How many steps does it take to get access to thousands of Aadhaar numbers of citizens?
Step 1: Google ‘aadhar.jpg’
In a major breach of privacy and data protection, private entities of various kinds, educational, non-profit or commercial, that demand Aadhaar numbers as proof of identity, have kept their entire directories open and publicly searchable on Google. Scanned copies of Aadhaar cards are peppered in the search results that come up when one Googles “aadhar.jpg” or “aadhaar.jpg”.
These images show up on Google because they have been stored in directories that have been kept public and searchable. A security lapse like this, breathtaking in its negligence, reflects a general lack of seriousness among institutions towards sensitive data of citizens as well as a failure to grasp the most basic security protocols.
So, why is Google throwing up images of Aadhaar cards?
The answer is simple. When an individual types in keywords to search for something, Google, based on its algorithm, crawls the web and returns relevant search results from the part of websites that are publicly accessible. Organisations need to keep only the relevant information publicly available on the client side of their website, not the complete database of sensitive information, such as sensitive user documents.
Apart from Aadhaar numbers, the list of openly available documents includes scanned copies PAN cards, voter IDs, passports, driver’s licence, and school leaving mark sheets. Most of the open directories that The Quint found through the search belonged to educational institutions. One of the open directories also contains scanned passport copies of foreign nationals.
The Quint came across seven open directories in its scroll through the first fifty rows of photographs. Apart from educational institutions, other sources of directories of hundreds, and in some cases, thousands of people, include an NGO that runs an orphanage, an aviation academy and a trade conglomerate. All these institutions have collected Aadhaar and other identifying documents as part of its records but appear oblivious to the fact that the directory is stored directly on the server itself and not behind a login wall.Also Read: UP Hospital’s Server Gives Free Access to Patients’ Aadhaar Info
At a time when reports of Aadhaar leaks have been reported with increasing regularity, this appears to be the easiest among all the ways that the Aadhaar numbers of citizens have been leaked.
This serious lapse in providing the most elementary protection was detected a month after the Aadhaar-issuing body – UIDAI – explicitly directed people and organisations to never make Aadhaar numbers public. In a thread nine tweets long, UIDAI, firefighting TRAI Chairman RS Sharma’s controversial ‘Aadhaar Challenge’, asked citizens to “refrain from publicly putting their Aadhaar numbers on internet and social media”.
People are advised to refrain from publicly putting their Aadhaar numbers on internet and social media and posing challenges to others. 1/n
— Aadhaar (@UIDAI) July 31, 2018
Aadhaar number is personally sensitive information like bank account number, passport number, PAN number, etc., which should be strictly shared only on a need basis for a legitimate use for establishing identity and for legitimate transactions. 5/n
— Aadhaar (@UIDAI) July 31, 2018