Aadhaar biometric data breaches trigger privacy concerns
Suranjana Roy, Komal Gupta, and Apurva Vishwanath report:
A case of Aadhaar data breach has caused privacy concerns and raised questions over the security of biometric data in possession of the Unique Identification Authority of India (UIDAI).[…]
The UIDAI filed a police complaint on 15 February against Axis Bank Ltd, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra, alleging they had attempted unauthorized authentication and impersonation by illegally storing Aadhaar biometrics.
A UIDAI official, who requested anonymity, said that the three had been given time till 27 February to explain their action.
Read more on LiveMint.
But the problems go way beyond this specific case. As Srinivas Kodali writes on The Wire, there have been three major incidents related to violation of privacy and security of Aadhaar in the past few weeks alone:
The first is an incident that I am directly involved with, where a website was found to have publicly displayed the Aadhaar numbers of over five lakh minors. This website was eventually shut down – although we don’t know for how long the data was online, whether the guardians of these minors in question would be notified of such a data breach and whether any criminal or civil action is being taken against the operators of the website.
The other two incidents are inherently linked. Earlier this week the Chairman of the Skoch Group, a think-tank known for its governance awards, wrote a post that alleged issues with Aadhaar’s security; notably with the way several intermediaries stored biometric data. The post included a video that showed an Android application performing an Aadhaar authentication process by storing a user’s biometrics after the initial first use. The UIDAI CEO, who initially called it fake on Twitter and ignored the allegation, has now likely ordered an investigation over such a possibility.[…]
The last, and third, incident is probably most significant. Just a week after the Skoch incident, media reports showed that the identification authority had issued notices to three agencies – who had been authorised by UIDAI to act as important intermediaries in the Aadhaar infrastructure pipeline – and issued notices about possible misuse of user biometrics under sections 29, 37, 42 and 43 of the Aadhaar Act.
March 6 Update: See the government’s response/denial.