A public online dashboard on a website maintained by the Andhra Pradesh government allows anyone with an internet connection to use “religion” or “caste” as a search criterion to identify the homes of 5,166,698 families in 13 districts in Andhra Pradesh. The vulnerability was first spotted by Srinivas Kodali, a security researcher.
HuffPost India is not revealing the website to protect the privacy of those listed in its database.
On using the dashboard, HuffPost India found the precise latitude and longitude of homes inhabited by Muslim families, Dalit families, Hindu homes and even Zoroastrian families. When HuffPost India checked back on the database, the number of families enrolled had increased, suggesting the database is continually updated and the privacy implications are growing every hour. HuffPost India is not publishing the exact numbers, as this is sensitive information.
The dashboard uses Aadhaar numbers as a unique identifier to compile detailed information about beneficiaries of a widely-promoted government subsidy programme.
The Andhra Pradesh case illustrates that the real value of Aadhaar for state governments is not biometric authentication, as is commonly assumed, but rather the Aadhaar number itself. And the real risk to citizen privacy isn’t the security of UIDAI’s biometric database, but the relentless, and unsecured, seeding of Aadhaar numbers into every single database including income tax, property records, bank loans, phones, bank accounts, and beneficiary records.
Aadhaar-seeding, privacy advocates say, showcases how Aadhaar can be used to create giant, detailed, searchable citizen databases and confirms their worst fears about how India’s big-data governance revolution can be subverted to target vulnerable citizens.
“Creating public, searchable, digital profiles of minorities makes them potential targets of attack,” said Kavita Srivastava, who has investigated scores of communal riots as National Secretary of the People’s Union for Civil Liberties.
“In the past, rioters used crude forms of targeting, which allowed at least some victims to escape,” Srivastava said, recalling how in the anti-Sikh riots of 1984, several Sikh families removed their name-plates from outside their homes in an effort to blend in with their neighbours. In the Gujarat riots of 2002, victims told this reporter that rioters came armed with electoral rolls to identify Muslim homes.
A digital, geo-tagged, public database – searchable by religion and caste – like the one in Andhra Pradesh, makes it much easier to target potential victims. Opening the database to the public in such communally polarised times is particularly foolish, Srivastava said. But, as the examples of 1984 and 2002 illustrate, even state administrations cannot be trusted with such detailed information.
“A database like this, means anyone can simply Whatsapp the locations of the homes of victims to rioters. It is very scary,” Srivastava concluded.
A cursory exploration of the AP government dashboard revealed the phone numbers, bank account numbers, and IFSC codes of those enrolled in the database. The website had also published the Aadhaar numbers of approximately 100,000 beneficiaries, according to Kodali, a security researcher who spotted the vulnerability. Publishing Aadhaar numbers is an offence under India’s Aadhaar Act. Kodali said he alerted the Universal Identification Authority of India, the National Critical Information Infrastructure Protection Centre, and CERT-In, the Indian government’s cyber-response cell.
“The authorities masked the Aadhaar numbers after I wrote to them. But 50 lac phone numbers are still available on the site for anyone to take,” Kodali said. “We find that authorities seem to forget to mask Aadhaar numbers each time they upload a new batch of data.” The data still visible on the website is enough to clean out the bank accounts of those thus exposed.
The full 360
The Universal Identification Authority of India (UIDAI), the agency that oversees Aadhaar, insists that Aadhaar cannot be used to profile citizens. The authority, as it frequently reiterates in public statements, only gathers basic demographic information and biometrics, and its authentication service only provides a “Yes/No” answer.
“By design, the technology architecture of UIDAI precludes even the possibility of profiling individuals for tracking their activities,” the authority stated in an affidavit to the Supreme Court in July last year, claiming government agencies “will never have or will not be able to build a 360-degree view of any of its customers or beneficiaries.”
Aadhaar information, the UIDAI has said on multiple occasions, is ‘federated’ – i.e. scattered across databases – rather than centralised in one place.
Privacy researchers contest this categorisation.
“If you can take a unique identifying number and use it to find data in different sectors, then the federated database loses its meaning,” explains Pam Dixon, Executive Director of the World Privacy Forum, an American public interest research group. “That number can be cross-walked across all the different parts of their life.”
In Andhra Pradesh, authorities created a software platform, called the People’s Hub, that used the Aadhaar number as the unique identifier to cross-walk, or merge, data from 29 different departments, an official told HuffPost India. Some of these departments – like a school scholarship database – held information about a citizen’s caste, other departments had pension data, still others had religion data. In a final stroke, the government conducted a “smart-pulse” survey in which they geo-tagged the homes of beneficiaries of all government schemes, and linked it to the Aadhaar numbers of the inhabitants of each home.
Aadhaar numbers, in effect, became the glue that fuses all these discrete databases into one master database, which allows authorities to search the database using any defined search criteria in a single click: be it caste, religion, gender, age, or physical location. By opening the database to the public, they have given that power to anyone with an internet connection.
To describe a database as federated is one thing, Dixon concluded, “but unless the rules for that database federation have been set up appropriately, it really doesn’t matter nearly as much.”
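The cross-walk described above, and one federation rule that blocks it, as an added example (not code from the People’s Hub or any government system). All records, IDs and secrets are constructed; replacing the shared number with a per-department keyed token (HMAC-SHA256) is an assumption of this example, a technique the article itself does not mention.

```python
import hashlib
import hmac

# Constructed sample data: three "departments" keyed by the same citizen ID.
# The IDs are fake placeholders, not Aadhaar numbers.
SCHOLARSHIPS = [{"id": "ID-0001", "caste": "category-A"},
                {"id": "ID-0002", "caste": "category-B"}]
PENSIONS = [{"id": "ID-0001", "pension": "old-age"},
            {"id": "ID-0002", "pension": "disability"}]
SURVEY = [{"id": "ID-0001", "home_location": "location-1"},
          {"id": "ID-0002", "home_location": "location-2"}]


def crosswalk(*datasets, key="id"):
    """Merge every row that carries the same key value into one profile."""
    profiles = {}
    for rows in datasets:
        for row in rows:
            profile = profiles.setdefault(row[key], {})
            profile.update({k: v for k, v in row.items() if k != key})
    return profiles


def pseudonymise(rows, dept_secret):
    """Swap the shared ID for a token only this department can derive.

    The same citizen gets a different token in each department, so the
    datasets no longer share a join key. This holds only if the raw ID and
    other shared identifiers (such as phone numbers) are not stored beside it.
    """
    out = []
    for row in rows:
        mac = hmac.new(dept_secret, row["id"].encode(), hashlib.sha256)
        out.append({**row, "id": mac.hexdigest()[:16]})
    return out


def widest_profile(profiles):
    """Number of attributes in the richest merged profile."""
    return max(len(p) for p in profiles.values())


if __name__ == "__main__":
    shared = crosswalk(SCHOLARSHIPS, PENSIONS, SURVEY)
    split = crosswalk(pseudonymise(SCHOLARSHIPS, b"constructed-secret-1"),
                      pseudonymise(PENSIONS, b"constructed-secret-2"),
                      pseudonymise(SURVEY, b"constructed-secret-3"))
    print("shared ID:", len(shared), "profiles, widest =", widest_profile(shared))
    print("dept tokens:", len(split), "profiles, widest =", widest_profile(split))
```

With the shared ID, the three datasets collapse into one profile per person holding caste, pension and home location together; with per-department tokens the same merge yields six unlinked single-attribute records.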