Since many used the report of The Centre for Internet & Society (CIS) to allege a breach in the UIDAI’s Aadhaar database, it is important to keep CIS’s latest clarification in mind. CIS has said that while its report talked of various government portals revealing data of various beneficiaries—their names, bank accounts, Aadhaar numbers—this was misunderstood or misreported to mean a breach in UIDAI’s biometric database; it has not made any claim, CIS says, of the central repository being breached. That said, CIS sticks to its original point of the ‘illegal data disclosure’—as opposed to a data ‘leak’ or a ‘breach’—being a problem and making ‘no difference as far as potential for identity fraud or financial fraud is concerned’. CIS goes on to say that while some government portals have started masking some of the data like the Aadhaar number or the bank account details, this makes no material difference since, with the government agencies still collecting and storing the data, this can be accessed through cyber-attacks or through a leak from people who have access to the data. In the four government schemes that CIS has looked at, it said around 130-135 million Aadhaar numbers could have been disclosed through these sites along with around 100 million bank accounts—its report gives details of some of the individual schemes. A similar exercise of the pension accounts in Puducherry by FE, for instance, threw up Aadhaar numbers and bank accounts even though the names were blacked out—a Google search using the Aadhaar numbers, though, gave the names and addresses of some of these persons.
How the data, whether masked or not, can be used to commit identity or financial fraud, however, is not clear if the original UIDAI repository cannot be hacked. After all, if a financial transaction is to be carried out with the details obtained from, say, an MGNREGA website, it will still have to be authenticated through a biometric. While UIDAI must put an end to the issue of identity/financial fraud by inviting hackers like the Election Commission is doing with EVM machines, a privacy law would probably take care of issues of how much data government agencies should make public. It has to be kept in mind, though, that with so much theft in most government programmes, it is very important to have an independent audit mechanism. And that audit can only take place if details of beneficiaries, including the bank accounts to which the money was transferred, are maintained by various government departments and then shared with independent auditors—long before Aadhaar was conceived of, Aruna Roy began demanding making public the rosters of various works programmes run by the government, to ensure the wages were actually received by genuine beneficiaries.