Don’t shoot the messenger
UIDAI must review its security set-up
On January 4, The Tribune newspaper carried a report on how anonymous sellers over WhatsApp were allegedly providing access to Aadhaar numbers for a paltry sum of ₹500. The report claimed that personal details such as names, addresses, phone numbers, etc of a whole host of people could be easily accessed by logging into the portal of the Unique Identification Authority of India (UIDAI), and that printouts of all these details were being made available for another ₹300. This was shocking enough; what was appalling was the response of the UIDAI, which first accepted this was a massive breach, and then denied it, and finally settled on filing a first information report (FIR) against the newspaper and the reporter.
According to the FIR, the newspaper “purchased” a service being offered illegally and which provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India. The FIR also details how the reporter got in touch with a few persons who unauthorisedly accessed the Aadhaar ecosystem, and concludes this was all part of a criminal conspiracy. While the so-called sting journalism does raise some ethical questions, the fact is that the report focuses on a critical issue concerning millions of India’s citizens — how the Aadhaar numbers are being mined for money. The report also sought and received a response from the UIDAI before going to print and did not publish any of the Aadhaar numbers or other details. The UIDAI’s decision, thus, is a desperate reaction by an organisation refusing to face the facts. Most importantly, the FIR is a direct attack on the freedom of the press, contrary to the UIDAI’s claim that it should not be viewed as such. The minimum the UIDAI should have done is to withdraw the FIR and order a thorough internal investigation into the alleged breach and make its findings public. Union Law and Justice Minister Ravi Shankar Prasad’s tweet that the central government is fully committed to media freedom, a day after various press bodies condemned the lodging of the FIR, is a welcome move, though the FIR has still not been withdrawn by the UIDAI for some inexplicable reasons.
Since its foundation, the UIDAI has repeatedly held that Aadhaar data is secure. In fact, in this present case also, the UIDAI is correct in stating that mere information such as phone numbers and addresses — most of it is already available to telemarketers and others from other databases — cannot be misused without biometric data. However, many have always been sceptical about such claims as technology changes rapidly, allowing for the possibility of a hack. Moreover, even as this data is being collected, India still does not have an effective private data protection regime. Overall, the UIDAI’s ham-fisted response to the newspaper report only betrays its disregard for personal data and its possible abuse. The UIDAI has been entrusted with the most personal identification data of a billion strong people, most of whom have linked their other details, such as bank accounts, to the Aadhaar number. The whole system is based on the people’s trust in the UIDAI. It must not fail them.