Mainstream and social media have carried several reports about security issues in Aadhaar, India’s 12-digit biometrics-based unique identification number. Any organisation holding so much sensitive information of individuals (including yours) should ideally host a bug bounty program for independent security researchers, to receive and process bug reports in a secure manner.

Certain features of Aadhaar  –  like eKYC  –  share sensitive personal information, including your photo, to third parties. The Aadhaar Act and regulations were introduced to enforce control around this shared information. But the Aadhaar Act only applies within the jurisdiction of India. A cybercriminal from another country cannot be brought to justice under the Act (unless extradition treaties apply). Besides, cybersecurity issues can’t be controlled by law alone. They need sane architecture and design choices to be made upfront, backed by continuous technological improvements.

Section 1, Clause 2 of the Aadhaar Act recognises any offence committed outside India
Section 1, Clause 2 of the Aadhaar Act recognises any offence committed outside India

Security researchers, journalists, and writers like Sameer Kochhar have been gagged with criminal complaints for bringing issues to public attention.

Last year, Ajay Bhushan Pandey, the Chief Executive Officer of Unique Identification Authority of India, promised a legal and safe bug-reporting mechanism for researchers to report issues directly to the UIDAI. It has been months since, but with no such policy in place, it is hard for security researchers to report actual issues with Aadhaar.

Reply from CEO of UIDAI to Anand Venkatanarayanan

It is pertinent to note that the Government of India does have cybersecurity reporting procedures via the Computer Emergency Response Team of India and the National Critical Information Infrastructure Protection Centre.

But the UIDAI not having such a process for itself is a problem because the Authority is the custodian of the Aadhaar project and need to be the primary responder. Twitter Direct Messages and phone calls to a call centre are not secure channels for reporting issues.

When an organisation lacks an official procedure, many researchers define their own ethical framework for reporting security issues. For example, Datameet, a community of data enthusiasts, offers these guidelines:

Citizens complaints often go unresolved by UIDAI, and they can be seen expressing frustration on Twitter. UIDAI does respond on Twitter some of the time, but using Twitter DM for sharing enrolment ID (EID) and UID is not safe. The Twitter company retains access to all private messages, and may be obliged to share with security agencies such as the NSA in its host country, the United States.

For an organisation that claims a billion active users, refusing to engage with security researchers is strange. But not even having a secure bug-reporting policy is in the realm of bizarre. The very least that the UIDAI must do to recover its credibility is to publish an official policy  –  assuming it cares about its credibility, that is.

The Aadhaar project is receiving international attention for its claims on foolproof security and mishandling of data of a billion people. Thus more and more foreign researchers are attacking the ecosystem, finding loopholes. These researchers and hackers are posting them in public before the bugs are fixed as the UIDAI refuses to acknowledge there are security issues. This is causing more harm to Indian citizens as more people are mining this publicly available Aadhaar information. It is no secret, Aadhaar data is a Google search away.

This article first appeared on Medium.