Helpline Mishap: UIDAI Wrongly BlamedGoogle Says Its Error Led to UIDAI Helpline Being Automatically Loaded in Android OS
It appears some security experts were too quick to blame the Unique Identification Authority of India, which administers the Aadhaar program, when it was revealed that its helpline was being automatically added in the contact lists of mobile phones that run the Android operating system.
See Also: Why CASBs Matter to Cloud Security
As it turns out, Google acknowledged that its coding error led to a mishap. So UIDAI critics, who have been rightly criticizing the agency in the aftermath of many questions about Aadhaar security, were off base in taking swipes at the agency for this problem (see: Unusual Attempt to Prove Aadhaar Security Raises Questions)
Google said in a statement: "Our internal review has revealed that in 2014, the then UIDAI helpline number and the distress helpline number were inadvertently coded into the setup wizard of the Android release given to mobile manufacturers for use in India and has remained there since. Since the numbers get listed on a user's contact list, these get transferred accordingly to the contacts on any new device."
The Blame Game
Last week, a French security expert who goes under the pseudonym Elliot Alderson and describes himself as "worst nightmare" of the UIDAI tweeted: "Hi @UIDAI, Many people, with different provider, with and without an #Aadhaar card, with and without the mAadhaar app installed, noticed that your phone number is predefined in their contact list by default and so without their knowledge. Can you explain why?"
That led to others expressing concern about whether, in fact, UIDAI had made a misstep that could, perhaps, lead to privacy issues. Some tweets asserted that UIDAI was to blame for the problem. But those concerns appear to be off base, given Google's clarification of what actually happened.
After Google admitted that it inadvertently hard coded the helpline number, some security experts claimed that the tech giant had been directed by the government to take the blame. But why would a company of Google's stature take the blame for a government agency's misstep?
And is the helpline incident, in fact, potentially a privacy issue? After all, many helpline numbers come preloaded on phones. And the UIDAI number could easily be deleted if a phone user did not find having it useful or relevant.
In the wake of the helpline loading news, some security specialists and others have blamed the government for a lack of mobile security even though there has been no proof of any malicious app or illegal intrusion. Google insists that loading the number in no way compromised the security of the users.
Cause for Concern?
So is there really any cause for concern?
Certainly, many questions are raised by the news.
For example, why was Google involved in getting a phone number for UIDAI pre-loaded on phones? Why didn't the telecom authority step in to address the issue and determine whether loading the number was appropriate? Was this a move planted to move UIDAI into another controversy?
The Cellular Operators Association of India said that mobile operators can pre-install helpline numbers. But in this case, there apparently was no original equipment manufacturer that pre-installed the UIDAI number.
Instead, it appears that Google pre-installed the number in the Android operating system.
Clearly, it would be helpful for Google to come out with a detailed report stating how this pushing of UIDAI took place.
For now, Google is apologizing for the misstep.
"We are sorry for any concern that this might have caused, and would like to assure everyone that this is not a situation of an unauthorized access on their Android devices. Users can manually delete the number from their devices," Google said. "We will work toward fixing this in an upcoming release of SetUp wizard, which will be made available to OEMs over the next few weeks."
Because India will soon come out with its own data privacy and protection law, it would be better if the telecom authority was more transparent about pre-installing numbers. For example, it could make an announcement on its website on the numbers it plans to pre-install. This would not only meet the expectations of privacy advocates, but also provide a sense of transparency to consumers who have been disillusioned by the entire Aadhaar controversy.