Aadhaar - How safe is your data?


New data leak hits Aadhaar system crumbling UIDAI’s 13-feet high, 5-feet thick wall. ~The News Minute


An Aadhaar number is a 12-digit random number issued by the UIDAI ("Authority") to residents of India after they complete the verification process laid down by the Authority. Any individual who is a resident of India, irrespective of age and gender, may voluntarily enrol to obtain an Aadhaar number. Individuals who wish to enrol have to provide minimal demographic information (name, age, gender, address, mobile number and email ID) and biometric information (ten fingerprints, two iris scans and a facial photograph) during the enrolment process, which is entirely free of cost. An individual needs to enrol for Aadhaar only once; after de-duplication only one Aadhaar is generated, as uniqueness is achieved through the process of demographic and biometric de-duplication.

UIDAI is a statutory authority established in January 2009 by the government of India, under the jurisdiction of the Ministry of Electronics and Information Technology, following the provisions of the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016.

Central Identities Data Repository (CIDR) is a government agency in India that stores and manages data for the country's Aadhaar project. CIDR, which is regulated by the Unique Identification Authority of India (UIDAI), is responsible for verifying the authenticity of documents submitted by an individual and that an applicant is actually the person he or she claims to be.


Aadhaar is the world's largest centralised repository of demographic and biometric data. And yet the security around the private data of nearly every Indian citizen is abysmal. In the UK, a similar idea for a unique central data repository was dropped due to concerns about security and privacy. The actual magnitude of risk mitigation and complexity necessary to safely maintain such a large repository was beyond the UK, a country which is relatively much more technologically advanced, has better connectivity and has a much smaller population than India. The invulnerability of CIDR thus becomes a huge question mark.

Earlier this year, an investigative journalist at The Tribune contacted anonymous people via WhatsApp who were selling Aadhaar data. Less than 10 minutes after the journalist paid Rs.500 via Paytm, an agent of the racket provided her with an unauthorised login ID and password with which she could access the demographic data of over one billion Indians using their Aadhaar number. The data exposed included private data such as name, date of birth, address, PIN, phone number and e-mail ID of all Aadhaar-enrolled individuals. For just another Rs.300, she was also offered software which would allow her to print the Aadhaar card of any individual for her own use.

Multiple government and private organisations have also been uploading Aadhaar data to the public domain through their websites. French hacker Baptiste Robert, through nothing more sophisticated than Google searches, found over 20,000 confidential Aadhaar records in the public domain in less than 3 hours. He also demonstrated via a viral video how the official Aadhaar app could be hacked in less than one minute to bypass its password protection of data.

These incidents show a major lapse in national security. "Data is the new oil" is the catchphrase of our times, and CIDR is a gold mine for big data analysts. As the recent controversy surrounding Cambridge Analytica using psychological tactics to influence voter behaviour in US elections shows, access to private data can be a very dangerous weapon in the wrong hands. Beyond targeted marketing and advertising, such data can also be used in phishing scams, for opening illegal bank accounts, for getting SIM cards in someone else's name, etc.

The racket providing Aadhaar services apparently has its origins in the village-level enterprise (VLE) operators hired by the Ministry of Electronics and Information Technology under the Common Service Centres Scheme (CSCS) across India during the initial phases of Aadhaar registration. When their job was withdrawn as a security measure, it is estimated that more than 1 lakh of these VLEs turned to the racket to provide Aadhaar data for a price. This amounts to a shocking data breach, since in any state only the director-general and additional director-general of UIDAI regional centres should have access to the data.

Aadhaar has been much debated as a violation of the right to privacy, and now it has become a national threat. Linking Aadhaar and making it mandatory to avail almost any government service has exponentially scaled up the magnitude of this threat. The CA scandal in the US arose because the firm illegally accessed 50 million Facebook profiles. Aadhaar contains twenty times that number, and the scale of a hack into the CIDR can barely be imagined. Attorney General KK Venugopal telling the Supreme Court that data collected for Aadhaar was secure behind 13 feet high and 5 feet thick walls is a farcical example of how safe the data is, and of how much the officials in charge understand how it works. If any hostile foreign forces and governments get hold of this data, it will be an understatement to call it detrimental to India's interests.


The UIDAI has dismissed the Tribune story as a case of "misreporting". The organisation has assured that there has been no breach of Aadhaar data as "UIDAI maintains complete log and traceability of the facility and any misuse can be traced". The UIDAI further reassured that "UIDAI Data Centres are infrastructures of critical importance and is protected accordingly with high technology conforming to the best standards of security and also by legal provisions."

Aadhaar data contains both demographic and biometric information. Of these, it is the biometric data which is of a confidential nature and must be protected. CIDR uses the latest technology (2048-bit encryption) for the data, and it would mathematically take a supercomputer several times longer than the age of the known universe to crack a single encrypted Aadhaar record. Not a single breach of biometric data has even been alleged. All the allegations deal with demographic data.

It must be remembered that Aadhaar data cannot be considered confidential. Demographic data, like name, address, phone number, etc., is easily available online and offline. It can be found in electoral rolls, which by law are mandated to be in the public domain, in phone directories, on social media pages, etc. This availability of demographic data is a necessary compromise between individual privacy and national security. The claims that demographic data has been leaked from CIDR are thus essentially baseless. UIDAI also said that "by simply knowing someone's Aadhaar, one cannot impersonate and harm the person because Aadhaar alone is not sufficient to prove one's identity but it requires biometrics to authenticate one's identity".

Furthermore, an Aadhaar number is a 12-digit random number. The illegal access to data alleged in The Tribune was through a grievance redressal mechanism. But it still required the user to input the correct 12-digit Aadhaar number of a person to get his details. And not all 12-digit numbers are in use either; the chance of correctly guessing any Aadhaar number is less than 0.001, i.e., you will get a correct Aadhaar number only once every 1000 trials. If a person has already supplied his/her Aadhaar number and it was used to obtain the information without consent, it is a case of violation of trust, and not a breach of data.

Claims that Aadhaar is a violation of privacy are also shrill voices going against the national interest. The same people would have no issue filling out the 10-page documents necessary for a US visa application. Jio has a database of nearly 100 million users of its SIMs, complete with demographic data and call records. Aadhaar is an attempt to reduce corruption and bring transparency into the Indian system. It will help eliminate middlemen in welfare schemes and give every Indian a unique identity. Those alleging data breaches and leaks are merely trying to get their five minutes in the spotlight by twisting facts.
