
In India, over the past month there have been many news reports on various #AadhaarLeaks from Aadhaar-seeded government services. As of now the combined number of Aadhaar numbers leaked will cross 200 million, considering the various leaks from Employment Guarantee, minor/student scholarship portals, social assistance schemes, and various pension schemes.

Yesterday I was closely following the Attorney General of India’s arguments in the ongoing Supreme Court petition questioning Aadhaar-PAN linkage.

At one point Attorney General Mukul Rohatgi said: “It is important to note there was no leak from us. It was from the Jharkhand Govt.”

Publishing Aadhaar Number is a Crime as per Aadhaar Act Rule 6

So I think this is the time to talk about Aadhaar numbers publicly posted by UIDAI itself. There are multiple files on the UIDAI website displaying Aadhaar numbers, violating citizens’ privacy and consent. But for the current purpose I am exhibiting images from just one PDF with gross privacy violations of the most disadvantaged people, including visually challenged people.

Image Source: UIDAI website, PDF Page 33 | Masking: Mine
Image Source: UIDAI website, PDF Page 34 | Masking: Mine
Image Source: UIDAI website, PDF Page 35 | Masking: Mine
Image Source: UIDAI website, PDF Page 38 | Masking: Mine

There are more photos with Aadhaar numbers in the same file. I verified these numbers using UIDAI’s verification service and all of them are valid numbers. The file seems to have been archived at least 15 times in the Internet Archive.

Just confirm the URL once again; it is from UIDAI itself: https://uidai.gov.in/images/aepds_16th_june_2014.pdf

Now this is what UIDAI CEO Dr ABP Pandey says

So Mr. Attorney General, who is violating the Aadhaar Act here?

You are distancing yourself from the leaking databases of state governments, Central Government schemes and even the Prime Minister’s own Awas Yojana.

But what about UIDAI’s own leaking, sir? If UIDAI itself is leaking data, what protection do citizens have? Remember, only UIDAI can file an FIR against a violation of the Aadhaar Act.

#AadhaarLeaks: Why UIDAI and PwC Are Responsible

News reports show the point being made repeatedly that “leaks are not from UIDAI”. Arghya Sengupta (from the Rohini Nilekani-backed Vidhi Centre for Legal Policy), appearing as counsel for the Government in the petition challenging PAN-Aadhaar linking, said the following:

“As of today, Aadhaar is foolproof. Biometric technology is the best system in 2016. There has not been a single leak from the UIDAI. The leaks of details may have been from the States… their offices and agencies,” advocate Arghya Sengupta, counsel for the Centre, submitted in the court.

Source: Aadhaar data leaks not from UIDAI: Centre — The Hindu report, 4 May 2017

This separation of Aadhaar from its ecosystem is new. Let’s look at who is responsible for information security in UIDAI and its ecosystem.

In November 2015 UIDAI contracted the audit and consultancy firm PricewaterhouseCoopers India, which “has been roped in for building an additional layer of oversight by reviewing the security of the entire ecosystem that includes UIDAI data centres and servers along with that of government departments and private agencies such as banks that are engaging with Aadhaar for authenticating citizen information.”

Source: Economic Times, 3 Nov 2015

So UIDAI rightly understood the need for security of the entire ecosystem and had an audit consultant for oversight. We know #AadhaarLeaks are not just from state schemes. They include gigantic leaks of the whole MNREGA and NSAP data and of central schemes such as the Swachh Bharat portal and Pradhan Mantri Awas Yojana. But for a deeper understanding of the UIDAI ecosystem and the data held with states, let’s look at some other UIDAI documents.

Source: UIDAI SRDH State Adoption Strategy Document, Page 11

This introduces one more term, SRDH. SRDH means State Resident Data Hub. It is conceptualised as a subset of CIDR data.

Central Identities Data Repository (CIDR) is the centralised database of the Aadhaar project that stores every individual’s data collected via the enrolment process. SRDH primarily contains the enrolment data (including KYR+, the extra parameters specified by the states) of all residents in a state. SRDH supports seeded-data verification for welfare projects in the states, as you can see in the conceptual data flow diagram. In short, SRDH is critical information infrastructure, the same as CIDR. If Jharkhand PDS is leaking, it means both UIDAI and their security auditing and monitoring agency failed in their information security function.

While exploring various SRDHs, I came across these documents from Karnataka (thanks @databaazi):

1. KRDH Presentation (PPT) [Cached Version]

2. Process Manual — Update Consent Sharing from No to yes.doc [Cached Version] (the cached version luckily does not have photos)

These documents are just an indication of how irresponsibly citizen data is maintained at the SRDH level. This data is from Karnataka, where UIDAI has a technical base. The pictures below show that information security practices are non-existent.

From the KRDH presentation linked above. Aadhaar numbers not masked.
From the KRDH presentation linked above. Aadhaar numbers are not masked.
From the Update Consent Sharing document linked above. Aadhaar number is not masked.

The document has pictures of this lady at each step, including public display of the Aadhaar number and the update slip with EID and Aadhaar numbers. The agency that enrolled MS Dhoni was blacklisted for the very same reason of sharing a similar slip.

Aadhaar number, EID and DOB are displayed.

Now let’s examine who else is responsible, apart from the Karnataka State Resident Data Hub, which published these details online. I checked the ownership details of the documents in their metadata and the result was shocking.

The KRDH presentation document was created by Usha Rani Kamisetty
From company: PwC
Created by Sandeep Patil from PwC

A simple search confirmed that both names in the document metadata resolve back to one company, the very same company responsible for “building an additional layer of oversight by reviewing the security of the entire ecosystem that includes UIDAI data centres and servers along with that of government departments and private agencies such as banks that are engaging with Aadhaar for authenticating citizen information.”
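The metadata fields that identified the document authors above (creator, last-modified-by, company) are stored in every Office document and are easy to check automatically before publishing. The script below is an added example, not part of the article: it reads those fields from an OOXML container (.docx/.pptx/.xlsx) using only the standard library, and reports which fields an agency should scrub before a file goes on a public website. The sample file and the names in it are constructed; the article’s own documents are legacy .ppt/.doc binaries, which use a different (OLE) container and need a different reader.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml and docProps/app.xml inside OOXML files.
NS_CORE = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def office_metadata(data: bytes) -> dict:
    """Return creator / last_modified_by / company from an OOXML file's
    docProps parts. A missing part or field yields None."""
    out = {"creator": None, "last_modified_by": None, "company": None}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            out["creator"] = root.findtext(f"{{{NS_DC}}}creator")
            out["last_modified_by"] = root.findtext(f"{{{NS_CORE}}}lastModifiedBy")
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            out["company"] = root.findtext(f"{{{NS_APP}}}Company")
    return out


def publication_findings(meta: dict) -> list:
    """Names of the identifying fields that are still populated and should be
    scrubbed before the document is posted publicly."""
    return [field for field, value in meta.items() if value]


def build_sample_pptx(creator: str, modified_by: str, company: str) -> bytes:
    """Constructed minimal OOXML container holding only the two metadata parts.
    Enough for office_metadata(); not a presentation Office would open."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS_CORE}" xmlns:dc="{NS_DC}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    app = f'<Properties xmlns="{NS_APP}"><Company>{company}</Company></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical names; they stand in for whatever a real file carries.
    sample = build_sample_pptx("A. Consultant", "B. Consultant", "Example Consulting Ltd")
    meta = office_metadata(sample)
    print(meta)
    print("scrub before publishing:", publication_findings(meta))
```

The same check belongs in a publishing workflow in the other direction too: a document whose metadata names a third-party contractor rather than the agency is a sign the file was never reviewed by the data owner before release.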

PwC was a consultant to Karnataka for the audit process covering the Aadhaar enrolment process as well as the data captured from 2011 onwards. It was also listed as an empanelled firm among consultants, software solution providers and complete end-to-end solution providers for UIDAI in the SRDH Institutional Framework document.

SRDH Institutional Framework, Page 13

The dates in the above documents show they were mostly prepared in the implementation period, prior to the information security consultancy. This makes clear that PwC was also participating as an implementation consultant, even on the design. Then how is PwC also doing an InfoSec audit of the same structure? Isn’t that a conflict of interest?

I am linking the LinkedIn profiles of the names I have seen below, because that is not Aadhaar data and it is publicly available to anyone. If citizens’ personal details are posted in presentations, I think it is fair to publish these people’s name and designation from public URLs.

Source : LinkedIn
Source: LinkedIn

This is clear proof of the state of security practices and auditing in the UIDAI ecosystem and related information systems. As you can clearly see, PwC India failed to follow basic information security practices and violated the duty UIDAI assigned them. There has been no corrective measure from anyone in the ecosystem so far. I would like to present this fact as a public record, to understand why #Aadhaar and its data handling practices within the ecosystem are totally insecure and violate citizens’ control and consent over their personal data.

This article was originally published as a two-part series on Medium.com.

Anivar Aravind is a researcher, Founder/Director @indicproject | @smcproject | @mozillareps | #FOSS #i18n #access #infosec #openness | https://anivar.net

One Comment

  1. K SHESHU BABU says:

    The article reflects gross violation of privacy rights. It is regrettable that there is no concrete step to protect the deprived persons, disabled persons including visually impaired persons and rural people.