Citizens, residents, and visiting workers in India are required to submit all ten of their fingerprints and an iris scan to participate in the country's controversial unique identifying number program. The man behind that program, Nandan Nilekani, for some reason tweeted a photo of his ID card with the numbers blacked out, but he didn't redact the QR code.
Nilekani spearheaded the program known as Aadhaar when he served as the head of the Unique Identification Authority of India (UIDAI) from 2009 to 2014. As of April of last year, 1.14 billion people, or around 87 per cent of India's population, had been issued a number. In addition to biometric data, India's unprecedented database contains demographic information, home addresses, and much more. In 2016, World Bank Chief Economist Paul Romer called Aadhaar "the most sophisticated ID programme in the world." Having an Aadhaar number is required to participate in any of India's numerous social safety net programs, as well as to receive employee compensation, file your taxes, set up a bank account, get insurance, purchase a home - the list goes on and on. You have to have an Aadhaar number.
Nandan Nilekani has defended the program against security experts and privacy advocates from the beginning of its rollout, and in what must have been a moment of hubris, he tweeted a photo of his own Aadhaar ID on April 12, 2014, with the first eight digits of the 12-digit identification number obscured. But he bafflingly elected not to obscure the QR code on the right-hand side of the card. Scanning that code gives anyone access to his number and demographic information. And despite being told by others to delete the tweet, Nilekani reportedly waited until September of 2016 to remove it. Buzzfeed News reports:
And as with just about anything that's publicly tweeted, Nilekani's private information remains online. Members of an internet forum popular with computer programmers scanned his QR code and posted his demographic details and Aadhaar number, and this data eventually ended up on at least half a dozen other webpages that BuzzFeed News reviewed. Images of Nilekani's tweet with his Aadhaar card exist on at least one popular website...
"I guess Nandan didn't realise what he had done at first," said Prasanto K Roy, a former technology journalist who was one of the people who alerted Nilekani. "And I don't think he paid much attention to it even when it was flagged, probably thinking that it wasn't a big deal since, as a well-known person and the head of the Aadhaar program, most of his demographic details were publicly available anyway. I think he must have realised the seriousness of it later - that his tweet might suggest to others that it was OK to post a picture of your Aadhaar card simply by redacting the Aadhaar number itself."
September of 2016 is actually when it became illegal to publish Aadhaar numbers in public. So, it's more likely that Nilekani was just complying with the new law.
It would be difficult, though not impossible, to impersonate someone with their Aadhaar number. There are three verification options to match with the number: a fingerprint or iris, a code sent to a linked cell phone, or a linked piece of demographic information such as a birthday. And of course, hackers can do a lot with just a few bits of info about a person. Nilekani may feel that he's invulnerable to someone using his data to commit fraud, but less powerful residents have more to worry about.
Despite authorities continued insistence that people have nothing to worry about, recently we've seen reported breaches that exposed 130 million people. In one instance, access to India's full database was sold for just $US8 ($10). In November, more than 200 government websites accidentally exposed the personal information of an undisclosed number of Aadhaar users.
Even beyond the security risks, the system seems to be a bureaucratic disaster. The EFF has detailed the absurd and confusing legal limbo that has plagued the program. In August, India's Supreme Court issued a long-delayed ruling that confirmed citizens' right to privacy and appeared to strike down the government's ability to make Aadhaar compulsory. But observers fear that the system is already too ingrained in society for that ruling to have much of an effect on business owners and other institutions still demanding the identification. All the while, implementation of the program is filled with screw-ups like the case of 65-year-old Sajidha Begum, a woman with leprosy who was denied her pension because she didn't have an Aadhaar number due to her lack of fingers.
Though he's no longer part of the UIDAI, Nilekani continues to defend the program he started. On Wednesday, he told reporters in India that there was "an orchestrated campaign to" malign Aadhaar in public. For critics, the system's vulnerabilities speak for themselves.