Only a few days after this writer first pontificated upon the potential harms that accompany the Government of India’s Aadhaar initiative, in an article that followed a Facebook test and the dystopian visions it prompted, another possible data breach and questions about the security measures of the Unique Identification Authority of India (UIDAI) have been raised in a recent article from The Tribune, first published on Thursday, the Fourth of January.

The article reported that anonymous sellers were providing, over WhatsApp, unauthorised access to the identity information and photographs submitted to the UIDAI for Aadhaar enrollment. According to the investigation team at The Tribune, “It took just Rs 500, paid through Paytm, and 10 minutes,” in which agents involved with the racket provided the correspondent with a login ID and password that could be used to access, through a search facility, particulars such as names, addresses, and photographs associated with the over one billion Aadhaar numbers generated so far. For an additional Rs 300, the team was also able to ‘purchase’ software that would facilitate the printing of Aadhaar cards from such information. A detailed and timely account of the conversation between the reporters and the racketeers is available on The Tribune website.

The data was allegedly accessed through targeted breaches into the several Village Level Entrepreneurs (VLEs) spaces that have been set up by the Ministry of Electronics and Information Technology under the Common Services Centers (CSC) scheme. The CSC scheme is envisioned to provide “front-end delivery points for Government, private and social sector services to rural citizens of India, in an integrated manner.” The May 2007 guidelines for the implementation of the CSC scheme in states position them as a “Change Agent” that would promote rural entrepreneurship, “through a bottom-up model with focus on the rural citizen.”

These small-scale VLEs functioned as Aadhaar enrollment points for several thousands of people, and were denied the right to provide that service in November 2017. Consequently, as Rachna Khaira of The Tribune reports, “spotting an opportunity to make a quick buck, more than one lakh VLEs are now suspected to have gained this illegal access to UIDAI data to provide “Aadhaar services” to common people for a charge, including the printing of Aadhaar cards.” It was also found that the website that provided access to, and printing of, this information used a Government of Rajasthan template, as the purchased software redirected to “aadhaar.rajasthan.gov.in.”

UIDAI Response.

The UIDAI response has been one of complete denial, and aligns with the recent trend of deflecting responsibility behind the shield of ‘fake news,’ by labelling the investigative report as ‘misreporting.’ In a statement issued yesterday, the UIDAI said that the aforementioned instance appears to be an abuse of the ‘grievance redressal search facility,’ and that, in view of the logs and traceability maintained, appropriate legal action is being taken against the individuals concerned. It further stated, clearly, that there has been no breach of the demographic and biometric databases. It added that mere access to an Aadhaar number does not create opportunities for misuse, since accompanying fingerprints and iris scans are required to complete the authentication process, and that the Aadhaar number isn’t a secret number and has to be made available to several authorised agencies for access to Government services and benefits.

A further enquiry into, and analysis of, the UIDAI’s statement by The Tribune, along with the newspaper’s response, can be found here. The Wire, here, also presents an interesting analysis, and questions that have to be asked of, and answered by, the UIDAI in the face of this disturbing occurrence, including the one that the writer himself most persistently wants addressed. The UIDAI response discussed above alleges the instance to be a misuse of a ‘grievance redressal search facility’. The facility, apparently, helps “designated personnel and state government officials” to aid the residents “only by entering their Aadhaar number/EID.” As The Wire puts it, “Does the UIDAI’s explanation imply that access to the grievance facility can be only done with the consent of the user/resident?” The Tribune’s story clearly states differently, and contradicts this implication.



Yet another disconcerting issue is the manner of the response, and its ambivalence. While the UIDAI states that there has been no breach of data, the fact that legal steps are being taken against the individuals involved suggests that something criminal has taken place, which is further corroborated by the comments of Sanjay Jindal, Additional Director-General, UIDAI Regional Centre, Chandigarh, who told The Tribune that this was a lapse. Discrediting as ‘misreported’ a news report that brings this to notice doesn’t position the UIDAI in the best light, and, to add fuel to the already flaming fire, the fact that the BJP Twitter handle has marked The Tribune with a phrase that has come to echo the Scarlet Letter, ‘fake news,’ represents a near aversion to addressing faults in the system.

While the Aadhaar has been championed and defended, on national television and in private WhatsApp groups, by reference to the international accolades that the initiative has received, the probable breach has brought it under renewed international attention, ostensibly towards the negative, and several international news services and actors, including the prolific BuzzFeed and the whistleblower Edward Snowden, have shared their concerns as of Friday. In a tweet, Snowden expressed this writer’s thoughts rather eloquently, and stated that, “It is the natural tendency of government to desire perfect records of private lives. History shows that no matter the laws, the result is abuse.”