Hardly had we come to terms with the terror created by the deadline for linking AADHAR – a 12-digit unique id needed to avail any number of services – when we were confronted with the scary story that all the data which the UIDAI (Unique Identification Authority of India) had kept under wraps for the last five years could be accessed by paying as little as Rs. 500.
A few days ago, The Tribune, a Chandigarh-based daily, revealed that its correspondent could get access to the AADHAR data by merely paying 500 bucks to an agent, and that, too, over WhatsApp. After receiving the payment through PayTM, the agent created a user id and password for the reporter. Within 10 minutes, the reporter was able to see the details of a billion users. Of course, the reporter did not misuse the data, as the newspaper only wanted the UIDAI to take note and tighten its data safety and security.
Instead of acknowledging the report and taking the necessary action, the UIDAI filed an FIR against the paper and the reporter, a move that was strongly criticised by the Editors Guild of India. People used social media to protest against it. The paper published a point-by-point reply to the letter issued by the UIDAI, refuting its claims that the report was a case of “misreporting” and that no such breach had happened.
This shows that either the claims that the information stored with the UIDAI is safe are untrue, or the UIDAI has no mechanism to find out whether anyone has breached its security. A paper which has served the nation for more than 135 years will certainly not publish an irresponsible report or write a story without a reliable source of information or evidence.
When people started questioning the freedom of the Press and the right to investigative journalism, Ravi Shankar Prasad, information technology minister, gave a statement that “the government is fully committed to the freedom of the Press as well as to maintaining security and sanctity of Aadhaar for India's development. The FIR is against unknown (sic). I've suggested @UIDAI to request Tribune and its journalist to give all assistance to the police in investigating the real offenders.”
Moments after the tweet, the UIDAI tweeted that “UIDAI is committed to the freedom of the Press. We're going to write to @thetribunechd & @rachnakhaira to give all assistance to investigate, to nab the real culprits. We also appreciate if The Tribune & its journalist has any constructive suggestion to offer”. This shows how the UIDAI changed its stand the moment people started expressing their concern.
Setting aside The Tribune report for a moment, if we go back to December 16, 2017, the fear of data being misused is not something that the government can simply wish away. We were told that the UIDAI had suspended the e-KYC (electronic know your customer) licence of Airtel Payments Bank, allegedly for opening bank accounts and forcibly linking them with customers' AADHAR numbers without obtaining their prior consent.
Not only this, LPG subsidy worth Rs. 190 crore was directed into these bank accounts instead of the accounts the users had chosen. Was this not a breach of the trust that people had placed in the UIDAI’s capacity to keep their information safe? Or does a licence given to anyone confer the authority to use the data in whatever way the licensee wants?
In this case, around 31 lakh users linked their AADHAR with the Airtel mobile connection as the government deadline for linking the unique id with mobile connections was approaching. It is a different matter that the deadline was extended by another three months to March 31, 2018.
New customers, too, must mandatorily give their AADHAR to obtain a SIM card. The number was used to complete the e-KYC and AADHAR authentication. Since the customer does not know how e-KYC is done or for what purpose his/her biometric data will be used, it is like putting a thumb impression on a blank sheet of paper and exposing yourself to risk.
Airtel certainly misused the e-KYC mechanism to open Airtel bank accounts without the consent of the customer. While the company had a customer base of 28.20 crore subscribers at that time, it carried out 83.8 crore e-KYC transactions, nearly three times what it should have. Should this not raise eyebrows? Should the UIDAI or the central government not accept that the data can be easily misused even by those who have been given a licence to use it?
Of course, Airtel had two licences – one for the telecom company and the other for its payment bank. Opening zero-balance bank accounts would have added to its administrative and operational cost, and hence the easier way was to direct the LPG subsidy into its own bank accounts. The user was left stranded: he/she would never know where the subsidy had gone, nor was he/she even aware that a new bank account existed.
Days after The Tribune report was published, Elliot Alderson, a French security researcher who works on exposing how mobile phones store customer data, tweeted how easy it is to obtain the password of the local database used by the recently launched AADHAR Android application, which is available on the Play Store. The researcher says that when a person logs into the application, it stores the biometric settings in a local database, which is, of course, password protected. But this password can be easily recovered, since it is derived from a simple numeric combination like 123456789 as the seed, followed by the fixed string “db_password_123”.
The researcher has promised to publish more information in a few days, and has also suggested removing the “developer” endpoint from the release APK…
Another tweet by Alderson says, “Hi! My #Indian friends! Let me show you how to bypass the password protection set up by @UIDAI and @KhoslaLabs in the #Aadhar #Android app. In less than a minute, an attacker can access your #Aadhar information without having your password #Aadharfail.”
This brings up another issue. If this Twitter handle has openly exposed how the UIDAI database can be hacked and used, how can the reporter’s account of getting access to the so-called secure information by paying a few bucks be false?
The government may have announced face recognition and the creation of a virtual id, to be used instead of the original AADHAR number, as additional security measures, but these moves will be of no use to those who have already given their unique ids to various agencies, or whose details have been uploaded to government websites without their permission.
If you remember, around 200 government websites had already disclosed the unique ids of millions and millions of people in the past; these were taken down only later.
True, the AADHAR number alone cannot be used to carry out a bank transaction. But the number along with a one-time password (OTP) can. And there are many who have the technical know-how to do so. We have seen in the past how OTPs generated for bank transactions have been hacked and misused.
But, then, has the AADHAR project met the purpose for which it was created five years ago? The AADHAR-linked direct benefit transfer (DBT), which was purportedly announced to stop pilferage in the public distribution system and many other welfare schemes, has actually proved to be a more cumbersome exercise for the ultimate beneficiaries.
Jharkhand is a case in point. By mid-2016, the state had one of the most effective public distribution systems. The state government had initiated a number of reforms so that people did not suffer.
After the mandatory AADHAR linkage, the system, which could have inspired others, is now virtually on the verge of derailment. A recent study conducted by the Economic and Political Weekly revealed that DBT has actually made people's lives miserable and has revived corruption.
The government cancelled a number of ration cards that were not linked with AADHAR. While it claimed that these were all fake ration-card holders whom AADHAR had helped to trace, the fact is that many of these ration-card holders were genuine and could not avail the benefit simply because they did not have AADHAR. And where has their entitlement gone? Certainly not to those who deserved it.
Not only this, a person entitled to subsidised foodgrains is now required to pay the full amount first. Logically speaking, if a person had the capacity to pay, say, Rs. 32 for a kilo of rice, why would he/she want a subsidy? People living in remote corners have to stand in long queues, first to purchase the ration and then to update their pass books and withdraw cash from Pragya Kendras – the nodal service centres from which money can be withdrawn. Now, one may ask, why can’t a person withdraw money from the bank? Because banks ask them to visit a Pragya Kendra for this purpose. Otherwise, what is the fun of setting up such kendras?
Imagine an old person being taken by his/her family members to the bank, then to the Pragya Kendra and finally to the fair price shop, from where he/she may get foodgrains if the biometrics match. The most disturbing aspect is that ration cards are being cancelled without prior notice. Pensions are being stopped without any information. What a flawless system!
While the Supreme Court has yet to decide whether AADHAR violates a person's privacy, or whether it should be made mandatory for availing certain benefits, the government and the UIDAI are propagating and promoting its mandatory usage, painting it as their biggest success story. Meanwhile, we may be forced to link AADHAR to our bank accounts, insurance policies, mobile connections and so on, but the government is not even ready to listen to us. As citizens, what else can we do except subject ourselves to the risk and hope and pray that our data is not misused?
(The writer, a company secretary, is Director Communications and can be reached at Jassi.email@example.com)
(Published on 22nd January 2018, Volume XXX, Issue 04)