Aadhaar Details on Google Search? Data of Thousands Kept Public

How many steps does it take to get access to thousands of Aadhaar numbers of citizens?

Step 1: Google ‘aadhar.jpg’

That’s it.

In a major breach of privacy and data protection, private entities of various kinds, educational, non-profit or commercial, that demand Aadhaar numbers as proof of identity, have kept their entire directories open and publicly searchable on Google. Scanned copies of Aadhaar cards are peppered in the search results that come up when one Googles “aadhar.jpg” or “aadhaar.jpg”.

Shocking Negligence

These images show up on Google because they have been stored in directories that have been kept public and searchable. A security lapse like this, breathtaking in its negligence, reflects a general lack of seriousness among institutions towards sensitive data of citizens as well as a failure to grasp the most basic security protocols.

So, why is Google throwing up images of Aadhaar cards?

The answer is simple. When an individual types in keywords to search for something, Google, based on its algorithm, crawls the web and returns relevant search results from the part of websites that are publicly accessible. Organisations need to keep only the relevant information publicly available on the client side of their website, not the complete database of sensitive information, such as sensitive user documents.

The Quint came across seven open directories in its scroll through the first fifty rows of photographs. Apart from educational institutions, other sources of directories of hundreds, and in some cases, thousands of people, include an NGO that runs an orphanage, an aviation academy and a trade conglomerate. All these institutions have collected Aadhaar and other identifying documents as part of its records but appear oblivious to the fact that the directory is stored directly on the server itself and not behind a login wall.

At a time when reports of Aadhaar leaks have been reported with increasing regularity, this appears to be the easiest among all the ways that the Aadhaar numbers of citizens have been leaked.

This serious lapse in providing the most elementary protection was detected a month after the Aadhaar-issuing body – UIDAI – explicitly directed people and organisations to never make Aadhaar numbers public. In a thread nine tweets long, UIDAI, firefighting TRAI Chairman RS Sharma’s controversial ‘Aadhaar Challenge’, asked citizens to “refrain from publicly putting their Aadhaar numbers on internet and social media”.

What Should Have Been Done

The leak could have easily been prevented by simply taking a few basic data security steps. The starting point is putting sensitive data behind a login wall.

• Store the files in a database or a secure location inside the server
• Keep the important fields (such as passwords, Aadhaar number) in the database encrypted.
• Specify access rights to the database to ensure that only those with proper credentials gain entry.

Busting Myths

The leaks bust a fundamental myth about organisations we hand over our data to – the belief that our sensitive information will be protected by these entities. In recent examples exposed by The Quint, it has repeatedly emerged that both public and private institutions have either allowed citizen data to be leaked or have misused it.

• Sanjay Gandhi Post Graduate Institute of Medical Sciences in Lucknow, known as the “AIIMS of Uttar Pradesh”, has inadvertently leaked the entire database of the most confidential information of kidney transplant patients.

• The Uttar Pradesh State Food and Civil Supplies Department officials have been accused of ordering the Aadhaar number of ration beneficiaries to be changed with other ones. Two lakh tonne of foodgrains was diverted into the open market.
• A Bengaluru Police database containing names, phone numbers, addresses, passport numbers and dates of birth of over 350 Bengaluru citizens was hacked and made its way to the dark web. It is nearly impossible to get information off the network of anonymous sites that make up the dark web. The police had been warned of the hack six months prior to it happening but no action was taken to prevent this.