India struggles to control information distribution from its own identity scheme

Privacy activists argue that identity programme Aadhaar is insufficiently protected

epa06159523 A retina scanner is used for a young boy's unique identification card, or 'Aadhaar' in New Delhi, India, 24 August 2017. Unique 12-digit ID numbers are being issued by the Indian Government to Indian residents as proof of identity.India's Supreme Court on the verdict on unique identification card declared that 'Right to privacy' is a fundamental right.  EPA/RAJAT GUPTA
Powered by automated translation

India has warned Facebook to protect the data of its citizens, but its government is struggling to control the leakage and distribution of information from its own universal identity scheme.

On Thursday, Ravi Shankar Prasad, India’s information technology minister, said that Facebook was welcome in the country but that as far as its data security was concerned, “there shall be no compromise.”

Two days later, ZDNet, an American technology web site, published details of how a state-owned cooking-gas provider’s web site permits anyone to extract information about citizens from the government’s Aadhaar database.

Aadhaar, the world’s largest biometric identity programme has enrolled more than a billion Indians, promising to streamline delivery of welfare benefits and to ease the need for identity verification with other agencies.

Apart from welfare agencies, other arms of the government — such as Indane, the cooking-gas utility exposed by ZDNet — as well as companies such as mobile service providers routinely ask for Aadhaar numbers to verify people’s identities against the state-created database.

Privacy activists are embroiled in a lawsuit against the government, in the Supreme Court, arguing that Aadhaar can unlock various aspects of a person’s identity and violate fundamental rights to privacy.

Among other contentions, the activists have made the case that Aadhaar information is insufficiently protected, leaving the database vulnerable to hackers or to misuse by the government.

Karan Saini, a cyber-security consultant in New Delhi, discovered exactly how weak the protection was when he tested the Indane web site. Since the web site itself is linked to the Aadhaar database to verify customers, Mr Saini could tap into the database, run cycles of random 12-digit numbers, and hit upon valid Aadhaar numbers.

When the Aadhaar numbers came up, Mr Saini told ZDNet, they brought with them, from the database, the names and addresses of their holders. He was also able to see details of other services, such as bank accounts, to which the Aadhaar number were linked.

Mr Saini’s revelations are only the latest in a long line of problems with the management of Aadhaar data.


Read more:

Amid Facebook data mishandling crisis, Apple's Tim Cook calls for more regulations

Whistleblower Christopher Wylie reveals Cambridge Analytica’s dark arts


On Twitter, over a matter of weeks, an anonymous IT security researcher — claiming to be based in France and calling himself Elliot Alderson, after the hacker in the TV show “Mr Robot” - has been calling attention to similar security flaws.

In numerous apps and web sites that use or process Aadhaar data, Alderson found breaches through which he could pull Aadhaar information.

In January, an investigation by the online Tribune newspaper claimed that a reporter was able to buy a log-in and password for just 500 rupees (Dh28). With those credentials, he could enter any Aadhaar number into the official Aadhaar portal and pull up all associated information.

The government has responded to these revelations by denying that these breaches are dangerous. “Aadhaar remains safe and secure,” a statement from the government authority administering Aadhaar said on Saturday.

But Indane also took its link to the Aadhaar database offline after ZDNet published its report, just as other government agencies did after Alderson’s exposures on Twitter.

Other diversions of Aadhaar data appear to be deliberate. Amit Goel, a senior executive at an IT company in Bengaluru, signed up for his Aadhaar a year and a half ago. He told The National that over the past six months, as concerns about data have built, he took to logging into his Aadhaar portal and browsing through the list of agencies that vet his identity — a service available to every user.

On Friday, Mr Goel found that a company named Experian had been able to validate his Aadhaar credentials. Experian, he knew, processes consumer information to generate credit ratings; the firm was founded in the United States and is now based in Ireland.

“Aadhaar should not be allowing this,” Mr Goel said. “By checking my Aadhaar, they now know that my information — my address, my phone number — is accurate. They can then sell this on to other companies. It becomes a gold mine for them.”

Yet anyone living in India has no choice but to submit to the Aadhaar system. Although the scheme is technically not mandatory, the government as well as several companies have made it impossible to access their services without providing Aadhaar details.

This “coerced” linking of Aadhaar “to all public services is designed to cause civil death,” Gopal Krishna, a member of the Citizens Forum for Civil Liberties, said. “Civil death is [a person’s] loss of all or almost all civil rights.”

“People are being compelled to share their personal and [biometric] information,” he said.