Aadhaar Data Theft: UIDAI Busts its Own Claim, Flags ‘National Security’ Concern

New Delhi: A First Information Report (FIR) has been registered by the Cyberabad Police in Madhapur on request by The Unique Identification Authority of India (UIDAI), the agency that issues Aadhaar, regarding data theft of 7.82 crore people from Andhra Pradesh and Telangana for alleged voter profiling. The UIDAI has filed the complaint against IT Grids Pvt. Ltd, a company that reportedly does work for Telugu Desam Party (TDP).

The FIR  busts earlier claims by UIDAI that Aadhaar data is fully safe and protected by a ’13 feet wall’, as its own complaint can be termed as an admission of huge breach of privacy, even as it continues to push citizens to enroll for Aadhaar to ger services and benefits.

According to MirrorNow, IT Grids Pvt. Ltd. was allegedly hired by TDP for developing an app called Seva Mitra. After the UIDAI’s complaint, the Cyberabad Police conducted a series of raids on the office of IT Grids in Madhapur and forensic investigations were conducted on the material seized in the raids. The company was allegedly found to have the data of 7.82 crore citizens of Andhra Pradesh and Telangana which was being stored by the company with cloud storage services of Amazon Web Services.

As per reports, Telangana State Forensic Science Laboratory (TSFSL) has in its initial probe confirmed that the data came from the Aadhaar database as its structure was same as that with UIDAI. This was confirmed because the data parameters that IT Grids was storing, was very similar to the format used by Aadhaar-centric databases like the state resident data hubs (SRDH) and the central identities data repository (CIDR), report said.

UIDAI in its FIR has claimed that the App was using the ‘stolen data’ for profiling voters, to target campaigns and to delete names of voters from the list. The alleged presence of Enrolment Identification Numbers (EID) in the data that has been examined has also reportedly strengthened this suspicion of the UIDAI.

The FIR states, "...investigation so far has revealed that Seva Mitra application is suspected to be using stolen voter information along with Aadhaar data of the state governments of Telangana and Andhra Pradesh for voter profiling, targeted campaigning and even deletion of votes."

"The presence of enrolment identification number (EID_NUM) raises a strong suspicion that the data could have been obtained either from the Central Identities Data Repository (CIDR) or one of the State Resident Data Hubs (SRDH) aligned to CIDR. Availability of such unique information of an Aadhaar number indicates that the accused (IT Grid) might have illegally accessed CIDR or SRDH and has used such information or data for wrongful gain," the FIR says, adding, "...the directors of IT Grids are suspected to have hosted databases related to Aadhaar number and related identity information in Amazon web service (AWS), which is in clear contravention of Aadhaar Regulations."

At a time when Prime Minister Narendra Modi is addressing rally after rally during the election campaign, harping on ‘national security’ and cashing in on Pulwama and Balakot, many citizens have raised serious questions on the government’s accountability on this grave national security threat, by UIDAI’s own admission.

"There is every possibility that sensitive data of Indian citizens could be accessed and used by countries hostile to India or international organised crime syndicates in a manner which could be seriously detrimental to the national security," the FIR registered on request of UIDAI states.

Reacting to the UIDAI’s complaint, Nikhi Pahwa, co-founder of savetheinternet.in  and tweeted: “If someone could steal data from the database, it means that it's not secure. How is that "jumping to conclusions"? Data once lost is lost forever. It's going to be shared, used, & can be sold easily to enemy countries for microtargeting. Aadhaar is national security nightmare.”

The UIDAI’s complaint runs contrary to what UIDAI's chief executive (CEO) Ajay Bhushan Pandey had told the Supreme Court when his presentation talked about 'sufficient safeguard mechanism' and 'almost foolproof public key infrastructure (PKI)-2048 encryption...virtually impossible to decipher'. The September 2018 judgement had also accepted this claim, but the action of filing the FIR and the data breach, suggests otherwise.

On March 21, 2018, requesting the five-judge Constitutional bench headed by the then Chief Justice Dipak Misra, comprising Justices AK Sikri, AM Khanwilkar, DY Chandrachud and Ashok Bhushan, to allow UIDAI CEO make a technical presentation, Attorney General KK Venugopal contended that this would explain how security is protected at every step in CIDR.

“Many doubts and fears that have been raised (by the petitioners) will be clarified by the presentation (from the UIDAI CEO). There is also a four-minute video showing the thirteen foot wall around the CIDR,” the AG had told the bench.

Refuting the contention of petitions on use of Aadhaar by third parties or by the state for mass surveillance, Attorney General Venugopal and UIDAI counsel Rakesh Dwivedi had submitted to the apex court that "...given the architecture of the Aadhaar Act, there are no such possibilities and in any event, submission based on imaginary possibility do not provide any basis for questioning the validity of Aadhaar Act."

This IT Grids episode of exposing data and profile of 7.82 crore people from Telangana and Andhra Pradesh has brought forward a stark reality. This is perhaps, exactly the scenario that the petitioners in Aadhaar case were trying to point out.

In this case, there are number of violations from the private entity such as data breach, storage of data on servers located overseas and exploitation of Aadhaar number holders by creating their demographic profile and using it for political means.

Justice DY Chandrachud had pointed out in his (dissenting) judgement, the Aadhaar Act,that these violations also hamper right to privacy, as defined by the apex court, of the individual. “When Aadhaar is seeded into every database, it becomes a bridge across discrete data silos, which allows anyone with access to this information to re-construct a profile of an individual’s life. This is contrary to the right to privacy and poses severe threats due to potential surveillance,” Justice Chandrachud had said in his judgement.

In a press conference held after the raids on IT Grids’ offices, Chandrababu Naidu’s trusted bureaucrat Ahmed Babu and the IT secretary of AP contradicted the initial claims of Cyberabad Police and publicly reported Aadhaar data leaks from Andhra Pradesh.