By Vivek Ananth
MUMBAI – While the recent breach of 3.2 mln debit cards sent the government and the banking industry into damage control mode, another risk may be going unnoticed: the databases linked to Aadhaar, cyber security and privacy experts said.
The Reserve Bank of India has made it mandatory from January 1, 2017 for every ATM and every point-of-sale device at vendors to be biometrically enabled. This means that an individual whose bank account is linked with Aadhaar could withdraw cash or make a payment through biometric authentication.
Every Indian resident’s Aadhaar number is embedded in the records of banks, government agencies and other service providers, wherever they voluntarily produced it as a means of identification or to receive government subsidies and services.
As every bank transaction validated against an Aadhaar number generates an electronic trail, that trail can be monitored: even when the biometric itself is not stored, the record of who authenticated, where and when is.
“Every time you authenticate, you leave a mark,” said Usha Ramanathan, an independent law researcher. “How many times you have used it, how many times you opened it, what are the timings… all that metadata… will tell them how often it gets used.”
In September, the Unique Identification Authority of India issued regulations which allow service providers to retain such authentication data for seven years.
Cyber security and privacy experts say that constant vigilance, heightened technology awareness and sensitivity to privacy concerns are needed from the people and agencies handling Aadhaar details.
There is still no mechanism to monitor the misuse of data by service providers who use the Aadhaar database, Ramanathan said.
The authority says it prescribes strong data protection norms for its service providers on the maintenance of Aadhaar-linked databases.
“First of all, (Aadhaar) Act requires us to have a very strong data protection policy,” said Ajay Bhushan Pandey, chief executive officer of the Unique Identification Authority of India. “…We follow one of the highest international standards. There are some of the steps that need to be taken to ensure the data is protected and we follow that.”
This, though, is limited to the Aadhaar database maintained by the authority and to many of the service partners involved in performing Aadhaar verification using biometrics. The authority also prohibits publication of any resident’s Aadhaar number together with any linked database.
Separately, regulations under the Information Technology Act 2000 govern the maintenance and storage of all digital records of individuals, such as bank records, information shared with an app developer over the internet, and data held by any other service provider in the course of providing services.
“The data protection section in the IT Act (Information Technology Act 2000) does not apply to the government,” said Sunil Abraham, executive director at the Centre for Internet and Society, a Bengaluru-based policy think tank which researches internet and digital technologies. “The data protection section… does not comply with international best practice and therefore does not comprehensively protect the right to privacy.”
None of the above regulations makes it mandatory for a service provider to inform its customers of a breach of their private information. The breach at the ATMs was detected only recently, although it occurred more than four months ago.
Banks’ customers were not informed about the breach or asked to change their cards’ personal identification numbers until recently, when emails and text messages were sent out to customers informing them.
“No government can at present promise perfect security for even its most critical personnel data,” Mishi Choudhary, legal director at the Software Freedom Law Center, said. “No ‘platform’ company, with all the immense profits earned from processing the data of hundreds of millions of customers, can claim to guarantee perfect security of customer data.”
Currently, the only recourse available to a person who finds that their Aadhaar details have been unlawfully used or disclosed without consent is to file a complaint with the local police station.
If offences are committed under the Aadhaar Act, then the punitive provisions associated with it too will follow, Pandey said.