Jharkhand’s Aadhaar breach: India needs a strong data protection law
Aaadhar requires stringent scrutiny because of its scale, because it is mandatory, and because so many who are registered have neither the knowledge nor the means to protect themselves, or get recourse in case something goes wrong.Updated: Apr 29, 2017 18:31 IST
It is ironic that a technological solution that could have plugged India’s porous welfare delivery system — and saved the State huge amount of funds — is itself proving to be extremely leaky. On Saturday, thanks to a programming error, names, addresses, Aadhaar numbers and bank account details of a million beneficiaries of Jharkhand’s old age pension scheme – or digital identities — surfaced on a government website. When HT reporters logged onto the site, they could drill down to get transaction-level data on pension paid into scores of pension accounts. This major privacy breach comes at a time when the Supreme Court, cyber-security experts and opposition politicians have questioned the Modi government’s policy to make Aadhaar mandatory to get benefits of a variety of government schemes and services.
The purpose of Aadhar when it was mooted is laudable. It had and has great transformative potential, it could if implemented in the right way lessen corruption and put each Indian on the official map when it come to rights and benefits. But, the breach reminds us that the security of our information is in the hands of authorities who don’t know how to secure it. In an interview to HT, AB Pandey, CEO, UIDAI, indicated the scale of challenge that Aadhaar faces: “For security inside Aadhaar, yes, I would say it is secure…but the nature of security threats keep changing. So we have to show absolute vigilance and take every possible measure to constantly assess the threats”. This “constant assessment of threats” obviously did not happen in Jharkhand (the situation could be similar in other states as well) because certain basic challenges were not addressed before embarking on the Aadhaar “seeding” process: User education does not match the rate at which security-related risks are growing; departments that hold this information are ill-equipped to maintain and safeguard these sensitive databases; and, while the UIDAI’s servers are impervious to attack, there are thousands of insecure computers at block-level government offices. In Jharkhand, for instance, cyber security experts had long warned that many websites maintained by the state government were insecure. Moreover, this multiplicity of software solutions and private service providers makes it enormously difficult to implement nationwide fixes once vulnerability had been discovered in one state.
Despite such critical data privacy issues, there are no legal safeguards for citizens in case of a data breach. Cyber security expert Pranesh Prakash mentioned in a recent HT piece that the Aadhaar Act and Rules don’t limit the information that can be gathered by the enrolling agency; it doesn’t limit how Aadhaar can be used by third parties if they haven’t gathered their data from UIDAI; it doesn’t require your consent before third parties use your Aadhaar number to collate records about you. But if and when identity theft is committed, individuals may never come to know as the law does not require the UDIAI to inform citizens about a data breach.
What India requires today is a strong data-protection law. It should have preceded the Aaadhar roll-out but unfortunately it did not. Such a law can also ensure that data are not misused by private companies. Recently, the UIDAI filed FIRs against eight unauthorised websites for promising Aadhaar-related services, and illegally collecting Aadhaar number and enrolment details from people.
Aaadhar, however, requires greater scrutiny because of its scale, because it is mandatory, and because so many who are registered have neither the knowledge nor the means to protect themselves, or get recourse in case something goes wrong.