Aadhaar: Data of 78.2 million Persons Breached. Is UIDAI as Impenetrable as It Claimed to the SC?
The Unique Identification Authority of India (UIDAI), the agency that issues Aadhaar, has been emphatic in its claim that Aadhaar data is protected by a 13-foot wall. And yet, UIDAI has registered a first information report (FIR) regarding the theft of data of 7.82 crore people from Andhra Pradesh and Telangana. How did this happen?
 
The Cyberabad Police in Madhapur, at the request of UIDAI, registered the FIR against Hyderabad-based IT Grids (India) Pvt Ltd. While a complaint had already been filed against IT Grids for using Aadhaar data for voter profiling, the new FIR, for the first time, asks for a forensic investigation into the data breach, says Srinivas Kodali, an Internet researcher and alumnus of IIT Madras.
 
 
The FIR states, "...investigation so far has revealed that Seva Mitra application is suspected to be using stolen voter information along with Aadhaar data of the state governments of Telangana and Andhra Pradesh for voter profiling, targeted campaigning and even deletion of votes."
 
On 2 and 3 March, the Cyberabad police seized seven hard disks and other digital evidence during a search of the premises of IT Grids. This evidence was sent to the Telangana State Forensic Science Laboratory (TSFSL) for forensic examination. The examination by TSFSL found that "the structure and size of the database is surprisingly similar to that of the databases that could have been originally owned by UIDAI".
 
 
"The presence of enrolment identification number (EID_NUM) raises a strong suspicion that the data could have been obtained either from the Central Identities Data Repository (CIDR) or one of the state resident data hubs (SRDH) aligned to CIDR. Availability of such unique information of an Aadhaar number indicates that the accused (IT Grid) might have illegally accessed CIDR or SRDH and has used such information or data for wrongful gain," the FIR says, adding, "...the directors of IT Grids are suspected to have hosted databases related to Aadhaar number and related identity information in Amazon web service (AWS), which is in clear contravention of Aadhaar Regulations."
 
"There is every possibility that sensitive data of Indian citizens could be accessed and used by countries hostile to India or international organised crime syndicates in a manner which could be seriously detrimental to the national security," the FIR registered on request of UIDAI states.
 
Isn't all this contrary to what UIDAI's chief executive (CEO) Ajay Bhushan Pandey told the Supreme Court, when his presentation spoke of a 'sufficient safeguard mechanism' and an 'almost fool proof public key infrastructure (PKI)-2048 encryption...virtually impossible to decipher'? The September 2018 judgement appears to have accepted this claim, but the filing of the FIR and the data breach itself suggest otherwise.
 
Over the years, Moneylife has been raising similar issues associated with the Aadhaar numbering scheme and the role played by UIDAI. Dr Anupam Saraph, a renowned expert in the governance of complex systems, had even warned how benami voters and Aadhaar could be used to launder elections.
 
In one of his articles, Dr Saraph had said, "The use of Aadhaar by governments fits the classical definition of electoral malpractice as it constitutes manipulation of electoral processes and outcomes so as to substitute personal or partisan benefit for the public interest. Such malpractice threatens the integrity of an election as it is extensive, systematic and decisive."
 
"Unlike the Voter ID, that is certified by the registration officer in accordance with Rule 28(3)(d), the Aadhaar 'card' or the biometric or demographic data associated with any Aadhaar number is not certified by the UIDAI. Unlike the process of revising the electoral rolls, there is no process of revising Aadhaar database. In fact, there is no process for objecting to assigning an Aadhaar number to any combination of biometric or demographic data in the Aadhaar database. In the absence of such a process to clean the database, no verification or audit of the Aadhaar database has happened either," Dr Saraph says.
 
IT Grids, which provides information technology (IT) services to Andhra Pradesh's ruling Telugu Desam Party (TDP), is facing allegations of having stolen data of 37 million voters from the state government database through its Seva Mitra app. 
 
Calling Andhra Pradesh a "true digital nightmare, all thanks to Aadhaar", Mr Kodali says the state government publishes Aadhaar everywhere, from electricity bills to even auto-rickshaws.
 
 
Coming back to the presentation made in the Supreme Court by Mr Pandey, the CEO of UIDAI: the majority judgement appears to have relied on that PowerPoint in its ruling.
 
On 21 March 2018, while requesting the five-judge Constitutional bench headed by Chief Justice Dipak Misra, comprising Justices AK Sikri, AM Khanwilkar, DY Chandrachud and Ashok Bhushan, to allow the UIDAI CEO to make a technical presentation, Attorney General (AG) KK Venugopal contended that this would explain how security is protected at every step in the CIDR.
 
“Many doubts and fears that have been raised (by the petitioners) will be clarified by the presentation (from the UIDAI CEO). There is also a four minute video showing the thirteen foot wall around the CIDR,” the AG had told the bench. 
 
In the majority judgement, the five-judge bench (on page 242/567) stated...
 
"153) After going through the Aadhaar structure, as demonstrated by the respondents in the PowerPoint presentation from the provisions of the Aadhaar Act and the machinery which the Authority has created for data protection, we are of the view that it is very difficult to create profile of a person simply on the basis of biometric and demographic information stored in CIDR. Insofar as authentication is concerned, the respondents rightly pointed out that there are sufficient safeguard mechanisms. To recapitulate, it was specifically submitted that there were security technologies in place (slide 28 of Dr Pandey’s presentation), 24/7 security monitoring, data leak prevention, vulnerability management programme and independent audits (slide 29) as well as the Authority’s defence mechanism (slide 30). It was further pointed out that the Authority has taken appropriate proactive protection measures, which included disaster recovery plan, data backup and availability and media response plan (slide 31). The respondents also pointed out that all security principles are followed inasmuch as: (a) there is PKI-2048 encryption from the time of capture, meaning thereby, as soon as data is given at the time of enrolment, there is an end to end encryption thereof and it is transmitted to the Authority in encrypted form. The said encryption is almost fool proof and it is virtually impossible to decipher the same; (b) adoption of best-in-class security standards and practices; and (c) strong audit and traceability as well as fraud detection. Above all, there is an oversight of Technology and Architecture Review Board (TARB) and Security Review Committee. This Board and Committee consist of very high profiled officers. Therefore, the Act has endeavoured to provide safeguards."
 
Refuting the contention of the petitioners on the use of Aadhaar by third parties or by the State for mass surveillance, AG Mr Venugopal and UIDAI counsel Rakesh Dwivedi had submitted to the apex court (as mentioned in the SC judgement on page 243/567) that "...given the architecture of the Aadhaar Act, there are no such possibilities and in any event, submission based on imaginary possibility do not provide any basis for questioning the validity of Aadhaar Act."
 
The IT Grids episode, which exposed the data and profiles of 78.2 million people from Telangana and Andhra Pradesh, has brought forward a stark reality. This is exactly the scenario that the petitioners in the Aadhaar case were trying to point out.
 
 
In this case, there are a number of violations by the private entity, such as the data breach, storage of data on servers located overseas, and exploitation of Aadhaar number holders by creating their demographic profiles and using them for political ends.
 
As pointed out by Justice DY Chandrachud in his dissenting judgement on the Aadhaar Act, these violations also infringe the individual's right to privacy, as defined by the apex court. “When Aadhaar is seeded into every database, it becomes a bridge across discreet data silos, which allows anyone with access to this information to re-construct a profile of an individual’s life. This is contrary to the right to privacy and poses severe threats due to potential surveillance,” Justice Chandrachud had said in his judgement. (page 1043/1448)
 
These revelations raise several serious and important questions about the linking of Aadhaar with everything under the sun by the government and the exploitation of Aadhaar data by private entities. It is important to note that when the Supreme Court, in its order last year, struck down Section 57 of the Aadhaar Act, which allowed use of the UID by private entities, the Union government brought out an ordinance to allow such usage.
 
This means citizens will need to be constantly vigilant and protect their own personal data, which is made vulnerable and exploited through the linking of Aadhaar with everything, legally or illegally, by almost anyone.
 
Also, under the new circumstances, where it is proved that Aadhaar data can be used to create a demographic profile that can be exploited for profit, will the Supreme Court consider a speedy hearing of the review petitions filed by the petitioners in the Aadhaar case?
 


    COMMENTS

    Jayaram M

    4 months ago

    Horribly implemented, without any planning. The data itself perhaps may be compromised as the payment for the "services" of recording was so (is) minimum, that the quality of equipment / tools and manpower was equally, worse? The main target population, farmers, work people, et al; use their "hands" and work outside, in the open; thereby affecting the very "biometrics" that should identify them. The "agents", who carried out the initial "recording", perhaps were all - connected - to politicians and therefore had no qualms in passing on the recorded data for a fee, to earn? In its present avatar, it is but a Rube Goldberg item and a possible tool of oppression in the hands of the state. Sad, true.

    Aadhaar: Start Paying Rs20 for Each eKYC, 50 paisa for Yes/No Authentication Now!
    Unique Identification Authority of India (UIDAI), the authority tasked with the Aadhaar scheme, has now decided to levy charges on requesting entities for its authentication services.
     
    Since none of the entities, private players and government-owned alike, that want to use this authentication from UIDAI would pay the charges from their own pockets, the cost will be passed on to all Aadhaar holders.
     
    So every time an Aadhaar number holder wants to do an eKYC or even a yes/no authentication, she will have to pay. This includes paying charges for availing ration from public distribution system (PDS) shops as well, since the buyer is required to undergo biometric-based Aadhaar authentication: these shops, though part of the PDS, are still private entities that are mandated to use Aadhaar authentication.
     
    In a gazette notification issued on 6 March 2019, UIDAI says, "Aadhaar authentication services shall be charged @ Rs20 (including taxes) for each e-KYC transaction and Rs0.50 (including taxes) for each yes/ no authentication transaction from requesting entities; and government entities and the department of posts shall be exempt from authentication transaction charges."
     
     
    As rightly predicted by Dr Usha Ramanathan, an independent law researcher, Aadhaar has become an attempt by technocrats (and politicians and bureaucrats) to turn everyone into a customer for financial technology-related products that are based on the UID data of over 1.21 billion Indian residents.
     
    UIDAI already charges Rs100 for successful generation of Aadhaar, Rs100 for a mandatory biometric update, Rs50 for updating demographic or biometric details, and Rs30 for an Aadhaar search using eKYC with a colour printout on an A4 sheet. These charges are paid by users to registrant entities.
     
     
    UIDAI, in the latest gazette notification, also appears to be playing the role of a regulator for banks. It says banks that provide Aadhaar enrolment and update facilities would be exempt from the authentication transaction charges. "However, such banks, which fall short of the Aadhaar enrolment and update targets, as communicated from time to time, will be charged in proportion to the shortfall in achieving the target."
     
    In addition, Ajay Bhushan Pandey, who is chief executive of UIDAI as well as revenue secretary, through this notification mandates entities using eKYC and yes/no authentication to deposit the transaction charges within 15 days of the invoice being issued.
     
    “The delay in payment beyond 15 days shall attract interest compounded @1.5% per month and discontinuation of authentication and e-KYC services,” he warns. 
     
    Those who do not want to pay authentication charges to UIDAI are asked to inform the authority and surrender their access.
     
    The ‘paid’ scheme from UIDAI, however, is not new. In fact, as early as January 2011, a report from the Nandan Nilekani-chaired Technology Advisory Group on Unique Projects (TAG-UP) elaborated and explained a framework for private ownership of databases. (Read: Aadhaar: Private ownership of UID data- Part I https://www.moneylife.in/article/aadhaar-private-ownership-of-uid-data-part-i/32430.html)
     
    The 2011 report had brought out the true intentions of the Nilekani-led TAG-UP and UIDAI. For example, it says:
     
    • Governmental data and databases are to be privatised through the creation of National Information Utilities (NIUs), which will then ‘own’ the data;
    • NIUs will be natural monopolies;
    • NIUs will use the data and the database to be profit-making and not profit-maximising, and the definition of these terms may, of course, vary;
    • Government will support the NIUs through funding them till they reach a steady state, and by doing what is needed to gather the data and create the database using governmental authority;
    • Once the NIU reaches steady state, the government will reappear as the customer of the NIU;
    • Government officers will be deployed in NIUs and be paid 30% over their salaries, which, even if the report does not say it explicitly, is expected to forge loyalties and vested interests;
    • The notion of holding citizens’ data in a fiduciary capacity cedes place to the vesting of ownership over citizens’ data in an entity, which will then have the government as their customer.
     
    In short, what is happening today regarding the levying of charges for authentication has been in the pipeline for a long time. After the Supreme Court explicitly prohibited use of Aadhaar by private parties by declaring Section 57 of the Aadhaar Act, 2016, unconstitutional, the government tried to bring in a new amendment to the Act for this purpose.
     
    The government introduced an amendment in the Aadhaar Bill to allow private entities to use Aadhaar. In January 2019, the Aadhaar and Other Laws (Amendment) Bill was passed in the Lok Sabha with very little debate or scrutiny. However, with the Rajya Sabha adjourned sine die, the Bill could not go through and has now lapsed. 
     
    This is when the government decided to bring an ordinance to allow private entities to use Aadhaar for e-KYC and other purposes. The ordinance, “Allows the use of Aadhaar number for authentication on voluntary basis as acceptable KYC document under the Telegraph Act, 1885 and the Prevention of Money-laundering Act, 2002.”
     
    The truth is that the government seems to be under pressure from private entities, especially from the finance and telecom sectors, to allow them to use Aadhaar eKYC for onboarding customers.
     
    The Supreme Court, in its judgement dated 26 September 2018, in Justice KS Puttaswamy vs Union of India (the Aadhaar judgement) in WP Civil No. 494 of 2012 explicitly prohibited use of Aadhaar by private parties by declaring Section 57 of the Aadhaar Act, 2016, as unconstitutional. This Section had provided grounds for Aadhaar-based authentication by private entities like telecom and insurance companies. 
     
    At that time, legal scholar Dr Ramanathan had pointed out that after the judgement of the apex court, the use of the Aadhaar system by private and business interests should be prohibited. "Using 'voluntary' and 'consent' as a cover does not make it right. In Para 367 of the majority judgment, the judges had only said, 'if such a person voluntary wants to offer Aadhaar card as a proof of his/her identity, there may not be a problem'. That does not allow the use of the Aadhaar system, not even voluntarily," Dr Ramanathan had said. 
     
    However, before being banned by the apex court, when private entities were using Aadhaar-based e-KYC, there were several reports of fraudulent transactions and scamming of citizens' personal data as well as their money. 
     
    In fact, last month, even the Insurance Regulatory and Development Authority of India (IRDAI) directed insurance companies not to mandatorily ask for Aadhaar details for know-your-customer (KYC) requirements or to carry out authentication using e-KYC from UIDAI.
     
    In a circular (IRDAI/SDD/ClR/MISC/020/01/2019) issued on 29 January 2019, the insurance regulator had said, "The proposer or policyholder voluntarily offers Aadhaar as one of the documents for KYC purpose. This includes physical copy of e-Aadhaar, masked Aadhaar and offline Aadhaar XML. However, the insurers will under no circumstances do the authentication either using e-KYC facility or yes/no authentication facility of UIDAI. Insurers should ensure that the first 8 digits of the Aadhaar number are properly/appropriately masked. At no point in time, more than last four digits of the Aadhaar number of any individual should be stored by the insurers in physical or digital form". (Read: Aadhaar: Insurance Companies Cannot Ask for the UID for KYC, Says IRDAI  https://www.moneylife.in/article/aadhaar-insurance-companies-cannot-ask-for-the-uid-for-kyc-says-irdai/56356.html)
     
    Earlier, while speaking at a Moneylife Foundation event on “Why We Need to Worry about the UID (Aadhaar) Project", Dr Ramanathan had termed Aadhaar an attempt to turn everyone into a customer. “These days, we often hear the term ‘disruptive change’. However, in the case of UID, this is disruption for destruction, where ambitious persons are using every means to allot a random number to every Indian citizen whose profiles, once created, can be exploited for offering a number of services or products,” she had said. (Read: “Aadhaar is an attempt to turn everyone into a customer”)
     
    Last year in April, Siddharth Sekhar Singh and Ashwini Chhatre from the Indian School of Business (ISB) conducted a study of Aadhaar authentication failures in the PDS of Andhra Pradesh. "It should be understood that the Aadhaar authentication system is not a 100% accurate system, irrespective of the modality selected for authentication. Aadhaar authentication attempts may result in failure due to several reasons. Several reasons were identified for the failure of Aadhaar authentication, including biometric mis-match, invalid Aadhaar number, invalid biometric status and missing biometric data in Central Identity Data Repository (CIDR). Among these, about 92% of the authentication failures were caused solely due to biometric mismatch (92%), placing it as the leading cause of authentication failure in the state," the study says.
     

    COMMENTS

    Aditya G

    6 months ago

    This is absolutely bollocks! Why isn't there outrage over this?

    Aadhaar not mandatory for second instalment of PM-KISAN
    In a measure to woo farmers ahead of the Lok Sabha polls, the Union Cabinet, chaired by Prime Minister Narendra Modi, on Thursday approved waiving, in the interim, Aadhaar seeding for farmers to receive the second instalment of the income support scheme under the Pradhan Mantri Kisan Samman Nidhi (PM-KISAN).
     
    Union Minister Ravi Shankar Prasad said the one-time waiver of the mandatory quoting of Aadhaar to avail benefits under PM-KISAN was made due to paucity of time as the second instalment is to be given on April 1 as promised by the Modi government. 
     
    "The PM-KISAN was launched in Gorakhpur (Uttar Pradesh) on February 24 by the Prime Minister and the first instalment of the income to the tune of Rs 2,021 crore has already been transferred to the beneficiaries. 
     
    "For the second instalment which is to be paid on April 1, the cabinet has decided that Aadhaar quoting will not be mandatory," said Prasad. 
     
    PM-KISAN, which entails direct cash support of Rs 6,000 for farmers, was announced in the Interim Budget 2019.
     
    The cabinet also approved promulgation of the Aadhaar and Other Laws (Amendment) Ordinance, 2019. The Aadhaar and Other Laws (Amendment) Bill, 2018 was passed by the Lok Sabha in its sitting held on January 4. However, before the bill could be considered and passed by the Rajya Sabha, the House was adjourned sine die. 
     
    Prasad also said the voluntary use of Aadhaar will be considered in either electronic or physical form. 
     
    "Any entity that takes Aadhaar will follow the privacy standards. Aadhaar can be used on voluntary basis for KYC documents for Telegraph Act and the Prevention of Money Laundering Act," he said.
     
    Disclaimer: Information, facts or opinions expressed in this news article are presented as sourced from IANS and do not reflect views of Moneylife and hence Moneylife is not responsible or liable for the same. As a source and news provider, IANS is responsible for accuracy, completeness, suitability and validity of any information in this article.