Identity Project

Security of Aadhaar's data is under question, but pointing to the gaps could lead to a police case

The official UIDAI has filed a criminal complaint against a writer-entrepreneur for an article demonstrating how stored biometric data could be misused.

In the past week, reports of two criminal complaints related to the security of the Aadhaar database – a centralised database of biometric scans of over 100 crore Indians – have raised concerns about a bigger data breach.

On February 24, the Times of India reported that the Unique Identification Authority of India – which issues the 12-digit Aadhaar numbers that ensure targeted delivery of subsidies, benefits and services – had on February 15 lodged a complaint with the Delhi Police Cyber Cell against Axis Bank Limited, its business correspondent Suvidha Infoserve, and eSign provider eMudhra for illegally storing biometric data and performing unauthorised Aadhaar authentication.

The Authority alleged that the firms performed multiple transactions using replay of stored biometrics – for instance, one individual supposedly performed 397 biometric transactions between July 14, 2016 and February 19 this year. It described this as a violation of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016, as the law does not allow the storage of biometric data.

Announcing additional safety measures, Authority officials stated that on February 22 they had submitted a proposal to the IT Ministry under which, between now and May, all biometric devices would be registered with it and an Aadhaar encryption key would be introduced in their hardware to ensure that the data received was “captured live”.
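The replay problem described above, and the defence of binding each capture to a registered device, can be illustrated with a small challenge-response check. This is an added, constructed example, not UIDAI's protocol or code: the device registry, keys, message fields and time window are all assumptions, and the "fingerprint template" is a placeholder byte string.

```python
import hmac, hashlib, json, secrets

# Constructed registry: device id -> per-device secret (hypothetical, not UIDAI's scheme)
DEVICE_KEYS = {"dev-001": b"constructed-device-key-001"}
MAX_AGE_SECONDS = 60  # how long a signed capture stays acceptable

def _tag(key, body):
    # Canonical JSON so device and verifier sign exactly the same bytes
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class Verifier:
    """Server side: issues one-time challenges and checks each submitted capture."""
    def __init__(self):
        self.pending = set()  # challenges issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, capture, now):
        body, tag = capture["body"], capture["tag"]
        key = DEVICE_KEYS.get(body["device_id"])
        if key is None:
            return "unregistered device"
        if not hmac.compare_digest(_tag(key, body), tag):
            return "bad signature"            # body altered or not signed by this device
        if body["nonce"] not in self.pending:
            return "replayed or unknown challenge"
        if not 0 <= now - body["ts"] <= MAX_AGE_SECONDS:
            return "stale capture"
        self.pending.discard(body["nonce"])   # consume: the same bytes can never pass again
        return "ok"

def sign_capture(device_id, template_bytes, nonce, ts):
    """Device side: bind the live capture to the challenge and time, then sign with the device key."""
    body = {"device_id": device_id, "nonce": nonce, "ts": ts,
            "template": hashlib.sha256(template_bytes).hexdigest()}
    return {"body": body, "tag": _tag(DEVICE_KEYS[device_id], body)}

def demo():
    """A live capture passes once; presenting the identical capture again is rejected."""
    v = Verifier()
    cap = sign_capture("dev-001", b"constructed fingerprint template", v.challenge(), ts=1000)
    first = v.verify(cap, now=1010)
    replay = v.verify(cap, now=1020)  # stored copy of the same capture, presented again
    return first, replay
```

Without the nonce and device signature, nothing distinguishes a stored capture from a live one, which is why the 397 repeated transactions in the complaint could only be caught after the fact by analytics rather than rejected at authentication time.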

Gaps in the system

While the investigation into the complaint is still on, the Asian Age reported on February 28 that the Authority had registered a separate police complaint against an individual, Sameer Kochhar, who heads the Gurgaon think tank Skoch Development Foundation. The complaint was in connection with an article, “Is a Deep State at Work to Steal Digital India”, that Kochhar had published on February 11 in his magazine, Inclusion, about security vulnerabilities in Aadhaar systems. The article included a video demonstrating how unauthorised transactions were possible using replay of stored biometrics – the same malpractice for which the Authority had taken action against Axis Bank, Suvidha and eMudhra.

Two days after the article was published, the Authority’s chief executive officer, ABP Pandey, responded to it on Twitter by calling it a fake video and asking Kochhar to stop spreading rumours. Two weeks later, the agency registered the police case against Kochhar.

Confirming this, Deputy Commissioner of Police (Crime-South) Bhisham Singh said, “We have received a complaint from UIDAI that an individual, Sameer Kochhar, had floated a video and an article on Google saying Aadhaar was not foolproof. The UIDAI says this is against the Aadhaar Act, and we have registered a First Information Report.” Singh added that the FIR was not yet public and the police had not contacted Kochhar. “UIDAI says his claims are false, and we will investigate if this is so,” he said.

Another senior police official, who did not wish to be identified, said the case against Kochhar was registered under Section 37 of the Aadhaar Act and several other provisions of the Act as well as the Indian Penal Code.

Section 37 says:

Whoever, intentionally discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication to any person not authorised under this Act or regulations made thereunder or in contravention of any agreement or arrangement entered into pursuant to the provisions of this Act, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees, or with both.

On February 22 – before the police complaint against Axis Bank and the two other firms was reported – Kochhar leaked a letter purportedly sent by the Authority to one registered authentication user agency (whose name was masked) asking how it had performed multiple concurrent Aadhaar authentications on January 11 through the unauthorised use of the stored biometrics of one individual.

The letter also stated that the Authority had detected a firm that was illegally using a “licence key”. Section 15 (2) of the Authentication Regulations of the Aadhaar Act – the Aadhaar Regulations are currently in Parliament – says a requesting entity can permit another agency or entity to perform a yes/no authentication by generating a “separate licence key”. In this instance, the second entity performed electronic know-your-customer checks for financial transactions, even though it had no permission to do so.

The letter leaked on Twitter by Sameer Kochhar on February 22.

In an emailed response to, Kochhar said he had found out about the FIR against him from the Asian Age report, and that he had not yet been contacted by the Unique Identification Authority of India or the Delhi Police. “The story is available on and whatever other information and documents I have shared are on my Twitter timeline,” he stated. “I look forward to find out which parts of Aadhaar Act 2016 prohibit media reporting on its vulnerabilities.”

He also pointed out the Authority had not denied having issued the letter leaked by him.

Unique Identification Authority of India officials refused to share a copy of the police complaint or the basis of their action against Kochhar. “It may have been part of the original complaint against Axis Bank and others, but we cannot share any details on this,” said Vikash Shukla, senior manager, communications and public outreach, at the Authority’s headquarters in Delhi. Shukla added that the Authority did not have a spokesperson who could publicly comment on the details of the complaint against Kochhar.

Shooting the messenger?

Prasanna S – a lawyer for petitioners who have challenged Aadhaar in the Supreme Court – said it was not clear that what Kochhar demonstrated was related to information gathered in authentication or enrolment, as Section 37 of the Aadhaar Act, which has been mentioned in the FIR against him, suggests. He accused the Unique Identification Authority of India of using Section 37 to stifle criticism and curtail speech. “If you criticise the Aadhaar project, the government says ‘you are just saying so, you do not understand the project’,” the lawyer said. “Here, someone has demonstrated evidence of a security flaw and they are saying ‘how dare you expose its vulnerability’.”

“Do we now have to be worried about sedition against UIDAI?” he added, expressing concern at the Authority registering an FIR against a citizen for exposing a security vulnerability in Aadhaar.

Chinmayi Arun, executive director of the Centre for Communications Governance at the National Law University, Delhi said that “threatening concerned citizens who identify holes and errors that the authority should be fixing is foolish”. She added, “The UIDAI should be rewarding those who find its breaches – instead, we have attempts to intimidate them into silence through the abuse of the state’s police powers. The Aadhaar Act enables this intimidation and it is high time the Supreme Court put a stop to it.”

Kiran Jonnalgadda, co-founder of HasGeek, a Bengaluru community for software developers and start-ups, said Kochhar’s complaint and the Authority’s action against the three firms showed it had failed to provide sufficient technical protection against such attacks. “Replay attacks are a well-known problem, and the Application Programming Interface should not be storing the fingerprint on the device itself,” he said.

“The irregularities detected show they did not have sufficient technical protection, only legal protection against this,” he added. “The UIDAI provides for SMS, email alerts on authentication, but even this is optional.”

Jonnalgadda pointed out that the new technical protection – registration of biometric devices – was, in fact, added after Kochhar’s article. “The new technical protection kicked in after Kochhar, a high profile individual, made an accusation, the video went public and the UIDAI CEO replied on Twitter publicly saying, ‘Aadhaar is secure, do not spread rumours’, and then, after all this, they bothered to investigate,” he said.

He, too, said that someone raising a security issue in the system should be rewarded and not punished.
