If MS Dhoni’s personal Aadhaar data can be leaked, how safe is yours?

The leaking of former cricket captain Mahendra Singh Dhoni’s personal details by a sanctioned Aadhaar enrolment agency exposes a deeper flaw in the identification project’s data collection and storage systems, with experts saying no citizens’ private information is safe.

Analysts say the government’s decision to hand over the enrolment process to private agencies for a licence fee was wrong and the set-up to secure private details was weak and prone to data mining and hacking.

“Most people working on the ground are not trained and are not aware of what norms are to be followed. Imagine the kind of data that every service centre has access to,” said activist Nikhil Dey. “There is a reason why an important exercise such as census is performed by the government and not outsourced to small private players.”

The 12-digit biometric identification project was mooted roughly a decade ago to plug leakages in the delivery of state benefits, but many say the massive data collection process – more than a billion people have signed up for Aadhaar – and its ever-expanding use were paving the way for government spying and security breaches.

These fears got more real after Dhoni’s wife complained to information technology minister Ravi Shankar Prasad on Tuesday that Common Service Centre, which has been authorised by the Unique Identification Authority of India, had tweeted a photo with the cricketer’s personal information. The centre has been blacklisted for 10 years.

Gopal Krishna, member of the Citizens Forum for Civil Liberties, highlighted that the biometric technology companies could store personal information for seven years. “In the electronic age, it means the central government has surrendered the data to these foreign companies forever…compromising national security and personal liberty of citizens.”

Others question the way the entire Aadhaar ecosystem is made. Reetika Khera, an economist and social scientist, said the seeding of Aadhaar numbers with accounts, along with other databases, was just a way of creating a tracking infrastructure. “Such tracking is, at best, poorly regulated, and amounts to a violation of our right to privacy.”

Speaking with HT last week on the issue, UIDAI chief Ajay Bhushan Pandey had dismissed such speculation. “Since 2012, the UIDAI has done 500 crore authentications, 100 crore EKYC transactions, 32 crore Aadhaar enabled payment system transactions, and not a single case of identity theft or financial loss has been reported over a period of five years.”

But other experts aren’t convinced. Krishna termed the Central Identities Data Repository (CIDR) of the UIDAI one of the world’s most vulnerable databases. “The making of CIDR is contrary to the principle of decentralisation in cybersecurity. In a bizarre act, it provides only UIDAI can file a complaint when the data of a resident of India is misused or abused instead of the victim of abuse.”

“Section 39 of the act reads, ‘Tampering of data in the CIDR or removable storage medium, with the intention to modify or discover information relating to Aadhaar number holder will be punishable’. Thus, it admits that such acts are possible and imminent.”