India probes breach of biometric ID system

This follows news report that journalist was able to access database after paying $10 fee

Indian police have started investigating a possible breach of India's massive biometric identification (ID) system following a report that citizens' data could be bought for as little as 500 rupees (S$10).

This has revived ongoing concerns about privacy and the safety of the database.

Called Aadhaar, the unique ID system, launched nine years ago, gives every citizen a 12-digit identity number with biometric details such as fingerprint and iris data, along with demographic data such as addresses and phone numbers.

The Indian government has collected the personal information of one billion citizens, including that of the elderly and babies.

A Jan 3 report in The Tribune newspaper said that for 500 rupees, a journalist was able to log in to the database and access details such as phone numbers and addresses.

According to the Tribune report, an unnamed seller got in touch via WhatsApp and allowed correspondent Rachna Kaira to access the database. The small fee was settled via digital payment.

Ms Kaira was given an ID and password, with which she was able to key in any identity number and get the person's name, address, photo, phone number and e-mail address.

Called Aadhaar, the unique ID system, launched nine years ago, gives every citizen a 12-digit identity number with biometric details such as fingerprint and iris data, along with demographic data such as addresses and phone numbers.

The police were initially reported to have filed a case against Ms Kaira, but government authorities yesterday said this was not the case, following an uproar in the Indian media.

"Govt is fully committed to freedom of Press as well as to maintaining security & sanctity of #Aadhaar for India's development... I've suggested @Uidai to request Tribune & its journalist to give all assistance to police in investigating real offenders," tweeted Law Minister Ravi Shankar Prasad.

Uidai is the Unique Identification Authority of India, the authority behind Aadhaar, which was aimed at giving unique IDs to every individual in a country where the poor often do not have any form of identification.

It has allowed millions to access welfare schemes, open bank accounts and get funds directly from their bank accounts instead of going through middlemen, which opens the system to corruption.

It is now mandatory, with the government linking a range of services, including access to bank accounts and income tax filing, to Aadhaar.

Critics have argued that the system violates the privacy of citizens and that biometric data is unsafe in the absence of a data protection law. They said the latest breach was an example of what could go wrong.

Uidai, however, said the biometric data remains safe. In a statement on Sunday, it called the breach an "act of unauthorised access" and said it had initiated criminal proceedings.

Social activist Nikhil Dey noted that the current episode highlighted the problems in the system.

"It shows how little control there is over the data. This was information available under a login," said Mr Dey.

The Editors Guild of India, a top editors' body, noted: "Uidai should have ordered a thorough internal investigation into the alleged breach and made its findings public."

A version of this article appeared in the print edition of The Straits Times on January 10, 2018, with the headline 'India probes breach of biometric ID system'. Print Edition | Subscribe