(On 15 January 2018, The Economic Times published an article by RS Sharma, the first Director General of the UIDAI, claiming that there has been no Aadhaar data breach till date. In this article republished from The Quint’s archives, we explain how the UIDAI is obliged to ensure security of demographic information, like your address, email ID, phone number, and thus any leak of this information – something Sharma accepts has happened – also counts as a breach of Aadhaar data, contradicting his claim. It was originally published on 9 January 2018.)
Ever since the publication of an investigative report by The Tribune that showed that access to Aadhaar information of every Indian in the country could be bought with ease, the UIDAI has characterised the report as a “case of misreporting”. They have also denied that any breach of the Aadhaar database took place.
For anyone who has read The Tribune report, this is quite difficult to swallow. The report describes in detail how their reporter gained access as an Enrolment Agency Administrator, and was able to view the name, address, postal code, photo, mobile phone number and email ID (among other information) of any person enrolled for Aadhaar.
As reported here, The Quint’s sources had also confirmed this information, and also noted that any such Administrator could provide this access to additional persons of their choosing.
How, then, is the UIDAI claiming that there has been no breach?
The Fixation With Biometrics
The Tribune article says a lot of things, but one thing it doesn’t mention even once is the word “biometric” – there is no allegation whatsoever that any Aadhaar holder’s biometric details were available or accessible. The UIDAI, however, has in its responses repeatedly mentioned how their biometric information is perfectly secure.
This focus seems to be an attempt on the part of the UIDAI to emphasise that unless biometric information is breached, there is no problem with any other information being accessed by unauthorised persons – they have, after all, in the FIR filed on 5 January, accepted that Rachna Khaira (The Tribune’s reporter) accessed personal and demographic information.
This can be seen in their press statement dated 7 January where they have said that “This is a case in which even though there was no breach of Aadhaar biometric database… it is for the act of unauthorized access, criminal proceedings have been initiated.” Or when they insisted in their first statement released on 4 January that “mere display of demographic information cannot be misused without biometrics.”
The language they have used in different statements displays an interesting change as well. In the first statement, they said that “there has not been any Aadhaar data breach. The Aadhaar data including biometric information is fully safe and secure.”
In their latest statement, this has now become: “there has absolutely been no breach of Aadhaar biometric database in any manner whatsoever.” So from claiming that no data was breached, they are now saying that only biometric data was not breached.
The big question therefore becomes: Does the fact that no biometric information was accessed mean there was no breach? The answer is, quite clearly: no.
The UIDAI’s Obligations Under the Aadhaar Act 2016
Section 28 of the Aadhaar Act 2016 imposes the following obligations on the UIDAI:
- To ensure security of identity information and authentication records of individuals;
- To ensure confidentiality of identity information and authentication records of individuals;
- To take all necessary measures to ensure that the information in the possession or control of the UIDAI is secured and protected against access, use or disclosure.
The obligation to take all necessary measures includes not just having strong security, but also ensuring that agencies, consultants, advisors or other persons working for the UIDAI have such measures in place. The responsibilities imposed on the UIDAI also need to be included in agreements or arrangements with such persons. Raman Chima, Policy Director at Access Now, points out that the wording of the obligation is crucial:
The UIDAI is statutorily obligated to protect all information in their possession or control, and not just the data stored in the Central Identities Data Repository. The fact that the Act says that the UIDAI “shall ensure” that all measures are taken shows this is not just some minor mention, but a strong obligation that the Authority is supposed to comply with.
The obligations of the UIDAI are not restricted to biometric information, which is what one might think, given the Authority’s constant references to biometrics. Instead, their obligations are with respect to an individual’s “identity information” – which is defined in section 2(n) to include “his Aadhaar number, his biometric information and his demographic information”.
The Act also defines “demographic information” to include an individual’s name, date of birth, address and so on – all of which were, as mentioned earlier, accessible to any Enrolment Agency Administrator.
It appears, therefore, that till 3 January 2018 at least (when The Tribune report was published), the UIDAI had failed to ensure security and confidentiality of identity information of individuals who had enrolled for Aadhaar.
If true, this would be a breach of their obligations under Section 28 of the Act.
Can the UIDAI be Held Accountable for This Breach?
As pointed out earlier, it is interesting that in its latest statement, the UIDAI is no longer denying that a breach of their non-biometric databases has taken place. Unfortunately, given the way the UIDAI is responding to all of this, there’s probably a lot more required to conclusively establish that the UIDAI failed its obligation under Section 28 of the Act. Let us, however, assume that we had all the necessary evidence to make that claim before a court or relevant authority.
Would we be able to make that claim in any effective manner?
This one is a lot harder to answer. The Aadhaar Act includes some very problematic provisions when it comes to recourse to legal options.
First off, there is no provision in the Aadhaar Act which allows for enforcement of the UIDAI’s obligations under it. No provision allows a private citizen to file even a civil complaint against the Authority, no matter what proof they might have of wrongdoing. The only complaint mechanism that exists under any Aadhaar legislation is Regulation 8 of the Aadhaar (Enrolment and Update) Regulations 2016, which allows you to complain to the UIDAI if your identity information has been wrongly shared or published.
Secondly, under section 47(1) of the Act, courts can only take cognisance of offences under the Act if the complaint is made by the UIDAI or a person authorised by it. This is a huge issue outside of this situation because it means that even if a private citizen is aware of a crime under the Act, they can’t file a report with the police. The breach of Section 28 doesn’t count as an offence under the Act per se, but section 47(1) also prevents any of us from making a complaint about any possibly related offences, such as disclosure of identity information (section 37) because of the UIDAI’s failure to ensure security.
Thirdly, section 52 of the Act includes a blanket protection for the Central Government and the UIDAI against any “suit, prosecution or other legal proceeding”, for anything which is done by them in good faith in relation to Aadhaar. It is likely that the UIDAI would look to use this to justify itself in any case, as they will always argue that their intentions even in building the system which allowed for such easy access to everyone’s demographic information, were good.
So what does that leave us with?
Thankfully, despite the attempt to bar all legal proceedings under section 52 of the Act, the High Courts or the Supreme Court are likely to say that a writ petition on the issue would not in fact be barred. There is a long line of binding cases that say that the jurisdiction of these courts can’t be taken away by the government through legislation.
This does not, however, guarantee any sort of effective action by the courts. The actual legal consequences of any writ petition are unclear at this point – even if granted, it is difficult to see what else the courts could do beyond issuing a writ of mandamus directing the UIDAI to improve its security. This doesn’t undo any existing breach, and offers no remedies to anyone whose data has already been accessed. And if the UIDAI still proves unable to protect the information, what then?
NB: The Economic Times has reported that they have been informed by a government official, who does not want to be named, that new security measures have now been introduced to “enable access only by entering the biometrics of the person whose details were sought to be verified.” The UIDAI has not released any statement on this, and even if true, this would not affect any prior failings regarding the UIDAI’s obligations.
Why Things Are Unlikely to Improve
There is one other option which could possibly be used. Under Section 48 of the Aadhaar Act, if the Central Government thinks that the UIDAI is unable to perform its duties, or the UIDAI has persistently defaulted in discharging its duties, then it can supersede the UIDAI for up to six months.
However, given that the ruling party and now the Law Minister have been defending the UIDAI and have consistently claimed even in earlier instances of breaches that no breaches have occurred, it is difficult to see the Central Government ever stepping in, no matter how bad things get.
And they will get worse. According to various IT law experts, the UIDAI’s approach means that we will continue to see breaches of Aadhaar data.
The kind of system that the Aadhaar framework is based on needs to continuously improve to combat security threats, but this involves acceptance and acknowledgment.
Regrettably, as Mr Chima puts it:
Instead of focusing on its requirements under the Aadhaar Act to protect all information that the UIDAI keeps, the UIDAI is focusing on suppressing information about these failures and instead prosecuting security researchers and journalists. Besides the fact of them possibly violating their own foundational law, the UIDAI does not have a constructive or effective approach to information security.
If the UIDAI wants to be able to seriously say that no breaches of its databases or its obligations have taken place, it needs to start inviting people to talk to them, and stop shutting down conversations with those who bring flaws in the system to light. If not, it will be clear that they are more interested in the illusion of security than actual security.