Three years after Nandan Nilekani, the high-profile tech entrepreneur who helped create India’s controversial biometric identity program called Aadhaar, publicly tweeted his own confidential Aadhaar ID, his personal information is still readily available online, BuzzFeed News has learned.
An Aadhaar ID, which is associated with personal information like your address and birthdate, and is linked to services such as your bank account, tax records, cellphone number, and insurance, is like an extreme form of a US social security number, one that is also connected to your biometric data.
From 2009 to 2014, Nilekani served as the head of the Unique Identification Authority of India (UIDAI), the government agency responsible for administering Aadhaar. The program aims to create a digital national identity system by collecting the personal details and biometrics — all 10 fingerprints and iris scans — of 1.3 billion Indian residents into a government-owned database. Critics have slammed Aadhaar, saying it violates privacy, enables state surveillance, and exposes citizens to identity theft.
Nilekani exposed himself to identity theft by tweeting a picture of his own Aadhaar card on April 12, 2014. He blacked out the first eight digits of his 12-digit Aadhaar number, but did not obscure the QR code containing his personal demographic details that could be read by any freely available iOS or Android app used for scanning QR codes.
And as with just about anything that’s publicly tweeted, Nilekani’s private information remains online. Members of an internet forum well known among computer programmers scanned his QR code and posted his demographic details and Aadhaar number, and this data eventually ended up on at least half a dozen other web pages that BuzzFeed News reviewed. Images of Nilekani’s tweet with his Aadhaar card exist on at least one well-known website.
Despite several people on Twitter pointing out a potential breach of privacy, Nilekani’s tweet remained on Twitter at least through September 2016, when he finally deleted it.
“I guess Nandan didn’t realize what he had done at first,” said Prasanto K Roy, a former technology journalist who was one of the people who alerted Nilekani. “And I don’t think he paid much attention to it even when it was flagged, probably thinking that it wasn’t a big deal since, as a well-known person and the head of the Aadhaar program, most of his demographic details were publicly available anyway. I think he must have realized the seriousness of it later — that his tweet might suggest to others that it was OK to post a picture of your Aadhaar card simply by redacting the Aadhaar number itself.”
In September 2016, India’s government passed the Aadhaar Act to govern the program, which made publishing an Aadhaar number publicly a criminal offence.
Nilekani did not respond to BuzzFeed News’ requests for comment. But a source close to him said under the condition of anonymity that they advised him to take down his tweet for almost six months — starting a few months before the Aadhaar Act was introduced — before it was finally deleted.
Experts said that Nilekani’s leaked Aadhaar number leaves him vulnerable to identity fraud because the Indian government requires citizens to link their Aadhaar numbers to essential services like food subsidies, utilities, bank accounts, cellphone numbers, and insurance services.
“Personal data such as full names, birthdates, and residential addresses should always be afforded a high level of protection,” cybersecurity expert Troy Hunt told BuzzFeed News. “For many people, this is information they won’t want to share beyond authorized parties because it can be used to locate them or aid in identity theft.”
BuzzFeed News, for instance, was able to find out where Nilekani does his banking by using a publicly available, UIDAI-provided service that lets anyone simply punch in an Aadhaar number on a mobile phone to see the bank accounts it is linked to.
Indeed, despite the UIDAI’s repeated denials, Aadhaar numbers leaked online have been used to commit identity theft in India. In October 2017, for instance, Indian police arrested a group that used the leaked Aadhaar numbers of nearly 300 pensioners to open bank accounts in their names and swindled over four million Indian rupees worth of pension money over two years, according to reports.
Making things murkier is the UIDAI’s conflicting messaging about whether an Aadhaar ID is actually private information or not. After The Tribune published an investigation revealing how it was able to buy unauthorized access to the demographic details of nearly 1.2 billion Indians from the Aadhaar database earlier this week, the UIDAI said having someone’s Aadhaar number and demographic information was “not a security threat” without also having their biometric information. But a day later, the agency sent out a tweet cautioning the general public about the importance of keeping Aadhaar numbers confidential.
“Their claim about demographic information being useless without biometrics is simply not true,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bangalore-based think tank. “Having this kind of information available publicly allows anyone to gain enough knowledge about you to impersonate you, because there are certain details like your date of birth, for instance, that are often used today by places like banks to make sure you are who you say you are.”
More importantly, the Aadhaar Act itself allows for three types of authentication to verify a person’s identity: matching an Aadhaar number with a linked fingerprint or iris, with a one-time code sent to a linked mobile number, or with a linked piece of demographic information like a residential address.
“The third type of authentication assumes that a person’s Aadhaar number is private,” said Prakash. “Having an Aadhaar number available on the public internet makes this kind of authentication unviable.”
In addition to this week’s breach, Aadhaar numbers have been made public at various times in the past. In November 2017, for instance, more than 0 government websites accidentally exposed thousands of people’s Aadhaar numbers. In May 2017, researchers estimated that leaky government websites have exposed the data of 130 million people. And in March 2017, a government agency accidentally included the Aadhaar details of M. S. Dhoni, the captain of the Indian cricket team, in a tweet that was pulled down only when Dhoni’s wife tweeted angrily at India’s information and technology minister.
Nilekani’s critics say that he should have exercised more caution before tweeting a picture of his Aadhaar card. “He was no doubt aware that this was sensitive information that he was putting out, and it was bad precedent for him to be doing this as the most visible evangelist for Aadhaar,” said Kiran Jonnalagadda, a member of the volunteer-led Internet Freedom Foundation, which works on privacy, freedom of expression, and net neutrality issues in India.
Nikhil Pahwa, another member of the Foundation and a staunch Aadhaar critic, said that Nilekani’s “mistake shows that sometimes, even apparently tech savvy people make mistakes.” Pahwa thinks that the Aadhaar program needs a way to revoke or change an Aadhaar number — something that’s currently impossible. “While Mr. Nilekani may not personally face issues because of this foolishness,” he said, “spare a thought for common people whose Aadhaar details have been leaked.”