An answer to a question in the Rajya Sabha by Shri Neeraj Shekhar regarding the “unrestricted availability of Aadhaar details on Social Media App” (WhatsApp) confirms that the UIDAI has filed an FIR against the whistleblowers.

Shri Neeraj Shekhar had asked the following of the Minister of Electronics and Information Technology:

  1. whether Government is aware that more than one billion unrestricted Aadhaar details were available on WhatsApp for just Rs. five hundred, as per a recent report;
  2. if so, the details thereof;
  3. whether UIDAI has filed FIR against the whistle blowers; and
  4. if so, the details thereof and the reasons therefor?

To this, the response of the Minister of Electronics and Information Technology, Shri Ravi Shankar Prasad, is startling (and predictable). To the first two questions, he has replied that “Aadhaar data is fully safe and secure and there has not been a single case of data breach from Unique Identification Authority of India (UIDAI)’s database. The report in media about ‘Rs 500, 10 minutes, and you have access to billion Aadhaar details’ was a case of misreporting and is completely false. UIDAI, for the purpose of grievance handling, has provided search facility to State Government officials, which provide demographic information of the person whose enrolment ID or Aadhaar is provided. The reported case was a case of misuse of the said facility.”

On the last two questions, whether the UIDAI has filed an FIR against the whistleblowers and the details of and reasons for it, R S Prasad has confirmed that the UIDAI has filed an FIR against the whistleblowers and has provided the details of the FIR. The part of the last question asking for the reasons for filing the FIR against the whistleblowers is not answered.

Medianama’s take

When a large-scale, technology-based project that is responsible for the security of sensitive data is handled in such an unprofessional manner, it does not bode well for the project or for those whose data it puts at risk. A technologically sound response to reports of vulnerabilities must invite information about what compromises the data, explore the extent of the vulnerability, mitigate the harm done and ensure that future harm cannot be done. This is a well-established practice followed by mature and secure projects as well as by governments that depend extensively on IT for functioning (case in point: the Recommendations to the US President on Federal IT Modernization, which explicitly recommends bug bounty programs for government applications and computer tools to reward ethical hackers who spot hackable digital vulnerabilities in government systems). Persecution of the whistleblower on issues related to the security of sensitive national data sabotages the ability of the country to secure its information and serves to undermine the national interest.

Punishing the whistleblower is an irresponsible action that puts public-minded individuals under threat from their own government and prevents improvements in security by persecuting those who would raise the alarm about vulnerabilities. It misinterprets the role of the government in safeguarding the interests of citizens and, in effect, serves to protect entities delivering substandard work to the government as well as those who would exploit sensitive information of Indians using the vulnerabilities created (intentionally or unintentionally) by the developers of the project. If the reporting and repair of vulnerabilities are repeatedly being prevented by representatives of the government as well as publicly funded bodies, there should be an investigation into the reasons, in the interests of national security.