When The Tribune reported that access to the Aadhaar database was being sold for Rs. 500 on WhatsApp, the UIDAI and BJP attempted to pass it off as fake news. When The Quint backed the news with its own follow-up of the story, saying that access was being sold in this manner because users with admin rights are allowed to create other admin users without any checks, the UIDAI replied that the breach appeared to be a misuse of the grievance redressal search facility and said that it maintains a complete log and traceability. It also stated that the access was “limited” – meaning that it did not include biometric details.
By now, we have seen that players in the Aadhaar ecosystem will claim whatever makes it sound good, with little regard for whether it makes sense. They have also been known to flat-out lie, or to say completely opposite things at different times.
For example, in reply to a parliamentary question on grievances received by UIDAI, Minister of State for Information and Technology, Shri Alphons Kannathanam replied that there was no information on grievances because the UIDAI does not record grievances distinctly from other communication received by it like requests for information or queries.
So let us get this straight. UIDAI does not record grievances, but it has a grievance redressal search facility accessible by admins, who can spawn countless other unverifiable admins, of which it maintains a complete log and traceability. What does the UIDAI even mean here?
Also, an important question: would admin rights for redressing grievances also include the right to update records? Otherwise, how would grievances about Aadhaar data be redressed? (Update: when the UIDAI restricted access to 5,000 admin users, it shared that there were 500,000 requests to change details per day.) If so, the bogus 500-rupee admins could alter the database independently of the Aadhaar holder. This renders the entire data suspect. UIDAI insists its biometrics are not breached. However, if the records of who the biometrics belong to are tampered with, there is no need to breach biometrics, because the personal information would no longer match that of the owner of the Aadhaar number. Unless, of course, it is intended to be a feature of Aadhaar that you’d have the owner of the original record creating an account in someone else’s name on validation? This sounds very broken.
Perhaps the UIDAI should begin by putting its self-proclaimed “complete log and traceability” to work and identify all the false admins and the accounts they accessed and/or tampered with. They are claiming they can. While they are at it, it might be a good idea to actually count the “grievances” they find, as opposed to any edits by bogus admins, and reply to that query on grievances – after all, their foolproof system, with its grievance redressal features that can’t prevent unauthorized access, should be good for something, no? If only to list grievances that they forgot to record before addressing?
But wait. One more question. If the UIDAI has this complete log and traceability, why does it need to “work with police to trace people involved in making the login ID and password available to a private entity”? Surely their mythical perfect logs would have the record of who authorized which user on an allegedly secure system where access is intended to be restricted? I mean, even forum invites record who sent the invite for the user to join, and send you spam like “your friend just accepted your invite”.
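The two provisioning models the post contrasts (an admin who can spawn further admins with no check and no record, versus a system whose log answers “who authorized which user”) are small enough to show in code. The following is an added example, not the page’s own code and not anything from UIDAI’s systems; every account name, role name and the “provisioner” policy are hypothetical. The hardened registry only lets a provisioner grant rights, requires a second, distinct provisioner to approve, and writes an audit entry per grant, so any account can be traced back to the operator who authorized it and every account downstream of a compromised grantor can be listed for revocation.

```python
"""Added example (hypothetical names and roles): unchecked admin self-replication
versus an audited, two-person provisioning registry with traceability."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


# --- Model 1: the pattern the post describes. Any admin can mint another admin,
# and nothing records who did it, so the admin set silently grows with no trail.
def create_admin_unchecked(accounts: dict, actor: str, new_user: str) -> None:
    if accounts.get(actor) != "admin":
        raise PermissionError(actor)
    accounts[new_user] = "admin"  # no approver, no audit entry


# --- Model 2: grants are gated, dual-approved and logged.
@dataclass
class GrantRecord:
    when: str       # UTC timestamp of the grant
    grantor: str    # provisioner who issued the grant
    approver: str   # second, distinct provisioner who signed off
    grantee: str    # account that received the role
    role: str       # "admin" or "provisioner"


@dataclass
class AdminRegistry:
    roles: dict = field(default_factory=dict)       # user -> role
    audit: list = field(default_factory=list)       # append-only list of GrantRecord
    granted_by: dict = field(default_factory=dict)  # grantee -> grantor

    def grant(self, grantor: str, approver: str, grantee: str, role: str) -> GrantRecord:
        """Issue a role. Only provisioners may grant; plain admins cannot replicate."""
        if role not in ("admin", "provisioner"):
            raise ValueError(f"unknown role {role!r}")
        if self.roles.get(grantor) != "provisioner":
            raise PermissionError(f"{grantor} is not allowed to grant roles")
        if approver == grantor or self.roles.get(approver) != "provisioner":
            raise PermissionError("a second, distinct provisioner must approve")
        if grantee in self.roles:
            raise ValueError(f"{grantee} already exists")
        rec = GrantRecord(datetime.now(timezone.utc).isoformat(),
                          grantor, approver, grantee, role)
        self.audit.append(rec)            # the log the post says should exist
        self.granted_by[grantee] = grantor
        self.roles[grantee] = role
        return rec

    def trace(self, user: str) -> list:
        """Follow the grant chain back to the root operator who authorized this account."""
        chain = [user]
        while chain[-1] in self.granted_by:
            chain.append(self.granted_by[chain[-1]])
        return chain

    def downstream(self, grantor: str) -> set:
        """Every account that ultimately traces back to `grantor`: the set to review
        or revoke if that grantor's credentials are leaked or sold."""
        found, frontier = set(), [grantor]
        while frontier:
            current = frontier.pop()
            for grantee, by in self.granted_by.items():
                if by == current and grantee not in found:
                    found.add(grantee)
                    frontier.append(grantee)
        return found


def demo():
    """Constructed scenario: two root provisioners, one regional provisioner, two admins,
    and a plain admin who tries (and fails) to mint a further admin."""
    reg = AdminRegistry(roles={"ops_root": "provisioner", "ops_second": "provisioner"})
    reg.grant("ops_root", "ops_second", "regional_p", "provisioner")
    reg.grant("regional_p", "ops_root", "helpdesk_a", "admin")
    reg.grant("regional_p", "ops_second", "helpdesk_b", "admin")
    try:
        reg.grant("helpdesk_a", "ops_root", "rogue", "admin")
        blocked = False
    except PermissionError:
        blocked = True
    return reg, blocked


if __name__ == "__main__":
    registry, was_blocked = demo()
    print("plain admin blocked from granting:", was_blocked)
    print("who authorized helpdesk_b:", " <- ".join(registry.trace("helpdesk_b")))
    print("accounts downstream of regional_p:", sorted(registry.downstream("regional_p")))
```

The point of `trace` and `downstream` is that they answer, from the log alone, exactly the questions the post says UIDAI should be able to answer: which operator authorized a given login, and which accounts were created through a login whose credentials were later found for sale. In the unchecked model neither question can be answered, because the only state kept is the role table.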