If you think your Aadhaar data is only in the hands of those authorised to access the official Aadhaar database, think again. Following up on an investigation by The Tribune, The Quint found that completely random people like you and me, with no official credentials, can access and become admins of the official Aadhaar database (with names, mobile numbers, addresses of every Indian linked to the UIDAI scheme). But that’s not even the worst part. Once you are an admin, you can make ANYONE YOU CHOOSE an admin of the portal. You could be an Indian, you could be a foreign national, none of it matters – the Aadhaar database won’t ask.
A person of your choosing would then have access to the data of all 119,22,59,062 Aadhaar cardholders.
Let’s break it down.
Say Person X has an email address registered on the Aadhaar portal for access to the user information of Aadhaar cardholders. The URL for the portal website is http://portal.uidai.gov.in/.
(By the way, within hours of The Tribune’s report that showcased how a reporter could access the Aadhaar portal in 5 minutes and by spending Rs 500, the website portal.uidai.gov.in was down. Visiting the site gave the response – “This site can’t be reached.”)
Getting back to Person X.
Now, Person X may have been provided access to the Aadhaar portal by the government for carrying out certain legitimate functions.
However, here’s the catch.
Person X also has the ability to provide anybody else in the world the rights to access the portal as an admin.
Let’s say X gives access to person Y and person Z. Persons Y and Z can then log onto the Aadhaar portal and add Persons A, B, C and so on.
The going rate for being granted access to the Aadhaar portal has varied from Rs 500 to Rs 6,000, and possibly higher in other cases.
Once you are made an admin of the Aadhaar portal, here’s what you can do – and we’re not making this up. Well-placed sources have successfully attempted this.
Through the Aadhaar number of the person whose ID was originally used to access the portal, new admins can access user information of other Aadhaar cardholders.
These details include:
To cut a long story short – everyone.
Since the portal allows an admin to view the data of different users by merely changing 12 digits of the URL, a computer program could potentially run different permutations and land up with the data of every single one of the 119,22,59,062 Aadhaar cardholders.
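For readers on the defending side, here is one way the pattern described above could be spotted in access logs. This is an added example, not code from the UIDAI portal or from this investigation; the log format, the `/records/` path, the account names and the record numbers are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format: ISO timestamp, account, method, path.
# The path ends in the 12-digit record number being viewed.
LINE = re.compile(r"^(\S+) (\S+) GET /records/(\d{12})$")

def flag_enumeration(lines, window=timedelta(minutes=5), max_distinct=3):
    """Return accounts that viewed more than max_distinct different
    12-digit records inside any sliding window. Lines must be time-ordered."""
    recent = defaultdict(deque)  # account -> deque of (time, record number)
    flagged = set()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a record view, ignore
        ts, account, record = datetime.fromisoformat(m[1]), m[2], m[3]
        q = recent[account]
        q.append((ts, record))
        # Drop views that have fallen out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        # Repeat views of one record do not count; distinct records do.
        if len({rec for _, rec in q}) > max_distinct:
            flagged.add(account)
    return sorted(flagged)

# Constructed sample: operator-a re-opens one record, operator-b walks
# through four different records in 15 seconds, operator-c views four
# records spread over an hour.
SAMPLE_LOG = [
    "2018-01-05T10:00:00 operator-a GET /records/100000000001",
    "2018-01-05T10:00:05 operator-b GET /records/200000000001",
    "2018-01-05T10:00:10 operator-b GET /records/200000000002",
    "2018-01-05T10:00:15 operator-b GET /records/200000000003",
    "2018-01-05T10:00:20 operator-b GET /records/200000000004",
    "2018-01-05T10:10:00 operator-a GET /records/100000000001",
    "2018-01-05T10:20:00 operator-c GET /records/300000000001",
    "2018-01-05T10:40:00 operator-c GET /records/300000000002",
    "2018-01-05T11:00:00 operator-c GET /records/300000000003",
    "2018-01-05T11:20:00 operator-c GET /records/300000000004",
]

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

An alert like this only catches the behaviour after the fact; the underlying fix is for the server to check, on every request, whether the logged-in account is allowed to see that particular record.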
Does this site show your biometric data? No.
Is this still a worry for you?
Think about it. A photograph of you along with all that personal information of yours has been in the hands of unauthorised persons with no government links or credentials.
Yes, the fact that your personal data is unsafe should definitely worry you.
What could these unauthorised admins use the data for?
The unauthorised admins could sell your data, along with that of millions of others, for a fortune. They could attempt to extract other personal information of yours based on the information that they already have.
It’s their call, really.
Let’s face it, even relatively unimportant systems have access control via 2-stage or 3-stage processes, OTPs, biometric checks and the like – but the world’s largest biometric database allows its admin rights to be freely exchanged across any email address in the world. Could the UIDAI not have added a security check, such as a biometric authentication, for any unknown person who tries to log in from these freely exchangeable logins?
Based on their denials on Twitter, it would not seem so.
There have always been significant doubts over how secure the Aadhaar database really is. Remember this tweet by Narendra Modi during his election campaign in 2014?
Today, it is the Congress’ turn to cry foul.
The Quint has reached out to the authorities at the UIDAI for a response to this investigation. This article will be updated with their response if and when they revert.