Police suspect user agency insiders responsible for Aadhaar data leak
Indian police and Aadhaar officials suspect that insiders at an authentication user agency (AUA) and a KYC user agency (KUA) are responsible for last week’s Aadhaar data leak, according to sources cited in a report by Deccan Herald.
On July 29, the case was transferred from High Grounds police station to the cyber crime police station.
The leak was discovered when an app offered e-KYC (know your customer) certificates, allegedly by accessing an Aadhaar database without authorization.
The Unique Identification Authority of India (UIDAI) filed a complaint against two of its own authentication service agencies (ASUs), as well as the developer of the app, Qarth Technologies.
Although the complaint alleges that an authentication user agency (AUA) and a KYC user agency (KUA) were behind the data leak, it does not refer to the agencies by name.
The UIDAI said it had issued detailed instructions addressed to all such agencies to ensure the security of the authentication process.
The agencies were tasked with maintaining the confidentiality of Aadhaar information, according to an official source.
The UIDAI framework mandates that an AUA/KUA may be a government, public, or private legal agency registered in India.
According to the Aadhaar Act of 2016, a registered authentication agency cannot allow another entity to perform authentication.
Agencies are not allowed to share a licence key, nor are they allowed to forward authentication requests, as doing so would require the use of personal identity data captured by an unaudited application.
“Even for a sub-AUA, separate licence key is used,” a source said.
The complaint registered at the High Grounds police station names mobile app developer Abhinav Srivastava as the prime entity accused, followed by an AUA and a KUA.
Since no sharing of information is allowed without the use of the licence key, the investigation would involve determining which insider leaked the information.
“It looks like some agencies have shared information illegally in connivance with Abhinav Srivastava,” a police source said.
There are approximately 400 AUAs and KUAs in operation across India. An AUA provides Aadhaar-enabled services to Aadhaar holders, using authentication as facilitated by an Authentication Service Agency (ASA).
Last week, India’s Supreme Court heard several petitions challenging the legality of the Aadhaar project in order to determine whether citizens are entitled to privacy as a fundamental right.