The UIDAI, the body that governs Aadhaar, has told the Supreme Court that its database cannot be breached or used to profile citizens. A new data leak suggests that there may be no need for hackers to go that far. Government departments are already using the unique identification number to aggregate data from different departments, complete with the individual’s religion, caste, bank account numbers and their exact location.
Still worse, some of them have placed this private information on its websites for anyone to see.
The Andhra Pradesh State Housing Corporation this week joined the list of organisations called out for exposing private information about individuals after a cyber security researcher complained that the state-run body had exposed Aadhaar numbers of 1.3 lakh people and allowed targeting of over 50 lakh individuals by caste, religion and locality.
This is what made the leak more dangerous. It also had a search feature which could generate targeted lists of people based on their religion and caste and even show their exact location because of geo-tagging. For example, one could simply search for “Dalits” or “Muslims” and get to know how many Dalits live in Vishakhapatnam or Muslims live in Kurnool.
Srinivas Kodali, the Hyderabad-based cyber security researcher, says this was contrary to what the centre had been telling the Supreme Court.
“The UIDAI has informed the Supreme Court that Aadhaar can never be used for surveillance or to track religious and caste information. But the fact is the Andhra Pradesh government has used Aadhaar to build profiles of their beneficiaries. All of this information is in public domain and it could be misused by political parties for voter profiling.”
The Aadhaar law has strict provisions how the biometric data collected by UIDAI can be used. As UIDAI chief ABP Pandey famously told the Supreme Court, its data was secured using encryption that would take billions of years to crack.
But there is nothing to stop private and government departments from creating such database that can be abused. In previous instances, UIDAI has washed its hands off such leaks or database suggesting that its responsibility stopped at securing its database.
The database on Andhra’s housing corporation website – it has been shut down for now – was part of an ambitious project launched by the Andhra Pradesh government in 2017 called the People’s Hub. It used the Aadhaar number to merge data from 29 different departments. Other states are planning to follow the same footsteps and that would only lead to a bigger crisis for data privacy in this country.
Amba Kak, a policy analyst who has taken a hard look at India’s privacy provisions, suggests there are many ways in which such data can be misused.
The state of Andhra Pradesh is the first State to form ‘core data authority’ following guidelines of Aadhaar Act 2016 that frame the guidelines for executing and regulating the application of Aadhaar.