“The government agencies are pretending to be shocked by yet another ‘leak’. The ‘leak’ shows the true character but real message is that it is not happening by default but by design”, said Dr Gopal Krishna, Member, Citizens Forum for Civil Liberties (CFCL), who has been working on the subject of Big Data and biometric-digital surveillance technologies, while talking to The Citizen Thursday.
The Andhra Pradesh government’s cyber security researcher Srinivas Kodali had tweeted on April 25, 2018, “Another day, yet another #Aadhaar data leak of 89,38,138 MNREGA workers. Website maintained by $100 billion company TCS along with another government department. Reported to security agencies. Question: where is the UIDAI bug reporting mechanism?”
With his series of tweets, he exposed the data breach of Andhra Pradesh Government websites and its links to publicly accessible Aadhaar data, available to all takers. Kodali had revealed how a state-run agency has disclosed the Aadhaar data, bank accounts information with IFSC codes, caste and religion besides geo-location of 134,000 beneficiaries of housing schemes. With the fiasco in play, hours after he blew the whistle, the website administrators began masking the data. In May 2017, Srinivas had co-authored a report for the Centre for Internet and Society, exposing how the Aadhaar data of 13.5 crore card holders was leaked online. One year later, the news does not raise eyebrows on the breach as it is quoted as “not the first, not the last”.
Since its inception in 2009, the Aadhaar project has been shrouded in controversy due to various questions raised about privacy, technological issues, welfare exclusion, and security concerns. Andhra Pradesh Government collected all details of every citizen with a survey using Know Your Customer (eKYC) . This included data on religion, caste, bank accounts, Aadhaar, mobile and is using this data to build 360 profiles of citizens. Andhra Pradesh shutdown this website very recently. “Andhra Pradesh is ground zero for Aadhaar where the government conducted door to door eKYC for every household. This would entail a geotagging of the entire family on the radar”, Kodali added.
Kodali further added, “There were multiple government records that were building 360 degree profiles of people. The tender of 360 degree profiles being built by AP called People Hub. Since I was aware, I could identify this pattern being generated all across. This was also to highlight the government’s contradictory statements where UIDAI would say that Aadhaar data is not being used. In fact, it was a major lie. This issue had to be reported.”
Talking to The Citizen, Reetika Khera, Associate Professor of Economics, Indian Institute of Technology Delhi, said, “People's personal information is collected by the government since a long time. It's easy availability online is especially worrying *now* because each of these websites now have a unique identifier (ie, the aadhar number), which can be used to aggregate data across websites. People, including the government, can pull in information from various sources to profile us. Even the *possibility* of profiling and tracking has been shown to have a chilling effect on dissent, which is not good for our democracy.”
In November 2017, Khera had filed a "Right to Information" (RTI) request with the Unique Identification Authority of India (UIDAI) to solicit public data on how much the agency spent to advertise and promote Aadhaar, since the program started in 2009.
“There was an approach paper by Union of India which is long back in 2010 itself said that convergence should not be promoted because that will be the end of privacy. Before the arrival of UIDAI, the data of the citizens were secured because they were available in separate files. Now, if this convergence happens this is bound to happen. The contract agreement that Union of India has signed with foreign entities like Accenture, Ernst & Young etc. shows that they are handing over the data to the companies. The Aadhar data is being linked to pre existing dataset such as voter ID to be used in elections by data mining companies. So, it is the part of the design which wants 360 degrees view of a citizen”, Gopal Krishna told The Citizen. Gopal Krishna had appeared before the Parliamentary Standing on Finance that examined the Aadhaar Bill, 2010. He is editor of www.toxicswatch.org.
The class and caste divided Indian society has been witnessing dalits being marked and lynched, rationalist being murdered, journalists being attacked and several cases of individual targeting. In such a tensed political atmosphere, discussing the implications and harmful potentiality of continuous data breach, Kodali opined, “I believe that we do not know the full extent of the potential usage of population data but the very existence of this data is problematic. We are aware that in 1984 riots, voter lists were used to identify people. It did happen. We are now in 2018 and it is absolute wishful thinking that we are safe and so is our data, currently in the hands of many”.
Khera also added, “I think there are two dangers: one, the "loss" or "theft" of our data, where it can be used to identify religious or social identity and target on the basis of that or cause economic harm. A related danger is loss of control over our data. Once we share our information and it is digitally available, we lose control over it. As more and more aspects of our life are digitized, combined with the "free for all' data regime that we live in, the sense of powerlessness increases.”
The Andhra Pradesh government and the Centre have many questions to answer. What steps are they taking to protect the data of its citizens? Whose purpose is being served by converging the Aadhaar data?
Earlier the Attorney General K K Venugopal argued in Supreme Court that Aadhaar data is safe and secure within 13-feet high walls. If this is the understanding of data security, where is the redressal?