Aadhaar Can Potentially Destroy Lives, Indicate The Latest Data Leaks

The dystopian future that detractors of Aadhaar warned us about is closer than many might imagine.

In the latest instances of Aadhaar data leaks — between 23 and 26 April — cybersecurity researcher Srinivas Kodali flagged three instances of personal data linked to Aadhaar of millions of citizens being published online by Andhra Pradesh government agencies.

On 23 April, Kodali highlighted how the Aadhaar numbers of more than 1.34 lakh people was being leaked online — along with highly sensitive personal and financial information such as their religions, castes, occupations, bank details (complete with bank name, branch, account number and IFSC code), etc!

One can only imagine the consequences of all of such sensitive information being freely accessible to anyone with an internet connection! 

The website leaking the information belonged to the Andhra Pradesh State Housing Corporation.

On 25 April, Kodali flagged how the Aadhaar numbers and other details of more than 89 lakh MGNREGA workers were leaked online by the Andhra Pradesh Benefit Disbursement Portal.

Then on 26 April, Kodali pointed out that the Aadhaar data of more 69 lakh children was had been leaked on the website of Andhra Pradesh Commissionerate of School Education.

Although the leaked information was masked by these websites after Kodali brought them to light, damage may already have been done.

There seems to be no end to these instances of Aadhaar data leaks in this country of more than 1.3 billion people — as evidenced by the numerous instances of data leaks and security breaches brought to light by cyber researchers and hackers over the past couple of years.

Even as the final hearings on the constitutional validity of the Aadhaar project are going on in the Supreme Court, the Unique Identification Authority of India (UIDAI) continues to maintain that the citizens’ biometric data is safe and there is no threat to citizens’ privacy and security.

The UIDAI says that the Aadhaar data stored in the database of the Central Identities Data Repository (CIDR) contains only biometric and basic demographic data along with authentication requests. There are provisions in Aadhaar Act mandating that data related to religion, caste, etc. shall be collected but not shared and that UIDAI would not store the purpose for which an authentication transaction took place. So, UIDAI argues, it cannot be used to profile citizens.

Also, the UIDAI says that the biometric information in the database is not accessible to anybody. Attorney General KK Venugopal even told the Supreme Court that Aadhaar data was secure behind walls that are “13 feet high and five feet thick”.

But the security of the biometric information in the CIDR database is not the main problem with the project of Aadhaar — the 12-digit biometrically linked Unique Identification number that is being forced on Indian citizens.

The more dangerous — and real —  problem is the Aadhaar seeding. Seeding is the process through which Aadhaar numbers of residents are included in the service delivery database of service providers.

And the BJP-led NDA government has been aggressively pushing for linking of Aadhaar to all kinds of services — government and private companies’ services — and even lying about it, like it did with the SIM-Aadhaar linking diktat, falsely claiming that the Supreme Court had ordered it.

Cybersecurity experts and activists have been crying themselves hoarse about the dangers of a giant, centralised database of biometric and demographic information of citizens — and the dangers of linking the Aadhaar numbers with every imaginable service, on the shaky premise of de-duplication of database and Aadhaar-based authentication/verification.

As we have seen, most of the leaks have happened through government agencies themselves. In February 2017, Kodali flagged how the Aadhaar details of 5-6 lakh children had been leaked by a Telangana government website. Throughout last year and continuing this year, there were reports of massive security breaches of Aadhaar data and poor security of government websites — such as the leaking of personal details of 35 lakh pensioners in Kerala , 14 lakh pensioners in Jharkhand, etc.

In February this year, French cybersecurity researcher Robert Baptiste showed how biometric and other details of 56 lakh beneficiaries of MGNREGA and 40 lakh beneficiaries of social security pension on Telangana government’s benefit disbursement portal 'TSPost' were accessible through a simple hacking technique.

In May 2017, Kodali and another researcher had authored a report for the Centre for Internet and Society revealing that poor security of four government websites had revealed details of 13 crore people.

In January this year, a journalist for The Tribune reported how she could buy “unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far” by paying Rs 500 to “sellers”.

But even more worryingly, the agencies with whom the Aadhaar number is seeded can themselves link it to sensitive personal information like religion and caste — like in the case of the Andhra Pradesh State Housing Corporation, flagged by Kodali.

Needless to say, the publishing of such sensitive personal and financial details and the power afforded by such databases to geographically locate the homes of individuals and their families is dangerous. Especially, in a country like India where not only are financial frauds common given the financial and technological illiteracy of the vast majority of people, but also where communal and caste-based tensions are frequently fanned by vested political interests.

As this piece in The Huffington Post elaborates, there are grave consequences of the ability to geo-locate people by religion and caste and that “big-data governance revolution can be subverted to target vulnerable citizens”.

For example, in the 2002 anti-Muslim riots in Gujarat and in the 1984 anti-Sikh riots, voter lists were used to identify people. Currently too, we have been witnessing a spate of lynchings of Dalits and minorities, and murders of dissenting journalists and activists and rationalists.

But most importantly, this will allow the use of Aadhaar as a unique identifier to aggregate and consolidate data about the UID holder from across databases and websites.

This means that profiling and tracking individuals would be a cake-walk.

Earlier, while citizens’ data was still available with state agencies and even corporations, it existed in separate files or databases.

The seeding of the Aadhaar number in all kinds of databases will give unimaginable powers to the database owners — the State and the corporations — to collate information about the individual and construct “360-degree profiles” of citizens.

Kodali told The Citizen, “There were multiple government records that were building 360 degree profiles of people. The tender of 360 degree profiles being built by AP called People Hub. Since I was aware, I could identify this pattern being generated all across. This was also to highlight the government’s contradictory statements where UIDAI would say that Aadhaar data is not being used. In fact, it was a major lie. This issue had to be reported.”

In fact, an IRS officer of Telangana had earlier even made a presentation on how to do “360-degree Profiling” of citizens, based on Aadhaar numbers among other things, using the Integrated Tax Payer Data Management System software. The presentation was titled “Using Data Mining to convert information to actionable intelligence”.

“There was an approach paper by Union of India which is long back in 2010 itself said that convergence should not be promoted because that will be the end of privacy,” said Gopal Krishna of the Citizens Forum for Civil Liberties to The Citizen.

And yet, there have been projects like the State Resident Data Hub, which is an Aadhaar-seeded repository of information consolidated from various government databases.

The Facebook-Cambridge Analytica case showed how personal data can be used to influence the electoral behaviour of people, but with the Aadhaar project — given the extent, nature and convergence of the information available — the consequences can be far more dire.