Time and again, the security of Aadhaar has been proclaimed as the best in the world by UIDAI and the Indian government has called it impenetrable on every occasion of breach or vulnerability. Several security researchers have pointed at the government’s imperfect impression of what the word “impenetrable” means, and as a result Aadhaar has gone from a tool of empowerment to a grave national identity crisis.
And now, UIDAI’s Twitter account was engaged in a ping-pong game of blame and defense – itself being the only player, claiming that “unscrupulous elements” have been trying to paint an incorrect image of the unique identification ID’s security. UIDAI posted a tweetstorm with more than 10 tweets, hitting out at those who question the security of Aadhaar basis internet reports. The series of tweets follows discovery of vulnerable government websites leaking Aadhar data by Baptiste Robert, aka Elliot Alderson on Twitter.
Yesterday, I found 20K+ #Aadhaar cards with a manual search. @UIDAI: Do I need to create a Twitter bot which is doing this work automatically and publish the result on Twitter to have a reaction from your side?
— Baptiste Robert (@fs0c131y) March 11, 2018
UIDAI has advised people not to get confused with such reports which are far from the truth and intended to spread misinformation on India's robust identity system – Aadhaar – unnecessarily. 2/n
— Aadhaar (@UIDAI) March 11, 2018
Although UIDAI didn’t explicitly target Robert aka Alderson in their tweets, the timing left little doubt as to the intended recipient of their ire. Robert said he notified UIDAI that he got access to more than 20,000 Aadhaar cards by doing a manual search. In the recent past, Alderson had been chasing cybersecurity issues in Indian digital infrastructure and has especially been enticed by the flaws in Aadhaar’s security.
In its latest defence of the system, UIDAI boldly called Aadhaar a “robust” system, reiterating that just knowing Aadhaar number is not enough to leak private data of citizens which is linked to Aadhaar. The organisation also falsely claimed that there has not been a single breach of UIDAI’s database since its inception eight years ago, perhaps ignoring the sale of a billion-plus Aadhaar numbers for Rs 500. In its tweet, UIDAI said that someone cannot “impersonate and harm” another citizen even after securing their unique Aadhaar ID. However, in the same breath it also asked citizens to keep Aadhaar number secure. Take a look at the contradictory tweets below. In one, UIDAI claims that Aadhaar is not to be treated as a confidential document but in the next tweet advises that it must not be shared to protect the privacy of the individual.
Aadhaar just like any other identity document, therefore, is never to be treated as a confidential document. 4/n
— Aadhaar (@UIDAI) March 11, 2018
Although Aadhaar has to be shared with others, it being a personal information like mobile number, bank account number, PAN card, passport, family details, etc, should be ordinarily protected to ensure privacy of the person. 5/n
— Aadhaar (@UIDAI) March 11, 2018
Back in May last year, the Centre for Internet and Society reported that Aadhaar data of 13 crore citizens had been compromised, with bank details of at least 10 crore citizens being leaked. The Hindu Business Line had reported that as of April 2017, there had as many as 21 “reported” breaches. In addition, private companies have been misusing privileges of using Aadhaar for KYC by forcefully enrolling new bank accounts. And even though Airtel was fined Rs 5 crore last week for this transgression, it pales in comparison to the financial security threat posed by Aadhaar’s misuse by hackers.
All in all, UIDAI blamed citizens for sharing their Aadhaar details even when government agencies refuse to do work without it. If the UIDAI continues to abscond from responsibility and refuses to accept the mistakes in Aadhaar security, Indian citizens are in far greater trouble than we imagined. Meanwhile, as we try to unravel the mysteriously tucked meaning in these tweets, you can check where has your Aadhaar been used for UID authentication by visiting this link.
