Nandan Nilekani. Photo: Manjunath Kiran / AFP / Getty Images

Three years after Nandan Nilekani, the high-profile tech entrepreneur who helped create India’s controversial biometric identity program Aadhaar, publicly tweeted his own confidential Aadhaar ID, his personal information is still readily available online, BuzzFeed News has learned.

An Aadhaar ID, which is associated with personal information like your address and birthdate and is linked to services such as your bank account, tax records, cell phone number, and insurance, is like an extreme form of a Social Security number in the US, and is also connected to your biometric data.

From 2009 to 2014, Nilekani served as the head of the Unique Identification Authority of India (UIDAI), the government agency responsible for administering Aadhaar. The program aims to create a digital national identity system by collecting the personal details and biometrics — all 10 fingerprints and iris scans — of 1.3 billion Indian residents into a government-owned database. Critics have slammed Aadhaar, saying it violates privacy, enables state surveillance, and exposes citizens to identity theft.

Nilekani exposed himself to identity theft by tweeting a picture of his own Aadhaar card on April 12, 2014. He blacked out the first eight digits of his 12-digit Aadhaar number, but did not obscure the QR code containing his personal demographic details, which could be read by any freely available iOS or Android app used for scanning QR codes.

And as with just about anything that’s publicly tweeted, Nilekani’s private information remains online. Members of an internet forum popular with computer programmers scanned his QR code and posted his demographic details and Aadhaar number, and this data eventually ended up on at least half a dozen other webpages that BuzzFeed News reviewed. Images of Nilekani’s tweet with his Aadhaar card exist on at least one popular website.

Despite several people on Twitter pointing out a potential breach of privacy, Nilekani’s tweet remained on Twitter at least through September 2016, when he finally deleted it.

“I guess Nandan didn’t realize what he had done at first,” said Prasanto K Roy, a former technology journalist who was one of the people who alerted Nilekani. “And I don’t think he paid much attention to it even when it was flagged, probably thinking that it wasn’t a big deal since, as a well-known person and the head of the Aadhaar program, most of his demographic details were publicly available anyway. I think he must have realized the seriousness of it later — that his tweet might suggest to others that it was OK to post a picture of your Aadhaar card simply by redacting the Aadhaar number itself.”

In September 2016, India’s government passed the Aadhaar Act to govern the program, which made publishing an Aadhaar number publicly a criminal offence. Nilekani did not respond to BuzzFeed News’ requests for comment. But a source close to him said under the condition of anonymity that they advised him to take down his tweet for almost six months — starting a few months before the Aadhaar Act was introduced — before it was finally deleted.

A screenshot of Nilekani's tweet. (BuzzFeed News redacted the identifying QR code.)

Experts said that Nilekani’s leaked Aadhaar number leaves him vulnerable to identity fraud because the Indian government requires citizens to link their Aadhaar numbers to essential services like food subsidies, utilities, bank accounts, cell phone numbers, and insurance services.

“Personal data such as full names, birthdates, and residential addresses should always be afforded a high level of protection,” cybersecurity expert Troy Hunt told BuzzFeed News. “For many people, this is information they won’t want to share beyond authorized parties because it can be used to locate them or aid in identity theft.”

BuzzFeed News, for instance, was able to find out where Nilekani does his banking by using a publicly available, UIDAI-provided service that lets anyone simply punch in an Aadhaar number on a mobile phone to see the bank accounts it is linked to.

Indeed, despite the UIDAI’s repeated denials, Aadhaar numbers leaked online have been used to commit identity theft in India. In October 2017, for instance, Indian police arrested a group that used the leaked Aadhaar numbers of nearly 300 pensioners to open bank accounts in their names and swindled over 4 million Indian rupees' worth of pension money over two years, according to reports.

Making things murkier is the UIDAI’s conflicting messaging about whether an Aadhaar ID is actually private information or not. After the Tribune published an investigation revealing how it was able to buy unauthorized access to the demographic details of nearly 1.2 billion Indians in the Aadhaar database earlier this week, the UIDAI said having someone’s Aadhaar number and demographic information was “not a security threat” without also having their biometric information. But a day later, the agency sent out a tweet cautioning the general public about the importance of keeping Aadhaar numbers confidential.

UIDAI’s tweet: “Please ensure that you delete the local copy of Aadhaar downloaded in any cyber cafe or on any other public machine… https://t.co/yx6Tz1xFGV”