In the course of an extremely disturbing data breach, the Indian government has potentially violated the privacy of over one billion of its citizens. Now, instead of rushing to fix the problem that has exposed the private information of over 90% of Indians, it is criminally investigating the journalists who brought it to the public’s attention.



A branch of the Indian government filed a police complaint last week launching an investigation into journalist Rachna Khaira and the Tribune of India, after the publication released a report describing what looks to be a massive vulnerability in a government database that is being exploited by an unknown group to sell highly sensitive and private data about Indian citizens.



Khaira wrote an article on January 4 detailing how reporters were able to easily purchase access to the personal information of over one billion Indian citizens from the national identity database—for the price of approximately $8 USD. She bought the access from an unknown seller, and settled the small fee via digital payment. The Unique Identification Authority of India (UIDAI), which manages the database, initially denied the breach of the system before filing a complaint against the journalist and her publication and accusing them of criminal conspiracy.



The Aadhaar database is the largest of its kind in the world, and contains both biometric data like fingerprints and personal details like addresses and phone numbers, that, when combined, build unique and detailed profiles of its citizens. Participation in the database is required to access basic services like filing tax returns, and this normalization of government collection and retention of such intimidate data raises serious civil liberties and privacy concerns.



The Tribune reported that this isn’t the first time the database has been breached, and that the UIDAI is aware of past unauthorized attempts to access the database. Many Indian privacy advocates have long been warning that exactly this type of worst case scenario would occur.



At a minimum, the size and sensitivity of this system should make its security a paramount priority for UIDAI, since this concentration of identifying information makes it extremely susceptible to exploitation. So far, the agency hasn’t addressed the vulnerability or closed the loopholes in the system discovered by security researchers and journalists, but rather attacked the press for doing its job.



The police complaint, called a First Information Report, has been widely condemned by human rights and press freedom organizations, including the Editors Guild of India and Amnesty International. Edward Snowden, Freedom of the Press Foundation’s board president, wrote on Twitter this week: