Linking Aadhaar can land you in soup!!

The UIDAI needs to realize the harm sharing Aadhaar, PAN and other crucial data can cause to the system
Time and again, whenever a security allegation is made against the Aadhaar ecosystem, the Unique Identification Authority of India (UIDAI) comes out with a standard response: the allegation in question is irrelevant to security, the Aadhaar 'system' (read biometric database) is completely secure, and, in certain cases, an FIR against the reporter. The latest security allegations against Aadhaar come from French researcher Robert Baptiste (going by the alias Elliot Alderson), who claims to have found 20,000 Aadhaar cards publicly online, within a span of 3 hours.
The UIDAI's response to this (a statement on Twitter which is being assumed to be in response to Baptiste's allegations) is extremely worrying, stating that first of all, people should share Aadhaar freely, and second of all, that disclosure of not only Aadhaar numbers, but also PAN numbers, bank account numbers and passport, poses no threat to the security of the systems of which they are a part (See Tweet number 7/n). It appears that as per the UIDAI, the only data worth protecting is biometric data, and the only thing that constitutes a threat to the 'system', any system, is a large-scale technical breach.
1. The UIDAI's statement: Aadhaar is not confidential
2. Disclosure of Aadhaar, PAN, and bank account numbers is extremely harmful
The UIDAI has always taken an extremely narrow stance on privacy, concerning itself only with biometric data. It has also betrayed an absolute lack of understanding of the risk that data disclosures pose to people in today's world of cybercrime. This was seen, for instance, with The Tribune story, after which the UIDAI made a statement that the demographic data disclosed, like name, date of birth, address, PIN, photo, phone number, and e-mails cannot be misused. The UIDAI's latest statement has now added Aadhaar, PAN, passport, and bank account numbers to this list of data, the disclosure of which is not harmful.
Consider a simple method of cybercrime today: account recovery mechanisms. This may be of the income tax website or a bank's website. Consider the data that is normally needed to recover a password: PAN number, account number, date of birth, e-mail, and so on. A password is needed, sent either to an e-mail or via OTP. To give one example, passwords to an e-mail account can quite easily be found on the dark net (See this report on how a person's e-mail account was hacked into within 36 hours using just their name).
OTPs have been extracted from people, whether through fraudulent phone calls or through duplicating SIM cards. Consider this report where the victim's bank account was emptied after obtaining a duplicate SIM, obtained via a fraudulent phone call made under the pretext of Aadhaar-SIM linking. Reports have similarly arisen on scams which are said to be related to Aadhaar linked bank accounts, and Aadhaar based UPI apps.
3. Aadhaar, PAN, bank account numbers are huge targets for cybercriminals
4. In such a situation, instead of treating this data with utmost confidentiality, the UIDAI has instead dismissed their value towards the security of various systems.
5. UIDAI contradicts its own statement on Aadhaar number confidentiality
The most surprising part of this statement is that the UIDAI has, in fact, contradicted its own statements and actions in the past with respect to protecting the Aadhaar number. Consider the Virtual ID system. Without going into the problems that the Virtual ID system in itself has, the whole purpose of Virtual ID is to protect the Aadhaar number; to prevent its disclosure.
6. The UIDAI has also, in the past, advised people to be 'very discreet' with sharing their Aadhaar number. The same thing can also be seen looking at the Aadhaar Act and regulations themselves, where the publication of Aadhaar numbers is a punishable offence (See Section 29 of the Aadhaar Act and Regulation 6 of the Aadhaar (Sharing of Information) Regulations).
7. UIDAI says sue for civil damages
In the last part of its statement, the UIDAI suggests that people's remedy for any data disclosed is to sue the publisher for civil damages for violation of privacy. The UIDAI's statement, however, does not mention if any effort was made on the UIDAI's part to investigate the reports (Baptiste's or otherwise) before dismissing them as irresponsible. In the past, the UIDAI had similarly dismissed The Tribune story as misreporting, and then later went on to file the FIR.
8. People's remedies under the law
The Aadhaar Act, it must be remembered, authorizes only the UIDAI to act against violations of the Aadhaar Act, including such publications of Aadhaar numbers (See Section 47 of the Aadhaar Act). The people have been given no power to act against it, beyond filing a grievance. Thus, people have no remedy under the Aadhaar Act.
People's remedies are those provided under the Information Technology Act. Section 43A of this Act grants damages by way of compensation. However, for this, a wrongful loss has to be proved. This can be difficult, particularly when the effects of a loss of data are often felt much later, by way of a cybercrime. In fact, when a cybercrime occurs, it is often difficult to find out where the data used for the crime was sourced from. Another option is Section 72A, but this only penalizes a deliberate disclosure of data, made with the intent to harm a person, and in breach of contract.
The main issues with these remedies are that, first of all, most people will not even know if their data was disclosed via such a publication. Secondly, even if they do know, most people will not be in a position to pursue a case in a court of law, unless the damage is significant. Add to this the UIDAI's statements that the disclosure of this data will not harm the system, and people's incentive to act against such disclosures reduces further.
9. UIDAI's responsibility to act against violations
This is one of the reasons why the proposal of class action lawsuits under the Data Protection Framework is so welcome. With the inadequacy of current regulations, the solution, therefore, lies with penalizing the publisher and having the data removed. This power, however, lies only with the UIDAI, making its responsibility to act against such violations that much greater.
10. The UIDAI has long since needed to take a much more responsible approach to privacy. Where the UIDAI should be advising people to treat such data with extreme caution, a statement like the current one can send a very wrong signal to the people. It needs to realize the cruciality of the data in its possession and work with the people to protect this data.

Hopefully, the ongoing hearings in the Supreme Court will result in the required privacy obligations on the UIDAI, as well as greater rights to the people.

Dear Sir, The Aadhar Number is the unique identification number - just like our name and address. We are giving details for opening bank accounts, for getting loans, for insurance policies, for transfer of properties etc. etc. We are even providing our date of birth and telephone numbers while purchasing even a Mixie or a phone. We are getting greetings from these companies regularly. So, what is wrong in providing an identity to a database and using the number for transactions? Without this we have to provide multiple documents and spend hours filling forms and submitting documents to the bank for opening an account - Now, banks offer a 5 minutes opening of account. The forms required to be filled to get a mobile connection were so cumbersome - Now, mobile connection is ready in few minutes. For getting a loan may take days - if not months to get sanction - Now, it is a matter of minutes - that too at the comfort of your home - no need to visit the bank even! The benefits are numerous. But any system may have some problems in its initial stages. So, let us make the system fool proof and enjoy the freedom. Let us consider the Aadhar Number as our name - The name is ours but it is not at all used by us and it is used only by others! It is the identity of each one of us and be proud to introduce ourselves with the confirmed identity. Babu
Linking of aadhar is important like IT, Bank A/C, Properties for Govt. use but privacy should not be exposed of any individual. Govt. to ensure.
aadhar is necessary for smooth running of finance of the country. Make it safe, also
Csn, u r right. While there may be some genuine objection to Adhar (and good people put up reasonable arguments too). But mostly Modi baiters are Adhar haters. They are part of 'Award waapsi' group who returned their awards to Govt only to humiliate Modi, at the order of their Congress bosses.
They want Modi to solve all the problems in 5 yrs, which Congress took 70 years to create.
Still I could not understand what additional information Aadhaar Card possesses than the EXISTING ID Cards. Uproar is only because of individual objections to link their Bank Accounts and Phones STILL TO BE AWAY FROM IDENTIFICATION AND TIME-BOUND LOCATION.

This is only due to those Criminals being caught identifying their Phone place; Numerous Bank Accounts identified with HUGE AND BULK UNDECLARED MONEY, Lockers found with Bundles of Currency, Property Documents [BANKS HAD COMMITMENT NOT TO DISCLOSE A/c as well as the Lockers which became a boon to those afraid keeping in house or on Business].
People by and large some people may not be against Aadhar. But the UIDAI has failed to secure and protect data and our data is available in public domain. This is certainly not good. Nevertheless, now Supreme Court has extended Aadhar linkage limit indefinitely.
Ms. Ramamani should know that when Aadhar is linked, there are many advantages to the Government who can easily identify the corrupt, anti nationals, pro pakistanis multiple pan card holders etc.