Rs 500 to breach entire UIDAI database shows Aadhaar is a national security disaster

Angshukanta Chakraborty
Jan 04, 2018 | 17:51

For two years now, digital rights and security activists have been holding up a placard warning that the Aadhaar database, carrying the unique biometric identity of almost one billion Indians, is a hornet’s nest of security lapses, willing breaches, oversights and human errors. Reports on rising incidents of Aadhaar-based exclusions, most heartbreaking of them being the 11-year-old Jharkhand girl Santoshi’s death from starvation, have been filed aplenty. However, neither does the government acknowledge the enormous threat to social justice and digital security that Aadhaar poses, nor does the UIDAI, or the Unique Identification Authority of India, admit that there have been lapses.

While incremental breaches have been reported with government websites leaking data, or Aadhaar data being sold to third parties for commercial purposes without the consent of the users, or banks force-linking Aadhaar with accounts, once again without consent of the customer, despite the deadline being postponed by the Supreme Court itself, the latest investigation into the loophole-ridden rotten structure of Aadhaar is nothing short of explosive.

An investigation by The Tribune, the Chandigarh-based English daily, has claimed that just giving Rs 500 to an anonymous source can yield access to the entire UIDAI database carrying the Aadhaar numbers and linked details of one billion Indians at the click of one’s fingers. The viral story says that all it takes is 10 minutes to breach the Bastille that the government of India, the Union law minister Ravi Shankar Prasad, the UIDAI, its head Nandan Nilekani, his friends in the Indian media, and in the international media, claim the Aadhaar database is.

The Tribune investigation shows how Rs 500 was paid via Paytm to an “agent” running a racket, who “created a gateway” for the correspondent by giving her a login ID and a password to access the Aadhaar numbers stored in the portal. In fact, the portal stored the entire UIDAI database, or had a connection to the UIDAI central database, and the gateway could summon up any Aadhaar number, as well as name, address, postal code, photo, phone number and email with one click of the mouse.

While The Tribune story says that the UIDAI authorities in Chandigarh “expressed shock” over the full data being accessed, therefore opening the floodgates of an enormous national security disaster waiting to happen, the shock is both misplaced and hypocritical to say the least. In fact, The Tribune team paid an additional Rs 300 to access software that could print the entire Aadhaar card of any individual once the Aadhaar number is provided by looking up the portal. This means anyone with access to any portal – something that can be bought or arranged for a sum as paltry as Rs 500 – could be using the Aadhaar details of virtually any individual, hack in with ease, and mess around with the precious and confidential identity details, when not stealing from the bank account, or causing other grievous injuries.

In fact, The Tribune claims that a commercial group tapping UIDAI may have sold access to one lakh service providers, and that means all these commercial service providers are, through highly questionable and possibly illegal means, sitting on the goldmine of user data as collated in the UIDAI database.

That the government has been forcing the citizens to link Aadhaar to everything, from mobile numbers, to bank accounts, to making this voluntary proof of identity into a mandatory requirement for availing rations via PDS, social benefits, pensions, hospitalisation and medical care, to draw salaries, to mark attendance, to all financial transactions, among other things, makes the UIDAI database a veritable super treasure trove of customer information.

This, it seems, has already started a scramble for user information, encouraging large-scale surreptitious digital thefts, tendencies that are in-built in the Aadhaar system. This is something that activists and watchers in the media have been repeatedly raising an alarm about, to the extent that the Supreme Court itself has created a Constitution bench to hear the matter and pronounce a verdict later this month.

It’s but obvious that the UIDAI has given a brazen and expected response, denying the entire incident, saying the breach never happened. This is exactly how the organisation behaved when data breaches from Reliance Jio and other portals were reported, when telecom companies and commercial bodies seemed to have a free run at accessing the confidential UIDAI database.

However, this is no longer going to be an easy ride, with the political Opposition having now woken up to the dangers of Aadhaar and publicly talking about the grave problems and in-built security crisis within the UIDAI system. Leaders from Congress’ Shashi Tharoor to Randeep Surjewala, to CPI(M)’s Sitaram Yechury, to Lok Sabha MP and Biju Janata Dal (BJD) leader Tathagata Satpathy, among others, have become vocal opponents of Aadhaar and are lending their voice to the largely citizens-driven movement against being “biometricked” by the government.

In fact, Tathagata Satpathy has been one of the early voices of resistance, and his furious piece of writing against treating citizens’ digital lives as mere “data” and saying “data is the new oil” has been well received as an important intervention in this concerted attempt to reduce citizens to digital shadows of themselves, chained to Aadhaar and the surveillance state it’s creating for the government and its corporate backers in the country.

However, as a wise soul noted, the irony lies in the fact that even a surveillance state couldn’t be competently built by those at the helm. And, we should be thankful that these alarm bells are being regularly sounded to alert and prepare the digital citizens of India and safeguard their fundamental right to privacy.

Last updated: January 05, 2018 | 16:30