Updated: Jul 29, 2017 08:51 IST

Police are investigating how a Bengaluru-based engineer gained access to the Aadhaar database to develop an Android application that seemed to be able to pull out confidential details, bringing back into focus concerns over the programme’s security.

The Aadhaar project has been criticised for impinging on the right to privacy, and a number of cases where government websites leaked people’s 12-digit ID numbers have added to worries that flaws could make it vulnerable to abuse and crimes like identity theft.

The engineer, Abhinav Srivastava, has been accused of illegally accessing the Aadhaar database, and sources say that the way he did it could involve either the collusion of people who had authorised access or a hack.

Srivastava has been booked under sections of the Aadhaar Act that outlaw access and distribution of Aadhaar data, and sections of the Information Technology Act that deal with hacking.

The USP of his application — named Aadhaar KYC, which was taken down from Google’s Play store — was to provide KYC verification using Aadhaar data.

KYC — know your customer — refers to a process of establishing a person’s identity with data such as birth date, address and phone numbers, and the application developed by Srivastava appeared to pull those details out using Aadhaar numbers.

An official of the UIDAI at the headquarters in Delhi, speaking on the condition of anonymity, denied that its servers could have been hacked, and suggested the information may have been leaked from the National Informatics Centre, or any of the agencies authorised to provide KYC services.

“The UIDAI database is very secure,” the official said. “This seems to have happened at the level of the Authentication User Agency (AUA) or e-KYC User Agency (KUA).”

AUA and KUA refer to agencies — such as those providing rations — that access the Aadhaar database so that they can deliver services based on UID verification.

“The matter is now with the police and let us wait for the investigation to be completed,” the UIDAI official added, declining to comment on how many such cases, if any, were registered at the national level.

Staff at the regional UIDAI office in Bengaluru, which also houses the technical centre where data from across the country is stored, said this was the first such case in the city.

“Generally, we encounter malpractice cases, where some false documents have been submitted. This is the first such technical case,” an official said.

Srivastava headed Qarth Technologies, which built a mobile payments app called X-Pay, which was acquired by Ola in March 2016. Sources said the app Aadhaar KYC was developed in his personal capacity, and queries on Android application mirroring websites showed that the programme was uploaded using a developer account titled “MyGov”. Screenshots on the website showed the programme would show Aadhaar enrolment data after taking a person’s name and UID number as input. HT could not verify if this application was the one that triggered the criminal complaint.

MyGov is used as an affix by the government for its digital services.

Srivastava’s mobile phone was switched off and attempts to contact him failed.

A statement issued by Ola said: “Ola has neither commissioned nor is involved in any such activity. No such complaint has been brought to our notice.”

Bengaluru Police Commissioner Praveen Sood said two people had been identified, and no arrests had been made till Thursday evening. “The app has been deactivated,” he added.