UIDAI Denies Latest Aadhaar Data Leak, Misinforms the Public Again

On Friday, The Quint reported that the Aadhaar details of numerous individuals had been published online by websites including a government site, India’s top football body AIFF, and a private company Starcards India among others. The report did not blame the UIDAI for the data leak.

But predictably enough, the UIDAI felt the need to issue a complete nine-point denial on Twitter and in the process, misinformed the public about the matter. Not to mention the obvious, but a simple Google search “mera aadhaar meri pehchan filetype:pdf” gives access to the data.

So if you want to check the veracity of our article, all you need to do is make one simple online search.

UIDAI Cries "Fake News" but Can't Explain Why

Dear UIDAI, when you say that our reports “are intentional and irresponsible acts of some unscrupulous elements” and “are far from the reality”, you’re wrong. They’re not far from reality at all – the reports are stating facts, facts that are verifiable by anyone who searches the internet for the phrase “mera aadhaar meri pehchan filetype:pdf”.

Nothing to Do With the Security of Aadhaar?

UIDAI says that the data leak has “nothing to do with the security of Aadhaar and its database. As none of the Aadhaar cards shown are taken from UIDAI database.”

Nowhere in the original article has the UIDAI been blamed for the data leak. Nowhere does it say that the Aadhaar cards shown have been leaked from the UIDAI database.

The report is not about the security of the Aadhaar database. The report is about the danger of Aadhaar details of random people being available online, their loss of privacy and increased vulnerability to online frauds and phishing.

In fact, what’s needed from the UIDAI, is acceptance that several organisations that are now repositories of Aadhaar-related data of their employees, need education on how to safeguard such data and their employees’ privacy.

People Should Take Precautions, but Govt Sites Shouldn't?

That precaution is essential because if the personal documents of individuals fall into the wrong hands, there is immense scope for misuse of that information.

Which is what we have been saying all along! Which is the problem with the personal documents of hundreds of individuals being available online, accessible by anyone with an internet connection.

See, dear UIDAI, the problem would seem a problem to you if you weren’t so intent on denying everything that has the words “Aadhaar” and “leak” in the same sentence.

“Sharing Aadhaar Details” Not the Same as Divulging Them

UIDAI tweeted, “Aadhaar as an identity document by its very nature needs to be shared openly with others as and when required and asked for.”

Dear UIDAI, nobody is refuting that. But there’s a difference between an individual providing his Aadhaar details when needed versus an organisation divulging them online.

Surely You’re Joking, UIDAI!

Among the nine tweets in UIDAI’s vehement denial, the most absurd one has to be the sixth tweet.

The UIDAI claims, “By simply knowing someone’s Aadhaar, no one can impersonate & harm him because Aadhaar alone is not sufficient, it requires biometrics to authenticate one’s Identity.”

The following details of people were revealed online in the latest Aadhaar data leak.

• Name
• Aadhaar number
• Parent’s name
• Address
• Date of birth
• Photograph

Phishing in Troubled Waters

Phishing is the fraudulent practice of sending emails or making calls claiming to be from reputable companies in order to induce people to reveal their personal information, such as passwords and credit card numbers. The information obtained is then used to carry out credit card frauds, unauthorised transactions and the likes.

So organisations like the AIFF and government body Indian National Centre for Ocean Information Services are making the people, whose personal details they are divulging online, more vulnerable to online frauds and phishing.

If Only Wordplay Could Make Our Data Safer

The UIDAI’s final two tweets of denial use a clever choice of words to tell a half-truth.

When the UIDAI claims, “there has not been a single breach from its biometric database during that last eight years of its existence”, it conveniently ignores two things.

1. The report on the latest data leak specifically mentions that biometric details have not been divulged in the leak.
2. Neither the investigative report by The Tribune in January (Rs 500, 10 minutes, and you have access to billion Aadhaar details) nor the followup by The Quint (Aadhaar’s Dirty Secret Is Out, Anyone Can Be Added as a Data Admin) mentioned that biometric details have been leaked. However, both reports showed how compromised the security of the Aadhaar database was.

So for the UIDAI to boast that “Aadhaar remains safe and secure” by mentioning that “there has not been a single breach from its biometric database” is to quote information in a deliberately misleading manner.

These non-biometric details include an individual’s photograph, full name, parent’s name, date of birth, email address, mobile number, gender and complete residential address.

And as explained above, for reasons like the increased threat from phishing, such data leaks are a cause for concern, aside from the obvious privacy woes that arise.

Living in Denial: Against National Interest

For the UIDAI to repeatedly brush away legitimate worries about data leaks does not bode well for the country. Their vehement denial to the latest data leak relies on half-truths and faulty reasoning to make its point – that all is well with everyone’s Aadhaar data.

Yet, as we’ve explained in this point-by-point counter, the UIDAI’s assurances seem to be, to use their own words, “far from the reality.”

(The Quint has given up the use of plastic plates and spoons. This Earth Hour, what will you #GiveUp to save the planet? Use the hashtag #GiveUp and tag @TheQuint to tell us.)