MongoDB Startup Hired by Aadhaar Got Funds from CIA VC Arm

MongoDB Startup Hired by Aadhaar Got Funds from CIA VC Arm is an investigation published in The Economic Times on 3 December 2013, written by Lison Joseph. The article disclosed that MongoDB, a database management company contracted by the Unique Identification Authority of India (UIDAI) for Aadhaar implementation, had received funding from In-Q-Tel, the Central Intelligence Agency’s venture capital arm. The piece features security analysis from Sunil Abraham regarding potential vulnerabilities in centralised identity systems and the implications of foreign intelligence agency connections to critical national infrastructure.


Article Details

Published in: The Economic Times
Author: Lison Joseph
Date: 3 December 2013
Type: News Report

Full Text

Synopsis
MongoDB is expected to help in capturing & analysing data related to the ambitious plan to issue a UID—Aadhaar—to over a billion citizens.

BANGALORE: Two weeks ago, Max Schireson, chief executive of MongoDB, a New York-based technology startup, was in New Delhi to sew up a very important contract for his company — with the Unique Identification Authority of India (UIDAI).

The contract is yet to be announced but what could raise eyebrows is the fact that MongoDB is part-funded by the US' Central Intelligence Agency.

The company is expected to help in capturing and analysing data related to the ambitious plan to issue a unique identity number — Aadhaar — to over a billion citizens.

MongoDB, which makes software that helps manage large databases, especially unstructured data, has raised $231 million (Rs1,400 crore) since being founded in 2007. Some of its funding is from In-Q-Tel, the not-for-profit venture capital arm of CIA.

While MongoDB lists In-Q-Tel as one of its investors on its website, the company has not disclosed the quantum of funding received from it. The fund's stated mission is to identify, adapt and deliver innovative technology solutions to support the missions of CIA and the broader US intelligence community.

Besides CIA, In-Q-Tel works with National Geospatial-Intelligence Agency, Defense Intelligence Agency and Department of Homeland Security Science and Technology Directorate.

"Once an investment is made, IQT (the fund) works with the company and the intelligence community partner agency to complete a work program and facilitate solution delivery," the fund's website said. The quote describes IQT's relationship with any company in which it invests and is not specific to MongoDB.

Neither UIDAI nor MongoDB responded to queries from ET on whether the CIA link was considered before entering into a partnership. UIDAI Chairman Nandan Nilekani did not respond to emails, messages and phone calls.

A senior UIDAI official confirmed the agency has entered into an agreement with MongoDB and that the company's database software is already being used for analysing the pace at which registration of new beneficiaries is taking place.

It is not clear if MongoDB's vendor relationship would be with UID directly or with one of the system integrators that UID works with. Schireson, the CEO, was also one of the national co-chairs for Technology for Obama, an interest group that campaigned for the reelection of President Barack Obama after his first term.

There is no evidence in the public domain that the firm is controlled or significantly influenced by the CIA in any manner.

But the revelations of Edward Snowden, a former NSA contractor-turned-whistleblower, that US intelligence agencies routinely intercepted communication in Europe and Asia, including in India, have raised concerns. Experts said the UID's centralised design could pose a risk, where even a single mistake can make the whole system disproportionately vulnerable.

"The risk exposure because of CIA involvement (could be that) if MongoDB is a data controller, then secret courts and secret court orders could be used to get access to the UID data," said Sunil Abraham, executive director at the Centre for Internet and Society.

He added that even if UIDAI is only using the source code without getting into a commercial relationship with MongoDB, they should audit the source code to check if CIA has introduced any back doors. "This is because Snowden has told us that the army of mathematicians working for the US government has compromised some standards even though they were developed in an open, participatory and transparent fashion."

MongoDB, whose name is a play on the word humongous, competes with Oracle, IBM and Microsoft. It has around 320 employees and some 600 customers. At its latest round of $150 million in fund-raising in October, the company was valued at about $1.2 billion, according to Bloomberg. Other investors include Intel Capital, Salesforce.com, Red Hat and Sequoia.


Context and Background

This 2013 investigation emerged during heightened global anxiety about surveillance following Edward Snowden’s revelations about NSA mass data collection programmes. The disclosure that MongoDB—a company handling data infrastructure for India’s billion-person biometric identity scheme—had received investment from In-Q-Tel, the CIA’s venture capital arm, raised fundamental questions about technology sovereignty and the security architecture of critical national systems.

In-Q-Tel’s operational model involved not merely passive investment but active engagement with portfolio companies to adapt technologies for intelligence community requirements. The fund’s stated mission of facilitating “solution delivery” to CIA and partner agencies meant its relationship with companies extended beyond typical venture capital dynamics. Whilst the article noted no public evidence of CIA control over MongoDB, the Snowden disclosures had revealed that US intelligence agencies had systematically compromised encryption standards and inserted backdoors into commercial products—often without the knowledge of the companies themselves.

Sunil Abraham’s analysis identified two distinct threat vectors. First, if MongoDB operated as a data controller rather than merely providing software, US legal frameworks including the FISA Amendments Act could compel the company to provide intelligence agencies with access to Indian citizens’ biometric and demographic data through secret court orders, with no possibility of public disclosure or legal challenge. Second, even if UIDAI was only deploying MongoDB’s source code locally, the possibility of deliberately inserted vulnerabilities required rigorous independent auditing—particularly given Snowden’s documentation of how NIST cryptographic standards had been weakened through covert NSA influence.

The timing was particularly significant. UIDAI was constructing what would become the world’s largest biometric database, collecting fingerprints, iris scans, and demographic information from over a billion people. The system’s centralised architecture—criticised by security experts as creating a single point of catastrophic failure—meant that any compromise could expose unprecedented quantities of sensitive personal data. Unlike decentralised identity systems where breaches affected limited populations, Aadhaar’s design magnified the consequences of security failures.

UIDAI’s lack of response to queries about whether the In-Q-Tel connection had been evaluated during vendor selection suggested either that due diligence had been inadequate or that officials considered the relationship immaterial. The silence from Chairman Nandan Nilekani, despite multiple contact attempts, left unclear whether the authority had conducted security assessments of MongoDB’s investor relationships or implemented additional safeguards given the foreign intelligence connection.

The article highlighted broader tensions in India’s technology procurement for sensitive national projects. Whilst the country lacked indigenous capacity in certain advanced database technologies, reliance on foreign vendors—particularly those with documented ties to intelligence agencies—created dependency vulnerabilities. The absence of mandatory source code audits, security certifications specific to intelligence agency relationships, or requirements for data localisation meant that systems handling sensitive citizen information operated without the protective frameworks that geopolitical realities arguably demanded.

This page was created on 15 December 2025.