The breach points, yet again, to major concerns with the security of data in the Aadhaar ecosystem.

The increased focus on social media and technology as an enabler for the current elections meant that it was only a matter of time before reports of misuse of data for political purposes arose. The current report of finding 7.8 crore Aadhaar data records with IT Grids (India) Pvt Ltd, which were for use in the Seva Mitra app, is, however, not significant for this misuse. Instead, its significance lies in the fact that it has, for the first time, led to the UIDAI acknowledging the possibility of a large-scale breach of the Central Identities Data Repository (CIDR) and the State Resident Data Hubs (SRDH).

The breach points, yet again, to major concerns with the security of data in the Aadhaar ecosystem. The UIDAI, in fact, has also not ruled out the possibility of an internal breach by its employees. Apart from this, there is a possibility of offshore transfer of the data, leading to fears of exposure to foreign elements.

On the find of 7.8 crore data records

At present, the Hyderabad police have filed an FIR against IT Grids on a complaint by the UIDAI. The complaint, filed by Bhavani Prasad, the Deputy Director of the UIDAI, indicates numerous violations of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and the Information Technology Act, 2000, as well.

As per the complaint, an investigation of IT Grids led to the suspicion of its use of stolen voter information and Aadhaar data of Andhra Pradesh and Telangana, for voter profiling, targeted campaigning and even deletion of votes. The use was through the Seva Mitra application, an application which IT Grids had developed for the Telugu Desam Party (TDP).

FIR 278/2019 by Cyberabad Police in Madhapur on the request of @UIDAI against IT Grids Pvt Ltd. First time in a #Aadhaar case there is a forensic investigation which was missing in all other UIDAI security claims. pic.twitter.com/8gDI3LmpRt — Srinivas Kodali (@digitaldutta) April 15, 2019

Digital evidence, including hard disks seized from the IT Grids office, was examined by the Telangana State Forensic Science Laboratory (TSFSL). It was found to contain over 7.8 crore records of Aadhaar data. The fields of data included the Aadhaar number, the Aadhaar enrolment ID, the person’s name, his guardian’s name, his address and his contact details. So far there is no indication of the inclusion of biometric data, though some reports have suggested that photographs were also present.

‘Surprisingly similar’ database to that of the UIDAI’s

The UIDAI in its complaint states that the structure and size of this database are ‘surprisingly very similar’ to the databases that were originally owned by the UIDAI. Of the numerous fields of data that were found, the complaint takes particular note of the presence of Aadhaar enrolment IDs, stating that this indicates that the data was either from the CIDR or the SRDHs. The complaint thus, for the first time, shows the UIDAI acknowledging a possible breach of the CIDR and SRDHs, as opposed to its characteristic denial.

UIDAI acknowledges possible internal breach as well as hacking

Further, the complaint lists Section 38(g) of the Aadhaar Act among those violated, a section that deals with the UIDAI or its officials revealing any identity information in contravention of the Act. This shows that the UIDAI is considering the possibility of an internal breach through its officers for the first time as well.

The UIDAI also suspects hacking, possibly in the form of the source code of the CIDR or the SRDHs being tampered with, since Section 65 of the Information Technology Act, 2000 (Tampering with computer source documents) has also been listed in the complaint.

Provisions for the breach of the database itself

Apart from these, a number of additional sections have been listed for the theft of the data in itself. These include Section 29 of the Aadhaar Act for the sharing and use of the identity information for a purpose outside the scope of the Act, Section 40 of the Aadhaar Act for the misuse of identity information by the requesting entities and Section 42 for any residuary violations. It also lists other violations of the IT Act, including Section 66B for the dishonest receipt of a stolen computer resource (i.e., the receipt and use of the Aadhaar database) and Section 72A for the disclosure of information in breach of a lawful contract.

Though not listed, the breach also points to the violation of Sections 38(a) and (b) of the Aadhaar Act for access to and download of data from the CIDR.

Offshore storage of data

Another particular concern is that the data with IT Grids is suspected to have been hosted with Amazon Web Services in the US and other offshore facilities, raising questions as to the extent to which the data has been exposed to foreign elements as well. Even though the data exposed does not appear to include biometric data, it is a point of concern that the laws at present do not propose separate or heightened penalties for the disclosure of such sensitive data to foreign locations.

Penalties up to a crore and three years of imprisonment

It is clear that the UIDAI is considering violations at various levels including internally, through the requesting entities, or through any other entity in the Aadhaar ecosystem. The violations listed together draw a penalty of up to three years of imprisonment, and fines of up to Rs 10 lakhs. A more major penalty is under Section 33A of the Aadhaar and Other Laws (Amendment) Ordinance, 2019, which allows a penalty of up to Rs 1 crore for an entity failing to comply with the Aadhaar Act (the Ordinance has currently been challenged before the Delhi High Court). This section, however, has currently not been listed under the complaint.

Moving forward

The vulnerability of the Aadhaar ecosystem has long been a major bone of contention between those for and against Aadhaar, including in the Aadhaar case fought last year. The acknowledgment of this after years of denial will be very welcome for the anti-Aadhaar activists.

Our government has been lying to us about Aadhaar. Once they've collected this data, the exposure surface (of people involved+ with whom it is shared) is so vast, that it is bound to leak. It has been leaking: from the beginning, collection, till today, and will continue to leak. https://t.co/kcxv9YFIRg — Nikhil Pahwa (@nixxin) April 15, 2019

The acknowledgement, however, will need to be followed up with proper steps to secure the CIDR itself as well as to protect the data that has been exposed. The off-hand storage of the data overseas is a major point to be addressed as well, given the exposure it entails to foreign elements.

The author is a lawyer specialising in technology, privacy, and cyber laws.