Alleged breach of India's biometric database could put more than a billion users at risk
Posted January 9, 2018 9:51 p.m. EST
Updated January 11, 2018 11:27 p.m. EST
NEW DELHI (CNN) — The Indian government has announced new security measures following reports of an alleged security breach in the country's vast biometric database, which contains the personal details of 1.2 billion Indian citizens.
The announcement comes a full seven days after journalist Rachna Khaira first identified the alleged breach in an article in the Tribune newspaper, in which it was claimed reporters were able to buy access to citizens' personal details, such as names, addresses, phone numbers and even photos, via an anonymous WhatsApp account for as little as $8.
The database, known officially as Aadhaar, was launched in 2009 as a voluntary program intended to help prevent benefit fraud. It has since grown and is now home to the collected data -- including fingerprints and iris scans -- of more than a billion Indians, or upwards of 90% of the entire population.
Users are issued a personal 12-digit identity number, which they can then use to access welfare payments and other government-controlled services.
Authorities have been widely criticized for their handling of the allegations, which, if proven correct, could expose users to identity fraud and privacy invasions.
The Unique Identification Authority of India (UIDAI), which is responsible for maintaining the database, initially denied the claims, dismissing the Tribune story as "clearly a case of misreporting being incorrect and misleading."
This was followed last Thursday by a tweet from the official account of the ruling Bharatiya Janata Party (BJP) referring to the report as "fake news."
A day after Khaira's report, the UIDAI filed a police complaint against her, the Tribune newspaper, and the anonymous individuals who allegedly provided them with access to the database, a move that served only to inflame the crisis further, and stoke wider concerns over diminishing press freedoms.
Reporters Without Borders (RSF), the Paris-based NGO which publishes an annual index of press freedom, last year ranked India at 136 out of 180 countries, down 3 places from the previous year, and lagging behind the likes of Myanmar, Colombia and even Zimbabwe.
The controversy led Edward Snowden, the former US National Security Agency contractor and high-profile whistleblower, to weigh in on Tuesday with a tweet offering his support to Khaira.
"The journalists exposing the #Aadhaar breach deserve an award, not an investigation. If the government were truly concerned for justice, they would be reforming the policies that destroyed the privacy of a billion Indians. Want to arrest those responsible? They are called @UIDAI," said Snowden.
The agency quickly backtracked, and by late Tuesday afternoon had tweeted its support for press freedoms and its apparent willingness to work with the Tribune to investigate the problem.
It remains unclear, however, whether the UIDAI has in fact dropped its police complaint against Khaira.
The newest government security measures, announced late Wednesday, will allow users to create a randomly generated virtual ID or token so they can avoid sharing their Aadhaar number directly for authentication, according to the government notice. A second security measure prevents secondary agencies from storing an individual's Aadhaar number.
Experts say the move will go some way toward addressing issues raised in the Tribune report, as well as broader safety concerns.
Amber Sinha, a senior program manager at the Centre for Internet and Society, a research institute based in Delhi and Bangalore, described the government's announcement as a welcome measure.
"There have been various kinds of security incidents, but tokenization can definitely address some of them," said Sinha.
According to Sinha, the database's biometric data, which contains the most sensitive information, such as retinal scans, has not been breached and reports in the press are related to demographic data, which can also exist in separate databases, owned by different government agencies or state governments.
Though the database was implemented under the previous administration, Prime Minister Narendra Modi's government has championed it and pushed to make Aadhaar cards mandatory.
The new security measures come a day after a report from a research institute affiliated with the Reserve Bank of India labeled the database "a prime target."
"Thanks to Aadhaar, for the first time in the history of India, there is now a readily available single target for cyber criminals as well as India's external enemies ... The loss to the economy and citizens in case of such an attack is bound to be incalculable," said the report by the Institute for Development and Research in Banking Technology.
While the authorities did not cite a specific reason for the new security measures, they did say there were "heightened privacy concerns," according to the statement from the Ministry of Electronics and Information Technology.