(On 15 Jan 2018, The Economic Times published an article by RS Sharma, the first Director General of the UIDAI, claiming that there has been no Aadhaar data breach till date. In this article republished from The Quint’s archives, we explain why the UIDAI is so confused as to whether there has been a data breach or not, and what the truth of the matter is. It was originally published on 9 January 2018.)
The Unique Identification Authority of India (UIDAI) seems terribly confused about whether the Aadhaar database has been breached or not.
On Friday, their response to The Tribune story was, “UIDAI assured that there has not been any Aadhaar data breach. The Aadhaar data including biometric information is fully safe and secure.”
And then the UIDAI filed an FIR against The Tribune, which claimed that unauthorised persons including The Tribune’s reporter Rachna Khaira “have unauthorisedly accessed the Aadhaar ecosystem in connivance of the criminal conspiracy.”
Let’s give you a recap of UIDAI’s contradictory statements.
On Thursday morning, The Tribune published an investigative story that showed that access to the “secure” and “protected” Aadhaar database was being sold for as cheap as 500 rupees.
The headline read: “Rs 500, 10 minutes, and you have access to billion Aadhaar details.”
Within hours, a follow-up investigation by The Quint showed that it was only the tip of the iceberg.
The admin doesn’t need to take permission from the government, or anybody else for that matter, to add someone else as an admin. Just type a name (which could be a fake one) and an email address and voila! That individual would be granted access to the entire Aadhaar database.
Did the UIDAI admit the presence of this massive loophole in their security system?
Nope. Their first reaction was to say that The Tribune was “misreporting.”
Two minutes after that, they tweeted that “some persons have misused demographic search facility.” So was it “misreporting” or “misuse”?
Because “misreporting” would mean that The Tribune’s story was wrong, factually incorrect or out of context. But if “misuse” took place, then some wrongdoing was definitely going on.
So which one was it?
Notice how in their first tweet after the reports were published, the UIDAI cleverly slid in a line about “No biometric data breach”.
Yes, because The Tribune’s story never claimed that there was a biometric data breach. Neither did The Quint’s story ever claim so. But that doesn’t mean that there was no data breach.
As highlighted in The Quint’s report, the data breach pertained to the following personal information of Aadhaar cardholders.
So essentially, the UIDAI first said it was misreporting. Then they admitted there was misuse. Then, they added yet another twist to their defence/denial/admission/whatever it is.
In a press statement, the UIDAI said, “Mere display of demographic information cannot be misused without biometrics.”
But wait, if random people can get access to your personal details, including your photograph, your phone number, your residential address, your email id, they can do any number of unfriendly things with that data.
Not exactly as happy a situation as the UIDAI would want you to believe. Their defence that the data “cannot be misused” seems woefully off the mark.
And if the UIDAI’s ever-changing standpoint on the issue wasn’t embarrassing enough, they went ahead and registered an FIR naming The Tribune and its reporter Rachna Khaira.
Instead of thanking the reporter for exposing a major flaw in the Aadhaar ecosystem, the UIDAI thought it would be a good idea to try punishing her for doing so.
Eventually, Union Minister Ravi Shankar Prasad had to nudge the UIDAI, asking it to focus on assisting the police in catching the “real offenders” (read: not investigative journalists).
It would be natural to assume from the contents of the FIR, a copy of which is with The Quint, that the UIDAI was filing the FIR because it believed that The Tribune’s reporter had accessed “details for any of the more than 1 billion Aadhaar numbers created” so far.
Yet, a letter from the UIDAI to The Tribune paints a picture of another denial rather than admitting that something is wrong with the security of the Aadhaar database.
The UIDAI asked The Tribune, “Whether it was at all possible for your correspondent to view or obtain Fingerprints and Iris scan of any person through the aforesaid access to UIDAI portal?”
The UIDAI further stated, “You are requested to send your response to UIDAI on the sender’s email by 8 January 2018 failing which it will be presumed that there was no access to any Fingerprints and/or Iris scan.”
But the UIDAI very well knew that it was not the biometrics that had been accessed but the personal information (photo, parent’s name, date of birth, email id, mobile number, residential address).
But does that change the truth about the data breach, its severity and magnitude? Nope.
So why exactly is the UIDAI busy comforting itself with sweet nothings? And worse still, why does the UIDAI still seem confused about whether there has been a data breach at all or not?
The facts are out there, plain and simple. It’s time the UIDAI stopped vacillating from denial to partial admission to denial again, and looked at the facts, admitted the problem and started getting their act together on how to fix it.
As we’ve said before, even relatively unimportant systems have access control via two-stage or three-stage processes, OTPs, biometric checks and the like – but the world’s largest biometric database allows its admins to add others as admins without even a two-step checking process.
Wasn’t putting in a security check before allowing admins to create new admins a common sense move? Why should admins have been ALLOWED to add unknown persons as admins with just a name, an email address and no other check whatsoever?
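The two-step check the passage calls for, shown as an added example that is not code from the original article or from any UIDAI system (all names and the registry class are assumed): the unchecked “type a name and an email” grant sits beside a hardened flow in which the invitee must prove control of the mailbox with a one-time code and a different admin must approve before the privilege exists.

```python
import hmac, secrets
from dataclasses import dataclass

@dataclass
class PendingGrant:
    name: str
    email: str
    requested_by: str
    otp: str                        # one-time code sent out of band to the invitee
    email_verified: bool = False

class AdminRegistry:
    def __init__(self, initial_admins):
        self.admins = set(initial_admins)   # admins are keyed by verified e-mail
        self.pending = {}                   # email -> PendingGrant awaiting checks
        self.audit = []                     # every privilege change is recorded

    def _require_admin(self, actor):
        if actor not in self.admins:
            raise PermissionError(f"{actor} is not an admin")

    def add_admin_unchecked(self, actor, name, email):
        """Weak model, as the reports describe: a name and an e-mail, and the grant is live."""
        self._require_admin(actor)
        self.admins.add(email)
        self.audit.append(("grant-unchecked", actor, email))

    def request_grant(self, actor, name, email):
        """Hardened step 1: record the request instead of applying it, and issue an OTP."""
        self._require_admin(actor)
        otp = secrets.token_hex(4)
        self.pending[email] = PendingGrant(name, email, actor, otp)
        self.audit.append(("grant-requested", actor, email))
        return otp  # returned only so the example can simulate out-of-band delivery

    def verify_email(self, email, otp):
        """Step 2: the invitee proves control of the mailbox (constant-time compare)."""
        grant = self.pending[email]
        grant.email_verified = hmac.compare_digest(grant.otp, otp)
        return grant.email_verified

    def approve(self, approver, email):
        """Step 3: a different admin approves; the grant activates only if both checks passed."""
        self._require_admin(approver)
        grant = self.pending[email]
        if approver == grant.requested_by:
            raise PermissionError("approver must differ from the requester")
        self.audit.append(("grant-approved", approver, email))
        if grant.email_verified:
            self.admins.add(self.pending.pop(email).email)
        return email in self.admins
```

The audit list is what an operator would reconcile against HR records to notice an admin that nobody outside the requester vouched for.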