The UIDAI has admitted in response to an RTI that 210 government websites publicly displayed the names and addresses of Aadhaar users, reports PTI.

Much of this data was online and easily available for months, and CIS India had determined that government departments had leaked data for at least 130 million people online, from only 4 sites. A separate MediaNama aggregation had listed around 12 other government sites. A few questions then for the UIDAI:

1. Why was there no proactive disclosure about the fact that 210 government websites had published personal identification details of individuals?
2. Data for how many individuals had been published online? Did the UIDAI do any analysis to assess the number of people affected by this leak?
3. Were each of the individuals, whose data had been leaked, informed about the data leaks, as should be the case with responsible disclosure of leaks of personal information?
4. Given that Aadhaar is a permanent number, were these people offered new Aadhaar numbers, now that their data has been compromised?
5. How many cases have been registered by the UIDAI against specific government officials/departments for illegal publishing of Aadhaar numbers online? This is a clear violation of the Aadhaar Act and its rules:

AADHAAR (SHARING OF INFORMATION) REGULATIONS, 2016, point 6

  • “The Aadhaar number of an individual shall not be published, displayed or posted publicly by any person or entity or agency.”
  • “Any individual, entity or agency, which is in possession of Aadhaar number(s) of Aadhaar number holders, shall ensure security and confidentiality of the Aadhaar numbers and of any record or database containing the Aadhaar numbers.”
  • “…no entity, including a requesting entity, which is in possession of the Aadhaar number of an Aadhaar number holder, shall make public any database or record containing the Aadhaar numbers of individuals, unless the Aadhaar numbers have been redacted or blacked out through appropriate means, both in print and electronic form.”

Instead, the UIDAI has gone after a journalist for exposing flaws in Aadhaar enrolment, and (allegedly) after Sameer Kochhar, who said Aadhaar can be hacked. They’ve also sent notices to CIS for their disclosure of Aadhaar leaks.

6. The PTI report says that the UIDAI has said “Aadhaar details have never been made public from or by UIDAI.” This is factually incorrect. Of course, one can’t expect the UIDAI to file an FIR against the UIDAI. So who watches over the antecedents of the UIDAI?
7. What processes does the UIDAI have to proactively monitor the Internet for future disclosures, to ensure that such things don’t happen again?