Thursday, January 4, 2018

FIR filed in Aadhaar data leak case; all info safe, says UIDAI

The Unique Identification Authority of India (UIDAI) has registered an FIR for unauthorised access to Aadhaar data, such as names and other demographic details, due to the misuse of the grievance redressal facility at the office of the Surat district administration in Gujarat. The breach came to light following a report in The Tribune that claimed an "agent" available on WhatsApp facilitated access by a login ID and password to the particulars of any Aadhaar number.

The agent, the report claimed, was paid Rs 500 through Paytm. Particulars such as name, address, postal code, photo, phone number and email were accessed and the Aadhaar card printed, the report said. UIDAI denied that the breach allowed access to millions of Aadhaar cardholders' details, saying the search facility is available for the purpose of grievance redressal to designated personnel and state government officials and details are limited to the particular Aadhaar number punched in.

The system did not provide an avenue to other cardholders. Demographic information cannot be misused without biometrics, UIDAI said. An FIR has been filed at Mohali from where the "purchase" of access to Aadhaar data was reported. Officials said they are taking the unauthorised use of the grievance mechanism seriously and will work with police to trace people involved in making the login ID and password available to a private entity, which will also be investigated. "UIDAI assures there has not been any Aadhaar data breach. The Aadhaar data, including biometric information, is fully safe," UIDAI said, adding the redressal mechanism was intended to help residents by entering their Aadhaar or enrolment number.

Stating that the given case appears to be a misuse of the grievance redressal search facility, UIDAI said it maintains a complete log and traceability and legal action will follow. "UIDAI reiterates that the grievance redressal search facility gives only limited access to name and other details and has no access to biometric details," it said.

The media report also mentioned that groups operating on the internet targeted village-level enterprise (VLE) operators operating under the Common Service Centres Scheme and said the VLEs had gained illegal access to Aadhaar data to subsequently claim to provide "Aadhaar services". A UID official said they were looking at the claim but pointed out that enrolment agents did not have access to the Aadhaar system.

With the Supreme Court due to soon pronounce on the validity of the use of Aadhaar for a range of services, the claim of a data theft raised a flurry of reactions, with Left leaders saying the incident exposed the frailty of the UID system. Senior police officials told TOIthat by entering Aadhaar numbers, one could get details that are available on an Aadhaar card, along with the phone number. Kiran Jonnalagadda, cofounder at tech discussion forum HasGeek and Internet Freedom Foundation, said the Aadhaar system is insecure.

"The backdoor has already been opened. It is quite easy to hack into their systems and the stolen demographic identities can be misused in a lot of ways," he said. He is one of the petitioners in a petition demanding proper auditing of Aadhaar database. Aperson working with the government on Aadhaar-related projects said while leaks should not happen, no material leak had happened in this case.

"Aadhaar has less information about you than even the voter ID card," he said, adding that such leaks could happen even in the voter ID card system or the RTO. The Indian system does not allow any agency, including the government, to access a resident's data, without authorisation from the person. He said telecom operators and others in the US can look up a citizen's data by accessing his/her social security number without even the citizen knowing about it.

UIDAI said Aadhaar is not a secret number. It is to be shared with authorised agencies whenever an Aadhaar holder wishes to avail a certain service or benefit from government schemes.

No comments:

Post a Comment