Around 1 billion citizens registered with a twelve-digit number and recorded in a database with their biometric and personal information. India has scanned the iris and fingerprint of its citizens as part of the Aadhaar initiative, the largest biometric project on the planet, for identification purposes upon accessing social security and other services.

Since its inception in 2009, the Aadhaar program has assigned 1.13 billion numbers to both citizens and non-citizens working in the country. However, the program, which was not favorably viewed by the public, has proved to be unsafe.

A recent study published by the Center for Internet and Society of India, a non-profit organization that investigates digital technologies, notes that the personal data of between 130 and 135 million people, in addition to 100 million bank accounts, was leaked. Four databases of government projects, which stored ID numbers, personal information, and bank account information, were responsible for exposing this data.

An “Irreversible” Damage to Privacy

The massive theft of data of millions of Indians poses a serious threat: these numbers are increasingly used in banking or insurance, and there are still no adequate means of confirming identity with biometric data.

“All of these public disclosures are symptomatic of a significant and potentially irreversible privacy harm,” says the report, which also notes that they create “a ripe opportunity for financial fraud” as bank data was part of the leaked information.

The report from the Center for Information and Society has also been tough on the Unique Identification Authority of India (UIDAI). It accused the government entity of recommending to other databases that it store Aadhar information without ensuring security and privacy, as has been demonstrated by the leak of data from those four projects.

In the case of the National Social Assistance Programme portal, one of the databases cited in the study, the page allowed users to explore a list of pensioners, which included information such as their bank account numbers and their Aadhaar number. Although the details were hidden from public view, the study notes that it was easy to access the information without so much as a password, simply by modifying the parameters of the URL.

Following the publication of the study, the head of UIDAI has argued that this particular report “does not concern” the institution and has ensured that, although Aadhaar numbers are available, biometric information is in “safe custody”. Meanwhile, some experts point out that India needs a strong privacy law that responds to potential problems with Aadhaar data.

At the moment, what seems clear is that the demographic and biometric identification plan of India, the second most populous country in the world, is already proving to be problematic. So other nations must take good note of the rulings to avoid making it so easy to access the digitized personal information of their citizens before embarking on such an ambitious program.