Deccan Chronicle

Plug Aadhaar loopholes, make it more secure

- Pavan Duggal

India needs to quickly realise that given the nation’s increasing reliance on Aadhaar without doing adequate homework on the security of the Aadhaar ecosystem, we are really playing with fire

India started a unique programme called Aadhaar way back in 2009. What began as a voluntary scheme got legal sanction for the first time in March 2016, when the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 was passed. Even then, Aadhaar was still considered to be primarily voluntary in nature. After that, however, the government changed course midway and began to connect various services to Aadhaar. Aadhaar soon started becoming mandatory.

With a detailed ecosystem developing around Aadhaar, cybersecurity has become the biggest casualty. Each passing week draws attention to tremendous loopholes concerning cybersecurity in the Aadhaar ecosystem. In the past one year, we have seen numerous FIRs being filed by the Unique Identification Authority of India (UIDAI) concerning breaches in the Aadhaar ecosystem.

However, the recent case reported by The Tribune of significant leakage of sensitive Aadhaar data is far more dangerous in its ramifications. This is the first time that we have seen leakage of Aadhaar numbers on such a massive scale. This has itself cast a big shadow on the security procedures in the Aadhaar ecosystem.

Today, with massive breaches of cybersecurity emerging, it is extremely clear that the Aadhaar ecosystem is not at all safe. More and more cybersecurity breaches are now being disclosed with each passing day. There is no denying the fact that Aadhaar data is no ordinary information: it is personally identifiable data, as well as being sensitive personal data. In fact, the Aadhaar ecosystem can be classified as India’s critical information infrastructure.

Any breach of the Aadhaar data is not a normal breach but constitutes a breach into India’s critical information infrastructure, which has the potential of prejudicially impacting the sovereignty, security and integrity of the nation, apart from impacting the confidence and trust of a huge chunk of its citizens in a detrimental manner.

Further, as per the Supreme Court’s landmark judgment in the case of Justice Puttaswamy vs Union of India, the right to privacy is now an integral part of our fundamental right to life under Article 21 of the Constitution. In such a scenario, any breach of information on the Aadhaar ecosystem will prejudicially impact not just the privacy of an individual, but will also have a bearing upon the citizen’s enjoyment of other fundamental rights.

It is, therefore, imperative to examine the security and privacy ramifications of Aadhaar before moving ahead in great haste. India needs to quickly realise that given the nation’s increasing reliance on Aadhaar without doing adequate homework on the security of the Aadhaar ecosystem, we are really playing with fire.

I am of the firm opinion that given the huge defects over the cybersecurity loopholes that exist in the Aadhaar ecosystem, in the context of Aadhaar, India as a nation is sitting on top of a volcano which is about to burst. It is thus imperative that the country must rework and relook at the Aadhaar architecture, ground realities and security protocols, rather than just coming up with an ostrich-like approach of trying to close its eyes to existing realities.

Given that the Aadhaar card is now becoming increasingly mandatory to avail of a wide range of services both from the government as well as the private sector, it is imperative for the government to amend and update the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 (in short, the Aadhaar Act 2016). This law was passed with the basic assumption that Aadhaar would be largely voluntary. However, as the government is working towards making Aadhaar mandatory and towards joining various elements of Aadhaar into the national mainstream, India needs to take all precautions to make the Aadhaar ecosystem more safe and secure.

Needless to say, if not properly handled, Aadhaar could potentially open up the doors for state and non-state actors to interfere in the Aadhaar ecosystem and thereby try to impact India’s sovereignty and cyber sovereignty.

A couple of months back, WikiLeaks published a story reporting on how large chunks of the Aadhaar database were with various foreign agencies. Rather than addressing these challenges in a cogent manner, India has chosen to remain silent on such disclosures. The Supreme Court judgment on the issue of whether Aadhaar violates the right to privacy is eagerly awaited across the country.

If India really wants to harness the benefits and positives of Aadhaar, it is imperative that the issues concerning cybersecurity breaches, existing architecture loopholes and privacy contravention and violations must be addressed at the earliest before going forward. India must not act in a hurry now. It is absolutely necessary to revisit the existing legal, technical and cybersecurity frameworks concerning Aadhaar before relying upon Aadhaar as a de facto national vehicle and platform for the purposes of transforming India into a knowledge society and economy.

Aadhaar represents a journey. Let us all take steps to make this journey more enjoyable and less cumbersome. Let us start taking steps towards blocking all loopholes and removing all roadblocks in terms of cybersecurity and privacy violations and other concerns regarding Aadhaar in a cogent, cohesive manner, before India as a nation can move forward for the purposes of enjoying the fruits and benefits of Aadhaar.

The writer, a Supreme Court advocate, is a renowned cybersecurity law expert, and is the chairman of the International Commission on Cybersecurity Law. He can be reached at pavan@pavanduggal.com
