Aadhaar – A Weapon of Mass Financial Destruction?

The Centre for Internet & Society (CIS) published a report this May which claimed that around 135 Million AADHAAR Numbers and associated personal information were leaked from 4 Govt. websites. In addition to this, they estimated that probably 100 Million Bank accounts were also leaked from these same websites. UIDAI, the Government agency responsible for Aadhaar, vehemently denied any breach of its database and then turned around and threatened the researchers with lawsuits saying that it was important to bring to justice those involved in “hacking such sensitive information.” Ex-Chairman of UIDAI, Nandan Nilekani, in an interview in August, downplayed Aadhaar security and privacy concerns saying: “The kind of intrusion of privacy that the smartphone does is order of magnitudes higher. Aadhaar is a sporadic thing—it is episodic, for instance, when I go and open an account, etc.” This typifies the Govt’s arrogance and callousness in dealing with security concerns surrounding Aadhaar.

Aadhaar was launched with the promise that “Aadhaar will not be mandatory, and will not be enforced on the resident by the UIDAI. Hence, there is a need to create a product whose benefits are strong enough to create a demand for enrolment.” Yet in practice, we have witnessed exactly the opposite. The Govt. has aggressively pushed for citizens to enrol into Aadhaar and increasingly made Aadhaar mandatory to avail various services. Services ranging from getting Govt. Pensions, subsidies, rations, PAN, Passports, etc. and even services from private entities such as Bank accounts and Mobile Numbers are made contingent on citizens providing their Aadhaar Cards. This has forced citizens to provide their Aadhaar cards to a variety of Government and Private agencies. Hence the Aadhaar number and the personal information contained in the Aadhaar Card itself, such as Date of Birth, Address, Photo ID and Father’s Name of the person, has been made available to these various agencies and stored in their databases. Additionally, these providers also store other information along with this, such as Bank Numbers, Mobile Numbers, PAN, etc. So, now the citizens are really at the mercy of the security standards, or the lack thereof, in these various agencies. Additionally, the Government has encouraged a large number of retail stores, both online and offline, to operate as Aadhaar enrolment centres. Many of these stores don’t have the knowledge or capability to secure their digital assets and are therefore vulnerable to attacks. Also, the due diligence that goes into auditing the reliability and security practices of these stores is questionable when major websites run by the Central Government themselves have such poor security practices, as the CIS study demonstrated.

The widespread leak of such personal data can be used to commit massive financial frauds, criminal impersonation, and money-laundering in an unsuspecting innocent’s name. The Government in refusing to admit to this or by its sheer callousness is creating a time bomb which has the potential to cause massive devastation in not just the lives of innocent people but to our financial institutions as well. The really concerning part is we don’t even know how much of this devastation has already taken place and whether news about it is being suppressed by the Govt.

There have been many reports of Aadhaar data leaks and cases where financial frauds were committed using these data leaks. In all probability, these reports are just the tip of the iceberg. In order to understand the scale of this, we did a quick search of Twitter for the hashtag – #AADHAARLeaks. Many critics of Aadhaar have used this hashtag to report instances of Aadhaar data leaks. To our surprise, we found a recent thread on Twitter started by a user “Anand V” which reported 4 such instances with URLs where the data was to be found. The four websites which were reported in this thread were: e-kendra.com, zambo.in, chahatgroup.co.in and yesbank.co.in. This Twitter thread was 2 days old when we investigated it. Even after 2 days, except for Yesbank, the Aadhaar data was openly available on all these sites. As per our investigations, a total of 10,000 Aadhaar cards were compromised in this fashion. We must emphasize that as part of our investigation we didn’t engage in any hacking activity. The Aadhaar data was simply openly available to anyone who bothered to browse the links using a standard web browser. All these sites had directory listing enabled, which allowed users to look at various directories on their servers. Disabling directory listing is a trivial and elementary security precaution on websites, and yet these websites didn’t follow this guideline. In the case of one of these websites, probably as a result of being reported, the particular directory which was reported had been blocked, but other directories were still open and contained not just Aadhaar, PAN and Bank information but even personal data of the website owner. This is the shocking level of incompetence of people running these websites. The user “Anand V” had tagged UIDAI in this Twitter thread in order to bring these leaks to the notice of the Government, and yet even after a couple of days, no action had been taken by the authorities. Such is the stunning callousness of the Government when presented with evidence of these leaks.
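As an added example (not part of the original article), the following Python check lets a site operator tell, from the HTTP response body of one of their own folders, whether the server returned an auto-generated directory index of the kind described above rather than an ordinary page, and list what such an index exposes so the scope of a leak can be established. The two sample responses are constructed for this example; the function and file names are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample of what a server with directory listing enabled returns for a
# folder that has no index page; the file names are made up for this example.
SAMPLE_LISTING = """<html><head><title>Index of /uploads/kyc</title></head>
<body><h1>Index of /uploads/kyc</h1><pre><a href="/uploads/">Parent Directory</a>
<a href="id_front.jpg">id_front.jpg</a> <a href="pan.pdf">pan.pdf</a>
<a href="scans/">scans/</a></pre></body></html>"""
# Constructed sample of an ordinary page that merely contains the word "index".
SAMPLE_PAGE = '<html><head><title>Customer portal</title></head><body><a href="index.html">index</a></body></html>'

class _Anchors(HTMLParser):
    """Collects the <title> text and every <a href> together with its link text."""
    def __init__(self, html):
        super().__init__()
        self.title, self.links, self._href, self._in_title = "", [], None, False
        self.feed(html)
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self._href = dict(attrs).get("href")
            if self._href is not None:
                self.links.append([self._href, ""])
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a":
            self._href = None
    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._href is not None:
            self.links[-1][1] += data

def _is_parent(href, text):
    return href in ("../", "..") or "parent directory" in text.lower()

def is_directory_listing(html):
    """True when a response looks like an auto-generated index (Apache/nginx style)."""
    p = _Anchors(html)
    titled = re.match(r"\s*index of\s+/", p.title, re.I) is not None
    return titled and any(_is_parent(h, t) for h, t in p.links)

def exposed_entries(html):
    """Entries a listing reveals, minus the parent link, to scope what was exposed."""
    if not is_directory_listing(html):
        return []
    return [h for h, t in _Anchors(html).links if not _is_parent(h, t)]
```

The remedy the article refers to is a one-line server setting: `Options -Indexes` in an Apache configuration or `.htaccess`, or `autoindex off;` in nginx.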

When confronted with such a mountain of evidence, the Government passed the buck in the Supreme Court claiming “The leaks are not from UIDAI database. There is not a single leak from the UIDAI database.” This is just a shocking attempt to divert valid security concerns and shirking of responsibility. What the Government is referring to is that the AADHAAR Biometrics is kept in a centralized and presumably secure repository called the CIDR – Central Identities Data Repository. It claims that the CIDR is both physically and digitally secured and that access to the CIDR is only through leased lines to select (26 as of now) large Government and private entities called ASAs.

Even if we take the Govt’s claim that the CIDR is secure at face value, that doesn’t mean the thousands of Govt and private entities who have access to AADHAAR Cards and the associated personal information are secure. The Govt doesn’t even have the framework in place to ensure that all these thousands of entities are following minimal security standards to ensure that this data is not compromised. At the same time, the Govt is actively encouraging and forcing the use of Aadhaar cards.

Disclaimer: The views expressed here are the author’s personal views, and do not necessarily represent the views of Newsclick.