Aadhaar ‘breach’: Everything you need to know
Is your Aadhaar information safely stored in UIDAI's servers? This is the question hundreds of thousands of citizens are asking after the news outlet Tribune reported on an agent who was selling access to a specific section of the Aadhaar website for as little as ₹500.
The Tribune newspaper claims that it bought specialised access to the Aadhaar website from an "agent" who was advertising such a service in a WhatsApp group. The report is the latest revelation against the Aadhaar system, which has been mired in controversy in recent years over how the personal information of more than a billion Indians is being handled and whether enough safeguards are in place to protect its integrity.
The Unique Identification Authority of India (UIDAI), which governs the Aadhaar project, on Thursday denied the claims that the Aadhaar database had been breached, as was interpreted by some, but noted that the newspaper had accessed limited details by abusing a search facility that is only available to government officials.
Rogue agents allegedly selling access to Aadhaar website
The crux of the matter, as reported by the Tribune newspaper and corroborated by BuzzFeed News, is that there exists a portal on the Aadhaar website which gives anyone who has the login credentials access to the Aadhaar database. UIDAI says the portal is intended for government officials for addressing grievances such as rectifying spelling mistakes in a person's name.
But somewhere in the chain, according to media reports, rogue agents have started to sell access to this portal to just anyone. A rogue agent could create new accounts for other people with the same privileges as an authorised administrator, reports claim.
In a televised interview with CNBC TV-18, Ajay Bhushan Pandey, the CEO of UIDAI, said the portal exists only for authorised officials. He pointed out that even if an unauthorised person gains access to the Aadhaar database, they can only look up information on people whose Aadhaar number, a unique 12-digit ID, they already have in their possession. So if the agent knows a certain person's Aadhaar number, the agent could access their private details.
But such abuse won't be possible if they don't know your Aadhaar number, for instance. On top of this, "Aadhaar is not a secret number," UIDAI's Pandey said, drawing comparisons with a bank account number, the knowledge of which by a rogue party, he said, cannot hurt the victim.
Biometric data is still safe
According to Tribune, they were able to look up a person's name, home and email addresses, photographs, and the registered phone number. The newspaper further claimed that the rogue agent was selling specialised software which allows the creation of fake Aadhaar cards. The biometric information -- unique fingerprints, iris scans -- was not accessible from the website, UIDAI has said.
This is an important point for you to keep in mind. A person may have your home address, name and phone number, but several services require your biometric information -- such as your fingerprint -- and they don't have access to such data. Furthermore, the scale of the abuse of this grievance redressal system remains unclear for now. We do not know how many unauthorised people have accessed this search facility, and whose data they have captured.
In a statement, the UIDAI said the Aadhaar data is "safe & there has not been any Aadhaar data breach," adding that Tribune had "misreported" the facts, a claim the newspaper had refuted.
"UIDAI maintains complete log and traceability of the facility," the government-backed agency said, adding that "FIR will be lodged against the misuse of grievance redressal system."
"Even in grievance redressal system, the designated officer does not have access to biometric details," UIDAI added. "Claims of data breach in biometric database are totally unfounded. Aadhaar data is fully safe and secure and has robust world-class security."
The statement was reshared by the central ruling party BJP's social media account.
Not the first time
This isn't the first time the UIDAI has found itself in a controversy over the security of the Aadhaar database. In November last year, more than 200 government websites were spotted that had published Aadhaar numbers of citizens with other personal details. At the time, UIDAI said the information had been inadvertently published by government departments and was removed after media reports outlined the issue.
The Aadhaar project was initiated as a voluntary program in a bid to tackle benefit fraud, but over the years, it has been made mandatory for access to welfare as well as several other schemes and benefits.
Privacy advocates have warned the government about the potential dangers of maintaining a centralised system holding such a large volume of data. "I know how worried friends in India have been for a while now about #Aadhaar and this is why: if you digitise it, sooner or later you must expect it will be abused," well-known security researcher Troy Hunt tweeted.
"It is the natural tendency of government to desire perfect records of private lives. History shows that no matter the laws, the result is abuse," whistleblower Edward Snowden tweeted on Friday.