Opinion Insecure authority
Shooting the messenger is an old trick that doesn’t work. Instead of booking a reporter, UIDAI should address the report’s questions


Since the setting up of the Unique Identification Authority of India (UIDAI) in 2009, the issue of privacy and security of data has been at the heart of the debate around Aadhaar. These concerns have been magnified during the NDA’s current tenure, as Aadhaar is linked with an increasing number of services, from mobile phones to bank accounts. Whether and to what degree the government can mandate the use of the biometric-based unique identity is a matter before the Supreme Court. On Saturday, however, the institutional mechanism at the heart of the project acted in a manner that raises questions over the ethos by which it plans to deal with these questions, as well as any perception of lapses in its own functioning.
By initiating criminal proceedings against a newspaper and its reporter for a journalistic exercise highlighting possible gaps in its data security apparatus, the UIDAI has displayed a worrying lack of maturity and insecurity that it must rectify immediately.
A report in The Tribune on January 3 claimed that “It took just Rs 500, paid through Paytm, and 10 minutes in which an ‘agent’ of the group running the racket created a ‘gateway’ for this correspondent and gave a login ID and password.” Using the login, the reporter could ”enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted.” The UIDAI, immediately after the report was published, said that there had been no breach of biometric data and that “data was fully safe and secure”. On Saturday, a deputy director from the body proceeded to register an FIR against both the reporter and the publication along with those named in the story for cheating, fraud, forgery as well as under various sections of the Aadhaar and IT Act.
It is imperative that the UIDAI identify and prosecute any officials or employees who are complicit in a possible breach of data security. The way to do that, and assuage the public’s concerns over privacy, was to examine the events and issues raised by the report. Instead, it chose to shoot the messenger, to initiate a criminal prosecution that in the best case scenario shows an unwillingness to listen to criticism and at worst will be seen as an attempt to browbeat and intimidate a free press. If the UIDAI, as a relatively young independent organisation, needs a role model, it need not look far. Since the 2014 general elections, and particularly after the Uttar Pradesh polls, questions were raised by the Opposition over EVMs being tampered with to favour the BJP.
The Election Commission, in response, invited political parties to a “hackathon” to prove exactly how the machines could be meddled with. It is that attitude, marked by confidence and transparency, that the UIDAI must emulate. By filing an FIR over a newspaper report, it does just the opposite.