Reporter uncovers potential Aadhaar breach, government files criminal complaint against her

An Indian newspaper published a bombshell report last week claiming to have uncovered a scheme to sell access to personal information on the over 1.1 billion enrollees in India’s Aadhaar digital identity system.

Reporter Rachna Khaira of Chandigarh-based newspaper The Times used a false name to contact an agent claiming to be able to provide “Aadhaar services.” According to her report, the agent gave her direct login access to the government’s official Aadhaar portal for a one-time payment of 500 Rs (less than $8). There Khaira was able to view sensitive data including the full name, address, photo, phone number, and email address associated with any Aadhaar number.

For another 300 Rs (about $4.75), the agent provided software to print Aadhaar cards after entering the 12-digit identification number for any citizen.

The Unique Identification Authority of India (UIDAI) issued a statement refuting the story.

“UIDAI assured that there has not been any Aadhaar data breach. The Aadhaar data including biometric information is fully safe and secure,” the statement said, further claiming that Khaira accessed data illegitimately by misusing an approved “grievance redressal search facility.”

As a result, UIDAI filed a police complaint against Khaira and The Times on Friday. She is accused of “cheating under impersonation,” “cheating,” “forgery,” and “using a forged document.”

The Editors Guild of India, among several other free speech and privacy advocates, has spoken out against the government’s complaint, calling it an “attack on freedom of the press.”

“The Guild condemns the UIDAI’s action to have the Tribune reporter booked by the police as it is clearly meant to browbeat a journalist whose investigation on the matter was of great public interest,” the group said. UIDAI responded with a statement of its own, claiming that the criminal proceedings don’t constitute “shooting the messenger.”

UIDAI also reiterated its position that the integrity of Aadhaar’s biometric database remains intact, and stated that “demographic info cannot be misused without biometrics.”

That’s likely an oversimplification, however. Even if biometric information has not been compromised, unnecessary exposure of personal information still makes citizens more vulnerable engineering efforts, phishing attacks, and fraud.

This controversy also comes at a politically sensitive time for Aadhaar. This month, the country’s Supreme Court will be conducting several hearings as it looks to make a ruling on the legality of the system as a whole, and whether or not it violates Indians’ fundamental right to privacy. Petitioners have already raised concerns about Aadhaar security, and the potential weaknesses exposed by The Times will almost certainly bolster their position.