Vulnerable To Frauds, Fakes & Breaches: Why Govt Auditor Served A Warning To Aadhaar

01 Jul 2022

India’s national auditor says that Aadhaar, the national identity database and one of the world’s largest, is not finding and plugging leaks as it should. That is leading to rising frauds, hacks, data breaches and other misuse. Some of its failures have denied government services to the country’s most vulnerable. Experts advise restricting Aadhaar’s use and spread, but the government is not open to even addressing or fixing its problems.

Photo: Aadhaar card biometric data / BMNNETWORK, Creative Commons

New Delhi: At least 470,000 unique identity numbers (UIDs) issued over nine years by Aadhaar, India’s 13-year-old national identity database, were fraudulent. The system is susceptible to being hacked or otherwise undermined, and its own recent warnings of misuse reveal its vulnerabilities. About 30 million of the poorest Indians have lost access to government ration over the last few years.

These findings sum up the result of a new study by the government’s own auditor, various studies and stories by researchers and journalists over the past 12 years, and a now-withdrawn warning issued in May 2022 by the Unique Identification Authority of India (UIDAI), Aadhaar’s promoter and regulator.

Now issued to 1.3 billion Indians, Aadhaar cannot verify if any of the holders of its unique identification numbers (UIDs) is actually “resident” in this country; and at least 145 duplicate UIDs were generated each day over nine years, according to the first-ever audit of its operations in April 2022 by the Comptroller and Auditor General of India (CAG).

The CAG report was the first audit of Aadhaar since the first UID number was issued, by the then Prime Minister Manmohan Singh in September 2010, marking the “beginning of a big effort for the welfare of the common man”.

The only other official scrutiny of its workings came in 2011 from a parliamentary standing committee, and in 2015 and 2018 from the Supreme Court when it was hearing cases related to Aadhaar.

Aadhaar’s vulnerabilities most recently came to public attention in May 2022, when UIDAI’s Bengaluru regional office issued an advisory cautioning Aadhaar holders against sharing their photocopies and details with “unlicensed private entities”. The advisory was withdrawn within 48 hours.

Article 14 sought comment from the UIDAI on the controversy, the CAG’s observations and reports of misuse, submitting a detailed questionnaire over email and calling its Bengaluru regional office. There was no response. We will update this story if the UIDAI responds.

Aadhaar was marketed as a “unique identification” of an individual, but the CAG report revealed that at least 145 duplicate UID numbers generated each day over nine years to 2019 had to be cancelled.

The CAG report said “the fact that residents reported 860 cases of multiple Aadhaars in Bengaluru RO (regional office) alone during 2018-19 suggested that the self-cleaning system employed by UIDAI was not effective enough in detecting the leakages and plugging them”.

“It's like the government is finally accepting that they have a problem,” said Srinivas Kodali, a privacy activist and researcher, who over several years has pointed to privacy and fraud in the Aadhaar database, as indeed have others over the years.

UIDAI’s creaky grievance redressal system, faulty biometrics, the lack of transparency in its functioning, and a conflict of interest in its framework have together created an environment that allows frauds and other hacks, said experts.

Faulty Biometrics = Exclusion From Food & Welfare Services

In 2017, in the state of Jharkhand, one of India’s poorest by per capita income, 11-year-old Santoshi Kumari died of starvation after her family was denied ration for six months because its ration card could not be linked to Aadhaar.

To mark a year of Santoshi’s death, right-to-food activists in 2018 released a list of 56 hunger-related deaths in India, of which 25 were linked to Aadhaar.

Similarly, in 2018, a 40-year-old Adivasi, Rajendra Birhor, starved to death in Ramgarh, another district in eastern Jharkhand. He belonged to what in official parlance is called a ‘particularly vulnerable tribal group’ and should have had access to at least two welfare measures that could have saved his life: a pension and a ration card.

Like Birhor, 13 others died that year in Jharkhand from a lack of food or money, the denial of services to them linked to glitches in the Aadhaar authentication system after the government made it mandatory for those seeking subsidised food to have an Aadhaar UID.

Aadhaar glitches have also been reported in payments, made via Aadhaar authentication, to poor, rural workers enrolled in India’s national jobs-for-work programme under the Mahatma Gandhi National Rural Employment Guarantee Act (MGNREGA), 2005.

In 2015, the government made it mandatory to link MGNREGA rolls and bank accounts to Aadhaar and to make payments only after workers’ identities were biometrically authenticated, that is, matched against the iris scans or fingerprints recorded in the database.

Workers reported a score of technical issues, including names spelt differently across job cards, muster rolls, bank accounts and Aadhaar IDs, leading to missing employment records and unpaid wages, according to a 2020 study.

The CAG report noted that during 2018-19 more than 73% of the 30 million biometric updates were “voluntary updates”, meaning people themselves requested changes to their biometrics, possibly because of glitches they faced during authentication, indicating that the quality of data captured at initial enrolment was “not good enough”.

The CAG noted that the UIDAI takes “no responsibility for deficient biometric capture” and that the onus of updating biometrics is passed on to Aadhaar holders, which “did not seem appropriate”. The denial of welfare due to failure to link Aadhaar with a ration card, or failure of biometric authentication, continues, as does UIDAI’s refusal to take responsibility.

Yet, the government is expanding Aadhaar requirements.

As the Reporter’s Collective reported for Article 14 on 30 June 2022, the government has threatened to cut funds to states that do not make Aadhaar compulsory for children under six and for pregnant and lactating mothers from poor families to access free, nutritious food, despite the 2015 and 2018 Supreme Court orders to the contrary and another CAG report saying it was not required.

The Bengaluru Advisory And A Hurried U-Turn

In December 2021, Nayeema Taj, a 32-year old woman living in Bengaluru, panicked when she received notices from banks asking her to repay loans that she had never taken. A man who she had met had collected her Aadhaar and PAN card details to enroll her in a “highly rewarding multilevel financial scheme”.

Soon, Nayeema, a 10th standard dropout, was asked to sign off on documents that she did not understand. The man turned out to be a member of a bigger gang duping people by opening and running bank accounts in the names of Aadhaar holders and taking loans to purchase motorcycles and mobile phones.

Nayeema’s case is one of many Aadhaar-related frauds reported from Bengaluru and other cities.

So, when the Bengaluru unit of the UIDAI issued its May 2022 advisory, cautioning citizens to restrict their use of Aadhaar UIDs, privacy experts welcomed it as a step in the right direction. But after the commotion this caused on social media, the union government withdrew the advisory, citing potential to be “misinterpreted”.

The trigger for the UIDAI advisory, the Indian Express reported in June 2022, was an incident in Bengaluru, where a man, allegedly part of an international narcotics racket, was caught using fudged Aadhaar cards to book an illegal export cargo of prohibited substances. Several experts also linked the advisory to Aadhaar-enabled frauds mushrooming across the country.

The advisory would have restricted the possibilities of Aadhaar details reaching fraudsters and those not authorised to use them, including malls, banks, hotels and hospitals. In withdrawing it, the union government has ignored its own regulations and created further confusion about when Aadhaar ID details can be shared.

The government asked Indians to exercise “normal prudence”, without explaining what that meant.

The Conflict Between Privacy & Ubiquitous Use

Regulation 16A(3) of the Aadhaar (Authentication And Offline Verification) Regulations 2021 requires any offline entity, called an “Offline Verification Seeking Entity” or OVSE, such as a hotel, that chooses to retain an Aadhaar UID at all to store it only with the number partially masked, while complying with UIDAI data storage regulations.

Regulation 5 requires such OVSEs to inform a person of other viable means of identifying themselves, such as a passport or driving licence, wherever possible, and not deny services if they refuse to present an Aadhaar ID.

The problem with storing unmasked Aadhaar data, said Prasanna S, a Supreme Court advocate involved in several challenges to Aadhaar, is that it could result in “dangerous consequences”, either now or in future, such as financial frauds and identity theft. 

Four in every 10 Indians have experienced identity theft in some form, and identity thefts involving Aadhaar data are widely reported.

“Hence, the Supreme Court’s  (2018) Aadhaar judgement said that privacy harms and privacy violations are not foreseeable and, therefore, have to be protected as a fundamental right”, said Prasanna.

The union government, said experts, violates its own rules because its policy of making UIDs ubiquitous contradicts the regulations that restrict Aadhaar’s use.

Even though a 2015 Supreme Court order restricted the use of Aadhaar to the public distribution system for food grain and cooking fuel, by 2018, at least 22 government welfare schemes could not be used without submitting Aadhaar IDs. Soon after, a variety of private companies and others, from telecom operators to banks to malls, followed suit.

The Rising Dangers Of Aadhaar Authentication

In May 2021, Ajay Kumar Srivastava, a 32-year-old man from Lucknow, found that Rs 30,000 was missing from his account with a public sector bank. He was told that, according to bank records, he had withdrawn the amount on three dates, all bank holidays, using what is called the Aadhaar-enabled Payment System (AePS).

AePS allows customers whose bank accounts are linked to Aadhaar to withdraw or transfer money, after Aadhaar authentication, using point-of-sale machines carried by business correspondents of any bank. Customers can be defrauded via AePS when cloned fingerprints are used to authenticate transactions.

One way to create a cloned fingerprint is to copy the thumb impression of the person on butter paper and then create duplicate silicone thumbs. The Internet is filled with videos that explain how to do this.

Such AePS frauds are on the rise. In March 2022, the government told the lower house of Parliament, the Lok Sabha, that frauds worth Rs 10.1 crore were reported over the past three years, with more than 60% reported over the past year alone.

These are only officially reported cases. The government also acknowledged the use of “gummy fingers”, or artificial fingers made of gelatin, to illegally access Aadhaar authentication systems.

“UIDAI uses various methods/audits/advocacy to ensure that the Aadhaar system is robust and highly secure,” the government told Parliament. “The security of its entire authentication system is reviewed from time to time”.

But the possibilities of Aadhaar misuse are not just financial.

In 2018, former US Intelligence contractor-turned-whistleblower Edward Snowden described Aadhaar as “a mass surveillance system” and said “something is seriously wrong with it”. By rapidly linking Aadhaar with most welfare services, experts fear the government is moving towards achieving a surveillance society.

In December 2021, the union government authorised the linking of voter IDs with Aadhaar. For now, that is voluntary. It has discussed linking the controversial National Population Register (NPR) with Aadhaar, a move with many possibilities, many of them dangerous, said experts.

The UK Scrapped A National ID Project, In India It Spreads

Voter profiling, with demographic data, such as religion and caste, linked to Aadhaar, could make its way into the hands of state or non-state actors allowing targeted political advertising, disenfranchisement based on identity, commercial exploitation of private sensitive data and increased surveillance.

NPR data could be used for delimitation or redistricting, the process of carving out new constituencies, which could exclude sections of society, an allegation now being made in Jammu and Kashmir and Bengaluru.

Prasanna, the Supreme Court lawyer, said that the government need not necessarily have a “sinister idea” in mind. A mass surveillance regime is already underway in India, and it is being woven into the structure of governance.

“Once a database exists, it could be used for any wrong,” said Prasanna. “If not by the government of the day, then by a government in the future. Rule by lists is an anathema for the rule of law.”

In the United Kingdom, a project for a unique, biometric ID was scrapped in May 2010, when researchers found it was impossible to guarantee the security of such a database.

Aadhaar suffered a data leak in 2018, when the records of 1.1 billion registered citizens were potentially compromised. It was described as being the world’s largest data breach that year.

Despite widespread evidence that Aadhaar data is not secure, the union government and the UIDAI have not made, said experts, even basic architectural changes to the Aadhaar ecosystem. In 2018, the government said no more than that the data were safe behind “thick walls”.

Scrap Aadhaar Or Tweak Aadhaar?

A major hurdle to checking the misuse of Aadhaar, said experts, is that there is no effective independent oversight of the UIDAI.

The original Aadhaar Bill had a whole chapter on independent oversight, but it was dropped without explanation. In 2018, the Supreme Court, while hearing a challenge to Aadhaar, expressed concern over the lack of regulatory oversight.

“The only way to stay secure is by limiting Aadhaar’s use,” said Prasanna, the Supreme Court lawyer.

“That is what the Supreme Court attempted to do,” he said. “It struck down section 57 of the Aadhaar Act that allowed private companies to use Aadhaar because it knew that temptation would always exist and there would be no mechanism to keep a check on its misuse.”

Srinivas Kodali, a researcher of digital domains, said that despite two major Supreme Court judgements, Aadhaar’s architecture was unchanged.

“In the computer world, code is law,” said Kodali. “Unless there are changes in the code, changes in law are useless. The government should start implementing the Supreme Court’s (2018) Aadhaar judgement sincerely.”

Much has been reported about what is called the UIDAI’s “revolving door problem”—the phenomenon of officials using experience, knowledge and influence while in public service to benefit private companies.

Several executives who had worked in the UIDAI have gone on to occupy senior positions in private companies, creating a potential conflict of interest.

One example is OnGrid, a private company that provides background checks for companies hiring blue-collar workers by using Aadhaar data and data from other sources to establish employment history, criminal background, and more. OnGrid’s co-founder Piyush Peshwani was earlier a manager at the UIDAI.

Similarly, Khosla Labs, a business incubation and investment firm, has an Aadhaar-enabled authentication and verification product called Aadhaar Bridge. The company was also licensed by the UIDAI to access Aadhaar holders’ demographic data. Its CEO Srikanth Nadhamuni was formerly head of technology at the UIDAI.

There are no rules governing what these former UIDAI executives can or cannot do when they join the private sector. If Aadhaar is here to stay, as it most likely is regardless of which party is in power, then the government must, said experts, get a separate and independent regulator for UIDAI.

(Saurav Das is an independent investigative journalist.)