The data breach casts serious doubts on the unique ID’s crucial role in Tamil Nadu’s State Family Database.
Tamil Nadu’s Makkal Number, a unique ID that’s being used to tie together all the digital records of citizens of the state, has been exposed in a massive data breach. This brings into question the privacy implications and legality of such an identification number.
What is Makkal Number?
Makkal Number (people’s number) is a unique number that the Government of Tamil Nadu has already allotted to nearly 7 crore citizens of the state and is used by the government for consolidating records in the backend.
Contrary to the name, Makkal Number is an 8-digit alphabetic code. And unlike Aadhaar, Makkal Number is not necessarily known to the citizen. It is already live and is being used to dole out some welfare benefits and is connected to many records including the birth and death records of citizens.
Makkal Number is also the core element tying together records in Tamil Nadu’s upcoming State Family Database (SFDB).
What is the State Family Database (SFDB)?
SFDB is an all-in-one database that will be used across different departments of the state government to maintain records of various kinds. For example, SFDB can be used by the Department of Revenue to maintain land records pertaining to a citizen and by the Department of Higher Education to maintain education records of the same citizen.
The government has described SFDB as the single source of truth on all details with respect to the state’s residents and the data it holds is expected to be “the most current, relevant, complete, logically consistent, and comprehensive.”
The SFDB database will first be built using the data available from Public Distribution System (PDS). Along with PDS data, data from seven other departments will form the core database, and data from these departments will be matched to PDS data using Makkal Numbers.
Both the PDS database and Makkal Number have been compromised in a massive data breach that took place last month.
What happened in the Public Distribution System breach?
Tamil Nadu’s PDS database has the personal data of nearly 7 crore beneficiaries. As of yesterday, the personal data of over 6 crore of these beneficiaries is currently for sale, including over 6.6 crore Makkal Numbers.
Here’s a timeline of events:
June 29: Reports emerged that a breach of the TN government website for PDS has resulted in the leak of the Aadhaar details and other personal information of nearly 50 lakh people. Earlier in the week, on June 26, the website showed it had been “hacked by 1945VN”, and later showed that it was under maintenance.
July 2: A few days later, more data emerged from the breach, exposing over 3 crore people’s personal details, including addresses. Cybersecurity startup Technisanct said that 1.9 crore of these users’ Aadhaar numbers had been exposed.
July 3: The hacker forum selling the leaked data posted an update revealing that it had 5 crore records for sale, which expose over 2 crore Aadhaars. Following this, the PDS website was taken down for maintenance.
July 6: Sample files for 15,000 Makkal Numbers and 10,0000 Aadhaars became publicly available. TNPDS website came back online after maintenance, but there were no details on what was changed. The same day, the hacker was also selling host access to the PDS website, indicating that the sensitive data is still being exposed.
July 8: The hacker updated the sale post to reflect that 6.5 crore Aadhaar details, 6.6 crore Makkal Numbers, and 22 crore lines of data were up for sale. This is a little less than 90 percent of the PDS database. The compromised data also includes over 1.3 crore beneficiary addresses.
Why is Makkal Number concerning from a privacy point of view?
As mentioned above, Makkal Number is already being used to tie together various digital records of citizens. The fact that most of these numbers along with other personal information of the citizens are now for sale gives miscreants the ability to draw various patterns in data and use them for nefarious purposes.
The problem is further compounded by the crucial role Makkal Number is going to play in SFDB. A hacker that can breach the SFDB, which is not a far-fetched possibility given the recent PDS hack, can use the already exposed Makkal Numbers to create a complete and well-organised dataset for each of the state’s citzens that can expose every single digital record pertaining to that citizen from birth to death, such as education certificates, health records, land agreements, family information, and even financial data.
From a privacy point of view, this is highly concerning. The denial of any hack and slow response by the Tamil Nadu government against the PDS breach only exacerbates this concern.
The Makkal Number not only makes it easier for the government to tie together records but also makes it easier for hackers to do the same.
Furthermore, there is no data protection law in India that governs how personal data is to be collected and protected, though one is currently being considered by a Joint Parliamentary Committee, giving Makkal Number leeway that can result in damaging consequences.
Is Makkal Number legal?
Will it pass Puttuswamy Test? The potential privacy implications described above might cause the Makkal Number serious challenges in court. A strong argument can be made that the Makkal Number might fail the Puttuswamy Test because a) there is a legitimate state aim b) and creating this number or the State Family Database is not the least restrictive way of achieving this aim.
But it is not certain that courts will concur with the above argument. “The information is already there and the number only allows the data to be tied together. It is not compelling the resident to give up any details about herself anew nor is it denying any service for not having this number,” Alok Prassana, Senior Resident Fellow at Vidhi Centre for Legal Policy, told MediaNama.
“Unless the right to privacy is expanded to include the right to prevent the government from linking databases to each other (nowhere has this principle been recognized) there are no privacy implications as far as I can see,” Prassana added.
No legislation backing it and issued without consent: Another notable point is that Makkal Number currently does not have legal status because there is no legislation backing it. The lack of clear regulations and rules on how this number can be used is the very reason it is preferred by the state government.
Unlike Aadhaar or Family ID in Haryana, Makkal Numbers are being issued to citizens of the state without any information or consent from the individual.”The moment a child is born, a ‘Makkal Number’ (people’s number) is generated and assigned to the child,” The Hindu reported in 2019.
Although this raises red flags, it does not by itself make the number illegal. “As long as they use this Makkal Number to harmonize and link the records in the databases, there is not a problem as far as I can see it. However, the moment they make it necessary for the citizen to quote it to get government services or deny lawful rights for not having this number, that is when it will run into trouble,” Prassana said.
Why Makkal Number instead of Aadhaar?
Aadhaar Act poses limitations: “From my understanding of the Aadhaar’s use and purpose, it does not meet the requirements of what the TN Government is doing,” Prassana said.
Aadhaar number is governed by the rules set in Aadhaar Act, 2016, which clearly sets out how the number can be used. The Aadhaar Act allows states to use the Aadhaar number for establishing the identity of an individual for any purpose, but only with the consent of the individual and any identifying information can only be used for submission to the Central Identities Data Repository for authentication.
More importantly, the Aadhaar Act does not have any provision for collecting any other information other than biometric and demographic data, and the demographic data is explicitly forbidden to contain data like “race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.” Furthermore, the Unique Identification Authority of India (UIDAI) sets the rules on “the manner of use of Aadhaar numbers for the purposes of providing or availing of various subsidies, benefits, services and other purposes for which Aadhaar numbers may be used.”
Makkal number can be used in any way the TN govt sees fit: The limitations above do not exist with Makkal Number, which can be used by the state government in any way it sees fit.
This is not the first state government to pursue a different unique numbering system. The Harayana government last year began issuing a Family ID to each family in the state under the premise of offering residents welfare schemes. Prashant Panwar, Additional Deputy Commissioner of Gurugram, who oversaw the project in the city said that the additional ID on top of Aadhaar is needed because Aadhaar does not provide enough insight into the citizens. “Aadhaar in itself doesn’t provide any information to the government where we can sift through, and determine who to onboard for certain welfare schemes of the state government. There is a lot of friction in that process,” Panwar said. Likewise, Makkal Number will allow the Tamil Nadu government to collect data and gain insight that Aadhaar does not allow or cannot provide.
Aadhaar and Makkal have shared history: Aadhaar, however, has a long, shared history with Makkal Number. It is not clear when exactly the government started issuing Makkal Numbers but it appears to have stemmed from another e-governance project. Back in 2013, the Tamil Nadu government created the State Resident Data Hub (SRDH), later renamed Makkal, an e-governance project that sought to do many things that the new SFDB is now looking to do. But SRDH primarily used Aadhaar to deliver its services under the provisions granted by Section 57 of the Aadhaar Act, 2016. This section was struck down in 2018, although a separate amendment in 2019 allowed states to still use Aadhaar to a certain extent. About the same time, the Tamil Nadu government started issuing Makkal Numbers to its citizens and shifted to using them instead of Aadhaar.
- Health Ministry Permits ‘Voluntary’ Aadhaar Authentication For Creation Of Unique Health ID
- Supreme Court Dismisses Aadhaar Review Petitions, With Justice Chandrachud Dissenting
- Election Commission To Start E-KYC For Voter IDs, As Government Considers Linking Aadhaar To EPIC