The Mumbai Division of the Western Railways has published the Aadhaar numbers, addresses and phone numbers of those injured in a stampede on Elphinstone bridge in Mumbai in September 2017, in response to a Right to Information (RTI) request.
Publishing Aadhaar numbers in this manner is an offence under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016. The public disclosure of personal information like Aadhaar numbers and phone numbers leaves victims vulnerable to cybercrime, privacy advocates said.
At a time when government directives to seed Aadhaar numbers with bank accounts, telephone numbers, tax returns, and welfare entitlements, has resulted in the creation of detailed citizen profiles; this latest error adds to an already dismal record of government departments in safeguarding such information.
The Unique Identification Authority of India (UIDAI), the agency with the sole right to prosecute breaches of the Aadhaar Act, did not respond to requests for comment.
CITIZENS AT RISK
This callous attitude to data security, and the absence of a robust data privacy law and data-handling regulations, is putting citizens at risk.
In this instance, this reporter filed an RTI asking for proof that the victims of the 2017 stampede had received their compensation. The reporter did not ask for Aadhaar numbers or sensitive demographic information, but the Railways provided the details anyway.
"You tell me does anyone tell us where it [personal data] will go, what they will do [with it]?"
Only 20 Aadhaar numbers were provided, compared to previous leaks in which the sensitive information of millions of Indians has been exposed on government websites. But the information shared by the Railways is enough to break into the bank accounts of those affected by this breach.
"You tell me does anyone tell us where it [personal data] will go, what they will do [with it]?" said Pradnya Bagawe, who was hurt in the stampede, and is now nonplussed by the publication of her personal details in this manner. "Now, what do we have to do?"
The inability to conceptualise data-security is so wide-spread that even well-intentioned state functionaries appear unaware of how personal information, particularly Aadhaar numbers paired with phone numbers, can be misused.
"I would actually laud the public information officer who gave you that information. By that you can ensure that the data you have got is authentic," said former Central Information Commissioner Shailesh Gandhi in an interview over the telephone. "Aadhaar numbers by itself cannot be used to do anything."
HuffPost wrote to the current Chief Information Commissioner Radha Krishna Mathur for comment, and shall update the story once he responds.
Gandhi's confusion is understandable, given the mixed messages put out by the UIDAI.
The agency frequently issues warnings against sharing and publishing Aadhaar numbers.
Government agencies which collect Aadhaar from people should keep them confidential.— CEO UIDAI (@ceo_uidai) April 2, 2017
Do not share Aadhaar data publicly. Violation may attract penal action as per the Aadhaar Act, 2016. pic.twitter.com/yAEnmvIbzD— CEO UIDAI (@ceo_uidai) March 29, 2017
But when confronted by instances where government departments have published Aadhaar numbers, the UIDAI has back-pedalled on its assertions.
Further, one must understand that the Aadhaar number, though a personal sensitive information, is not a secret number. 6/8— Aadhaar (@UIDAI) March 24, 2018
Mere availability of Aadhaar number with a third person will not be a security threat to the Aadhaar holder or will not lead to financial/other fraud, as for any transaction, a successful authentication through fingerprint, Iris or OTP of the Aadhaar holder is required.7/8— Aadhaar (@UIDAI) March 24, 2018
In this instance, the Railways published phone numbers along with Aadhaar numbers – offering an easy way for hackers to bypass the OTP provision.
"Phishing attacks don't require biometric details. All your attacker needs is some of your personal demographic information," said Reetika Khera, an economics professor at IIT Delhi, who has written extensively on privacy and Aadhaar. "In this case they have provided everything, except for the date of birth. That creates a lot of potential for identity theft."
Transparency versus Privacy
The relentless integration of Aadhaar into the fabric of daily life in India has sharpened the need to balance the privacy of individual citizens with the need for transparency on the part of the government.
"The issue of giving away Aadhaar numbers becomes more complicated because Aadhaar numbers are linked to people's bank accounts, and to health services."
Activists have long relied on tools like the Right to Information to conduct social audits and evaluate the efficacy of schemes like the public distribution system, and the rural employment guarantee act.
Aadhaar-seeding has complicated these efforts.
"The Aadhaar number is not like a ration card number which is only linked to your ration under the Public Distribution System", said Anjali Bharadwaj, co-convener of the National Campaign for People's Right to Information. "The issue of giving away Aadhaar numbers becomes more complicated because Aadhaar numbers are linked to people's bank accounts, and to health services. There are issues of identity theft, as well as of people's privacy being compromised."
Days after HuffPost published this story, a spokesperson for the railways responded with the following statement, "It is clarified that in an RTI query, the applicant had sought the copies of cheques issued to the victims of EPR stampede as compensation alongwith the copies of acknowledgement receipt for the above mentioned cheques. However, as some of the kins/relatives of the victims had given their Adhaar Cards in the acknowledgement receipt paper, it was shared with the RTI applicant unintentionally. The concerned staff has been sensitized specifically to be careful in such cases in future."
This story was updated on April 6 2018 to include a response from the Indian railways.