If there was ever a case of shoot the messenger, it is this.

The UIDAI, the body which runs the Aadhaar project in India, has written to the Centre for Internet & Society suggesting that their disclosure of the fact that the data of 130 million Aadhaar users is being publicly disclosed on the Internet is owed to a hack-attack, reports the Times of India. On being contacted by MediaNama, Pranesh Prakash, Policy Director at CIS told MediaNama that “We are waiting for an official copy of the letter, and once we receive it we will decide on our future course of action.” The UIDAI told MediaNama that they’ll get back to us, and declined to share a copy of the letter with MediaNama.

So what we have from the Times of India report is the following:

– The UIDAI has argued that the data downloaded from one of the websites – the National Social Assistance Program – could not have been accessed unless a website was hacked. They’ve alleged data theft, and asked CIS for details of the people involved in this.

– They’ve asked CIS to reply to the notice before May 30th 2017, pointing towards the fact that violations of the IT Act could lead to rigorous imprisonment for 10 years.

– They’ve asked for how much of this data – of 130 million – is in their possession.

On their part, while CIS has refused to comment, specific responses to these concerns were responded to by CIS a few days ago, via a clarification (PDF):

Q6. Did CIS violate any legal or regulatory provisions in course of its research?

The relevant sections of the Information Technology Act, 2000 that some have argued is applicable to this case are Section 43 – “Penalty and compensation for damage to computer, computer system, etc.”, Section 65 – “Tampering with computer source documents”, and Section 66 – “Computer related offences”, often known as the hacking provisions. For CIS researchers to have violated either of these three provisions, it would need to be shown that they either could “accesses or secures access to such computer, computer system or computer network or computer resource” and did so “without permission of the owner or any other person who is in charge of a computer, computer system or computer network” [Section 43(a), and Section 66] or “tampered with computer source documents” [Section 65]. Neither of these provisions are applicable in this case, including in the case of changing the public URL string “login” to “nologin” while accessing the SNAP website, can be seen in page 6 of the report. The reasons for this inapplicability are as follows:

1. Prior and Proactive Publication – All the databases mentioned in the report had been proactively published by the concerned government departments and had been available in the public domain for a significant period of time prior to the intimation provided to the government authorities and CIS publishing the report. These datasets were not protected or secured in a manner that would prevent an ordinary member of the public from accessing them.

2. Public Availability via Search Engines – In the absence of a robots.txt exemption or alternative means to restrict search engines access, the significant portion of the data was widely crawled and indexed by search engines and available to anyone typing in the right keywords on the search engine. This public availability via widely used search engines not only made it far easier for this information to be accessed but also made it

possible for it to be discovered inadvertently, significantly compromising the privacy of the affected individuals 3. Lack of Access Controls for Sensitive Data – The datasets used in the study were not guarded by any form of access control, including usernames, passwords or any other unique identifier that controlled access to them in any form. The lack of protection for such sensitive personal and financial information allowed for the data to be accessed without unique knowledge or significant effort, a fact we have highlighted in the report. Given that there was no access control placed on the data, that it was publicly indexed by search engines and all of this was enabled via the proactive publication of such data by government departments, it cannot remotely be claimed that access to the data was procured “without permission of the owner or any other person who is in charge of a computer, computer system or computer network”. If what CIS researchers did violate the law, then every single person visiting the government website without taking prior approval from the site’s owner would be violating the law as well. Clearly that is not what the law is meant to do and as not been done in this case. Keeping these facts and the law in mind, there is no violation of the Information Technology Act, 2000 due to the research method adopted for this report, the intimation to government authorities Q7: Was there a violation of the law due to the actions of other

parties?

While none of the research dealt with the CIDR at the UIDAI or any other information stored with the UIDAI, the proactive publication of such documents (by unrelated government departments) without access controls and allowing it to be indexed by search engines by concerned departments does have ramifications with regard to the Aadhaar (Targeted Delivery of Finanancial and other Subsidies, benefits and services ) Act, 2016 and its Aadhaar (Shring of Information) REgulations, 2016 (No.5 of 2016). These liabilities exist between the UIDAI and the concerned departments which published this information and do not involved CIS in any manner. Further, the publication of Aadhaar numbers by the government portals was in violation of Section 29(4) of the Aadhaar Act, 2016, under Rule 6 of the Aadhaar (Sharing of Information) Regulations. They were also not mandated by the right to Information (RTI) Act, under the section on proactive disclosure (Section 4). Indeed, section 8(1)(j) of the RTI Act specifically states that there is no obligation to release personal information which is not related to public activity or for the larger public

interest. CIS is not responsible for any of these practices nor for reporting the same via a documented, methodological and open access report.

Our Take

This, on the face of it, is just vindictiveness, and it is shameful. The UIDAI has failed to protect Aadhaar data, failed to take action against government departments who have leaked Aadhaar data by the millions (read this), and indeed, several government departments and the UIDAI have violated provisions of the Aadhaar Act themselves (read this), by releasing user Aadhaar numbers online. Ministers in the government have published photos which disclose people’s Aadhaar numbers.

It’s important that CIS India has disclosed that government departments were releasing this data online, is not the same as CIS is disclosing private data. What they’ve done is in the interest of the citizens of this country. It’s important — maybe not in the interest of UIDAI — that people know that the government’s data management practices are shoddy and have put people’s well being in danger by publishing online data like the Aadhaar number, bank account numbers, mobile numbers. 130 million is no small number.

Instead of accepting that the UIDAI has failed in its duty, the organisation is now – on the basis of the Times of India report – appears to be threatening the entity that has served the public interest.

This is not new, though. In the past, they’ve filed a case against a journalist for exposing flaws in Aadhaar enrolment, and (allegedly) against Sameer Kochhar who said Aadhaar can be hacked.

What does this achieve? It has a chilling effect on future disclosures of the failures of the Central and State Governments, and the UIDAI. Preventing people from disclosing government failures doesn’t lead to fewer failures: it leads to a reduction in checks and balances, putting people at more risk. It’s the same risk that this country runs if we have a vipaksh-mukt-bharat. Whistleblowing, disclosures, criticism and opposition is necessary for a healthy democracy, and we need more watchdogs ensuring that incompetence from government departments are highlighted, so that they clean up their act (and the draconian Aadhaar Act which robs citizens of rights over their own data, while they’re at it).

One thing worth noting here is that instead of filing a case directly, in this instance, they’ve sent a note. Typically, their reaction has been knee-jerk, where they’ve filed cases. Perhaps they know they don’t have a leg to stand on.