The National - News

‘CIVIL DEATH’ WARNING AS INDIA’S NATIONAL ID SCHEME LEAKS DATA

▶ Privacy activists say poor safeguards leave Aadhaar programme open to abuse

- SAMANTH SUBRAMANIAN Chennai

India has warned Facebook to protect the data of its citizens, while its government is struggling to control leaks from its universal identity scheme.

On Thursday, Ravi Shankar Prasad, India’s Minister of Communications and Information Technology, said that Facebook was welcome but there would be no compromise over data security.

Two days later, ZDNet, an American technology website, published details of how a state-owned cooking gas provider’s website allows anyone to gain information about citizens from the government’s Aadhaar database.

Aadhaar, the world’s largest biometric identity programme, has enrolled more than a billion Indians, promising to make delivery of welfare benefits easier and reduce the need for verifying their identities with other agencies.

Other arms of the government, such as the exposed gas utility Indane, and companies such as mobile service providers, routinely ask for Aadhaar numbers to verify identities against the database.

Privacy activists are engaged in a lawsuit against the government in India’s supreme court, arguing that Aadhaar can breach fundamental rights to privacy.

The activists say Aadhaar information is poorly protected and is vulnerable to hackers or to misuse by the government.

Karan Saini, a cyber-security consultant in New Delhi, discovered exactly how weak the protection was when he tested the Indane website.

Because the site is linked to Aadhaar, Mr Saini could tap into it, run cycles of random 12-digit numbers and hit on Aadhaar numbers.

When those numbers came up, Mr Saini told ZDNet, so did the names and addresses of their holders. He was also able to see bank accounts to which the Aadhaar numbers were linked.

Mr Saini’s revelations are only the latest in a long line of problems with the management of Aadhaar data.

Over a few weeks on Twitter, an anonymous IT security researcher – claiming to be based in France and calling himself Elliot Alderson – has exposed similar security flaws.

In apps and websites that use or process Aadhaar data, Mr Alderson found breaches through which he could access Aadhaar information.

In January, an investigation by the Tribune newspaper claimed that it had been able to buy a log-in and password for 500 rupees (Dh28).

With those credentials, it could enter any Aadhaar number into the official portal and access associated information.

The government has responded to these revelations by denying that these breaches are dangerous. “Aadhaar remains safe and secure,” the government authority administering the database said on Saturday.

But Indane took its link to the Aadhaar database offline after ZDNet published its report, just as other government agencies did after Mr Alderson’s exposures on Twitter.

Other diversions of Aadhaar data appear to be deliberate. Amit Goel, an executive at an IT company in Bengaluru, signed up for Aadhaar 18 months ago.

Mr Goel told The National that over the past six months, as concerns about data have increased, he has logged into his Aadhaar portal and browsed through the list of agencies that check his identity, as every user can.

On Friday, Mr Goel found that a company named Experian had been able to validate his Aadhaar credentials. Experian, he knew, processes consumer information to generate credit ratings. It was founded in the US and is now based in Ireland.

“Aadhaar should not be allowing this,” he said. “By checking my Aadhaar they now know that my information – my address, my phone number – is accurate. They can then sell this on to other companies. It becomes a goldmine for them.”

Yet anyone living in India has no choice but to submit to the Aadhaar system. Although the scheme is technically not mandatory, the government and several companies have made it impossible to access services without providing the details.

This coerced linking of the database “to all public services is designed to cause civil death”, said Gopal Krishna, a member of the Citizens Forum for Civil Liberties. “Civil death is the loss of all or almost all civil rights.”
