Excerpts from the paper* “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information”, by Amber Sinha and Srinivas Kodali of the Centre for Internet and Society, India:
Since its inception in 2009, the Aadhaar project has been shrouded in controversy due to various questions raised about privacy, technological issues, exclusion and security concerns. In the last month, there have been various reports pointing out instances of leakages of Aadhaar number through various databases, accessible easily on Twitter under the hashtag #AadhaarLeaks. Most of these leaks reported contain personally identifiable information of beneficiaries or subjects of the leaked databases containing Aadhaar numbers of individuals along with other personal identifiers.
All of these leaks are symptomatic of a significant and potentially irreversible privacy harm, however we wanted to point out another large fallout of these leaks, those that create a ripe opportunity for financial fraud.
A review of government schemes’ dashboard and portals demonstrated to us the dangers of ill-conceived data driven policies and transparency measures without proper consideration to data security measures and lapse statistical disclosure control. While initiatives such as the government open data portals may be laudable for providing easy access to government data condensed for easy digestion, however in the absence of proper controls exercised by the government departments populating the databases which inform the data on the dashboards, the results can be disastrous by divulging sensitive and adversely actionable information about the individuals who are responding units of such databases.
Thus, while availability of aggregate information on the dashboard may play a role in making government functioning more transparent, the fact that granular details about individuals including sensitive personally identifiable information (PII) such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggest how poorly conceived these initiatives are. The lack of consistency of data masking and de-identification standard is an issue of great concern.
Masking of Aadhaar numbers does not follow a consistent pattern. In some instances, the first four digits were masked, while in others the middle digits were masked. Given the multitude of databases publicly available, someone with access to different databases could use tools for aggregation to reconstruct information hidden or masked in a particular database. Further, most of the databases we encountered were also available for download as spreadsheets. The availability of the information in datafied formats also facilitates the use of data analytics to aggregate information from various sources, thus, increasing the risk of data points from different sources coming together to enable reconstruction of masked or undisclosed information.
Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these portals could be around 130-135 million and the number of bank accounts numbers leaked at around 100 million from the specific portals we looked at. While these numbers are only from two major government programmes of pensions and rural employment schemes, other major schemes, who have also used Aadhaar for direct bank transfer (DBT) could have leaked PII similarly due to lack of information security practices. Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT, and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number.
National Social Assistance Programme
The National Social Assistance Programme (NSAP) is a welfare programme being administered by the Ministry of Rural Development. It is intended to provide public assistance to its citizens in case of unemployment, old age, sickness and disablement. The programme includes disbursement of benefits under the National Old Age Pension Scheme, National Family Benefit Scheme, National Maternity Benefit Scheme, Indira Gandhi National Widow Pension Scheme and Indira Gandhi National Disability Pension Scheme.
The NSAP portal has a dashboard for digitized data. As we explored the links in the dashboard further, it led to a several lists of beneficiaries with PII available about them. The portal allows users to explore lists of pensioners. These lists are organised by state, districts, area, sub-district/municipal area and gram panchayat/ward. Among the attributes listed in the databases of pensioners available, the following are PII: Job card number, Bank Account Number, Name, Aadhaar Number, account frozen status.
While the details were masked for public view, someone with login access could get the details. When one of the url query parameters of website showing the masked personal details was modified from “nologin” to “login”, that is control access to login based pages were allowed providing unmasked details without the need for a password. It is entirely unclear to us what the purpose behind making available a Data Download Option on the NSAP website is.
This feature allows download of beneficiary details mentioned above such as Beneficiary No., Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No. for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state.
The NSAP portal lists 94,32,605 banks accounts linked with Aadhaar Numbers, and 14,98,919 post office accounts linked with Aadhaar Numbers. While the portal has 1,59,42,083 Aadhaar numbers in total, not all of whom are linked to bank accounts. Further, the NSAP dashboard also lists the total number of beneficiaries, and the exploring the various links available for public access leads to information about mode of payment for each applicant (Bank/cash/PO) and payment category (DBT/Non-DBT).
National Rural Employment Guarantee Scheme (NREGS)
The NREGS seeks to provide livelihood security of households in rural areas of the country by providing at least 100 days of guaranteed wage employment in a financial year. This project extends to 683 districts in the country with over 25,46,00,000 workers. The NREGA portal has separate section on MIS reports. Within the MIS reports page, one of the heads was the Direct Benefits Transfer Reports which contain various sub-sections including one called ‘Dynamic Report on Worker Account Detail’. This led us to granular reports for each district, mandal and panchayat.
The final pages in this link for each Panchayat had a list of very sensitive PII, namely Job card No., Aadhaar Number, Bank/Postal Account Number, no. of days worked, Registration Number, account frozen status. As per the NREGA portal, there as 78,74,315 post office accounts of individual workers seeded with Aadhaar numbers, and 8,24,22,161 bank accounts of individual workers with Aadhaar numbers. The total number of Aadhaar numbers stored by portal are at 10,96,41,502.
Chandranna Bima Scheme, Govt. of Andhra Pradesh
This is a scheme to provide relief to the families of unorganized workers in case of death or disability of the unorganised worker. It involves registration of unorganised workers and their enrollment in the Chandranna Bima Scheme, data entry, maintenance of database, hard copies of signed applications and other connected matters. The registered unorganised workers are to be enrolled as members under State Accident Death and Disability Scheme, Aam Admi Bima Yojana (AABY) and will also be covered under the Pradhan Mantri Suraksha Bima Yojana (PMSBY).
The scheme dashboard is extremely informative about different kinds of data maintained by the scheme. We looked at the Aam Admi Bima Yojana documents which was organised in the form of lists workers registered for each district, mandal, village and block. Within each block, there is a list of all registrant and finally each registrant has their own page with sensitive PII available.
Under the database fields with PII include the following: Aadhaar Numbers, Name, Father’s/Husband’s Name, age, caste, mobile number, gender, partially masked bank account number, IFSC Code, Bank Name and details of the nominee. Even though the details were masked while rendering, we found MS Access databases of all the data being published by the portal negating the masking process. At the same time urls which were used to get reports have Aadhaar numbers part of them making anyone familiar with web development access the details. This database has 2,05,65,453 workers registered under the Aam Admi Bima Yojana.
Daily Online Payment Reports of NREGS, Govt. of Andhra Pradesh
Along with the national portal maintained by Ministry of Rural Development, the Government of Andhra Pradesh maintains its own portal to track progress of NREGS work and payments made under it. The MIS reports section of the portal has reports for various works done under the programme, social audits, quality control, expenditure and DBT. This section of DBT has been studied and documented. Exploring DBT section gave us information on Aadhaar seeding for workers, Bank account seeding for PMJDY, Payment transaction details using Aadhaar Payments Bridge (APB), Details of Suspended NREGS workers, Consent forms status of workers, workers details along with UID, bank account details and phone numbers.
The final pages in this link for each Panchayat had a list of very sensitive PII, namely Job card No., Aadhaar Number, Bank/Postal Account Number, Whether it is seeded with mobile number, no. of days worked, registration Number, date on which e-pay order number is created, date, date on which e-pay order number is sent to paying agency, date of which credit to worker’s account, time and date for disbursement, pay order amount, mode of payment. As of 28th April, the portal gives out details about 1,12,99,803 Aadhaar numbers and 76,63,596 bank account numbers.
While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data. It is important to note that when Nandan Nilekani claims repeatedly that the Aadhaar data is secure, his focus is largely on the enrolment data collected by UIDAI, or authentication logs maintained by it. With countless databases seeded with Aadhaar numbers, we would argue that it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may be used for mischief.
UIDAI may point to Section 29 (4), which makes publication of Aadhaar Numbers illegal , to state that legal machinery exists to deal with situations such as these, but its selective implementation against anyone pointing out flaws can be harmful. However, given the scale of the project, the amount of data involved, and the large expanse of both public and private parties involved, we would argue that there is no way that UIDAI, in good faith, could have determined the presence of one legal provision, on its own, as sufficient deterrent to prevent such flagrant misuse of data. Further, it is staggering that while these databases have existed in the public domain for months, while framing the Aadhaar Act Regulations in late 2016, the UIDAI did not even deem these as important matters to be addressed by way of regulations or standards.
*Download full paper HERE