in the first place?
    UIDAI’s condemnable criminal complaint turned the story into one of press freedom, but one should not take eyes off the matter at hand. Its report revealed that those who had formerly been tasked with enrolling people onto Aadhaar still had access to the entire database and, were even selling that data to anyone who was willing to pay. In response, the UIDAI admitted that this was an extant tool that they were just misusing. The body basically admitted that, by design, huge numbers of people had access to specific, authenticated demographic details – photos, addresses, parents’ names, phone numbers – of every single individual in the billion-strong Aadhaar database.
    It might now take help from the Tribune to pursue the individuals involved in this case, but the cat seems out of the bag. Can UIDAI trace everyone who illegally accessed the database and downloaded information? Does it even know if a search in its system was legal or illicit? And what does this careless design involving giving away huge amounts of demographic data mean for a project that is being challenged over whether it violates a fundamental right to privacy?