Why this Blog? News articles on the World Wide Web quite often disappear with time, when they are relocated as archives with a different URL. Archives in this blog serve as a library for those who are interested in doing research on Aadhaar-related topics. Articles are published with details of the original publication date and the URL.
In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. I connected with many like-minded, highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this blog now just captures, on a daily basis, a list of articles published on anything to do with Aadhaar as obtained from daily Google searches and nothing more. I cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.
Aadhaar
The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018
When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die-hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? Ram Krishnaswamy
First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi
In matters of conscience, the law of the majority has no place. - Mahatma Gandhi
“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty. - Attorney General Mukul Rohatgi
“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.
Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.
Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.
Rajeev Chandrasekhar, MP Rajya Sabha
“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh
But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. - Rajeev Chandrasekhar, Rajya Sabha MP
“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha, April 2017.
August 24, 2017: The nine-judge Constitution Bench rules that the right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution.
"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"
“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden
In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.
Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.
Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.
UIDAI's security seems to be founded on four time tested pillars of security idiocy
1) Denial
2) Issue fiats and point finger
3) Shoot messenger
4) Bury head in sand.
God Save India
Thursday, May 10, 2018
13499 - Worrying gaps - Telegraph India
May 09, 2018 00:00 IST
Data leaks and security breaches have become a part of 21st-century life. However, how organizations — especially the government — react to such events is important in assuring the citizen that this is something not to be condoned and something that must be made more infrequent through greater security. Taking away personal data (for whatever purpose) without the consent or knowledge of the individual is as good as property theft — both are violations of rights and constitute an act of coercion. The theft of information can be humiliating for the person whose data has been stolen. Personal data can be of various kinds and misuse could lead to substantial losses for the owner. This is often not realized.
In India too, data breaches are becoming more common. The reactions of the people who fail to prevent the breach and those of the government and the experts who know how certain security lapses lead to breaches can, at times, be shocking. Some time back, the government of Andhra Pradesh put up on its website the Aadhaar details of a large number of citizens. When the lapse was pointed out, the government hastily removed some of the details, but claimed that it was done to provide transparency regarding beneficiaries of certain publicly-funded projects. The more recent news about the Employees Provident Fund Organisation data breach is even scarier.
Financial details could be widely misused. The government has chosen to remain silent, as have civil service experts. Transparency is not the opposite of privacy. Achieving transparency by the coercive violation of privacy is patently wrong. Silence on the part of the government can only be seen as a gradual and systematic blurring of the lines separating the private and the public spheres. This is an ominous sign; it portends greater control and manipulation on the part of agencies and institutions of the lives of ordinary citizens. Unlike in India, the Equifax data breach — it had taken place in the United States of America last year — had led to a quick apology and beefed-up security.
Tuesday, January 23, 2018
12763 - The Gazette Of India And The Aadhaar Paradox - Bloomberg Quint
The Gazette Of India And The Aadhaar Paradox
BloombergQuint Opinion
Abhimanyu Radhakrishnan @abhi2point0
23 January 2018, 5:36 PM
I owe my initial break in the media business indirectly to my father’s ‘gazetted officer’ status. It was 2002 and a family friend asked for a favour on behalf of his friend, a senior television industry honcho who was moving to London. The United Kingdom-bound executive needed to get his infant child’s nanny a passport and it was proving to be a struggle to obtain the ‘letter from gazetted officer’. Most people would rightly have been wary of giving such approvals given the human trafficking cases and disappearances rampant via this route, but since the reference came from a trustworthy person, dad decided to oblige. Now ‘oblige’ here didn’t mean just signing off on a letter. It meant taking the next logical step of visiting the executive’s residence (where the nanny lived) and meeting both of them to convince himself of the legitimateness of the entire exercise. Over a cup of tea, the polite conversation veered towards family and dad casually mentioned a recently graduated son interested in a news media career. The executive, as a gesture of gratitude, was quick to offer the mobile number of his industry peer who happened to head a new business TV channel. Back in those days, CEOs actually picked up phone calls from unknown numbers and after a quick follow-up email to HR with CV, yours truly had a foot in the door with an (unpaid) internship.
One might point out that this could be construed as a potential situation for quid pro quo and it’s true that there’s a fine line — but making sure you were on the right side of that line was the entire point.
The government’s ‘trust architecture’ was based on this principle that a certain cadre of official, with a certain rank — usually linked to the number of years served — could be trusted to use his official seal honestly.
Verifying credentials in person, using one’s discretion (that these credentials were legitimate) and ideally, making a counter-record in one’s own ledger were all part of the fairly rigorous process. However, it was clear that this colonial-era administrative procedure would wilt as demand for such documents exploded with populations and development. The most obvious problem was that practically no human being could keep real-time track of the voluminous Gazette of India (printed weekly), and nowhere did there seem to be a consolidated directory of every gazetted rank and position. In fact, it was well after the easy availability of tools of forgery (rubber stamps, scanners, and printers) that official notices started insisting that such letters be on official letterheads and mention official addresses and phone numbers. This system was designed, after all, in an era in which all gazetted officers in government service probably knew each other — a woefully outdated assumption for decades now.
This is precisely the kind of antiquated system that Aadhaar, in theory, was supposed to be an answer to. The epic mess that’s been playing out over the past few weeks in particular, however, points to a very fundamental issue with the project.
If your premise is that most people are inherently corrupt and can’t be trusted with authentication, how can you expect those same people to deploy this system?
As technologist and activist Kiran Jonnalagadda — whose criticism, amongst others, is finding its way into the ongoing Supreme Court hearings on the project — nicely put it in a long and detailed critique: the system assumes you are the potential perpetrator of fraud and not the state apparatus.
This assumption has been smashed to smithereens by the complete collapse of two systems on the administrative back-end. The first is the outsourced enrollment system which the Unique Identification Authority of India has now shut down after blacklisting nearly 50,000 enrollment agencies and operators.
There is some scant data on how many were fined for overcharging but no specifics on how many have been caught creating fake entries (with real biometrics but incorrect information), ghost entries (using combinations of different people’s biometrics) and/or using fake documents. The second system which had to be taken offline and overhauled was the online verification system — the subject of the recent sting. The “breach” there was that login IDs to view data of any Aadhaar holder were up for sale.
The shocking technical ‘fail’ there was that these were users with administrator rights, i.e. those admins could, in turn, create more users with administrator rights.
Aadhaar Seva kendra. (Source: Aadhaar Official Account/Facebook)
Anybody who has ever used simple collaborative software like Google Docs would notice a basic option when giving people editing rights that says “allow editors to give others editing rights”. What’s more disturbing is that in the First Information Report application provided by the UIDAI, there are no details of the time or internet protocol address of the unauthorised login, despite the fact that the reporter shared the user ID with which she logged in. If the UIDAI cannot trace who gave administrator rights to the person who gave these administrator rights, and so on up the chain, then the system is comically flawed. Blocking the access of 5,000 officials to this system shows that the ancient “gazetted officer” system has proven to be more robust.
The bigger danger though in this kind of system is yet to come. As the mobile SIM-Aadhaar linking deadline approaches and reports of rampant fraudulent linkage by telecom companies are emerging, serious questions arise. The UIDAI keeps harping on the fact that biometrics are only one kind of verification and one-time passwords on the mobile phone can be used instead. But a major point of access to that mobile phone is controlled after all by a mobile phone operator who in turn has given thousands of kiosk-level employees the right to accept and authenticate documents.
The gazetted officer ‘burden of trust’ has now moved to this fairly junior section of the workforce.
While it would be unfair to generalise on the moral proclivities of any broad section of the populace, let’s just say that these roles aren’t particularly well compensated — due to easy supply of millions of young people looking for any kind of service industry job — and offer little or no job security. Most telecom stores and kiosks are currently allowing users to either authenticate immediately with biometrics or to leave a copy of their Aadhaar ‘cards’ and wait for them to be (presumably) verified manually.
The latter option seems to be the source of fraudulent linking, with multiple people finding unknown numbers linked to their SIMs. The UIDAI has gone on record to say that it’s no big deal if only demographic data is leaked since the biometrics are safe. But that demographic data clearly mentions the Aadhaar-registered mobile number and thus has made it very easy to collude with a low-level telecom employee or partner to get a SIM card deactivated and re-issued (to someone else) using the legitimate process for lost SIM applicants. With OTP being considered on a par with biometrics for verification, this is essentially the equivalent of enabling identity theft.
Bharti Airtel, Vodafone India and Idea Cellular SIM card packs are arranged for a photograph in Mumbai, India. (Photographer: Dhiraj Singh/Bloomberg)
Someone might point out that this is trivially solved by henceforth insisting that only biometric verification can be accepted to re-issue SIMs. But then what of UIDAI’s much-vaunted feature of locking your biometrics on the Aadhaar portal? The unlock needs an OTP which is no longer available to genuine users who’ve lost or damaged their registered SIMs. In that case, will telecom companies across the country then upgrade their systems to ensure that only someone equivalent of a gazetted officer (ideally one who registers with the government) has the authority to approve re-issuing of a SIM without biometrics? Will all these private sector employees with short stints across companies and industries have the same implicit level of trust and background check as, say, a commissioned officer of the Armed Forces with twenty years of service? Will the loss of a phone suddenly become a nightmare given that registering a new number against Aadhaar now requires a visit to an enrollment center? Most are already reeling under manpower and resource constraints.
The problem with top-down centrally designed systems — which then outsource key functions to the lowest bidders — is that you can’t compete with the perverse incentive of thousands of motivated small players. The old way was to seed the system with enough people whom you trusted, in a decentralised way, i.e. the gazetted officer concept. The new way, with essentially the same decentralised principle, could probably be to trust the wisdom of the entire system as a whole, using blockchain or similar technologies. The current way that the UIDAI seems to prefer is by evolving its systems at the expense of user safety and convenience, being not just unapologetic but arrogant about it. That approach never ends well in a democratic setup.
Abhimanyu Radhakrishnan hosts television shows and writes on science, technology and business while also running a digital media consulting firm.
The views expressed here are those of the author’s and do not necessarily represent the views of BloombergQuint or its editorial team.
BloombergQuint
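The two failures the article above describes in the verification portal (administrators able to create further administrators, and a grant trail with no time or IP address to trace) are what a privilege-grant ledger is meant to prevent. The following is an added illustration, not code from the article, BloombergQuint or the UIDAI; every user ID, IP address and timestamp in it is constructed.

```python
"""Added example: a minimal privilege-grant ledger in which admin rights
are not transferable (only a separate root role may create admins),
every grant is recorded with grantor, UTC time and source IP, and
trace_grant_chain() walks a user's grant history back to the root that
started it.  All identifiers below are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

ROOT, ADMIN, VIEWER = "root", "admin", "viewer"

# Which roles each grantor role may hand out.  ADMIN deliberately cannot
# grant ADMIN: this is the "allow editors to give others editing rights"
# box left unticked.  ROOT is never granted at runtime.
ALLOWED_GRANTS = {ROOT: {ADMIN, VIEWER}, ADMIN: {VIEWER}}


@dataclass(frozen=True)
class GrantRecord:
    grantor: str
    grantee: str
    role: str
    granted_at: str  # ISO-8601 UTC timestamp of the grant
    source_ip: str   # address the grant was issued from


class GrantLedger:
    def __init__(self, root_user: str) -> None:
        self.roles: Dict[str, str] = {root_user: ROOT}
        self.log: List[GrantRecord] = []

    def grant(self, grantor: str, grantee: str, role: str,
              source_ip: str, now: Optional[datetime] = None) -> bool:
        """Record the grant and return True, or refuse it and return False.
        Refused: grantor lacks the right to give `role`, or grantee already
        holds a role (no silent re-assignment)."""
        allowed = ALLOWED_GRANTS.get(self.roles.get(grantor), set())
        if role not in allowed or grantee in self.roles:
            return False
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        self.roles[grantee] = role
        self.log.append(GrantRecord(grantor, grantee, role, stamp, source_ip))
        return True

    def trace_grant_chain(self, user: str) -> List[GrantRecord]:
        """Return the grant records from `user` back to the root, newest
        first; empty for the root itself or an unknown user.  This is the
        question the FIR could not answer: who gave rights to whom, when,
        and from where."""
        by_grantee = {r.grantee: r for r in self.log}
        chain: List[GrantRecord] = []
        while user in by_grantee:
            chain.append(by_grantee[user])
            user = by_grantee[user].grantor
        return chain


def demo() -> dict:
    """Constructed scenario: root creates an admin; that admin tries to
    mint another admin (refused) and then creates a kiosk-level viewer;
    the viewer is traced back to root."""
    ledger = GrantLedger("root-ops")
    t0 = datetime(2018, 1, 4, 10, 0, tzinfo=timezone.utc)
    ok_admin = ledger.grant("root-ops", "admin-17", ADMIN, "10.0.0.5", t0)
    bad_admin = ledger.grant("admin-17", "admin-99", ADMIN, "10.0.0.9", t0)
    ok_viewer = ledger.grant("admin-17", "kiosk-301", VIEWER, "10.0.0.9", t0)
    chain = ledger.trace_grant_chain("kiosk-301")
    return {
        "ok_admin": ok_admin,
        "bad_admin": bad_admin,
        "ok_viewer": ok_viewer,
        "admin_99_exists": "admin-99" in ledger.roles,
        "chain": [(r.grantor, r.grantee, r.source_ip) for r in chain],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```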
Monday, January 22, 2018
12743 - Existence of other biometric databases may pose new challenge to Aadhaar - Hindustan Times
Existence of other biometric databases may pose new challenge to Aadhaar
The existence of independent biometric databases means the information the UIDAI holds under lock and key is also scattered among scores of government departments. The real database problem for Aadhaar is not as much with its database but with these other databases.
INDIA Updated: Jan 21, 2018 07:39 IST
Employees mark their attendance through Aadhaar-based system at the Yojana Bhawan.(Vipin Kumar/HT File Photo)
The widespread and largely unsupervised use of biometrics for everything from accessing university classrooms to identifying sea-faring fishermen along India’s coasts has resulted in the proliferation of public and private databases that could compromise the integrity of India’s Aadhaar-based authentication system.
“Ordinarily, the existence of these biometric databases would not scare me,” said Subhashis Banerjee, Professor of Computer Science Engineering at IIT Delhi. “But given the UIDAI uses biometrics for authorising transactions, these databases are a risk.”
In effect, the real database problem for Aadhaar is not as much with its database but with these other databases.
The Unique Identification Authority of India (UIDAI), the agency responsible for the Aadhaar programme, did not respond to HT’s request for comment.
Earlier this month, The Tribune reported that Aadhaar numbers and demographic information could be purchased for as little as Rs 500.
The UIDAI insisted that the biometrics of over 1 billion citizens were secure in the Central Identities Data Repository (CIDR) maintained by the agency.
That’s true, but the existence of independent biometric databases means the information the UIDAI holds under lock and key is also scattered among scores of government departments, many of whom have little conception of data security.
Repeated government directives to seed databases with Aadhaar numbers have only worsened this threat, two senior IT administrators said.
This is because any biometric database that seeds Aadhaar numbers, by default, has the same information as UIDAI’s CIDR for those particular Aadhaar numbers.
Thus far, there have been no public reports of hackers stealing Indian biometric stashes, but in 2015 hackers believed to have ties with Chinese security agencies stole 5.6 million fingerprints from the servers of the Office of Personnel Management, the human resource department of the US government.
50 million prints
From 2012 to 2016, the Employees State Insurance Corporation (ESIC) of India gathered 50 million biometric records to issue identity cards for workers and their family members, according to project documents reviewed by HT.
The ESIC then switched to Aadhaar-based authentication, and had linked 10 million Aadhaar numbers to their insurance database by 31 July 2017, according to a reply to a Lok Sabha question.
This means a server in the ESIC office on Delhi’s outskirts, and its backup in Hyderabad, hold a database that integrates Aadhaar numbers with biometrics and demographic details, effectively mirroring a portion of the UIDAI’s top secret CIDR.
In an interview, Mr. Sanjay Sinha, Additional Commissioner at the ESIC, said the database was safe, and encrypted. But databases must be continuously upgraded to stay secure. The ESIC system was built by Wipro in February 2009 under a five-year agreement to maintain it.
When the agreement expired in 2014, ESIC signed a maintenance contract with Railtel Corporation of India, a subsidiary of the Indian Railways, Mr. Sinha said. This means the corporation no longer receives security upgrades from Wipro, and relies on Railtel to secure a system they haven’t built.
Databases galore
The ESIC is not the only organisation to unwittingly build a slice of the CIDR.
Gujarat’s ration card project captured the biometrics of 7 million residents. This database is being seeded with Aadhaar numbers as well, a senior IT official in the state said, implying that the Gujarat government has their own abbreviated version of the UIDAI’s CIDR as well.
Meanwhile, the fingerprints of 2.1 million coastal fishermen are stored in the “National Marine Fishers Database” built by a consortium of public sector companies.
“The enumeration of fisherman by conducting many number of camps in fishing villages has been completed,” a spokesperson for Bharat Electronics Limited, the consortium leader said, “The data collected has been converted to smart cards and issued to fishermen through state authorities.”
BEL did not explain how the information was stored, but a 2012 order by the Central Information Commission notes that the data is the “proprietary information of the Registrar General” and that these “PSUs will take all care to safeguard the confidentiality of this information.”
These 2.1 million fingerprints would probably be held by the Department of Animal Husbandry, Dairying and Fisheries, an official said.
“Who knows what they know about data security,” the official observed, seeking anonymity as the matter is deemed too sensitive to discuss with the press.
From database to fingerprint
Biometrics are protected by encryption and by condensing fingerprints into templates obtained by using software to extract unique features of a given print.
But encrypted data needs decryption keys, which may be leaked if a database is accessed by multiple users.
Templates do not offer total security either.
“There was a misconception that a template cannot be inverted, but that is not true anymore,” said Anil Jain, Professor at the Department of Computer Science and Engineering at Michigan State University. “It is possible to use a template to reconstruct a fingerprint to a high degree of accuracy.”
The reconstructed fingerprint, Prof. Jain has shown, can be used to build spoof fingerprints that fool most biometric readers.
Meanwhile the ESIC continues to sit on its enormous archive of fingerprints. “We can’t just delete the data,” said an ESIC official. “That will happen as and when we get the appropriate orders.”
12738 - UIDAI Denies Aadhaar Data Breach Puts Massive Biometric Database at Risk - CPO Magazine

In the face of what has been described as one of the largest data breaches in India – if not in the world’s history – the Indian Aadhaar database is now coming under the scrutiny of the Indian courts, who will decide on the scope of the implementation of the gigantic one billion person database. The Unique Identification Authority of India (UIDAI) has denied reports that the Aadhaar data breach has made masses of biometric data available to external players for a minuscule sum (INR 500 – under USD 8 at time of writing) paid via a digital wallet – in fact, much of the data could be accessed via a simple Google search.
And much of the data was incredibly sensitive.
That simple search would reveal thousands of databases along with demographic data including Aadhaar numbers, names, names of parents, PAN numbers, mobile numbers, religion, school results, the status of rejection of applications, bank account numbers, IFSC codes and other information.
The Indian government’s response to the Aadhaar data breach was to threaten the journalist who revealed the information with police charges and the very real possibility of serving time behind bars.
UIDAI denial
UIDAI was quick to label the issue a mere case of ‘unauthorized access’ to the Aadhaar website rather than an Aadhaar data breach and assured users that no biometric data was stolen. This may be a case of clever use of semantics – and it didn’t take long for confusion to spread among users, potential users and government agencies.
The UIDAI then issued a series of FAQs that addressed some of the increasingly worrying concerns about the Aadhaar data breach.
One of the questions that the organization tried to answer was:
‘UIDAI has all my data including biometrics, bank account, PAN, etc. Will they be used to track my activities?’
The answer was unequivocal:
‘Absolutely false. UIDAI database has only the following information –
(a) Your name, address, gender, date of birth
(b) Ten finger prints, two IRIS scans, facial photograph
(c) mobile number and email ID.
Rest assured, UIDAI does not have your information about family, caste, religion, education, bank accounts, shares, mutual funds, financial and property details, health records etc and will never have this information in its database.’
In other words – users should be very, very worried. This is some of the most sensitive information that could ever be stored in a database and is potentially extremely attractive to hackers – even with the exclusion of the other information that is mentioned.
Aadhaar data breach – A series of unfortunate events
How worried? Perhaps the word ‘very’ is not sufficient to describe what sort of damage this information can do in the wrong hands – and it is not as if the Aadhaar system has not experienced significant data breaches in the past.
Recently a French security researcher pointed out flaws in the mAadhaar app that is available on the Google Play Store. This is a government mobile app with flaws that could potentially allow attackers to reach the Aadhaar database, including demographic data.
An Indian IT graduate was arrested in August 2017 for accessing the Aadhaar database without the relevant permissions between 1 January and 26 July of that year. He had built an app called ‘Aadhaar eKYC’ by breaking into servers belonging to an e-Hospital system created under the Digital India initiative; the app then routed all of its data-access requests through those servers.
In January 2018, in order to provide ‘more choice’ to citizens authenticating with Aadhaar, the UIDAI introduced facial authentication alongside fingerprints and iris recognition. Face authentication is to be used in ‘fusion’ mode, that is, together with one more factor such as a fingerprint, iris scan or OTP (one-time password), and is scheduled to be fully implemented by July 2018.
Is big government the right custodian?
Over the last year there have been multiple instances of Aadhaar data leaking online through government websites. Recently an RTI query forced the UIDAI to reveal that about 210 government websites had made Aadhaar details public on the internet. No timeframe was given for how long the data was exposed or how long it took to remedy the problem. Let’s be clear: a security breach caused by government, involving over 200 government-owned sites, is not something that should give users even the smallest sense of comfort.
Once again it is important to remember that this is not merely password-protected information: it is a database holding a huge wealth of data, including highly sensitive biometrics, and it touches the lives of a billion people. In addition, this is not ‘opt in’; it is mandatory. At the risk of belabouring the obvious, how much would the Indian government face paying if a skilled team of attackers planted ransomware and locked it out of that database? The dangers beggar belief.
Given Aadhaar’s abysmal track record in protecting data, it seems obvious that big government in India may simply have overreached itself in its vision for this database. Control over how quickly it will be rolled out, and over its eventual scope, now rests firmly with a five-judge Constitution Bench in India; we can but hope they rule wisely.
Labels:
Aadhaar Leaks,
Aadhaar Security Breaches
Sunday, January 21, 2018
12707 - Aadhaar security breaches: Here are the major untoward incidents that have happened with Aadhaar and what was actually affected - First Post
Aadhaar security breaches: Here are the major untoward incidents that have happened with Aadhaar and what was actually affected
News-Analysis tech2 News Staff Jan 16, 2018 11:13 AM IST
The Aadhaar database is one of the largest government databases on the planet: a 12-digit unique identity number has been assigned to the majority of Indian citizens, and the database holds both their demographic and their biometric data.

A file photo of Aadhaar registration. Reuters
With the sheer amount of private and confidential data amassed in one singular database, it is no surprise that Aadhaar and Unique Identification Authority of India (UIDAI), the authority that established the database, continue to be the focus of attention whenever there is any security shortcoming.
Irrespective of the number of complaints and objections against the programme, the government of India has made it mandatory in almost all facets of public life. Despite the number of reports over the last couple of years, UIDAI has consistently maintained that the servers and the data itself, especially the biometric data, are safe. We are not contesting the authority’s claims. However, we do think that the number of security incidents has increased in the past few years, and we wanted to highlight everything major that has happened.
App-based flaws
Most recently, the controversy around Aadhaar and privacy took centre stage after a French security researcher pointed out flaws in the mAadhaar app that is available on the Google Play Store. What is striking is that this is not the first time the issue has been raised of a government mobile app with flaws that could potentially let attackers reach the Aadhaar database while it fetches demographic data.

An IIT graduate was arrested in August 2017 for accessing the Aadhaar database without authorisation between 1 January and 26 July of that year. He had created an app called ‘Aadhaar eKYC’ by breaking into servers belonging to an ‘e-Hospital system’ created under the Digital India initiative; the app then routed all of its requests through those servers.
Government Websites
Over the last year there have been multiple instances of Aadhaar data leaking online through government websites. The most recent case was when an RTI query pushed UIDAI to reveal that about 210 government websites had made people’s Aadhaar details public on the internet. The report pointed out that the data had been removed from the websites, but it did not say for how long the data had been exposed.
The problem was so rampant that a simple Google search would reveal thousands of databases along with demographic data, including Aadhaar numbers, names, names of parents, PAN numbers, mobile numbers, religion, marks, the status of rejected applications, bank account numbers, IFSC codes and other information.

Google. Pixabay
Three Gujarat-based websites were also found disclosing the Aadhaar numbers of beneficiaries. Last but not least, a website run by the Jharkhand Directorate of Social Security leaked the Aadhaar details of about 1.6 million people living in Jharkhand due to a technical glitch.
The Centre for Internet and Society (CIS) also pointed out that about 130 million Aadhaar numbers, along with other sensitive data, were available on the internet. The leak was traced to four government-run schemes: the National Social Assistance Programme of the Ministry of Rural Development, the National Rural Employment Guarantee Act (NREGA) scheme, also of the Ministry of Rural Development, the Daily Online Payment Reports under NREGA published by the government of Andhra Pradesh, and the Chandranna Bima scheme, also of the government of Andhra Pradesh.
Third party leaks
There have been a number of leaks of demographic data. Sometimes the leak happens because a picture is tweeted to showcase infrastructure, as when the Aadhaar application form of MS Dhoni leaked on the internet: CSC e-governance Services India Ltd tweeted a picture of the enrolment machine with Dhoni’s form still on the screen and a bulk of personal details visible. This prompted UIDAI to blacklist CSC e-governance Services for 10 years.

Aadhaar registrations
UIDAI has also regularly shut down ‘fraudulent websites’ and mobile apps that claim to provide Aadhaar services to users, as it did almost a year back. It also blocked about 5,000 officials from accessing the Aadhaar portal after it was reported that the portal had been accessed without authorisation.
It is almost amusing to note that this was not the first time UIDAI blacklisted officials or operators. Back in 2017 it blacklisted about 1,000 operators and filed FIRs against 20 individuals for malpractice. That report did not point to any security issue, but it did state that charging for Aadhaar was illegal.
The most recent case was the investigative story by a journalist from The Tribune, who uncovered a racket in which you could get access to Aadhaar data by paying Rs 500 to certain individuals on a closed WhatsApp group.
Misuse of Aadhaar
A report from a year ago implied that several parties had illegally stored biometric data and conducted multiple transactions using the same fingerprint. UIDAI detected the problem when it found multiple transactions performed with the same fingerprint; an official who spoke to Livemint on condition of anonymity said this would not have been possible without storing the biometric data.
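What follows is an added illustration of the detection principle in that paragraph, not UIDAI’s own logic or code: two live captures of the same finger never produce byte-identical data, so an authentication log in which the exact same biometric blob (represented here by its SHA-256) is submitted more than once points at a sample that was stored and replayed, and the same blob appearing under more than one identity points at a stored sample being injected into other people’s transactions. The log lines, AUA and device names, identifiers and digests are all constructed.

```python
import csv
import hashlib
import io
from collections import defaultdict
from dataclasses import dataclass


def _digest(label: str) -> str:
    """Digest of a constructed biometric blob; stands in for the hash of the
    encrypted capture an authentication device submits with each request."""
    return hashlib.sha256(label.encode()).hexdigest()[:16]


# A template replayed from storage is the same bytes every time.
STORED_TEMPLATE = _digest("template-lifted-from-device-storage")


def _row(ts, aua, device, uid, sample):
    return f"{ts},{aua},{device},{uid},{sample}"


# Constructed authentication log (CSV).  u1 authenticates live three times and
# every capture differs; u2's transactions all carry one identical blob, first
# at DEV-002 and later at a device of a different AUA; u3 is then authenticated
# with the very same blob.
SAMPLE_LOG = "\n".join([
    "ts,aua,device,uid_hash,sample_sha256",
    _row("2017-02-01T09:00:01", "AUA-A", "DEV-001", "u1", _digest("live-1")),
    _row("2017-02-01T09:04:10", "AUA-A", "DEV-001", "u1", _digest("live-2")),
    _row("2017-02-03T11:22:45", "AUA-A", "DEV-001", "u1", _digest("live-3")),
    _row("2017-02-01T10:00:00", "AUA-B", "DEV-002", "u2", STORED_TEMPLATE),
    _row("2017-02-02T10:00:00", "AUA-B", "DEV-002", "u2", STORED_TEMPLATE),
    _row("2017-02-03T10:00:00", "AUA-B", "DEV-002", "u2", STORED_TEMPLATE),
    _row("2017-02-04T10:00:00", "AUA-B", "DEV-002", "u2", STORED_TEMPLATE),
    _row("2017-02-05T10:00:00", "AUA-C", "DEV-003", "u2", STORED_TEMPLATE),
    _row("2017-02-06T10:00:00", "AUA-C", "DEV-003", "u3", STORED_TEMPLATE),
]) + "\n"


@dataclass
class Finding:
    sample: str
    count: int
    uids: list
    devices: list
    auas: list
    first_seen: str
    last_seen: str

    @property
    def kind(self) -> str:
        # Same bytes under more than one identity: the stored sample is being
        # injected into other people's transactions, not merely replayed.
        return "shared_sample" if len(self.uids) > 1 else "replay"


def detect_replays(log_text: str, min_repeats: int = 2) -> list:
    """Group transactions by exact biometric digest and report every digest
    that was submitted `min_repeats` times or more."""
    by_sample = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        by_sample[row["sample_sha256"]].append(row)
    findings = []
    for sample, rows in by_sample.items():
        if len(rows) < min_repeats:
            continue
        rows.sort(key=lambda r: r["ts"])
        findings.append(Finding(
            sample=sample,
            count=len(rows),
            uids=sorted({r["uid_hash"] for r in rows}),
            devices=sorted({r["device"] for r in rows}),
            auas=sorted({r["aua"] for r in rows}),
            first_seen=rows[0]["ts"],
            last_seen=rows[-1]["ts"],
        ))
    return sorted(findings, key=lambda f: f.count, reverse=True)


if __name__ == "__main__":
    for f in detect_replays(SAMPLE_LOG):
        print(f"{f.kind:14} sample={f.sample} x{f.count} uids={f.uids} "
              f"devices={f.devices} auas={f.auas} {f.first_seen} .. {f.last_seen}")
```

Exact-digest matching only catches replays of unmodified samples; an attacker who perturbs a stored template before each submission defeats it, so this check is one signal to run alongside liveness detection and device-side signing of each fresh capture rather than a complete defence.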

Image: Airtel
The story of Aadhaar misuse does not end there: the organisation suspended the eKYC license of Bharti Airtel and Airtel Payments Bank after they violated the Aadhaar Act by opening payments bank accounts for their customers without obtaining their informed consent.
Duplicate Aadhaar cards
Apart from the usual fear of hackers breaching the Aadhaar database, the menace of fake Aadhaar cards is also a problem for UIDAI. According to a report last year, a gang in Kanpur was running a racket to generate fake Aadhaar cards. UIDAI stated that its systems detected abnormal activity and that it filed a complaint accordingly. It clarified that the scam to generate fake cards was foiled by the system and did not affect the processing system’s database.

What is interesting is that UIDAI refused to disclose the number of fake or duplicate Aadhaar cards in circulation citing the threat to national security. So much for transparency and accountability on the part of UIDAI and the government.
Demographic data on sale
A recent investigation by The Tribune uncovered that anonymous individuals were ready to sell the Aadhaar card details of any individual, given an Aadhaar number, for a payment of Rs 500. An additional Rs 300 would also let you print out those Aadhaar cards. The investigating team was able to obtain a login ID and password that allowed it to check the details of any user in the database. What was surprising is that the ‘agents’ were running the racket over messaging platforms such as WhatsApp to reach potential buyers.

Access to Aadhaar demographic data is not the only issue here. For an additional Rs 300 the ‘agent’ would supply a login ID and password that allowed any Aadhaar card to be printed after entering the card number. The report also pointed out that the agents had hacked into the website of the Government of Rajasthan to gain access to the software. According to the report, the investigator was able to gain immediate access to the particulars of every person listed by UIDAI, including name, address, photograph, email ID and mobile phone number.
Other claims
Claims of unauthorised access to the Aadhaar database are not limited to websites within the country. According to a report last year, WikiLeaks tweeted claiming that the CIA might have access to the database as well.

The series of tweets claimed that the CIA was using Cross Match Technologies to access the Aadhaar database, as this company was one of the first suppliers of biometric devices certified by the UIDAI. The report claimed that the CIA was using Express Lane, a covert information-collection tool, to exfiltrate the collected data.
Published Date: Jan 16, 2018 11:13 AM | Updated Date: Jan 16, 2018 11:13 AM