Millennium Post

Data security

The National Democratic Alliance government is adamant that the biometric data of over 1.12 billion Indians who have enrolled for Aadhaar is safe. In a recent interview, Nandan Nilekani, the first chairman of the Unique Identification Authority of India, maintains that there are no security flaws in the system.

The National Democratic Alliance government is adamant that the biometric data of over 1.12 billion Indians who have enrolled for Aadhaar is safe. In a recent interview, Nandan Nilekani, the first chairman of the Unique Identification Authority of India, maintains that there are no security flaws in the system.

These assurances have come at a time when the Centre has mandated the use of the 12-digit Aadhaar number to access a variety of government services, even to the extent of making it compulsory for filing income tax returns. As argued in these columns, such measures are in direct violation of the Supreme Court's directives, which has said that possessing an Aadhaar number is not mandatory for Indian citizens to avail of social welfare benefits. Even though these 12-digit identity numbers and the information they contain are supposed to remain confidential under law, various government agencies have in the recent past inexplicably published sensitive personal data of unsuspecting citizens on their websites.

Section 6 of the Aadhaar (Sharing of Information) Regulations explicitly states: "the Aadhaar number of an individual shall not be published, displayed or posted publicly by any person or entity or agency." Despite the rules governing Aadhaar, the Jharkhand Directorate of Social Security was careless enough to publish the personal information of about 1.5 million people on its website early last Saturday. The details include their bank account details, mobile phone and Aadhaar numbers.

These unfortunate pensioners could now come under the lens of financial fraudsters, not to mention profiling for nefarious purposes. At least, the administrators had the common sense to take down the website on the same night. On Monday, there were also reports that the Aadhaar numbers and other personal details of Public Distribution System (PDS) beneficiaries in the Union Territory of Chandigarh were displayed on its website. These instances are not uncommon. What the government must acknowledge is that the digital security system around the Aadhaar scheme remains vulnerable and that the privacy of its citizens should not suffer such compromises.

"That was not the first, and these will not be the last because, by design, you are allowing the Aadhaar number and details to be stored by anyone. You do not even need an Application Programme Interface. Right now everyone can build their own database of Aadhaar numbers," says Srinivas Kodali, an interdisciplinary researcher working on issues of cities, data and the internet. While the government was quick to take action again nine private enrolment agencies for publishing sensitive information, including one that leaked the application of former Indian Test captain Mahendra Singh Dhoni, it is yet to take any government agency to task for such inexplicable breaches.

Data stored by small government agencies across the country remain vulnerable. In the process of linking Aadhaar to a whole host of government schemes, the Centre has made it incumbent upon these small agencies to store sensitive data, allowing hackers easier access. "Aadhaar has information security problems, which are primarily due to the non-enforcement of responsible technology practices by government officials who use, build, maintain and secure systems with sensitive data. Even if India gets a strong privacy law, it will almost certainly face institutional capacity challenges within government departments in implementing the rule of law," Kodali writes in a recent column for a popular Indian news website.

"The lack of capacity within the IT (information technology) wings of various government departments is appalling due to lack of awareness with national policies around data sharing and cybersecurity. It needs to be remembered that the Aadhaar project was not built by government officials but by volunteers from India's software industry who don't maintain it anymore. The need for improving skill sets of public servants across the country is of the utmost importance to make sure the technology we built is not abused against us by bad state actors," he goes on to add. Reading about the reaction of officials in Jharkhand to the massive data leak, it is evident that they had little inkling of how the personal data of millions of people saw the light of day on their website. Although the law makes the publication of such data illegal and prescribes punitive action for violators, one continues to witness such unfortunate breaches.

Where is the Supreme Court amidst all this chaos? It has shown no alacrity in dealing with petitions about the constitutional validity of Aadhaar, especially on the question of whether privacy is a fundamental right. "It is of the highest importance that the question whether a law is valid or not must be decided at the earliest moment," wrote KM Munshi, a member of the Constituent Assembly in a draft note in 1947. "Any uncertainty about its validity will lead to great hardships.

The object of the fundamental law will be frustrated if people have to serve sentences, pay fines or deny themselves the privileges given by the Constitution for a long time under an invalid law." In other words, any delay on the part of the courts in dealing with important matters related to the Constitution can have adverse consequences on the fundamental rights of its citizens. Last month, the court refused to accept demands for an early hearing of vital Aadhaar-related petitions. On Wednesday, the court will reportedly take up challenges against making Aadhaar compulsory for filing income tax returns and getting Permanent Account Numbers.

The apex court's primary task is to stand as a bulwark between the State on one side and the individual on the other. That is the main reason why it exists in a democratic republic. With the government determined to expand the Aadhaar programme's sphere of influence in the lives of ordinary citizens, there cannot be any ambiguity in its legal status and limits. The government must also limit any further expansion of Aadhaar until a comprehensive review and correction of the security systems attached to the scheme are completed.
Next Story
Share it