Giving fresh impetus to fears of Aadhaar data leaks, the Andhra Pradesh State Housing Corporation was this week called out for exposing private information about individuals after a cybersecurity researcher complained that the state-run body had exposed Aadhaar numbers of 1.3 lakh people and allowed targeting of over 50 lakh individuals by caste, religion and locality.
Independent security researcher Kodali Srinivas has claimed that the state government has shared personal and bank details of these people with several private agencies. He said that details such as caste, religion, location, and bank accounts with IFSC codes were being leaked by the government website. This information has reportedly even been put up on a few private sites and is easily downloadable.
It also had a search feature which could generate target lists of people based on their religion and caste and even show their exact location because of geo-tagging. For example, one could simply search for "Dalits" or "Muslims" and get to know how many Dalits live in Vishakhapatnam or Muslims live in Kurnool.
"The UIDAI has informed the Supreme Court that Aadhaar can never be used for surveillance or to track religious and caste information. But the fact is the Andhra Pradesh government has used Aadhaar to build profiles of their beneficiaries. All of this information is in public domain and it could be misused by political parties for voter profiling," Srinivas said.
The affected people are mostly beneficiaries of the state housing scheme and their details are available on the State Housing Corporation's website, Srinivas said, adding that he has informed of the privacy breach to the UIDAI and other officials.
Andhra Paradesh IT secretary Vijayanand said that the issue has been noted and a team is working to find out how and what details were leaked. "I cannot comment more on this since we don't have complete information. We will get full details by tomorrow," he said.
The leak has also affected hundreds of teachers in the state and information on the caste and religion of about 9,766 teachers is said to be available on the website of Commissionerate of School Education. The state IT minister Nara Lokesh has been told of the leak, but he is yet to respond to the matter.
Details of the Aadhaar are confidential information and cannot be put up online by any party as it violates the Aadhaar Act 2016.
In an incident that made national headlines in 2017, Aadhaar details of star cricketer M S Dhoni had been put up on Twitter by an Aadhaar centre. After the image of the cricketer's ID went viral, his wife Sakshi Dhoni complained about it to union law, justice and IT minister Ravi Shankar Prasad. The centre that put up the image was then blacklisted for 10 years.
The Aadhaar law has strict provisions how the biometric data collected by UIDAI can be used. As UIDAI chief A B P Pandey told the Supreme Court, its data was secured using encryption that would take “billions of years” to crack.
But there is nothing to stop private and government departments from creating Aadhaar-based databases that can be abused. In previous instances, UIDAI has washed its hands of such leaks or databases, suggesting that its responsibility stopped at securing its database.
Amba Kak, a policy analyst who has taken a hard look at India's privacy provisions, suggests there are many ways in which such data can be misused.
"The question to be asked is the ways it can be used and misused. This could mean financial fraud but it can also mean targeting of minorities in this country. We keep hearing about how privacy is not so important for socially and economically disadvantaged populations. But this (database leak) is a reminder that these marginalised communities are ones who are at most risk," she told NDTV.