Once again Aadhaar, India’s biometric identification system, is in the eye of a storm after a report in Tribune India claimed that the entire data of 1 billion Indians could be accessed, or purchased, for just Rs 500 paid to a third party claiming to offer the service. Following the report, which has raised concerns, the Unique Identification Authority of India (UIDAI) has issued a denial, stating that no such data breach took place and insisting that all “Aadhaar data including biometric information is fully safe and secure.”
So what has happened with Aadhaar and is your data affected? Here’s a quick look.
What are the claims being made in the ‘Rs 500 for Aadhaar data’ news report?
According to the Tribune report, third-party sellers operating on WhatsApp are selling access to the entire Aadhaar database. The report claims these sellers created a gateway and login access for The Tribune reporter, who was able to enter the Aadhaar number of any individual and get all details, including photo, address, name, date of birth, etc. The report also claims the reporter paid another Rs 300 to get access to software that prints the entire Aadhaar card itself. Indianexpress.com cannot independently verify the authenticity of the report.
In response, the UIDAI, in a statement, said: “UIDAI has given the said search facility for the purpose of grievance redressal to the designated personnel and state government officials to help residents only by entering their Aadhaar number/EID. UIDAI maintains complete log and traceability of the facility and any misuse can be traced and appropriate action taken.”
UIDAI says this is how the reporter got access to the database
The Aadhaar authority may have denied a data breach per se, such as one where cybercriminals gain unlawful access to the Aadhaar database. However, the statement adds that this particular case reported by the Tribune “appears to be an instance of misuse of the grievance redressal search facility.” So, yes, UIDAI has a search facility for the entire Aadhaar database, which is only supposed to be accessed by authorised personnel.
UIDAI is claiming they can trace how this access was given and will take legal action against those involved. The agency also claims this “grievance redressal search facility gives only limited access to name and other details and has no access to biometric details.”
The body also claims that just having someone’s Aadhaar number would not “be a security threat or will not lead to financial/other fraud, as for a successful authentication, fingerprint or iris of individual is also required.” The agency insists all Aadhaar data is protected with the best technology and security standards.
The reason for worry is that this is not the first time there have been reports of leaks of Aadhaar data, which should ideally remain private. Previously, in November 2017, PTI reported that personal details of many Aadhaar users were made public on over 210 central and state government websites. The report added that UIDAI, in response to an RTI query, said it took note of the breach and got the data removed from those websites.
The body had said at the time, “It was found that approximately 210 websites of central government, state government departments including educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of general public.”
Is there a way to prevent misuse of biometrics and Aadhaar data?
Misuse of biometrics is one of the biggest dangers that privacy activists highlight. A user cannot change their fingerprint or iris scan if this kind of sensitive data is stolen. However, the UIDAI website says Aadhaar users can lock their biometrics so as to prevent any kind of authentication.
The procedure to lock the biometrics, according to UIDAI, is this:
A person can go to http://resident.uidai.gov.in/biometric-lock and enter their Aadhaar ID; a security code appears on the screen, and an OTP is then sent to their mobile number. Once logged in, just toggle the biometric lock option on. Remember, if you do this you will not be able to use your fingerprint to authenticate any eKYC transaction that uses biometrics.
The mobile number has to be the one registered with UIDAI to get the OTP, else you will be unable to carry out this step. If you need to update the mobile number linked with Aadhaar, you will have to go to an Aadhaar centre with the required documents and proof for the same. This step cannot be carried out online.