Data security issues relating to Aadhaar are unlikely to die down soon. Even as the government is in the process of making 12-digit unique identification number mandatory for people to avail benefits of various social service schemes, an investigation by The Tribune has revealed that details of Aadhaar is easily accessible, that too just by paying Rs 500.
According to the newspaper, its reporter purchased a service by anonymous sellers on WhatsApp and paid Rs 500 via Paytm to an agent of the group running a racket. The agent then created a “gateway” for the reporter and gave a login ID and password, thus giving unrestricted access to details, including name, address, postal code (PIN), photo, phone number and email, of more than 1 billion Aadhaar numbers submitted to the UIDAI (Unique Identification Authority of India), the Aadhaar issuing body.
Not only this, the newspaper team paid another Rs 300, for which the agent provided “software” that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.
This report came at a time when the Supreme Court is hearing petitions challenging the government's decision on Aadhaar. The petitioners had contended that the biometric data and iris scan that was being collected for issuing Aadhaar cards violated the citizen’s fundamental right to privacy as their personal data was not being protected and was vulnerable to exposure and misuse.
In December last year, the government extended the deadline for mandatory Aadhaar linking from December 31 to March 31, 2018.
This extension will be for 139 services for which the deadline is currently December 31, 2017. The extension, would in all likelihood, include the mandatory linkage of Aadhaar with bank accounts.
Sanjay Jindal, additional director-general, UIDAI Regional Centre, Chandigarh accepted that this was a lapse and told The Tribune: “Except the director-general and I, no third person in Punjab should have a login access to our official portal. Anyone else having access is illegal, and is a major national security breach.”
According to the newspaper, the racket may have started around six months ago, when some anonymous groups were created on WhatsApp. These groups targeted over 3 lakh village-level enterprise (VLE) operators hired by the Ministry of Electronics and Information Technology (ME&IT) under the Common Service Centres Scheme (CSCS) across India, offering them access to UIDAI data.
More than one lakh VLEs are now suspected to have gained this illegal access to UIDAI data to provide “Aadhaar services” to common people for a charge, including the printing of Aadhaar cards.
The UIDAI, in a press statement, said: “Aadhaar security systems are best of the international standards and Aadhaar data is fully secure. There has been no breach or leakage of Aadhaar data at UIDAI. Also, the Aadhaar numbers which were made public on the said websites do not pose any real threat to the people as biometric information is never shared and is fully secure with highest encryption at UIDAI and mere display of demographic information cannot be misused without biometrics.”
It added: “UIDAI clarified that Aadhaar number is not a secret number. It is to be shared with authorized agencies when an Aadhaarholder wishes to avail a certain service or benefit of government welfare scheme/s or other services. But that does not mean that the proper use of Aadhaar number poses a security or financial threat. Also, mere availability of Aadhaar number will not be a security threat or will not lead to financial/other fraud, as for a successful authentication fingerprint or iris of individual is also required. Further all authentications happen in presence of personnel of respective service provider which further add to the security of the system.”