A billion users, but no bug reporting policy

Even after 210 websites were found publishing Aadhaar numbers and bank account details, UIDAI has not done enough to engage with security researchers who discovered these and other issues

Mainstream and social media have carried several reports about security issues in Aadhaar. Any organisation holding so much sensitive information of individuals (including yours) should ideally host a bug bounty program for independent security researchers, to receive and process bug reports in a secure manner.

Certain features of Aadhaar — like eKYC — share sensitive personal information, including your photo, with third parties. The Aadhaar Act and regulations were introduced to enforce control around this shared information. But the Aadhaar Act only applies within the jurisdiction of India. A cybercriminal from another country cannot be brought to justice under the Act (unless extradition treaties apply). Besides, cybersecurity issues can’t be controlled by law alone. They need sane architecture and design choices to be made upfront, backed by continuous technological improvements.

Section 1, Clause 2 of the Aadhaar Act recognises any offence committed outside India

Security researchers, journalists, and writers like Sameer Kochhar have been gagged with criminal complaints for bringing issues to public attention.

Earlier this year, UIDAI CEO Ajay Bhushan Pandey promised a legal and safe bug reporting mechanism for researchers to report issues directly to UIDAI. It has been months since, but with no such policy in place, it is hard for security researchers to report actual issues with Aadhaar.

Reply from CEO of UIDAI to Anand Venkatanarayanan

Pertinent to note: the Government of India does have cybersecurity reporting procedures via the Computer Emergency Response Team of India (CERT-In) and the National Critical Information Infrastructure Protection Centre.

But UIDAI not having such a process for itself is an issue, as they are custodians of the Aadhaar project and need to be primary responders. Twitter Direct Messages (DMs) and phone calls to a call centre are not secure channels for reporting issues.

When an organisation lacks an official procedure, many researchers define their own ethical framework for reporting security issues. For example, Datameet, a community of data enthusiasts, offers these guidelines:

Citizens’ complaints often go unresolved by UIDAI, and they can be seen expressing frustration on Twitter. UIDAI does respond on Twitter some of the time, but using Twitter DM for sharing an enrolment ID (EID) or UID is not safe. The Twitter company retains access to all private messages, and may be obliged to share them with security agencies such as the NSA in its host country, the United States.

An organisation that claims a billion active users refusing to engage with security researchers is strange, but not even having a secure bug reporting policy is in the realm of bizarre. The very least that UIDAI must do to recover its credibility is to publish an official policy — assuming it cares about its credibility, that is.