Linking Aadhaar can land you in soup!!
Time and again, whenever a security allegation is made against the Aadhaar ecosystem, the Unique Identification Authority of India (UIDAI) comes out with a standard response: the allegation in question is irrelevant to security, the Aadhaar 'system' (read: biometric database) is completely secure, and, in certain cases, an FIR is filed against the reporter. The latest security allegations against Aadhaar come from French researcher Robert Baptiste (going by the alias Elliot Alderson), who claims to have found 20,000 Aadhaar cards publicly online within a span of 3 hours.
The UIDAI's response to this (a statement on Twitter which is assumed to be in response to Baptiste's allegations) is extremely worrying. It states, first of all, that people should share Aadhaar freely, and second, that disclosure not only of Aadhaar numbers but also of PAN numbers, bank account numbers and passport numbers poses no threat to the security of the systems of which they are a part (see Tweet number 7/n). It appears that, as per the UIDAI, the only data worth protecting is biometric data, and the only thing that constitutes a threat to the 'system', any system, is a large-scale technical breach.
1. The UIDAI's statement: Aadhaar is not confidential
2. Disclosure of Aadhaar, PAN, and bank account numbers is extremely harmful
The UIDAI has always taken an extremely narrow stance on privacy, concerning itself only with biometric data. It has also betrayed an absolute lack of understanding of the risk that data disclosures pose to people in today's world of cybercrime. This was seen, for instance, with The Tribune story, after which the UIDAI made a statement that the demographic data disclosed, like name, date of birth, address, PIN, photo, phone number and e-mail, cannot be misused. The UIDAI's latest statement has now added Aadhaar, PAN, passport and bank account numbers to this list of data whose disclosure is supposedly not harmful.
Consider a simple method of cybercrime today: account recovery mechanisms. These may be on the income tax website or a bank's website. Consider the data that is normally needed to recover a password: PAN number, account number, date of birth, e-mail, and so on. A password is needed, sent either to an e-mail address or via OTP. To give one example, passwords to an e-mail account can quite easily be found on the dark net (see this report on how a person's e-mail account was hacked into within 36 hours using just their name).
OTPs have been extracted from people, whether through fraudulent phone calls or through duplicating SIM cards. Consider this report where the victim's bank account was emptied after a duplicate SIM was obtained via a fraudulent phone call made under the pretext of Aadhaar-SIM linking. Reports have similarly arisen of scams said to be related to Aadhaar-linked bank accounts and Aadhaar-based UPI apps.
3. Aadhaar, PAN, bank account numbers are huge targets for cybercriminals
4. In such a situation, instead of treating this data with utmost confidentiality, the UIDAI has instead dismissed their value towards the security of various systems.
5. UIDAI contradicts its own statement on Aadhaar number confidentiality
The most surprising part of this statement is that the UIDAI has, in fact, contradicted its own statements and actions in the past with respect to protecting the Aadhaar number. Consider the Virtual ID system. Without going into the problems that the Virtual ID system in itself has, the whole purpose of Virtual ID is to protect the Aadhaar number; to prevent its disclosure.
6. The UIDAI has also, in the past, advised people to be 'very discreet' in sharing their Aadhaar number. The same can be seen in the Aadhaar Act and regulations themselves, where the publication of Aadhaar numbers is a punishable offence (see Section 29 of the Aadhaar Act and Regulation 6 of the Aadhaar (Sharing of Information) Regulations).
7. UIDAI says sue for civil damages
In the last part of its statement, the UIDAI suggests that people's remedy for any data disclosed is to sue the publisher for civil damages for violation of privacy. The UIDAI's statement, however, does not mention whether any effort was made on the UIDAI's part to investigate the reports (Baptiste's or otherwise) before dismissing them as irresponsible. In the past, the UIDAI had similarly dismissed The Tribune story as misreporting, and then later went on to file the FIR.
8. People's remedies under the law
The Aadhaar Act, it must be remembered, authorizes only the UIDAI to act against violations of the Aadhaar Act, including such publications of Aadhaar numbers (See Section 47 of the Aadhaar Act). The people have been given no power to act against it, beyond filing a grievance. Thus, people have no remedy under the Aadhaar Act.
People's remedies are those provided under the Information Technology Act. Section 43A of this Act grants damages by way of compensation. However, for this, a wrongful loss has to be proved. This can be difficult, particularly when the effects of a loss of data are often felt much later, by way of a cybercrime. In fact, when a cybercrime occurs, it is often difficult to find out where the data used for the crime was sourced from. Another option is Section 72A, but this only penalizes a deliberate disclosure of data, made with the intent to harm a person, and in breach of contract.
The main issue with these remedies is, first of all, that most people will not even know if their data was disclosed via such a publication. Secondly, even if they do know, most people will not be in a position to pursue a case in a court of law unless the damage is significant. Add to this the UIDAI's statements that the disclosure of this data will not harm the system, and people's incentive to act against such disclosures reduces further.
9. UIDAI's responsibility to act against violations
This is one of the reasons why the proposal of class action lawsuits under the Data Protection Framework is so welcome. With the inadequacy of current regulations, the solution, therefore, lies with penalizing the publisher and having the data removed. This power, however, lies only with the UIDAI, making its responsibility to act against such violations that much greater.
10. The UIDAI has long needed to take a much more responsible approach to privacy. Where the UIDAI should be advising people to treat such data with extreme caution, a statement like the current one sends a very wrong signal to the people. It needs to recognize how critical the data in its possession is and work with the people to protect it.
Hopefully, the ongoing hearings in the Supreme Court will result in the required privacy obligations on the UIDAI, as well as greater rights for the people.
They want Modi to solve all the problems in 5 years which Congress took 70 years to create.
This is only due to those criminals being caught identifying their phone place; numerous bank accounts identified with HUGE AND BULK UNDECLARED MONEY, lockers found with bundles of currency, property documents [BANKS HAD A COMMITMENT NOT TO DISCLOSE A/c as well as the lockers, which became a boon to those afraid of keeping it in the house or in business].