New Delhi: Poor information security standards with the Unique Identification Authority of India’s (UIDAI) enrollment infrastructure led to news of a massive data breach on Thursday.
But what exactly happened? As of Thursday evening, we have two reports and the UIDAI’s response, all with varying levels of detail. The most basic picture appears to be that an unknown number of UIDAI enrollment partners were illegally selling the personal and private data of millions of Indians who had signed up for an Aadhaar number. The Tribune alleges that access to the whole Aadhaar database, in the form of a digital search facility, was up for grabs for as little as Rs 500.
Beyond this basic picture, there is little detail as to the extent of this problem. Who exactly should be punished? What should be done now to prevent future breaches? The Wire breaks it down.
What portal or service was used to access the search facility?
This isn’t clear at the moment. The Tribune describes the search facility – where if the Aadhaar number of a person is entered, a user could gain access to all demographic information that was furnished at the time of enrollment – merely as a “gateway”. Another service, where a piece of software allowed the printing of “Aadhaar cards of any Indian citizen”, allegedly was done through “aadhaar.rajasthan.gov.in.”
The Quint, without indicating the nature of its source of information, describes the search facility as a feature that is part of “portal.uidai.gov.in” – a website that the government describes as an “interactive self service portal for UIDAI partner management”. As of Thursday evening, this website is not accessible.
The UIDAI calls the whole incident a misuse of a search facility that is intended for “the purpose of grievance redressal”. In its statement, the UIDAI maintains that only authorised personnel and state government officials have access to this grievance redressal mechanism and that because of this, any misuse can and is being traced. It does not state what portal, service or government website is used for this purpose.
How many operators are in on the whole alleged scam of selling Aadhaar data for money?
It’s still unclear. The Tribune claims that up to one lakh village level enterprise (VLE) operators had access to UIDAI data, but doesn’t provide its sourcing for this number. The Quint doesn’t expand on this and the UIDAI is silent on this issue.
What can an authorised official, enrollment partner or operator do with this access? How big is this breach in terms of the number of people affected?
Again here, we are largely in the dark. The UIDAI describes it purely as as a tool for authorised people and state government officials to “help residents only by entering their Aadhaar number or enrollment ID”. It says nothing about enrollment partners.
This statement gives rise to a host of questions that need answering. Does the UIDAI’s explanation imply that access to the grievance facility can be only be done with the consent of the user/resident? (The Tribune‘s story directly contradicts this implication).
What portions of the Aadhaar demographic database do these authorised people/state government official have access to? Is it only available in silos, in that Tamil Nadu officials would have access to the Aadhaar details of only people who reside in Tamil Nadu? Or does the grievance facility technically allow access to the personal details of any single person who has signed up for Aadhaar?
Can designated personnel/state government officials/enrollment partners hand out access to this facility to just about anyone?
Again, the UIDAI is silent here. The Tribune story describes the correspondent as being made an “enrollment agency administrator” for a common service centre (CSC) after which a login ID and password was emailed to her. Using these credentials, she was able to access the portal/service that allowed access to the details of millions of people who had signed up for Aadhaar.
The Quint report, without identifying the source of its information, alleges that an “administrator” can make anyone else also an administrator without going through any established process that contains checks and balances. Another report that spoke to The Tribune‘s source claims that it is possible to create an unlimited amount of usernames and passwords.
The UIDAI needs to address these concerns: Do enrollment partners have the ability to give over access to the Aadhaar search facility to just about anybody? Can they do this without the UIDAI’s permission or knowledge? Does the UIDAI not have any processes in place to detect the usage of non-authorised access? How does it plan on stopping further and future creation of unauthorised enrollment partners that have access to the search facility?