Abhinav Srivastava’s (31) arrest for accessing the data by piggybacking on the e-hospital app (Representational Image) Abhinav Srivastava’s (31) arrest for accessing the data by piggybacking on the e-hospital app (Representational Image)

An IIT graduate arrested by Bengaluru Police on charges of unauthorised access of Aadhaar demographic data did not have any malicious intent in accessing the data through an app he developed, a senior police officer investigating the case has said. However, Abhinav Srivastava’s (31) arrest for accessing the data by piggybacking on the e-hospital app — which is authorised to carry out Aadhaar authentication — does mean that UIDAI has to ensure that hundreds of user agencies accessing Aadhaar data for authentication do not leave loopholes that allow piggybacking, the officer said.

According to the official, Srivastava developed the app as part of his interest and the app on Google Play Store did not store data of nearly 50,000 users, but only provided demographic information.

“If there was malicious intent, he would not have left a trail. There does not seem to be criminal intent. It is more of a misadventure,’’ a police officer said.

“Though there has been no data theft, the incident does imply that UIDAI must enforce security in eKYC User Agencies (KUA) and Authentication User Agencies (AUA) who are authorised to submit and receive authentication data,’’ the police officer said. Agencies investigating the case are wary of providing technical details of how Srivastava’s app “piggybacked’’ the e-hospital app developed for Digital India initiative out of fears that it could cause data security problems.

Several independent data security experts have, however, weighed in on the technical modus operandi employed by Srivastava to indicate that he may have gained access to the authentication key employed by the e-hospital app to avail the Aadhaar authentication services.

“eKYC enables private companies to build their own parallel databases. The government continues to assure us that there haven’t been any data breaches etc. However, eKYC ostensibly makes such data breaches unnecessary — because they just hand all the demographic data on a platter to private businesses,’’ Anand Venkatanarayanan, a data security expert, has stated in an online article on the unauthorised access of Aadhaar data by Srivastava’s app. “Data received from eKYC is more than enough for Aadhaar Type 1 authentication by private operators in UIDAI ecosystem without user consent and all it takes is a shared KUA/AUA key,’’ he has stated.

A deputy director of UIDAI filed a police complaint on July 27, stating that Srivastava and Qarth Technologies, a start-up he co-founded, accessed Aadhaar data without authority.

📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines

For all the latest India News, download Indian Express App.