“Government is fully committed to freedom of the press as well as maintaining security and sanctity of Aadhaar for India’s development. FIR is against unknown…”, tweeted Union Electronics & Information Technology Minister Ravi Shankar Prasad after concerns were raised over an FIR that was reportedly filed against The Tribune and its reporter Rachna Khaira over a story regarding breach of Aadhaar data.
Govt. is fully committed to freedom of Press as well as to maintaining security & sanctity of #Aadhaar for India’s development. FIR is against unknown. I’ve suggested @UIDAI to request Tribune & it’s journalist to give all assistance to police in investigating real offenders.
— Ravi Shankar Prasad (@rsprasad) January 8, 2018
On January 4, 2018, The Tribune published an article which detailed how access to the Aadhar database of over 1 billion citizens was available for a small fee through a network of sellers operating on the messaging service WhatsApp. For a paltry sum of Rs.500, the details of any citizen such as DoB, phone number, address, email etc. could be accessed simply by entering the Aadhaar number. The report was explosive as it questioned the robustness of the data security system that the UIDAI has been insisting is impregnable.
#TRIBUNEINVESTIGATION — #SECURITYBREACH | by @RachnaKhaira
Rs 500, 10 minutes, and you have access to billion #Aadhaar details | Group tapping @UIDAI data may have sold access to 1 lakh service providershttps://t.co/3vlJhbP94t #AadhaarData pic.twitter.com/CvF6F6Y1Ap— The Tribune (@thetribunechd) January 3, 2018
According to the report, for another Rs.300, the ‘agent’ provided ‘software’ that would facilitate the printing of the Aadhaar card. The article written by Rachna Khaira working with the Chandigarh-based daily was shared widely on the internet. The UIDAI’s first response was a denial. It rubbished the report, calling it a case of misreporting and insisting that no biometric data had been compromised.
Tribune’s Story “Rs 500, 10 minutes, and you have access to billion Aadhaar details” is a case of misreporting. No biometric data breach @thetribunechd@rsprasad@ceo_uidai@timesofindia@firstpost@IndiaToday@ZeeNews
— Aadhaar (@UIDAI) January 4, 2018
While UIDAI insisted that there had been no breach of the biometric data, it did acknowledge that the grievance redressal search facility to which certain designated personnel have access could have been misused, and that the misuse could be traced.
Some persons have misused demographic search facility, given to designated officials to help residents who have lost Aadhaar/Enrollment slip to retrieve their details @thetribunechd @rsprasad @ceo_uidai @timesofindia @firstpost @IndiaToday @ZeeNews @htTweets @TheQuint
— Aadhaar (@UIDAI) January 4, 2018
Soon after, the BJP’s official twitter handle tweeted that The Tribune’s report of the breach of Aadhaar data was fake.
Tribune’s report suggesting the data breach at @UIDAI is fake news! pic.twitter.com/qtOzNIq7zH
— BJP (@BJP4India) January 4, 2018
In response, The Tribune published another article which countered the claims of the UIDAI. It stood by the report on the data leak, saying that the UIDAI had indeed admitted to a data breach and that the UIDAI’s assertion that claims of bypassing the system were unfounded flew in the face of facts.
UIDAI’s defense did not limit itself to a denial. Instead, an official of the statutory authority filed a police complaint which reportedly mentioned The Tribune and Rachna Khaira as the accused, along with three other people who had been contacted by Khaira for the story. Faced with criticism over its move to file the complaint against The Tribune and Rachna Khaira for reporting about the data breach, the UIDAI issued a statement in which it said that the complaint was lodged against the organisation and the journalist as it was ‘duty bound to disclose all the details of the case’ and ‘name everyone who is an active participant in the chain of the events leading to the commission of the crime, regardless whether the person is a journalist or anyone else…’
Pls see our statement in the @thetribunechd story case @htTweets @timesofindia @FinancialXpress @DeccanChronicle @EconomicTimes @CNBCTV18News @ndtv @abpnewstv @aajtak @TimesNow @IndianExpress pic.twitter.com/Nj25guIiyp
— Aadhaar (@UIDAI) January 7, 2018
The explanation given by UIDAI does not seem to be in sync with the assertion of Ravi Shankar Prasad. While the latter said the FIR was filed against unknown persons, UIDAI acknowledged that the complaint it filed did contain the names of the journalist and the organisation. So what is the truth of the matter? Alt News decided to dig deeper and find out.
Above is a copy of the FIR accessed by Alt News. As can be seen from point number 7 on page 1 of the FIR, it is indeed filed against ‘unknown’ persons. However, on page 2 of the FIR under the title ‘FIR contents’, it can be seen that the complaint is filed by the UIDAI and it clearly mentions that The Tribune and Rachna Khaira as having violated provisions of the Aadhaar Act, IPC and the Information Technology Act, 2000. As highlighted above, the text of the FIR contents reads, “The above mentioned persons have unauthorisedly accessed the Aadhaar ecosystem in connivance of the criminal conspiracy. The above act of the aforesaid involved persons namely Anil Kumar, Sunil Kumar, Raj, Rachna Khaira, The Tribune and other unknown persons is violation of Sections 36 and 37 of the Aadhaar Act, 2016 Section 419,420,468 and 471 of IPC 1860 and Section 66 IT Act, 2000”
So, while Ravi Shankar Prasad is technically on sound footing when he claims that the FIR has been filed against unknown persons, the police complaint that has been filed by the UIDAI which falls under his ministry has unambiguously named The Tribune and Khaira. On the other hand, the UIDAI’s explanation that the complaint against The Tribune and Khaira was part of the essential procedure for investigation is facing scrutiny. Alt News spoke to Raman Jit Singh Chima, legal expert based in New Delhi who said, “The language of the FIR seems to very specifically name the reporter and the organisation in a manner to treat them as an accused rather than a witness. This is not abstract language but is clearly communicated to the police to say that they are part of a conspiracy, whereas in most of the circumstances when the press reports something, they may be compelled to be a witness but they are not named in the FIR process in a way in which they are the actual accused party. That is the general practice”.
The Aadhaar project has been at the centre of controversy since its inception. While its proponents laud its objectives of ushering transparency, reducing corruption and ghost accounts and ensuring targeted delivery of services, its critics have raised alarm over the security of the data and the potential for its misuse. In recent times, there have been cases of citizens’ data being made public. While UIDAI insists that the biometric data is secure, it is worth asking whether only the security of the biometric data matters and not other personal information that is part of the UIDAI database. Moreover, the agency’s self-contradictory claims and its move to lodge an FIR against The Tribune for reporting on the data breach does precious little to instill confidence among those who have been sceptical of the project and its implications.
Independent journalism that speaks truth to power and is free of corporate and political control is possible only when people start contributing towards the same. Please consider donating towards this endeavour to fight fake news and misinformation.
