Over a billion Indian citizens may be vulnerable to identity theft and intrusions of privacy after a newspaper sting uncovered a security breach in the country's vast biometric database, which contains the personal data of almost every citizen.
The Tribune newspaper said its reporters were able to access names, email addresses, phone numbers and postal codes by typing in 12-digit unique identification numbers of people in the government's database, after paying an individual about $8. For another $5, the newspaper said, the individual offered reporters software to print out unique identification cards, called Aadhaar cards, that can be used to access various government services including fuel subsidies and free school meals.
The individual was part of a group that had gained access to the database through former workers who were initially tasked with making the cards, the Tribune reported. Several groups were part of this scheme, the newspaper said. The Washington Post has not independently verified the report.
Extending the biometric ID program, known as Aadhaar — meaning foundation — to every citizen is one of Prime Minister Narendra Modi's flagship policies in his crusade against corruption. Campaigners say that an Aadhaar card is a way for citizens to prove their identity and access government and financial services. It also is a way to prevent fraud — corrupt officials often add fake names in welfare databases and steal money meant for the poor, they allege.
The Tribune's finding is the latest in a series of reported privacy breaches, raising concerns about the Indian government's ability to protect its citizens from hackers. In the past, government websites have accidentally leaked the data of thousands of citizens.
India's Unique Identification Authority, which oversees the Aadhaar program, said in a statement that “Claims of bypassing or duping the Aadhaar enrollment system are totally unfounded. Aadhaar data is fully safe and secure and has robust, uncompromised security.” Modi's governing Bharatiya Janata Party tweeted from its official account that the Tribune's report was “fake news.”
The program has faced criticism in India, and the latest development stokes growing privacy fears. Internet campaigner Nikhil Pahwa said in a tweet that campaigners had warned against potential breaches of data for years. “As the usage and linkage of Aadhaar grows, this is going to increase. Bad, bad design,” he wrote.
In August, the Supreme Court ruled that privacy is a fundamental right for Indian citizens. The ruling may affect the government's efforts to extend the Aadhaar program to cover every citizen.
For months, government officials in India set up registration centers in cities and villages, snapping photographs and taking iris and fingerprint scans of citizens for a single, centrally secured database. In some hospitals, officials say, babies are given 12-digit registration numbers within minutes of being born.
According to Nandan Nilekani, the tech titan who designed the program, enrolling India's citizens has saved the government billions of dollars. It has won Modi praise from foreign dignitaries. Bill Gates, on a recent visit to India, hailed it as a “12-digit lie detector,” and the World Bank's chief economist Paul Romer said “it could be good for the world if this became widely adopted.” Delegations from Tanzania, Bangladesh and Afghanistan have visited India to talk about how it could be replicated in their own countries.
Although signing up isn't mandatory, the Indian government has made Aadhaar registration a requirement for access to many crucial government services. Banks have threatened to freeze accounts if they are not linked with Aadhaar numbers.
In a news report, relatives of a woman said she died after being turned away from a hospital because her family did not have her Aadhaar card. In another case, activists said an 11-year-old girl died because she was denied food rations for not having an Aadhaar card.