BANGALORE – Rising reports of financial fraud and a confusing government flip-flop are raising fresh concerns in India about the security of Aadhaar, the world’s largest biometric identification programme.
Last Friday (May 27), the Unique Identification Authority of India (UIDAI) which runs Aadhaar published an advisory warning Indians against sharing photocopies of this digital identifier with any organisation “because it can be misused”. It warned that “unlicensed private entities like hotels or film halls are not permitted to collect or keep copies of the Aadhaar card.”
Two days after the warning, India’s Ministry of Electronics and Information Technology said that the UIDAI advisory was being withdrawn to avoid “misinterpretation”.
The Ministry said: “Aadhaar card holders are only advised to exercise normal prudence in using and sharing their UIDAI Aadhaar numbers. Aadhaar Identity Authentication ecosystem has provided adequate features for protecting and safeguarding the identity and privacy of the Aadhaar holder.”
Aadhaar, which links a unique 12-digit number to an individual’s fingerprints and iris scans, is mandatory when paying taxes, buying property, and accessing government benefits.
For other purposes, Aadhaar is legally just another proof of identity. But because the government has conveyed that it is the most preferred and secure identification, state and private entities like hotels, banks, telecommunications companies and hospitals commonly refuse their services without it.
The UIDAI says it has generated over 1.3 billion Aadhaar numbers, almost the entire population of 1.38 billion, since its inception in 2009. The agency has aggressively defended the security of the programme in the past, with one of its founders even tweeting his Aadhaar number in 2018, defying critics to harm him.
But fears about data safety and privacy have dogged Aadhaar for years. In 2018, The Tribune newspaper said that its reporters were able to log into the Aadhaar database and access information including user names, addresses and photos by paying an agent 500 rupees (S$8.82).
The UIDAI dismissed most reports over the years about Aadhaar data leaks, or court petitions about essential services refused without Aadhaar, with the repetitive claim that the data is secure and Aadhaar is not mandatory.
India’s Supreme Court had upheld the constitutional validity of the Aadhaar programme in 2018, saying it involved “parting with minimal information” to fulfill the larger public interest of the poor. But it ruled that private entities could not demand customers’ Aadhaar numbers. This did not stop Aadhaar from being made mandatory by default for many services.
In April, India’s national auditor published a report on the UIDAI’s “deficient data management”. Among other things, it said that the agency had not ensured that devices used for Aadhaar authentication were “capable of storing personal information… which put the privacy of residents at risk.”
Gaps in Aadhaar data security have already been exploited for fraud.
Recent months have seen a string of arrests in several states of individuals who allegedly siphoned government welfare payments made to Aadhaar-linked bank accounts. On May 7, police in Gwalior town in Rajasthan arrested four people they said had cloned the fingerprints of at least 23 villagers and stolen 500,000 rupees of government benefits intended for them.
On May 13, the Haryana police said that fraudsters had been lifting fingerprints off the state’s digital land revenue registry and patching them on duplicate silicon thumbs to withdraw money from Aadhaar-linked bank accounts.
Last week, the Telangana police tweeted: “If you lost money from an Aadhaar-enabled payment system without your knowledge, immediately disable your biometric link from your Aadhaar. Never share your Aadhar details with anyone.”