On a public website meant to help students learn about opportunities for scholarships in government schools in Andhra Pradesh, anyone can access a dashboard showing the complete list of students belonging to scheduled castes, along with their Aadhaar numbers.
The UIDAI has made it clear that Aadhaar numbers should not be shared publicly, and only used for official purposes. Most recently, after the Department of Posts told people to paste an Aadhaar copy on top of international parcels, it quickly changed its stance to say the Aadhaar document is for office use only.
But even beyond that, the use of Aadhaar to identify students is a concern because as a unique identifier, it can be used to connect data from different dashboards like these, and build a surveillance profile of people. The upcoming Supreme Court verdict on Aadhaar could bring some relief, although it's too early to say now.
Using the dashboard, HuffPost India found the Aadhaar numbers of literally thousands of students. Using the UIDAI's website, HuffPost India was able to verify that these are genuine Aadhaar numbers, which are registered in Andhra Pradesh and belong to people of the right age.
This is a serious concern, and not the first time that Andhra Pradesh has made the location and identity of people public in this fashion. In April, HuffPost India reported on a website that allowed anyone to geolocate people in Andhra Pradesh by caste and religion.
"Creating public, searchable, digital profiles of minorities makes them potential targets of attack," said Kavita Srivastava, who has investigated scores of communal riots as National Secretary of the People's Union for Civil Liberties.
HuffPost India has written to the government body behind the website but has received no response so far, and the site remains accessible at the time of publishing.
DATABASES ARE RARELY SECURED
This is the latest in a long line of breaches that have been discovered by security researchers. As has been pointed out in the past, there is no security governing access to this sensitive data, and finding it did not involve attacking the cyber resources of the state; this data is simply there for anyone to discover. HuffPost India wrote to the helpline for the site and for the agency that designed and deployed the site as well, and received no response.
This is very similar to an earlier breach where the Aadhaar numbers and other personal details of farmers receiving subsidies from the government were made public, and could be located through a simple Google search.
According to security researchers, the government actively discourages researchers from examining the security of its digital assets. This happens even though the officials themselves know that there are security lacunae which will take time to address.
Although the AP government is working to patch leaks and improve security, officials themselves agree that this is not going to happen overnight. "You have to understand that not every department has the same training when it comes to security, and a lot of the work we have to do is just basic hygiene," explained V Premchand, managing director of Andhra Pradesh Technology Services, which is in charge of the state's digital security setup.
"There is no cohesive single network for us to secure," he explained. "Some are on-premises, some are using Azure or AWS, there is a lot to be done, and we are steadily working towards it."
In the interim, there have been a huge number of leaks where the private data of citizens has gone public. For instance, one publicly available database tracked all the medicines people buy, such as generic Viagra, along with their phone numbers, and another tracked pregnant women in ambulances in real time.
With Andhra's focus on "real-time governance", such privacy breaches are only likely to become more common, and a lax understanding of security is only making matters worse.