Another Aadhaar Data Leak: Just Google ‘Mera Aadhaar Meri Pehchan’

In yet another revelation that raises worries about the privacy of your Aadhaar data, it has been found that a simple Google search will lead you to the Aadhaar details of several individuals. These details, including their name, address, Aadhaar number, date of birth and photograph, have been made publicly accessible on the internet for no clear reason. Thankfully, the biometric details are not available.

The sites that have uploaded Aadhaar details of individuals for apparent public consumption include, among others:

• The official government website of the Indian National Centre for Ocean Information Services (www.incois.gov.in)
• The official website of the All India Football Federation (www.the-aiff.com)
• The website of a private company Starcards India (http://starcardsindia.com), a service provider of payment gateway service, mobile app development and mobile app design based in Hyderabad.

Modus Operandi to Accessing Aadhaar Details

Here’s how easy it is to actually find the Aadhaar details of several people unknown to you.

• Step 1: Google “mera aadhaar meri pehchan filetype:pdf”
• Step 2: Click on any of the multiple PDF files that show up on the search
• Step 3: Click to download PDF
• Step 4: Voila! Aadhaar details of random strangers are now saved on your desktop

The details you will be able to access are as follows:

• Name
• Aadhaar number
• Parent’s name
• Address
• Date of birth
• Photograph

Twitter Asks: What Is Even Happening?

A Moneylife article that pointed out this ease of accessing Aadhaar details of individuals unknown to you has triggered an online conversation as well.

The Big Questions

Here are some of the worrying questions that arise as a result of this revelation.

If the websites concerned (including a government site) deliberately uploaded the Aadhaar details of these individuals online:

1. What is the purpose being served by uploading this information online, accessible to anyone with an internet connection, anywhere in the world?
2. Were these individuals asked if they are comfortable with their Aadhaar detais being uploaded publicly online? Are these individuals even aware that this has happened?
3. If the permission of the individuals concerned was not taken, is it not an infringement of the person’s privacy? These are, after all, their personal details.

If the websites concerned (including a government site) are not aware that the Aadhaar details of these individuals are publicly available online:

1. What prompted the websites to upload the Aadhaar details of these individuals? What were they attempting to do when they uploaded these PDFs online?
2. If a government website (www.incois.gov.in) has also done this unintentionally, is there a lack of awareness even within the government as to how to protect people’s data and Aadhaar details?

And the common question, regardless of whether these websites deliberately uploaded this information publicly:

These are questions that the Unique Identification Authority of India (UIDAI) will have to answer. Yet again, at some stage or the other, there has been a failure to keep the Aadhaar details of individuals secure.

The UIDAI cannot possibly deny the revelations made as anyone can search and verify this story for themselves. Therefore, anything short of a good explanation as to what has gone wrong will be unacceptable.

On AIFF Website, Easy Access to Hundreds of Personal Documents

The All-India Football Federation (AIFF) does not seem to understand the difference between keeping an internal records of member’s ID proofs and uploading people’s personal documents online.

The Quint is refraining from sharing the specific URL on the AIFF site which reveals the data. This is to respect the privacy of hundreds of people whose personal documents are on the webpage.

However, it would seem that the AIFF itself has little respect for the privacy concerns of people who provide the organisation with their identification proofs. Or worse still, the AIFF is unaware about the difference between uploading files to a private drive on the cloud versus uploading them on their website for public consumption.

The Danger of Such Leaks –Increased Vulnerability to Phishing

When someone gains access to so much of your personal information, it makes you more vulnerable to phishing.

Phishing is the fraudulent practice of sending emails or making calls claiming to be from reputable companies in order to induce people to reveal their personal information, such as passwords and credit card numbers. The information obtained is then used to carry out credit card frauds, unauthorised transactions and the likes.

So organisations like the AIFF and government body Indian National Centre for Ocean Information Services are endangering the security of the people whose personal details they are divulging online.

If this callousness in handling people’s personal data continues, our vulnerability to fraud and phishing too will only increase.