comscore
News

Aadhaar data breach: Edward Snowden says if anyone should be arrested it is UIDAI

UIDAI recently filed a criminal complaint against the reported who had first reported the breach.

  • Published: January 9, 2018 4:32 PM IST
edward-snowden-image

Last week, the Unique Identification Authority of India (UIDAI) was in the middle of a big controversy, after a journalist from The Tribune alleged that some “agents” working for the authority, were handing over crucial Aadhaar details, in exchange of a mere Rs 500 over Paytm. UIDAI soon reverted to the accusation, calling it a case of misreporting. Ever since, there has been a back and forth between the publication and the authorities, with the latter recently demanding the reporter to be arrested for “false accusations”. To this, US NSA whistleblower, Edward Snowden has responded, and he holds UIDAI responsible.

Snowden said in a recent post on Twitter that the “journalist deserves an award, not an investigation”. He said that if the government was really concerned about the biometric information, then they should be working on reforming policies. And if they do want to arrest someone, it should be the UIDAI.

The Tribune reporter had revealed last week that she was able to buy access to the personal information of nearly 1.2 billion people in the Aadhaar database for just Rs 300. She was then named in a criminal complaint by the UIDAI, with alleging a range of offences including forgery and cheating.

The filed complaint led to a heated debate online regarding ‘Freedom of Press’ and ‘Free Speech’, to which UIDAI soon responded saying that while it respects those fundamental rights, it is for an act of unauthorized access that the complaints have been filed.

Ravi Shankar Prasad, India’s Information and Technology minister, doubled down on the government’s commitment to freedom of the press.

Last week, The Tribune reported that anonymous sellers over WhatsApp were providing unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far. Reportedly, for exchange of a mere Rs 500 over Paytm, “agents” create a “gateway” and pass on login ID and passwords. You could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.

To the cybersecurity concerns that this issue has raised, CEO and founder of a cyber security consulting firm, Network Intelligence, KK Mookhey said, “Aadhaar has now become one of the biggest concerns from a national perspective when it comes to data security and privacy. It is very important that UIDAI takes necessary measures to build the confidence of the citizen in terms of protecting their demographic and biometric data. UIDAI should conduct a full-fledged end to end security audit and should make the results of the audit and the subsequent mitigation measures public.”

He added, “UIDAI should provide detailed instructions to all stakeholders on security mechanisms including both technical & procedural and provide the complete details of the security architecture and encryption used. No security by obscurity. To detect frauds that misuse authorized logins, UIDAI should implement robust monitoring mechanisms and a proper incident response mechanism.” “UIDAI can repeat audits every year if not every six months as only full transparency will restore trust back in this system, else more bad news is likely to come. It may also be a good idea to implement a public bug bounty program and reward researchers who find issues.”

  • Published Date: January 9, 2018 4:32 PM IST