Aadhaar: Data of 78.2 million Persons Breached. Is UIDAI as Impenetrable as It Claimed to the SC?
The Unique Identification Authority of India (UIDAI), the agency that issues Aadhaar, has been emphatic in its claim that Aadhaar data is protected by a 13 feet wall. And yet, UIDAI has registered a first information report (FIR) regarding data theft of 7.82 crore people from Andhra Pradesh and Telangana. How did this happen?
The Cyberabad Police in Madhapur, on the request of UIDAI, had registered the FIR against Hyderabad-based IT Grids (India) Pvt Ltd. While there already is a complaint filed against IT Grids about using Aadhaar data for voter profiling, the new FIR, for the first time, asks for forensic investigation in the data breach, says Srinivas Kodali, an Internet researcher and alumnus of IIT Madras.
The FIR states, "...investigation so far has revealed that Seva Mitra application is suspected to be using stolen voter information along with Aadhaar data of the state governments of Telangana and Andhra Pradesh for voter profiling, targeted campaigning and even deletion of votes."
On 2nd and 3rd March, the Cyberabad police seized seven hard disks and other digital evidence during search on the premises of IT Grids. This evidence was sent to Telangana State Forensic Science Laboratory (TSFSL) for forensic examination. The examination by TSFSL found that "the structure and size of the database is surprisingly similar to that of the databases that could have been originally owned by UIDAI".
"The presence of enrolment identification number (EID_NUM) raises a strong suspicion that the data could have been obtained either from the Central Identities Data Repository (CIDR) or one of the state resident data hubs (SRDH) aligned to CIDR. Availability of such unique information of an Aadhaar number indicates that the accused (IT Grid) might have illegally accessed CIDR or SRDH and has used such information or data for wrongful gain," the FIR says, adding, "...the directors of IT Grids are suspected to have hosted databases related to Aadhaar number and related identity information in Amazon web service (AWS), which is in clear contravention of Aadhaar Regulations."
"There is every possibility that sensitive data of Indian citizens could be accessed and used by countries hostile to India or international organised crime syndicates in a manner which could be seriously detrimental to the national security," the FIR registered on request of UIDAI states.
Isn’t all this contrary to what UIDAI's chief executive (CEO) Ajay Bhushan Pandey had told the Supreme Court when his presentation talked about 'sufficient safeguard mechanism' and 'almost fool proof public key infrastructure (PKI)-2048 encryption...virtually impossible to decipher'. The September 2018 judgement appears to have accepted this claim, but the action of filing the FIR and the data breach suggest otherwise.
Over the years, Moneylife has been raising similar issues associated with the Aadhaar numbering scheme and role played by UIDAI. Dr Anupam Saraph, a renowned expert in governance of complex systems, had even warned on how benami voters and Aadhaar could be used to launder elections.
In one of his articles, Dr Saraph had said
, "The use of Aadhaar by governments fits the classical definition of electoral malpractice as it constitutes manipulation of electoral processes and outcomes so as to substitute personal or partisan benefit for the public interest. Such malpractice threatens the integrity of an election as it is extensive, systematic and decisive."
"Unlike the Voter ID, that is certified by the registration officer in accordance with Rule 28(3)(d), the Aadhaar 'card' or the biometric or demographic data associated with any Aadhaar number is not certified by the UIDAI. Unlike the process of revising the electoral rolls, there is no process of revising Aadhaar database. In fact, there is no process for objecting to assigning an Aadhaar number to any combination of biometric or demographic data in the Aadhaar database. In the absence of such a process to clean the database, no verification or audit of the Aadhaar database has happened either," Dr Saraph says.
IT Grids, which provides information technology (IT) services to Andhra Pradesh's ruling Telugu Desam Party (TDP), is facing allegations of having stolen data of 37 million voters from the state government database through its Seva Mitra app.
Calling Andhra Pradesh as "true digital nightmare, all thanks to Aadhaar", Mr Kodali says, the state government publishes Aadhaar everywhere from electricity bills to even in auto-rickshaws.
Coming back to the presentation in the Supreme Court by Mr Pandey, the CEO of UIDAI, the majority judgement seemed to have relied on the PowerPoint in its ruling.
On 21 March 2018, requesting the five-judge Constitutional bench headed by Chief Justice Dipak Misra, comprising Justices AK Sikri, AM Khanwilkar, DY Chandrachud and Ashok Bhushan, to allow UIDAI CEO make a technical presentation, Attorney General (AG) KK Venugopal contended that this would explain how security is protected at every step in CIDR.
“Many doubts and fears that have been raised (by the petitioners) will be clarified by the presentation (from the UIDAI CEO). There is also a four minute video showing the thirteen foot wall around the CIDR,” the AG had told the bench.
In the majority judgement, the five-judge bench (on page 242/567) stated...
"153) After going through the Aadhaar structure, as demonstrated by the respondents in the PowerPoint presentation from the provisions of the Aadhaar Act and the machinery which the Authority has created for data protection, we are of the view that it is very difficult to create profile of a person simply on the basis of biometric and demographic information stored in CIDR. Insofar as authentication is concerned, the respondents rightly pointed out that there are sufficient safeguard mechanisms. To recapitulate, it was specifically submitted that there were security technologies in place (slide 28 of Dr Pandey’s presentation), 24/7 security monitoring, data leak prevention, vulnerability management programme and independent audits (slide 29) as well as the Authority’s defence mechanism (slide 30). It was further pointed out that the Authority has taken appropriate proactive protection measures, which included disaster recovery plan, data backup and availability and media response plan (slide 31). The respondents also pointed out that all security principles are followed inasmuch as: (a) there is PKI-2048 encryption from the time of capture, meaning thereby, as soon as data is given at the time of enrolment, there is an end to end encryption thereof and it is transmitted to the Authority in encrypted form. The said encryption is almost fool proof and it is virtually impossible to decipher the same; (b) adoption of best-in-class security standards and practices; and (c) strong audit and traceability as well as fraud detection. Above all, there is an oversight of Technology and Architecture Review Board (TARB) and Security Review Committee. This Board and Committee consist of very high profiled officers. Therefore, the Act has endeavoured to provide safeguards."
Refuting the contention of the petitioners on the use of Aadhaar by third parties or by the State for mass surveillance, AG Mr Venugopal and UIDAI counsel Rakesh Dwivedi had submitted to the apex court (as mentioned in the SC judgement on page 243/567) that "...given the architecture of the Aadhaar Act, there are no such possibilities and in any event, submission based on imaginary possibility do not provide any basis for questioning the validity of Aadhaar Act."
The IT Grids episode of exposing data and profile of 78.2 million people from Telangana and Andhra Pradesh has brought forward a stark reality. This exactly is the scenario that the petitioners in the Aadhaar case were trying to point out.
In this case, there are a number of violations from the private entity such as data breach, storage of data on servers located overseas and exploitation of Aadhaar number holders by creating their demographic profile and using it for political means.
As pointed out by Justice DY Chandrachud in his (dissenting) judgement, the Aadhaar Act, these violations also hampers right to privacy, as defined by the apex court, of the individual. “When Aadhaar is seeded into every database, it becomes a bridge across discreet data silos, which allows anyone with access to this information to re-construct a profile of an individual’s life. This is
contrary to the right to privacy and poses severe threats due to potential surveillance,” Justice Chandrachud had said in his judgement. (page 1043/1448)
These revelations raise several serious and important questions on linking Aadhaar with everything under the sun by government and exploitation of the Aadhaar data by private entities. Important to note, when the Supreme Court in its order last year discarded Section 57 of the Aadhaar Act that allowed use of the UID by private entities, the Union government brought out an ordinance to allow such usage.
This means, citizens will need to be on constant vigil and protect own personal data that is vulnerable and exploited through linking of Aadhaar with everything, either legally or illegally by almost anyone.
Also under the new circumstances, where it is proved that Aadhaar data can be used to create demographic profile that can be exploited for profit, will the Supreme Court consider speedy hearing of review petitions filed by petitioners in the Aadhaar case?