How many steps does it take to get access to thousands of Aadhaar numbers of citizens?
Step 1: Google ‘aadhar.jpg’
That’s it.
In a major breach of privacy and data protection, private entities of various kinds, educational, non-profit or commercial, that demand Aadhaar numbers as proof of identity, have kept their entire directories open and publicly searchable on Google. Scanned copies of Aadhaar cards are peppered in the search results that come up when one Googles “aadhar.jpg” or “aadhaar.jpg”.
These images show up on Google because they have been stored in directories that have been kept public and searchable. A security lapse like this, breathtaking in its negligence, reflects a general lack of seriousness among institutions towards sensitive data of citizens as well as a failure to grasp the most basic security protocols.
So, why is Google throwing up images of Aadhaar cards?
The answer is simple. Google does not search the web at the moment someone types a query; its crawler continuously follows links and fetches every page and file that a web server will hand out without a login, and search results are drawn from that index. When a web server is configured to show a directory listing (the bare "Index of /uploads" page that enumerates every file in a folder) and nothing on the site requires authentication to reach it, each scanned card in that folder is a public URL that the crawler indexes like any other image. Organisations should keep only the information actually meant for the public on the publicly reachable part of their website, never a whole store of sensitive user documents.
The Quint came across seven open directories while scrolling through the first fifty rows of image results. Apart from educational institutions, the sources of directories holding the documents of hundreds, and in some cases thousands, of people include an NGO that runs an orphanage, an aviation academy and a trade conglomerate. All these institutions collected Aadhaar and other identifying documents as part of their records but appear oblivious to the fact that the directory sits in a publicly reachable folder on the web server, not behind a login wall.
At a time when Aadhaar leaks are being reported with increasing regularity, this appears to be the easiest of all the ways in which citizens' Aadhaar numbers have leaked.
This serious lapse in providing the most elementary protection was detected a month after the Aadhaar-issuing body – UIDAI – explicitly directed people and organisations to never make Aadhaar numbers public. In a thread nine tweets long, UIDAI, firefighting TRAI Chairman RS Sharma’s controversial ‘Aadhaar Challenge’, asked citizens to “refrain from publicly putting their Aadhaar numbers on internet and social media”.
The leak could easily have been prevented by a few basic data security steps. The starting point is putting sensitive data behind a login wall: scanned documents should be served only to authenticated users who are authorised to see them, never from a folder that any visitor, or any crawler, can browse. Switching off the web server's directory listing and keeping uploaded documents outside the web-accessible folders closes the same hole from the other side. Getting a result removed from Google is not a fix; the files remain reachable by anyone who already has, or guesses, the URL.
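Both the mechanism described earlier (a web server that hands out a folder's file list to anyone, which Google then indexes) and the fix described here can be checked against one's own site. The script below is an added example and not code from The Quint or from any of the institutions named: it classifies a saved HTTP response as an open directory listing, a login redirect or neither, and flags listed file names that look like scanned identity documents. The hostnames, file names and the identity-document name pattern are assumptions constructed for illustration; the sample responses are constructed inline so the script runs offline.

```python
"""Audit helper: does an unauthenticated request to one of our upload folders
return a directory listing, and does that listing contain ID scans?

Server-side fix, for reference (both directives are real and well known):
  Apache:  Options -Indexes        (in the <Directory> block or .htaccess)
  nginx:   autoindex off;          (off by default; check it was not enabled)
Turning listings off is not enough on its own; the files must also require a
login, which is what the "behind_login" verdict below checks for.
"""
import re
from html.parser import HTMLParser

# Titles emitted by common autoindex implementations: Apache and nginx use
# "Index of /path", Python's http.server uses "Directory listing for /path".
LISTING_TITLE = re.compile(
    r"<title>\s*(?:Index of|Directory listing for)\s+(/[^<]*?)\s*</title>", re.I
)

# File names that suggest a scanned identity document. The list of words is an
# assumption for illustration; tune it to what your own site stores.
ID_DOCUMENT = re.compile(
    r"(aadha?ar|pan[_-]?card|passport|voter)[^/]*\.(jpe?g|png|pdf)$", re.I
)


class _HrefCollector(HTMLParser):
    """Collect href targets of <a> tags in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(body):
    """True if the HTML body is a server-generated directory index."""
    return LISTING_TITLE.search(body) is not None


def listed_files(body):
    """Return file and subfolder links from a listing, skipping navigation
    links (column-sort links, parent-directory links, absolute URLs)."""
    parser = _HrefCollector()
    parser.feed(body)
    files = []
    for href in parser.hrefs:
        if href.startswith(("?", "/", "http://", "https://")) or href in ("..", "../"):
            continue
        files.append(href)
    return files


def exposed_id_documents(body):
    """Listed files whose names look like scanned ID documents."""
    return [f for f in listed_files(body) if ID_DOCUMENT.search(f)]


def audit(url, status, location, body):
    """Classify one unauthenticated response.

    status   - HTTP status code
    location - Location header value if the response was a redirect, else None
    body     - response body as text
    """
    if status in (301, 302, 303, 307, 308) and location and "login" in location.lower():
        return {"url": url, "verdict": "behind_login", "files": []}
    if status == 200 and is_directory_listing(body):
        docs = exposed_id_documents(body)
        verdict = "open_listing_with_id_documents" if docs else "open_listing"
        return {"url": url, "verdict": verdict, "files": docs}
    if status == 200:
        return {"url": url, "verdict": "served_without_auth", "files": []}
    return {"url": url, "verdict": "not_accessible", "files": []}


# Constructed sample: an Apache-style autoindex page for an uploads folder.
# Hostname and file names are made up for this example.
SAMPLE_LISTING = """<html><head><title>Index of /uploads/students</title></head>
<body><h1>Index of /uploads/students</h1>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/uploads/">Parent Directory</a>
<a href="aadhar.jpg">aadhar.jpg</a>
<a href="Aadhaar_card_2017.pdf">Aadhaar_card_2017.pdf</a>
<a href="marksheet.pdf">marksheet.pdf</a>
<a href="photos/">photos/</a>
</body></html>"""

# Constructed sample: the same path on a site that sends visitors to a login.
SAMPLE_LOGIN_REDIRECT = (302, "/login?next=/uploads/students/", "")


if __name__ == "__main__":
    print(audit("https://example.edu/uploads/students/", 200, None, SAMPLE_LISTING))
    status, location, body = SAMPLE_LOGIN_REDIRECT
    print(audit("https://example.edu/uploads/students/", status, location, body))
```

In practice the three values passed to `audit` come from an unauthenticated request (for example with `curl -i`) to every upload path the site has; anything that comes back as `open_listing` or `served_without_auth` is a finding even if no ID document name is matched, since the name pattern only catches the obvious cases.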
The leaks bust a fundamental myth about organisations we hand over our data to – the belief that our sensitive information will be protected by these entities. In recent examples exposed by The Quint, it has repeatedly emerged that both public and private institutions have either allowed citizen data to be leaked or have misused it.