India’s Aadhaar system for issuing every citizen an ID number has been in the news for all the wrong reasons in the past couple of years, from being made mandatory without the necessary legal backing, to having its data leaked willy-nilly multiple times.
The most recent incident to shock people keeping score comes from The Tribune, a Chandigarh, India-based paper which reported last week that it was possible to purchase any registered citizen’s Aadhaar data by contacting an agent and paying them Rs. 500 ($8). The outlet noted that about 100,000 people are believed to have unrestricted access to this pool of data.
This flies in the face of the assertion made last November by the Unique Identification Authority of India (UIDAI), the agency responsible for building and maintaining the Aadhaar database, that Aadhaar data is completely “safe and secure and there has been no data leak or breach at UIDAI.”
Sadly, it’s also riled up the agency into investigating the matter in a manner that can be described as clumsy at best, and nefarious at worst: it’s filed a First Information Report, or a complaint, with the police, accusing the journalist and the paper of a number of offences, including cheating by impersonation, and forgery.
I say clumsy, because I’m trying to give the government the benefit of the doubt here: the country’s Minister for IT, RS Prasad noted in a tweet:
The UIDAI also issued a statement in which it noted that the FIR and the associated criminal proceedings have been initiated in connection with the act of unauthorized access of Aadhaar data.
So, the best-case scenario is that the government will only seek The Tribune’s assistance in cracking down on this data racket. But surely there are other ways to go about asking for help. Prasad noted that the case has been filed against the ‘unknown’ data providers, but the FIR clearly names The Tribune’s journalist and others who helped with the story.
What’s more, according to The Tribune, a village-level entrepreneur (one who works with the Indian government to help dispense services to end consumers) tried to report the issue of data being easily available through agents, but the UIDAI’s support center was unable to parse his calls and patch him through to senior officials who may have been able to address the problem.
It’s also worth noting that the Aadhaar Act explicitly denies citizens the right to go to court to seek damages for the release of their personal data. Essentially, only the UIDAI can sue the UIDAI.
The problem here isn’t just one of a failure to properly implement a secure national ID system, but rather of the government’s misguided stance in maintaining security. As with anything made of 0s and 1s, security can’t simply be enabled by flipping a switch; the standard for security changes constantly as new flaws are discovered.
And with a massive machine that’s designed to house data for more than a billion people, there are several moving parts to worry about – and doing that well means approaching it with equal parts paranoia and humility. Instead, we have the UIDAI parroting statements about how foolproof its system is – all while maintaining absolute indemnity.
Following The Tribune’s big reveal, the UIDAI promptly repeated its assertion about Aadhaar data being safe, and called the story “a case of misreporting.”
Last July, India’s administration admitted that 210 government sites had leaked or openly published Aadhaar number holders’ personal information. That doesn’t qualify as a breach, sure – but it underscores “a flaw of the understanding of what needs to be done to demonstrate transparency,” noted lawyer Rahul Matthan in a related story on Livemint.
No one ever said that implementing Aadhaar would be easy – but the way its flaws are being handled leaves little room for citizens to empathize with the people responsible for securing it.