A First Information Report (FIR) by the police against a journalist who exposed a potentially-dangerous breach in the world's largest biometric database sparked angry protests from her media colleagues across the country, pushing the Unique Identification Authority of India (UIDAI), which runs the identity card scheme Aadhaar, on the back foot.
In her investigative report, Tribune correspondent Rachna Khaira claimed that access to the Aadhaar database of more than 1 billion citizens was being sold for just Rs 500 ($8). The Tribune newspaper said it bought login details to the Aadhaar website from touts on WhatsApp and had access to personal information such as the names, numbers and addresses of millions.
This is what Khaira wrote:
"It took just Rs 500, paid through Paytm, and 10 minutes in which an "agent" of the group running the racket created a "gateway" for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.
What is more, The Tribune team paid another Rs 300, for which the agent provided "software" that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual."
After media groups slammed the FIR against Khaira and accused UIDAI of shooting the messenger, instead of addressing the real issue of securing its database, the authority issued a press statement saying that it respected free speech and had no intention of targetting Khaira or Tribune. It denied there was any breach of Aadhaar's biometric database.
UIDAI said it was "duty-bound to disclose all details of the case", and it does not mean that "everyone mentioned in the FIR is a culprit".
Here's the statement:
The Network of Women in Media said it was "appalled" that UIDAI lodged a police complaint against Khaira. It said the UIDAI appeared to lack "basic understanding of how journalism works".
Here's the full statement:
The Network of Women in Media, India, is appalled that the Unique Identification Authority of India (UIDAI) has reportedly lodged a police complaint against Rachna Khaira, a journalist at The Tribune, over her report on the vulnerability of Aadhaar data.
The story, 'Rs 500, 10 minutes and you have access to billion aadhaar details' and the follow-up, 'Aadhaar whistleblower who first called uidai', published on January 3, 2017, had described how it was possible to buy access to personal information about citizens stored in the Aadhaar database for as little as Rs. 500. On January 4, based on a complaint by UIDAI, a first information report (FIR) was filed against Khaira for alleged offences, including cheating and forgery.
The UIDAI appears to lack basic understanding of how journalism works.
Khaira's report conclusively demonstrates fundamental flaws in the way the Aadhaar programme has been structured. This is public interest journalism. The UIDAI should be welcoming and acting on reports like Khaira's, not stifling them.
The UIDAI action raises concerns about whether it is meant to intimidate journalists and deter them from reporting freely on the Aadhaar programme. This is a blatant attack on the freedom of the press, as well as the public's right to information. Other journalists and civil society groups who have revealed failings in the Aadhaar programme have been targeted as well. This must stop.
We also condemn the charges that have been brought against whistleblowers Anil Kumar, Sunil Kumar, and Raj, all of whom were mentioned in Rachna's report. Such punitive action against sources and whistleblowers is completely unacceptable.
As a public authority, the UIDAI is answerable to the public. If there are weaknesses in the system, they need to be fixed. Shooting the messenger is not the responsible or accountable way forward. The media will not be cowed down by these legal browbeating tactics.
The NWMI calls upon the UIDAI to immediately withdraw the complaint against Rachna Khaira and her sources. Instead, it must direct its action against those who have compromised the security of the Aadhaar database.
The Network of Women in Media in India
January 7, 2018
The Editors Guild said UIDAI's action was "clearly meant to browbeat a journalist whose investigation on the matter was of great public interest."
Here's their statement:
The Editors Guild of India is deeply concerned over reports that the Deputy Director of the Unique Identification Authority of India (UIDAI) had registered an FIR against Rachna Khaira, a reporter of The Tribune, in the Crime Branch of the Delhi Police. The reporter has been booked under IPC sections 419 (punishment for cheating under impersonation), 420 (cheating), 468 (forgery), 471 (using a forged document) and also under sections of the IT Act and the Aadhar Act.
The Tribune report of January 3 by Khaira had exposed how, for a small sum of money made to a payment bank, an agent of a private group would allegedly create a gateway to access details contained in an individual's Aadhar card. Using a false identity, Khaira had posed as an interested party and claimed in her report that she had easy access to details that individuals had listed in their Aadhar cards. The UIDAI in a statement had subsequently denied that any data breach was possible.
The Guild condemns UIDAI's action to have the Tribune reporter booked by the police as it is clearly meant to browbeat a journalist whose investigation on the matter was of great public interest. It is unfair, unjustified and a direct attack on the freedom of the press. Instead of penalising the reporter, UIDAI should have ordered a thorough internal investigation into the alleged breach and made its findings public. The Guild demands that the concerned Union Ministry intervene and have the cases against the reporter withdrawn apart from conducting an impartial investigation into the matter.
Raj Chengappa, President
Prakash Dubey, Generalk Secretary
Kalyani Shankar, Treasurer
"Mere display of demographic information can't be misused without biometrics," UIDAI said, dismissing concerns that the data could be used for financial fraud.
"I think I have earned this FIR. I am happy that at least the UIDAI has taken some action on my report and I really hope that along with the FIR, the government of India will see what all breaches were there and take appropriate action," Khaira told a TV channel, adding that she stood by "every word" of her report.