Scroll.in: National: Sunday, March 05, 2017.
On February
18, Hindi news daily Dainik Bhaskar reported the arrest of six salespersons of
telecommunications service provider Reliance Jio in Madhya Pradesh for selling
SIM cards by using the Aadhaar data and fingerprint scans of other customers
for between Rs 300 and Rs 1,000.
A day earlier, security researcher Srinivas Kodali had brought to the notice of the authorities that a website had leaked the Aadhaar demographic data of over five lakh (500,000) minors. The website was shut down immediately.
The researcher warned that several such parallel databases exist, storing identification data linked to Aadhaar numbers, and that there is no oversight over them.
The two cases
are the latest in a number of incidents in the past month that have raised
questions about the security of the Aadhaar database – which contains the
biometric data of over a billion Indians.
Another sign of trouble came on February 24 with media reports that the Unique Identification Authority of India, which enrols residents, stores and manages their biometric data, and issues the 12-digit Aadhaar numbers, had, in a first, registered a complaint with the Delhi Police against Axis Bank Limited, Suvidha Infoserve, which is a business correspondent with Axis, and e-sign provider eMudhra. The three are accused of performing multiple Aadhaar transactions using stored biometrics, in violation of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016, which prohibits the storage of such data.
In all of the
above cases, it is not clear if the individuals whose personal data was
compromised were even informed of it. This leads to the question: what right to
information does an individual have in the case of such a security breach?
Information blackout
Section 6 of
the Aadhaar (Sharing of Information) Regulations says:
The Aadhaar
number of an individual shall not be published, displayed or posted publicly by
any person or entity or agency.
However, at
the same time, the Aadhaar Act lacks any provision for a mandatory notice to an
individual in case of a breach of his or her information – which was a
recommendation of the Justice Shah Committee on Privacy in 2012, which was set
up to lay the ground for a comprehensive new privacy law.
Thus, under the law, Aadhaar users have no right to be informed when a crime related to their personal data occurs. Nor can they approach a court directly: under Section 47 (1) of the Aadhaar Act, a court can take cognizance of an offence under the Act only on a complaint made by the Unique Identification Authority of India, which therefore has the exclusive power to initiate proceedings over any violation or breach of privacy.
In the case
of Axis Bank and the other two firms, the Authority has temporarily stopped
them from conducting Aadhaar-based transactions while the investigation is on,
but it is not clear if any notice has also been sent to the individuals whose
stored biometrics were used illegally by the firms.
Regarding the
leak of data of five lakh minors, security researcher Srinivas Kodali said he
was not aware if the parents of the children had been informed about the breach
after he alerted the authorities. “They should have notified parents of all
minors whose data was on the website, issued them new Aadhaar numbers, but this
has not happened, as far as I know,” he said. “The authorities have not even
formally acknowledged that I notified them that this data was leaking.”
What’s more,
information regarding breaches and security-related incidents is not accessible
even under the Right to Information Act.
In response
to a right to information application filed last year in the course of
Scroll.in’s Identity Project series, the Unique Identification Authority of
India refused to share data on how many security breaches, intrusion attempts
or security incidents it had detected or been notified of. It denied this
information for both its Central Identities Data Repository, where it stores
all core biometric information, as well as for the other databases it
maintains.
While denying
the information, the Authority cited Section 8 (1) (a) of the Right to
Information Act, which mentions national security and states:
8 (1)
Notwithstanding anything contained in this Act, there shall be no obligation to
give any citizen,
(a)
information, disclosure of which would prejudicially affect the sovereignty and
integrity of India, the security, strategic, scientific or economic interests
of the State, relation with foreign State or lead to incitement of an offence.
It also cited
Section 7 of the Aadhaar (Data Security) Regulations that deals with
confidentiality of “procedures, orders, processes, standards and protocols” on
security.
Similarly, the Authority refused to share information on its security practices, citing Section 8 (1) (a) of the Right to Information Act and Section 7 of the Aadhaar (Data Security) Regulations. “…data being national asset and sharing the systems in place can affect the security interest of the UIDAI and may lead to incitement of an offence,” it noted in its reply to Scroll.in’s right to information application.
No disclosure
Legal experts
said this absence of proactive disclosure in the Aadhaar system was in contrast
with international norms on data protection and transparency towards users.
Chinmayi
Arun, executive director of the Centre for Communications Governance at the
National Law University, Delhi, said that in the United States, every time a
breach takes place, the authorities have to follow proactive disclosure
requirements.
“Other
countries like the US that are used to sell the idea of government databases to
Indian citizens do not run their databases with such wilful carelessness, they
are required by law to publish it and inform citizens,” she said. “Here, the
government refuses to make the UIDAI tell citizens when a stranger has stolen
their personal data. The UIDAI refuses to divulge the most basic security
breach statistics when asked under the RTI. The haphazard security of the
biggest biometric database on earth should worry everyone.”
According to
technology lawyer Apar Gupta, “the UIDAI is a blackbox that cannot be opened
even after a system crash”.
He said, “In
Aadhaar, there is no proactive duty to publish the data breach as an individual
notification to the affected Aadhaar user, no legal obligation to even publish
aggregate data at the end when the breach is rectified, no reporting
requirement to any other government department.”
Gupta pointed out that Aadhaar lacks both an oversight mechanism and a bug bounty programme that rewards those who find and report security flaws in its system, measures that would encourage vulnerability testing and so help prevent hacks and exploitation.
On the
contrary, reporting security flaws may land one in trouble, as in the case of
entrepreneur Sameer Kochhar. Last week, the Authority registered a police
complaint against him after he published an article and video on his web
magazine on February 11 demonstrating how Aadhaar systems were vulnerable to
replay attacks in instances where firms registered with the Authority resorted
to illegally storing biometrics locally.
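The replay attack class mentioned above is easy to see in miniature. The following is an added, generic illustration written for this page; it is not Kochhar's demonstration and it is not the Aadhaar authentication protocol (the message format, the shared device key, the nonce and timestamp fields, the 30-second window and the template bytes are all constructed assumptions). A relying party that has kept a copy of an authenticated request carrying a biometric template can resubmit it unchanged; a verifier that checks only the message authentication code accepts the copy, while one that also demands a fresh nonce within a short time window rejects it.

```python
"""Generic replay-attack illustration (constructed example, not the Aadhaar
protocol).  A capture device signs requests with a symmetric key; the verifier
on the other side checks the MAC.  Without freshness checks, a stored request
can be replayed indefinitely."""
import hashlib
import hmac
import json
import os
import time

DEVICE_KEY = b"constructed-demo-key"        # assumption: key provisioned to the capture device
TEMPLATE = os.urandom(32).hex()            # constructed stand-in for a fingerprint template


def sign(payload: dict) -> dict:
    """Serialise the payload canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(DEVICE_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def mac_ok(msg: dict) -> bool:
    expected = hmac.new(DEVICE_KEY, msg["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])


class NaiveVerifier:
    """Checks only the MAC: a captured request verifies for ever."""

    def authenticate(self, msg: dict) -> bool:
        return mac_ok(msg)


class FreshVerifier:
    """Checks the MAC, then requires a nonce never seen before and a timestamp
    inside a short window.  The nonce set is unbounded here; a real service
    would expire entries older than the window."""

    def __init__(self, window_seconds: float = 30, now=time.time):
        self.window = window_seconds
        self.now = now                      # injectable clock so the demo is deterministic
        self.seen_nonces = set()

    def authenticate(self, msg: dict) -> bool:
        if not mac_ok(msg):
            return False
        payload = json.loads(msg["body"])
        nonce, ts = payload.get("nonce"), payload.get("ts")
        if nonce is None or ts is None:     # no freshness fields: reject
            return False
        if abs(self.now() - ts) > self.window:
            return False                    # stale request
        if nonce in self.seen_nonces:
            return False                    # replay of a request already accepted
        self.seen_nonces.add(nonce)
        return True


def make_request(uid: str, template: str, nonce=None, ts=None) -> dict:
    payload = {"uid": uid, "bio": template}
    if nonce is not None:
        payload["nonce"] = nonce
    if ts is not None:
        payload["ts"] = ts
    return sign(payload)


def run_demo() -> dict:
    """Exercise both verifiers and return the outcome of each step."""
    clock = [1_700_000_000.0]               # fake wall clock, advanced by hand below
    naive = NaiveVerifier()
    fresh = FreshVerifier(window_seconds=30, now=lambda: clock[0])
    uid = "000000000000"                    # placeholder, not a real Aadhaar number
    results = {}

    # A relying party stored this request (template included) and replays it.
    stored = make_request(uid, TEMPLATE)
    results["naive_first"] = naive.authenticate(stored)
    results["naive_replay"] = naive.authenticate(stored)
    results["fresh_rejects_no_nonce"] = fresh.authenticate(stored)

    # A live request from the device carries a fresh nonce and timestamp.
    live = make_request(uid, TEMPLATE, nonce=os.urandom(16).hex(), ts=clock[0])
    results["fresh_first"] = fresh.authenticate(live)
    results["fresh_replay"] = fresh.authenticate(live)

    # An hour later, a request stamped with the old time is stale.
    clock[0] += 3600
    late = make_request(uid, TEMPLATE, nonce=os.urandom(16).hex(), ts=clock[0] - 3600)
    results["fresh_stale"] = fresh.authenticate(late)

    # Editing the body without the key breaks the MAC.
    tampered = {"body": live["body"].replace(b'"bio"', b'"bio2"'), "mac": live["mac"]}
    results["fresh_tampered"] = fresh.authenticate(tampered)
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step:24s} {'accepted' if outcome else 'rejected'}")
```

The caveat a practitioner would add: nonces and timestamps only defeat a party that holds a stored message. A party that illegally retains the raw template and also controls the signing key, as the firms described in this article are accused of doing, can mint a fresh-looking request at any time, so the legal prohibition on storing biometrics and the transport-level freshness check address two different attackers.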
The Delhi
Police are investigating the charges made by the Authority against Kochhar
under Section 37 of the Aadhaar Act, which deals with the intentional
disclosure of “identity information collected in the course of enrolment or
authentication”.
Lawyers and
technical experts have criticised the Authority’s decision to take action
against an individual for reporting a security vulnerability in Aadhaar.