India’s government counts on high-tech encryption, multi-layered authentication, and even 13-feet high walls to protect the world’s largest biometric database.
But there’s no measure that prevents careless officials at government agencies from publishing the sensitive information online, exposing citizens to fraudsters and data misuse.
The official website boasting Prime Minister Narendra Modi’s efforts to connect all Indian villages with electricity published several residents’ ‘Aadhaar’ — a unique 12-digit number along with identity and demographic details — as seen by Bloomberg last month.
Access to data on the portal, including the names of villages, residents’ identity details, and their photographs, was later blocked.
This follows an incident last month in which the southern state of Andhra Pradesh published online over 130,000 Aadhaar numbers along with demographic and some bank details. It only removed the details after reports in the local media. Several states and even the federal Central Bureau of Investigation have put out Aadhaar details online, flouting a government directive last year to not make the data public.
The program has the biometric data — iris, fingerprint and photographs — of over a billion Indians and is key to Modi’s ‘Digital India’ plans. In a country where 22 percent of the 1.3 billion population is poor, the government has pushed to make Aadhaar the single identifier for all benefits and services ranging from free food to opening bank accounts and using mobile phones.
Constant lapses raise security concerns over the data trove, which the tech giants, like Microsoft Corp. and Samsung Electronics Co. want to use for a host of services like authenticating job seekers and payments.
“Apart from the possibility of financial frauds, it is also a privacy issue,” said Nachiket Udupa, an engineer helping farmers form collectives to market their produce and one of the petitioners in the Supreme Court contesting Aadhaar’s legality. “All that data is available to anyone for profiling and it can then be used for targeted advertising or political campaigns.”
The slippages undermine the government’s case in the top court, which is expected to give a verdict in coming months on petitions challenging Aadhaar.
Lawyers and activists claim the system lays a framework for real-time surveillance, while the government called Aadhaar “an enabler” to check siphoning of welfare funds and ensure food and other subsidies reach the poor. The government says the data cannot be used for surveillance.
In response to questions from Bloomberg, Rural Electrification Chairman P.V. Ramesh said the organization respects people’s right to privacy and had ordered the data to be taken down as soon as it was identified during a “routine verification.”
The data was part of the information that was collected to authenticate the village’s electrification, he said over the phone from New Delhi. This information was gathered and uploaded by local distribution companies.
Andhra Pradesh’s information technology minister had ordered an audit of all the state’s websites after the reports of Aadhaar numbers and data being made public, according to reports. Emails sent to CBI and Unique Identification Authority of India remained unanswered. CBI, however, removed the data from its website when alerted to it by Bloomberg News.
Responding to a question in upper house of the Parliament in February, country’s finance ministry acknowledged that state-owned banks had reported “incidents of money being fraudulently withdrawn from bank accounts using the customers’ Aadhaar number”.
The Unique Identification Authority of India, or UIDAI, the agency responsible for collection and storage of data, denies any security breach. Its chief claimed during a presentation to the top court in March that the fastest computers on Earth would take “the age of the universe” to crack Aadhaar’s encryption key.
The authority also says the Aadhaar number, “though personal sensitive information, is not a secret number” and its availability is not a security threat because biometric authentication is required for any transaction.
Making Aadhaar data public is illegal and government websites flouting the law diminishes the confidence and trust that people have in using Aadhaar, said Pavan Duggal, a cyber law expert. Individuals have little redress as the law bars courts from taking up such cases unless the complaint is made by the authority.
“There is a need for India to come out of the ostrich approach” Duggal said. “Rather than adopting the philosophy of shooting the messenger or pushing the problems under the carpet, it is imperative to start dealing with the challenges facing Aadhaar before making it mandatory.”