Now That the Government Has Admitted to Security Issues with Aadhaar, People Need To Demand Better Security
The withdrawal of a press release warning people about the possible misuse of Aadhaar data, after it went viral on social media, has only added to public anxiety and confusion rather than clarified matters. Here’s what happened.
On 27th May, the regional office of the Unique Identification Authority of India (UIDAI) issued a release warning about “sharing photocopy of your Aadhaar with any organisations” since it could be ‘misused’. This was the first official warning directly from UIDAI, despite countless reports of Aadhaar-based frauds, and there was good reason for the panic that it triggered. Until now, the government has stoutly denied and ignored misuse and cloning of Aadhaar. (see link:
In September 2018, attorney general KK Venugopal famously told a five-judge Supreme Court bench that Aadhaar data “remains secure behind a complex that has 13-ft high and five feet thick walls.” A couple of months earlier, just before the apex court began its final hearings on Aadhaar, RS Sharma, chairman of Telecom Regulatory Authority of India (TRAI), shared his Aadhaar number on Twitter and challenged people to ‘harm him’ by accessing his personal data. Mr Sharma’s childish challenge was widely reported and, although all his personal data was bandied in public, he created a false sense of security among people about handing over photocopies of their Aadhaar card.
The government deliberately ignored lessons from the US Social Security Number (which does not capture biometrics) and allowed Aadhaar to be touted as the ultimate, infallible and primary identification card. From hotels to schools, hospitals, vaccination centres, crematoriums and even entry passes to gated communities, people were required to share their Aadhaar and most have complied without hesitation. In fact, providing an alternative ID was viewed with suspicion and derision.
By the time UIDAI issued its well-warranted warning last week, the abuse of Aadhaar was already widespread. Banks had long stopped opening accounts with only Aadhaar identification. The extent of fraud in the much-touted Jandhan accounts, opened only with Aadhaar plus mobile, remains a well-kept secret except for occasional warnings about their use as ‘money mules’ in speeches by Reserve Bank of India’s (RBI’s) top brass.
There were many problems with the UIDAI’s withdrawn warning too. It asked people to avoid using public computers at internet cafés/kiosks to download e-Aadhaar and, if they did use one, to ensure that copies of e-Aadhaar are permanently deleted from that computer. Secondly, it said, do not share Aadhaar with unlicensed private entities like hotels or cinemas. They are not permitted to collect or keep copies of the Aadhaar card and it is an offence under the Aadhaar Act 2016, said the release. If that weren’t enough, it asked people to verify whether private entities demanding to see Aadhaar proof had ‘valid user licences from UIDAI’ to do so.
Typical of the government’s online processes, it sought to burden ordinary people with impossible actions. For starters, the police require hotels to seek and store valid identification in response to terror issues around the world. Most people shared their Aadhaar and, since the availability and acceptance of Aadhaar with ‘masked’ numbers has hardly been publicised, very few people were aware of it. 
A report of the Centre for Internet Society has documented how as many as 130 million Aadhaar numbers have been leaked. It probably got UIDAI working harder at ways to hide the Aadhaar number by creating a virtual ID or permitting the download and submission of a masked Aadhaar number. But many people have reported on social media that masked Aadhaar numbers were rejected.
The expectation that ordinary people will demand, or be shown, ‘valid user licences’ at hospitals, crematoriums, schools and hotels, is absurd. As for public computers, tech-savvy folks at UIDAI perhaps believe that most people use them at fancy clubs and airport lounges. The reality of India is that a large number of people who need to upload Aadhaar and other proofs for a range of subsidies and benefits have no computers or the knowledge of how to upload, download, update or rectify forms required for a variety of services. They use third-party services, mainly roadside kiosks that were once cybercafés or passport assistance centres a decade ago.
In our neighbourhood in Mumbai, a run-down cybercafé is now buzzing with activity, since it offers every conceivable online service—passport applications, vaccination appointments, train bookings, Aadhaar updates, MSME registration and much more. Tech-challenged senior citizens and the poor end up getting affected. Do we seriously expect these people to ensure that internet cafés will erase their data or not sell it?
Without addressing any of these concerns, UIDAI merely advised people to ‘exercise normal prudence’ in sharing data and withdrew the earlier release “in view of the possibility of the misinterpretation.” Interestingly, it reiterates that the “Aadhaar Identity Authentication ecosystem has provided adequate features for protecting and safeguarding the identity and privacy of the Aadhaar holder.” Ask any banker or fin-tech company and they will admit that the industry is rampantly using illegal databases cobbled together with personal data scraped from government websites and social media. In February this year, a public furore over ghost loans by Dhani Loans and Services led to the revelation that shortcuts in identification while on-boarding people were an industry-wide issue. The cartoon below best represents what UIDAI has achieved with the warning and its withdrawal.
The government flip-flop on the misuse of Aadhaar also calls into question and dilutes the regular warnings by the police across India.
On 18th May, the Telangana police warned people ‘never’ to share Aadhaar details with anyone and to disable ‘your biometric link from your Aadhaar’. This is after a spate of Aadhaar-linked frauds where cloned biometrics have been used to access bank accounts of people.
The Delhi police has been issuing such warnings since 2018.
The most vulnerable are those dependent on banking correspondents (BC) armed with biometric Aadhaar-enabled payment systems (AePS). BCs have often been caught colluding with online criminals to share data and worse.
V Anand, a privacy researcher and author, recently tweeted “There is a market in Varanasi, where you get full replicas of fingers and prints encased in a Plaster of Paris covering so that it is all-weather proof. Adding FIR+FMR does not fix the clone market. But they have to do something. So just more pain for people.”
Gangs operating with stolen biometrics have also been reported from Haryana, Uttar Pradesh, Madhya Pradesh and Jharkhand.
The United Progressive Alliance (UPA) as well as the National Democratic Alliance (NDA) strongly backed Aadhaar on the premise that it gave the poor an identity and prevented large-scale leak of subsidies and social benefits. The government is silent on the large-scale diversion of subsidies actually enabled by online systems and fake identities. Worse, four years after the government declared that all beneficiary payments and direct benefit transfers in 120-odd schemes involving over Rs12,000 crore would happen online, our systems do not seem geared for it.
On 28th May, the Deccan Herald reported that “Thousands of bank transactions are bouncing due to issues related with Aadhaar,” depriving citizens, especially farmers, of cash benefits under various government schemes. Such issues impose a crippling burden on India’s poorest but are barely reported.
Although it must be admitted that the UIDAI and the e-payment industry are constantly at work to fix vulnerabilities, fraudsters are often a step ahead, especially since they work in collusion with people inside the system. Fin-tech companies also encourage shortcuts to cut costs.
In a series of tweets, V Anand, quoted above, has an interesting take on the problem. He says the root cause of the ‘various screw ups of UIDAI’ is that, at every stage, the decisions were driven by a need to keep costs low so that the card is universal. Addressing scams and frauds through smart cards, seeding verification, proper cryptography or consent were all avoided to save costs and make it universally easy to use. But, now, this makes everybody vulnerable. Multiple entities, both authorised and unauthorised, are easily accessing these by scanning QR codes on the Aadhaar card. Government agencies have repeatedly put out Aadhaar data on public websites allowing illegal databases to thrive and vitiating the checks & balances ordered by the Supreme Court judgement on Aadhaar. They simply don't work for ordinary people.
The solution was clearly not to ignore the problem by withdrawing a release. Hopefully, it will not be possible to put that genie back in the bottle and the episode will have alerted people to be more careful and question the government.
2 years ago
Good to see how it progresses and how govt plans to make it foolproof.