Security researcher Srinivas Kodali has reported another leak of Aadhaar numbers. This time on an MNREGA Direct Benefit transfer website. The data of workers is listed by district, tehsil and village and lists the names of individuals, their job card numbers and their Aadhaar numbers.
Another day, yet another #Aadhaar data leak of 89,38,138 MNREGA workers. Website maintained by $100 billion company TCS along with another government department. Reported to security agencies. Question: where is the UIDAI bug reporting mechanism? pic.twitter.com/0L4K2YUyl1
— Srinivas Kodali #SaveKBR (@digitaldutta) April 26, 2018
Kodali reported the site to security agencies. However, he has a pertinent question – “where is the UIDAI bug reporting mechanism?”. Srinivas Kodali was among the researchers who had reported that government websites were leaking Aadhaar details and personal information for over 130 million Aadhaar holders last year. Other researchers too have reported publicly available Aadhaar information.
“Little has changed”, says Kodali. “We did not have a way to report these data leaks then, we don’t have one now. Security agencies are not really the answer. This isn’t a hack or breach or an attack on a government website, it is the government itself putting out data that it shouldn’t be making public.”
The lack of a bug reporting system for Aadhaar is an ongoing problem that is compounded by the UIDAI’s tendency to shoot the messenger. This continues to encourage non-reporting of vulnerabilities, leaving them open for malicious actors to exploit. While the government counsel has argued vociferously in the Supreme Court during the Constitutional Challenge to Aadhaar, saying that the Petitioners should report problems and suggest improvements, there isn’t actually a mechanism to do so, reducing genuine researchers who would like to see vulnerabilities fixed by approaching security agencies or reporting them on media.
It also raises serious questions about the standards of tech delivered to governments. The government does not appear to examine the quality of work delivered by companies contracted to maintain its digital services. Government websites are notoriously hard to use, have design flaws, poor coding standards, obsolete server software and more. TCS is among the leading tech organizations in the country. For such a glaring flaw to exist in a website maintained by it indicates a lack of rigour. Would TCS be delivering such work to non-government clients where personal information is made public without so much as a basic password for accessing? Does the government have a mechanism for independent assessment for security and quality in the absence of a bug reporting mechanism where citizens do it for them for free?