The UIDAI could not be reached for comment. An official said the investigation was being handled by police.
The Delhi Police probe into an FIR against The Tribune newspaper and its reporter Rachna Khaira, who had reported that anonymous sellers over WhatsApp were allegedly providing access to Aadhaar numbers for a fee, has led investigators to the office of the Surat District Magistrate.
According to Additional Commissioner of Police (Crime Branch) A K Singla, two people working with an Aadhaar centre inside the DM’s office have been questioned.
“We have served notices under Section 160 of the CrPC to two persons working with an Aadhaar centre running inside the office of the District Magistrate of Surat. Further investigations are underway,” Singla said, adding that police have started questioning them at their office in Kotwali.
(ENS adds from Ahmedabad: While the Surat District Magistrate and Collector could not be reached for comment, Deputy Mamlatdar Mahendra Dave told The Indian Express: “A few days ago, a team from Delhi had come to Surat and they collected some information and left. I am unaware if two persons from the District Collector’s office were questioned by Delhi Police.”)
Police believe the particular server at the Aadhaar centre was allegedly used to access the details of private individuals.
On January 5, a Deputy Director of the Unique Identification Authority of India (UIDAI) registered an FIR against The Tribune and its reporter. The FIR also named Anil Kumar, Sunil Kumar and Raj, all of whom were mentioned in The Tribune report as people Khaira contacted during the course of her reporting. An FIR was lodged with the Crime Branch’s cyber cell under IPC Sections 419 (punishment for cheating by impersonation), 420 (cheating), 468 (forgery) and 471 (using as genuine a forged document), as well as Section 66 of the I-T Act and Section 36/37 of the Aadhaar Act.
The UIDAI could not be reached for comment. An official said the investigation was being handled by police.
An Cyber Cell officer, who did not wish to be named, told The Indian Express that following the FIR, police had sent a letter to the UIDAI, seeking details of the server from which data was allegedly accessed. “They replied but did not provide the particulars. Another letter was sent to them in February, and they responded after conducting an internal probe,” the officer said.
Cyber Cell sources said that two months ago, it was discovered that the login ID of the Surat DM was allegedly used to access the data. A team was sent to Surat to meet him. “Police then discovered that an Aadhaar centre had been running inside his office, and staff had been using his login ID. But since the staffers in question were not present, police paid a visit later and served notices to them,” an officer said. Typically, Aadhaar cards are made, and requests for information change are put in at such service centres.
Police said that on Tuesday, two persons joined the investigation at the Cyber Cell’s office in Kotwali, where they were questioned by an ACP-rank officer. “Since it was a technical case, police are trying to ascertain how they were allowed to access the server, and whether it was done legally or illegally,” the officer said.
In the January 5 FIR, the complainant, B M Patnaik, who works with UIDAI’s logistics and grievance redressal department, had said: “An input has been received through The Tribune dated January 3, 2018, that the ‘The Tribune purchased’ a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far.”
The Tribune report, dated January 3, had stated: “It took just Rs 500, paid through Paytm, and 10 minutes in which an ‘agent’ of the group running the racket created a ‘gateway’ for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.”