No, India’s AADHAAR database has not been compromised

A report from Guardian

Social and mainstream media is abuzz with headlines that scream that the Aadhaar database has been ‘leaked’ or ‘breached’ by miscreants and that the UID Authority of India has been caught napping.

“Personal data of a billion Indians sold online for £6”, screams the Guardian. “Local Indian newspaper was able to access the private data of nearly 1.2 billion Indians for just $8,” claims Buzzfeed.

“India’s national Aadhaar ID database reportedly breached,” claims Reuters.

Has Aadhaar data really leaked? Or is it a case of journalists not understanding how technology works? Going by available data, it looks like the second scenario is more likely, even if the report by the Tribune newspaper is 100% correct.

First, let’s look at what the Tribune says.

The report says that if you spend a certain amount of money, you can get access to an Aadhaar verification facility.

Using this facility, you can verify — or figure out — the actual identity of a person if you input an Aadhaar number into the system or press his finger against a reader for identification.

This does not constitute a breach or hacking of the Aadhaar database.

At best, it constitutes the violation of privacy of the citizens, as anyone willing to pay can now figure out the residential adressess, email addresses and phone numbers of anyone else whose Aadhaar number they have.

While this is certainly not a satisfactory state of affairs — after all, nobody wants to expose their phone numbers and addresses to all and sundry — it is a far cry from a ‘breach’ or ‘leak’ of the database, as media reports would have you believe.

In fact, the primary purpose of creating the UID database is to be able to verify the identity of a person, and the entering an Aadhaar number and checking the person’s details is exactly how you verify the identity of a person.

Anyone who has used the Aadhaar e-verification facility will know that when you enter your unique ID or press your finger against the sensor, the system displays all the above details, including your address, email and phone number.

That is a feature, not a bug.

The problem, in this case, is that this verification facility is supposed to be available only to ‘serious’ users — such as telecom operators and banks. Just about any Tom, Dick & Harry with 500 rupees to spare is not supposed to be able to get access to the verification portal.

According to the UID Authority, the people who were selling the access were using the accounts created for ‘grievance redressal’.

In other words, they were misusing the verification facility that was set up for government officials and UID agencies to deal with complaints regards wrong Aadhaar data and so on.

This suggests that some officials have been ‘selling’ their access for money.

SHOULD YOU BE WORRIED?

The key question is, should you be worried? Is your UID data just lying there somewhere for everyone to see?

No.

First, your data has not been leaked. Nobody, other than the UIDAI has a list of Aadhaar numbers, names, emails etc.

At best, what anyone can do is to find our your name and address if they have your Aadhaar number.

The ‘if’ part is key. They need to have your Aadhaar number to find out your name and other details. They cannot enter your name and get your Aadhaar number.

It’s a bit like your PAN or your vehicle registration number. If someone has your PAN, they can go to the Income Tax website, enter the PAN and know your name.

Similarly, anyone can go to your government’s Road Transport Department website, enter your car or bike registration number and find your details as well.

The key difference is in the level of detail.

While a PAN or a VAHAN lookup only allows you to verify your name, an Aadhaar check reveals your address, phone number and email address, if provided.

Moreover, in case of Aadhaar, all requests are logged.

In other words, there is a record of all verification requests carried out from all IDs.

In other words, the people who sold their logins are not very smart and it’s not very difficult to find out who has been selling their access facility for money.

Is this an ideal situation?

Far from it.

But has the Aadhaar system been finally hacked, is your data personal data up for sale on the Internet? Should you get a new set of fingers and eyes? Nopes, at least not yet.