Aadhaar security: Here's how your private information can be protected

Lock Aadhaar, and notify UIDAI if you get a one-time password for a transaction you did not initiate

Sanjay Kumar Singh  |  New Delhi 

To secure your Aadhaar, lock it

Aadhaar, the 12-digit unique identification number for Indian residents, is going through a tough phase. On the one hand, the government, keen to make it mandatory, is linking it with the filing of income-tax returns and with welfare benefits. On the other, many are uncomfortable with it because of privacy issues and the data leakages reported recently. The Supreme Court, on Tuesday, referred another fresh plea challenging the Aadhaar Act and its mandatory use in government schemes to a larger Constitution bench.

In the meantime, there have been several reports that Aadhaar numbers and other personal data are being leaked. The Bengaluru-based Centre for Internet and Society (CIS) has published a report (titled "Information security practices of Aadhaar, or lack thereof") that lists four government departments which posted Aadhaar numbers and other personal information of individuals on their websites. According to the report, an estimated 130-135 million Aadhaar numbers and 100 million bank account numbers were posted on the four portals that the CIS researchers checked. Such leakages violate people's privacy and expose them to the risk of identity and financial fraud.

Government programmes across the country use information from the Aadhaar system for a variety of purposes. Such data should normally be kept on the government's intranet, where only authorised people can access it. However, a few government departments have uploaded this data to their public websites. In many cases, the data was in Excel format, which makes it all the easier to download in bulk and misuse.

The worst part: if your data is stolen and misused, you cannot even file a first information report (FIR) with the police. Only the nodal body, the Unique Identification Authority of India (UIDAI), can file a police complaint.

Your data can be misused: Experts say that the leakage of Aadhaar numbers and other personal information into the public domain violates people's privacy. "Your name, phone number, address, bank account number and Aadhaar number are personal information. Only you have the right to decide whether to release such information to others. Such data shouldn't be compiled in Excel sheets in large numbers and be freely accessible on the internet to everyone," says Udbhav Tiwari, policy officer at the Centre for Internet and Society, Bengaluru.

Telemarketers and advertisers will now have access to the personal information of all those people. More serious problems, such as identity theft, can follow. When you call the customer care centre of your bank, broker or e-tailer with a problem, the staff there first try to authenticate you by asking for some personal data, such as your date of birth. Anyone else in possession of such data can now transact on your behalf. Says Smitha Krishna Prasad, project manager, Centre for Communication Governance at National Law University, Delhi: "The more information a person has about you, the easier it becomes to impersonate you when that person is speaking to, say, a bank." The impersonator could open a bank account or even take a loan in your name.

Experts who manage digital threats for their clients explain that when a hacker sets out to break into someone's account (bank, credit card, etc.), any personal information he obtains from a public source becomes fodder for the next layer of the attack. Suppose a hacker gets your email ID. "He will use the 'Password reset or Forgot password' feature to change your password and get access to your account. This feature poses questions based on personal info about you. Any such data collected about you comes in useful here. Such hackers mine a lot of data about potential victims from all possible sources," says Shomiron Das Gupta of NetMonastery, a threat management provider. In the email account, he could then find information about your bank account, credit card account and so on, and cause you financial losses.

Serious risks can also arise if someone manages to defeat the biometric authentication or one-time password (OTP) required for using the Aadhaar system. "It is possible to copy an individual’s fingerprints, and replicate them using very commonly available resins. It is also possible for hackers to capture the data being communicated between a telephone tower and a mobile phone, especially if it is poorly encrypted. This will allow the hacker to see the OTP. Admittedly, this does require expertise and a targeted effort vis-a-vis an individual," says Tiwari. Now that the Aadhaar numbers of so many people have been divulged, someone could use their identity to steal their government-granted benefits, or obtain a SIM card, which could then be misused. Raman Jit Singh Chima, policy director at Access Now, points out that at many places where the Aadhaar number is required today, no biometric authentication is done, so the number alone can be used to impersonate you.

Lock your biometrics: If your Aadhaar number and other personal information have been leaked, here are a few steps you can take to safeguard yourself. One, be wary of any call asking for additional details that may not already have been leaked. Be equally wary if a caller rattles off your personal data and asks you to confirm it; the caller could be pretending to be from your bank. It is best not to reveal or confirm any information over the phone at all. Two, you have the option to lock your biometric data online. Even if someone manages to copy your fingerprint, he will not be able to use it for authentication while your biometrics are locked. Three, if you receive an OTP on your phone for a transaction you did not initiate, notify the UIDAI so that no transaction is carried out using your Aadhaar.

Need for a privacy law: To prevent data leaks in the future, the government needs to sensitise state government officials who handle such data about the need to protect its privacy. More importantly, India needs a comprehensive data protection law. At present, there is only a limited provision in the Information Technology Act (as amended in 2008) under which you can file a civil case against a corporate body that has leaked your personal information. "The person affected by data leakage has to show that he has suffered wrongful loss, or somebody else has enjoyed a wrongful gain, and then claim compensation," says Prasad.

After the Radia tapes incident, the government had said that it would pass a comprehensive privacy law. "This law would lead to the creation of a data protection authority with enforcement powers, which would be able to penalise both companies and government bodies violating privacy principles. Despite the process beginning in 2012-13, and multiple drafts being leaked into the public domain, there has not been much progress on this count," says Chima. He adds that once the privacy law becomes a reality, any part of the Aadhaar Act that is contrary to it should also be amended.

Business Standard