Problems with Aadhaar, the 12-digit unique identification number for all residents in India linked with their biometric details, have been highlighted by members of civil society ever since the scheme began to be discussed more than 15 years ago. But over the past few weeks, even government bodies seem to be waking up to the problems.
Several government bodies, including the Unique Identification Authority of India that regulates Aadhaar, the Comptroller and Auditor General of India and several state police forces, have flagged concerns about security flaws in the ecosystem.
At the same time, there has been an increase in Aadhaar-based frauds – from fake Aadhaar cards being manufactured to identity and monetary theft. Recently there has been a spate of reports of money being stolen using Aadhaar-enabled payment systems.
Still, that has not stopped the use of Aadhaar, with governments constantly increasing the scope of its use.
Acknowledging fault with Aadhaar
On May 27, the Unique Identification Authority of India issued a press release where it cautioned users against sharing their Aadhaar details. The release asked people to not share photocopies of Aadhaar with “any organisation” as it “can be misused”. Instead, it instructed people to share a masked version, which only displays the last four digits of Aadhaar.
The release also said that only organisations that have obtained a “user license” from UIDAI can use Aadhaar for identity verification. “Unlicensed private entities” such as “hotels or film halls” cannot collect or keep copies of Aadhaar.
“If a private entity demands to see your Aadhaar card, or seeks a photocopy of your Aadhaar card, please verify that they have valid User License from the UIDAI,” the notification read. In 2016 too, UIDAI had said something similar: users should not share their Aadhaar numbers or copies of their cards with anyone.
The UIDAI’s press release created outrage and confusion, given that sharing copies of Aadhaar is, by now, a common practice in India. Presently, for services such as hotel check-ins or SIM card purchases, most places insist on producing copies of Aadhaar cards.
Within two days, on May 29, however, the press release was retracted “in view of the possibility of the misinterpretation”. It asked Aadhaar card holders to exercise “normal prudence” in using and sharing their Aadhaar numbers and highlighted that the Aadhaar ecosystem has adequate safeguards for protecting people’s identity and privacy.
Even while the press release stands withdrawn, experts have pointed out that the concerns raised in it were legitimate. Sharing Aadhaar details with someone makes the holder vulnerable to identity theft, such as loans and land transfers made in their name without their consent.
This is not the first time the UIDAI has itself warned of security flaws in Aadhaar. In 2018, RS Sharma, former director general of the UIDAI, shared his Aadhaar number on Twitter, challenging people to show “one concrete example where you can do any harm to me!” Within hours, Twitter users managed to dig out his personal address, phone number, PAN number and other personal information.
Three days after Sharma’s challenge, the UIDAI asked users to not share their Aadhaar numbers publicly.
Warnings have come from other places as well. In May, the Telangana Police tweeted asking users to disable their biometric link from Aadhaar if they have lost money from Aadhaar-enabled payment systems. Last year, the home ministry and several police departments also warned users about Aadhaar-enabled payment systems fraud.
CAG report
Another significant development occurred in April, when the Comptroller and Auditor General of India, which audits the government’s receipts and expenditures, released a scathing report highlighting fundamental problems with Aadhaar.
Having unique IDs and removing duplication was cited as the biggest feature of Aadhaar. However, the report noted that till November 2019, the UIDAI had to cancel more than 4.75 lakh Aadhaar numbers citing duplication.
It also noted faults with recording biometrics – such as fingerprints and iris scans – for Aadhaar. The report said there were instances of Aadhaar numbers issued to different residents but backed by the same biometric data. Further, it noted that there was a huge volume of voluntary updates to biometric data, which “indicated that the quality of data captured to issue initial Aadhaar was not good enough to establish uniqueness of identity”.
The UIDAI did not carry out audits of a large percentage of its authentication ecosystem partners, the report said. “Moreover, UIDAI had not ensured that the client applications used by its authentication ecosystem partners were not capable of storing the personal information of the residents,” it stated, “which put the privacy of residents at risk. The Authority had not ensured security and safety of data in Aadhaar vaults. They had not independently conducted any verification of compliance to the process involved.”
Usha Ramanathan, a lawyer and leading Aadhaar researcher, described the report as “somewhat of a landmark”. “The report is a scathing indictment of the way the project is run, and it confirms the apprehensions that were taken to court,” she wrote.
Reetika Khera and Ria Singh Sawhney, members of the Rethink Aadhaar campaign, wrote, “In many ways, the CAG’s report on UIDAI does not tell us anything we did not know. Yet the CAG report is important because it is a constitutional body calling the Aadhaar bluff...”.
Rising problems
Acknowledgment of these problems is important since experts claim Aadhaar-related frauds are also increasing.
“There is an increase in Aadhaar based frauds,” Srinivas Kodali, a researcher with the Free Software Movement of India, said. “Earlier Aadhaar was mainly used for data and identity theft. However, increasingly it is being used for monetary theft as well and regulators are not doing anything.”
The Aadhaar-enabled payment system allows users who have linked Aadhaar to bank accounts to withdraw money using their biometrics. This system has been used to steal money from people’s accounts. Fraudsters only need the name of the bank, the user’s Aadhaar number and their fingerprint to withdraw money.
Police forces in several states, including Madhya Pradesh, Haryana and Uttar Pradesh, have made arrests in cases where money was stolen through the Aadhaar-enabled payment system using Aadhaar details and cloned fingerprints. In some instances, the fingerprints were cloned from publicly available documents, such as land sale deeds.
Apart from this, there are examples of agents handling Aadhaar-based authentication stealing money. In December 2021 in Bihar, biometric verification against the Aadhaar database was used for voter verification for panchayat elections. Several voters found that money was stolen from their accounts within hours of them casting their votes. Officials involved in verification used their own devices to secretly take fingerprints of voters and used them to withdraw money, the Hindustan Times reported.
There are also reports of physical theft from Aadhaar data centres. In September 2021, “several hard disks, memory cards, servers and other devices” were stolen from an Aadhaar data centre in Karnataka. A complaint was filed by the supplier of these devices. However, the UIDAI denied the theft.
Despite these concerns around Aadhaar, the government has not taken steps to reduce the use of Aadhaar. Rather, its scope is increasing. In December, the Central government allowed the linking of voter ID and Aadhaar databases and the use of Aadhaar numbers for voter identification purposes. The government is also creating a central database of farmers and digital land records, referred to as AgriStack. The data here will be linked to Aadhaar.
These measures have also been opposed for their lack of privacy safeguards and because they could potentially exclude residents eligible for benefits.