Indian government, faced with massive data breach, targets journalists

Kushal Das

Software Engineer, SecureDrop

Camille Fassett

Reporter

Instead of rushing to fix the problem that has exposed the private information of over a billion Indians, it is criminally investigating the journalists who exposed it.
Leszek Leszczynski

In the course of an extremely disturbing data breach, the Indian government has potentially violated the privacy of over one billion of its citizens. Now, instead of rushing to fix the problem that has exposed the private information of over 90% of Indians, it is criminally investigating the journalists who brought it to the public’s attention.

A branch of the Indian government filed a police complaint last week launching an investigation into journalist Rachna Khaira and the Tribune of India, after the publication released a report describing what looks to be a massive vulnerability in a government database that is being exploited by an unknown group to sell highly sensitive and private data about Indian citizens.

Khaira wrote an article on January 4 detailing how reporters were able to easily purchase access to the personal information of over one billion Indian citizens from the national identity database—for the price of approximately $8 USD. She bought the access from an unknown seller, and settled the small fee via digital payment. The Unique Identification Authority of India (UIDAI), which manages the database, initially denied the breach of the system before filing a complaint against the journalist and her publication and accusing them of criminal conspiracy.  

The Aadhaar database is the largest of its kind in the world, and contains both biometric data like fingerprints and personal details like addresses and phone numbers, that, when combined, build unique and detailed profiles of its citizens. Participation in the database is required to access basic services like filing tax returns, and this normalization of government collection and retention of such intimidate data raises serious civil liberties and privacy concerns.

The Tribune reported that this isn’t the first time the database has been breached, and that the UIDAI is aware of past unauthorized attempts to access the database. Many Indian privacy advocates have long been warning that exactly this type of worst case scenario would occur.

At a minimum, the size and sensitivity of this system should make its security a paramount priority for UIDAI, since this concentration of identifying information makes it extremely susceptible to exploitation. So far, the agency hasn’t addressed the vulnerability or closed the loopholes in the system discovered by security researchers and journalists, but rather attacked the press for doing its job.   

The police complaint, called a First Information Report, has been widely condemned by human rights and press freedom organizations, including the Editors Guild of India and Amnesty International. Edward Snowden, Freedom of the Press Foundation’s board president, wrote on Twitter this week:

“The journalists exposing the #Aadhaar breach deserve an award, not an investigation. If the government were truly concerned for justice, they would be reforming the policies that destroyed the privacy of a billion Indians. Want to arrest those responsible? They are called @UIDAI.”

After an outpour of public criticism to its response to the breach, UIDAI tweeted on January 8 claiming to defend journalism. “UIDAI is committed to the freedom of Press. We're going to write to @thetribunechd & @rachnakhaira to give all assistance to investigate to nab the real culprits. We also appreciate if Tribune & its journalist have any constructive suggestion to offer.”

Despite this statement, UIDAI continues to investigate Khaira and the Tribune under the Aadhaar Act.

The targeting of Khaira and the Tribune by UIDAI is just the latest example of attempts to curb press freedom and stifle investigative journalism in India. Last year, the UIDAI filed an FIR against a CNN-News 18 journalist for a report on how it was possible to obtain two separate Aadhaar enrollment numbers. Courts allow public figures to bring spurious defamation lawsuits against publications such as The Wire that are meant to stifle critical reporting. The Indian government regularly uses a draconian sedition law to censor the press, particularly when it investigates state corruption.

India ranked 136th in the World Press Freedom Index in 2017, a decline from 2016. According to the Committee to Protect Journalists, at least 75 journalists were killed in India between 1992 and 2018. Veteran journalist Gauri Lankesh, who was known for her critical reporting on inequality and racial discrimination, was recently murdered in front of her house.

The Indian government has a responsibility to vigorously defend the press in both words and actions. As long as it targets journalists and newspapers for reporting information vital to the public interest rather than acting to protect the privacy of its citizens, the UIDAI cannot seriously claim to defend democracy and the free press.


Read more about Security

First major study looks at how SecureDrop is used in newsrooms in North America

Today the Tow Center for Digital Journalism at Columbia Journalism School has published a first-of-its-kind study on how newsrooms are using SecureDrop, our open-source whistleblower submission system that is now ...

Publishing the unredacted SecureDrop 0.3.4 audit report

In July, we announced the release of SecureDrop 0.3.4 and published the accompanying security audit by iSEC partners (now NCC Group). The audit found 10 issues, one of ...

US officials have no problem leaking classified information about surveillance—as long as it fits their narrative

In the past few days there have been a flurry of stories about the Russian plane that crashed in the Sinai peninsula, which investigators reportedly think may have been caused ...