No malicious intent, more a misadventure: Investigators on IIT grad held in Aadhaar case

“If there was malicious intent, he would not have left a trail. There does not seem to be criminal intent. It is more of a misadventure,’’ a police officer said.

“Though there has been no data theft, the incident does imply that UIDAI must enforce security in eKYC User Agencies (KUA) and Authentication User Agencies (AUA) who are authorised to submit and receive authentication data,’’ the police officer said. Agencies investigating the case are wary of providing technical details of how Srivastava’s app “piggybacked’’ the e-hospital app developed for Digital India initiative out of fears that it could cause data security problems.

Several independent data security experts have, however, weighed in on the technical modus operandi employed by Srivastava to indicate that he may have gained access to the authentication key employed by the e-hospital app to avail the Aadhaar authentication services.

“eKYC enables private companies to build their own parallel databases. The government continues to assure us that there haven’t been any data breaches etc. However, eKYC ostensibly makes such data breaches unnecessary — because they just hand all the demographic data on a platter to private businesses,’’ Anand Venkatanarayanan, a data security expert, has stated in an online article on the unauthorised access of Aadhaar data by Srivastava’s app. “Data received from eKYC is more than enough for Aadhaar Type 1 authentication by private operators in UIDAI ecosystem without user consent and all it takes is a shared KUA/AUA key,’’ he has stated.

A deputy director of UIDAI filed a police complaint on July 27, stating that Srivastava and Qarth Technologies, a start-up he co-founded, accessed Aadhaar data without authority.