The “relative print” feature in the Aadhaar enrolment client

Every enrolment operator has always had full access to every resident’s demographic data

On 3 January, 2017, The Tribune published one of the best-kept secrets in the Aadhaar enrolment ecosystem: that anyone can access the demographic details of all residents by paying just ₹500.

The news sent shock waves, and the UIDAI — which did not have a Chief Information Security Officer (CISO) and hence lacked a Standard Operating Procedure (SOP) — responded in a predictable pattern.

First came the denial:

Then came the police case:

And when that blew up, obfuscation and deflection, asserting that even if access was indeed available, it was impossible to get the details of one billion residents:

While this was called out by Kiran Jonnalagadda in his Mint opinion column, the assumption in his response was that a name search was not available (emphasis added):

The Tribune breach required one to know an Aadhaar number to retrieve personal information. It takes a computer mere seconds to produce all 80 billion possible Aadhaar numbers. The one billion currently-valid numbers can be filtered out by using the 130 million already-leaked numbers, and the rest using a number of verification services, including UIDAI’s own — which is technically protected by a “captcha” to prevent such automated attempts, but which is so trivial that amateurs break it to win programming contests, and then share on code repository GitHub.com.

This assumption is flawed. Through forensic investigation of publicly available sources, we can show that everyone who had access to the Aadhaar enrolment client could view any resident’s demographic information merely by searching for a name.

Two stories and a familiar response

The Twitter handle @databaazi alerted its followers that anyone who knows an enrolment operator can obtain the details of any resident through a name query.

This is an explosive claim, and it needs proof to substantiate it. Two stories by Times of India reporter Sunitha Rao provide an early indicator that this was indeed the case.

On August 31, 2015, TOI published a story that PVC cards are available without any check. The story had some interesting details.