For two years now, digital rights and security activists have been holding a placard with the warning about the Aadhaar database, carrying the unique biometric identity of almost one billion Indians, being a hornet’s nest of security lapses, willing breaches, oversights and human errors. Reports on rising incidents of Aadhaar-based exclusions, most heartbreaking of them being the 11-year-old Jharkhand girl Santoshi’s death from starvation, have been filed aplenty. However, neither does the government acknowledge the enormous threat to social justice and digital security that Aadhaar poses, nor does the UIDAI, or the Unique Identification Authority of India, admit that there have been lapses.
While incremental breaches have been reported with government websites leaking data, or Aadhaar data being sold to third parties for commercial purposes without the consent of the users, or banks force-linking Aadhaar with accounts, once again without consent of the customer, despite the deadline being postponed by the Supreme Court itself, the latest investigation into the loophole-ridden rotten structure of Aadhaar is nothing short of explosive.
An investigation by The Tribune, the Chandigarh-based English daily, has claimed that paying just Rs 500 to an anonymous source can yield access to the entire UIDAI database carrying the Aadhaar numbers and linked details of one billion Indians at the click of one’s fingers. The viral story says that all it takes is 10 minutes to breach the Bastille that the government of India, the Union law minister Ravi Shankar Prasad, the UIDAI, its head Nandan Nilekani, his friends in the Indian media, and in the international media, claim the Aadhaar database is.
Hello biometricked citizens of India. UIDAI's central server has been breached. All of our Aadhaar data, all 1 billion of us, can be bought for FUCKIN Rs 500! That's how cheap our info is. The government has screwed with all of our lives quite royally. https://t.co/9IiojtjCaR
— Meghnad (@Memeghnad) January 4, 2018
This is a HUGE #AadhaarFail. #Aadhaar https://t.co/pKw61d4DfB
— Rethink Aadhaar (@no2uid) January 4, 2018
For as little as Rs. 500, a Tribune correspondent gains access to the Aadhaar details of every Indian citizen registered with the UIDAI. Aadhaar at this point seems little more than a national security disaster. https://t.co/gbbFEuD72N
— Puja Mehra (@pujamehra) January 4, 2018
“UIDAI officials in Chandigarh expressed shock over full data being accessed...” Someone tell UIDAI it needs to stop being shocked each time there’s a breach & actually improve security if they expect us to entrust our lives to them. #Aadhaar #privacy https://t.co/PTuWUgnfBu
— Maya Mirchandani (@maya206) January 4, 2018
The Tribune investigation shows how Rs 500 was paid via Paytm to an “agent” running a racket, who “created a gateway” for the correspondent by giving her a login ID and a password to access the Aadhaar numbers stored in the portal. In fact, the portal stored the entire UIDAI database, or had a connection to the UIDAI central database, and the gateway could summon up any Aadhaar number, as well as name, address, postal code, photo, phone number and email with one click of the mouse.
While The Tribune story says that the UIDAI authorities in Chandigarh “expressed shock” over the full data being accessed, therefore opening the floodgates of an enormous national security disaster waiting to happen, the shock is both misplaced and hypocritical to say the least. In fact, The Tribune team paid an additional Rs 300 to access software that could print the entire Aadhaar card of any individual once the Aadhaar number is provided by looking up the portal. This means anyone with access to any portal – something that can be bought or arranged for a sum as paltry as Rs 500 – could be using the Aadhaar details of virtually any individual, hack in with ease, and mess around with the precious and confidential identity details, when not stealing from the bank account, or causing other grievous injuries.
Sensational exposé, is Aadhaar dead now? - enter Aadhaar number in portal, instantly get all details an individual may have submitted to the UIDAI, including name, address, postal code (PIN), photo, phone number and email https://t.co/pKw61d4DfB
— Rethink Aadhaar (@no2uid) January 4, 2018
How to purchase the Aadhar details of all one billion of your country men and women in 10 minutes for Rs 500 using PayTM. pic.twitter.com/j4shZNyMZV
— churumuri (@churumuri) January 4, 2018
In fact, The Tribune claims that a commercial group tapping UIDAI may have sold access to one lakh service providers, and that means all these commercial service providers are, through highly questionable and possibly illegal means, sitting on the goldmine of user data as collated in the UIDAI database.
That the government has been forcing the citizens to link Aadhaar to everything, from mobile numbers, to bank accounts, to making this voluntary proof of identity into a mandatory requirement for availing rations via PDS, social benefits, pensions, hospitalisation and medical care, to draw salaries, to mark attendance, to all financial transactions, among other things, makes the UIDAI database a veritable super treasure trove of customer information.
1. Details of Aadhaar enrolment by enrolment agency. pic.twitter.com/2OXYSLIskt
— india subsidy data (@databaazi) January 3, 2018
Hi @ceo_uidai I've sent these questions to you via email. Please do respond. Posting them here in case you can respond here or via DM pic.twitter.com/977NLJxkHQ
— Nikhil Pahwa (@nixxin) January 4, 2018
This, it seems, has already started a scramble for user information, encouraging large-scale surreptitious digital thefts, tendencies that are in-built in the Aadhaar system. This is something that activists and watchers in the media have been repeatedly raising an alarm about, to the extent that the Supreme Court itself has created a Constitution bench to hear the matter and pronounce a verdict later this month.
It’s but obvious that the UIDAI has given a brazen and expected response, denying the entire incident, saying the breach never happened. This is exactly how the organisation behaved when data breaches from Reliance Jio and other portals were reported, when telecom companies and commercial bodies seemed to have a free run at accessing the confidential UIDAI database.
Unique Identification Authority of India denies media report titled “Rs 500, 10 minutes, & you have access to billion Aadhaar details” & calls it a case of misreporting. UIDAI assures that there has not been any Aadhaar data breach & that the data is fully safe & secure: UIDAI pic.twitter.com/yvP8HQy180
— ANI (@ANI) January 4, 2018
Full statement from @UIDAI on Aadhaar breach report today. pic.twitter.com/OIChO5q9dA
— Chandra R. Srikanth (@chandrarsrikant) January 4, 2018
However, this is no longer going to be an easy ride, with the political Opposition having now woken up to the dangers of Aadhaar and publicly talking about the grave problems and in-built security crisis within the UIDAI system. Congress’ Shashi Tharoor and Randeep Surjewala, CPI(M)’s Sitaram Yechury, and Lok Sabha MP and Biju Janata Dal (BJD) leader Tathagata Satpathy, among others, have become vocal opponents of Aadhaar and are lending their voice to the largely citizens-driven movement against being “biometricked” by the government.
‘AADHAR’ data breached yet again! As every citizen’s personal information is exposed to hackers everyday & ‘Right to Privacy’ is mocked and flouted with impunity, Modi Govt remains immune. Is anyone listening? https://t.co/UDSfOlSWv9
— Randeep S Surjewala (@rssurjewala) January 4, 2018
How ₹500 is all it takes to buy you unauthorized access to the #Aadhar database: https://t.co/Q2ksbElnT7
— Shashi Tharoor (@ShashiTharoor) January 4, 2018
The perils of making Aadhaar mandatory and linking it to bank accounts, as insisted upon by Modi govt, are visible here. Do we need more proof to stop this madness? https://t.co/9OEbitCmDO
— Sitaram Yechury (@SitaramYechury) January 4, 2018
"If data is the new oil: Compensate citizens for their personal data used." TS's piece in @timesofindia today https://t.co/Nk9LSJgAz6 pic.twitter.com/dDXDEVdNb3
— Office of T Satpathy (@SatpathyLive) August 4, 2017
In fact, Tathagata Satpathy has been one of the early voices of resistance, and his furious piece of writing against treating citizens’ digital lives as mere “data” and saying “data is the new oil” has been well received as an important intervention in this concerted attempt to reduce citizens to digital shadows of themselves, chained to Aadhaar and the surveillance state it’s creating for the government and its corporate backers in the country.
Can't even build a surveillance State competently.
— Gautam Bhatia (@gautambhatia88) January 4, 2018
However, as a wise soul noted, the irony lies in the fact that even a surveillance state couldn’t be competently built by those at the helm. And, we should be thankful that these alarm bells are being regularly sounded to alert and prepare the digital citizens of India and safeguard their fundamental right to privacy.