Thursday, January 4, 2018

Tribune report on Data breach

The Tribune carried a news report of a UIDAI data breach:

This was followed by a clarification from UIDAI:

More information about the Aadhaar breach has come into the public domain subsequently. There are some clear facts that have emerged from everything that is known.

1) The UIDAI essentially admits that resident data (demographic and personal information, probably including photo, and not including fingerprint and iris data) has been accessed in an unauthorized manner. It is said that perhaps 1 lakh unauthorized users had accessed Aadhaar data. It also seems that the authorities had no idea this was happening until the reporter broke the story.

2) The breach of demographic information is a serious matter. Consider for a moment: if intelligence agencies of foreign countries have access to this information, they can look up the residential address of any officer in the Indian security forces. Less ominously, mischief-makers and marketeers can create targeted databases of individuals with particular characteristics within a PIN code.

3) Had the Aadhaar system restricted itself to YES / NO verification (as it correctly did when it was conceived), none of this would have happened. Unfortunately, after the NDA Govt took office, private entities were permitted to access and obtain Aadhaar information (via what is called eKYC). eKYC has permitted many private entities to essentially replicate large sections of the Aadhaar database in private databases over which no one can exercise control.

4) Any corrective action at this time is akin to bolting the door after the horses have fled. While the SC continues to debate and hear "privacy" related cases, the reality of the situation is that much of the information has already been compromised and the genie cannot be put back in the bottle.

(This post was modified in light of information available after the initial Tribune story.)
