Shooting the messenger: UIDAI files FIR against reporter who exposed lax Aadhaar security

The Indian Express has reported that a Unique Identification Authority of India (UIDAI) deputy director has filed an FIR against Tribune reporter Rachna Khaira, who last week reported on the sale, for Rs 500, of administrator usernames and passwords to websites having full access to the Aadhaar database.

The UIDAI had responded to the Tribune report saying that there had been no data breach of Aadhaar, though buying access to a database with nearly full Aadhaar holders’ details is arguably as bad.

And one does wonder how long (or if) the alleged sale of Aadhaar information would have stayed hidden, if the Tribune had not reported on it.

The Express reported that the FIR - under IPC Sections 419 (punishment for cheating by impersonation), 420 (cheating), 468 (forgery) and 471 (using as genuine a forged document), as well as Section 66 of the IT Act and Section 36/37 of the Aadhaar Act - was also filed against other persons who were named in the Tribune report as involved in allegedly selling Aadhaar detail access.

The security hole, as pointed out by The Quint, appears to have been caused by allowing anyone with an administrator account on a Rajasthan government website that had full Aadhaar database access to create further administrator accounts in turn, allegedly resulting in a booming trade in backdoor Aadhaar access to service providers that offered the printing of Aadhaar cards for holders.

Whether that hole has been plugged or even acknowledged is not clear, and shooting the messenger with an FIR seems like a recipe not for making Aadhaar more secure but for continuing to encourage security by obscurity, which, for a project of this size, can only be a terrible idea.
