Aditya Madanapalle

A Medium post by the user St_Hill points out four issues with Aadhaar. Aadhaar cards are used by organisations and institutions as a proof of address, when it is clearly not meant to be one. Aadhaar is only a proof of identity. On the ground, the possession of a physical Aadhaar card is considered an identity proof in airports, trains and other places, even though it should not be. An Aadhaar card can be used to obtain a passport, or to obtain documents that allow a passport to be issued, even though non-Indian citizens can get an Aadhaar card, and the Aadhaar card is in any case not a proof of citizenship.

In certain cases, Aadhaar accounts can be used as a proof of address. According to a circular issued by the RBI, the Aadhaar letter issued by the Unique Identification Authority of India can be used as both a proof of identity and a proof of address, if the address provided by the account holder is the same as the address on the Aadhaar letter. An Aadhaar card or letter is also accepted as a proof of address for a passport application, and furnishing an Aadhaar card actually expedites the process.

The fourth point in the post is one that is causing a furore. A Reddit thread raises the issue, and consolidates reports on the "Aadhaar data leak". A simple Google search reveals thousands of databases that contain Aadhaar numbers along with other sundry personal data, depending on the source of the database. These include names, names of parents, PAN numbers, mobile numbers, religion, marks, status of rejection of applications, bank account numbers, IFSC codes and other sensitive information. None of these are a problem with the Unique Identification Authority of India (UIDAI), the agency that manages the Aadhaar initiative.

The databases turn up in Google searches for strings such as "aadhaar name filetype:xls -uidai", without the quotes. Here, "filetype" specifies the kind of documents returned, in this case a Microsoft Excel sheet, and the "-uidai" parameter prevents results from UIDAI from showing up. Variations of the string can be tried out, including "passport name filetype:xls" or "aadhaar name filetype:xls inurl:gov.in -uidai". The first search will deliver databases with passport details from Google, and the second will deliver databases that contain Aadhaar numbers, but only from government web sites. If you find anything interesting in your investigations, please do let us know in the comments section below.

The Aadhaar Act says "No Aadhaar number or core biometric information collected or created under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for the purposes as may be specified by regulations."

While the Aadhaar numbers are available, the biometric information is not. The leaked databases do not pose a real threat to the people whose information is publicly available. According to Cyber Law and Cyber Security expert Prashant Mali, when compared to a potential breach in the biometric database of Aadhaar, the databases available on Google searches "are not a major cause for concern." Mali goes on to point out that "criminals can potentially abuse a leak in the Aadhaar biometric data", but that data has not been breached.

The biometric Aadhaar data is stored in a Central Identities Data Repository, which is adequately secured according to the latest security standards, and regularly audited by third parties. The Aadhaar Act defines the database as: "Central Identities Data Repository means a centralised database in one or more locations containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals and other information related thereto."

In a press release following reports of Aadhaar data being stored in an insecure manner, the UIDAI has said, "During the last seven years, there has been no report of breach or leak of residents' data out of UIDAI." In short, the Aadhaar data has sufficient security measures in place, according to the UIDAI.

Further, the UIDAI has committed to acting strictly against any violations of the Aadhaar Act and misuse of data. When the data is stored by third party agencies, it is stored without being linked to biometrics. A telecom service provider or a banking organisation can only use the Aadhaar information for the services it provides. The Aadhaar Act has clear provisions for how the data should be stored and used, as well as penal provisions for contraventions.

There are three important points of note here, as far as the UIDAI is concerned. The UIDAI has committed to prosecute those who misuse Aadhaar data, the data with the UIDAI in its database is adequately secured according to the latest standards, and the databases available through Google search are not the direct responsibility of UIDAI.

Users may not want to have their phone numbers and names publicly listed; such listing is not the best practice when it comes to data privacy, if not data security. However, the public availability of third party databases is a shortcoming on the part of the third parties, if at all it is a shortcoming. Neither the UIDAI nor the NPCI has commented as yet on the availability of Aadhaar numbers in databases on Google search. Some Reddit users are reporting that the spreadsheets are disappearing from the web sites that host them.

From the privacy perspective, even though the data may not be of much use to criminals, the individuals listed in the databases may be concerned about their personal information being available in such a public manner. The privacy of all the citizens in India is at risk because of the lack of adequate laws. While the Aadhaar data is protected by the Aadhaar Act, India has no specific laws on data protection or privacy.

Pavan Duggal, India’s leading expert and authority on Cyberlaw, Cyber Security Law & Mobile Law, has pointed out the issue in an article on the need for proactive cyber legal approaches for privacy in India: "This is one area that requires urgent and immediate attention. All stakeholders have to quickly realise that protecting data privacy and personal privacy are important pillars which can help contribute to the further strong development of digital ecosystem and the mobile environment."