The Fault in Aadhaars


The Fault in Aadhaars

Illustration: Akshita Monga/Arré

In the latest episode of India’s longest-running crime drama, the government sort-of admitted yesterday that there were a few pretty serious security flaws in the Aadhaar system. The tacit admission came via the introduction of a new virtual ID and limited KYC details. The move comes a few days after an an explosive investigative story by The Tribune, in which a journalist accessed 1 billion Aadhaar details for ₹500. In a classic tragicomic move, typical of the way things unfold in India, an FIR was filed against unknown persons, but not the Aadhaar-issuing authority, the UIDAI.

The Aadhaar system, which attempts to give each Indian a unique number, is a mammoth task, no doubt. There are many criticisms of it, but the recent lapse goes back to the haphazard way Aadhaar has been implemented in the country and the way biometric data has been collected.

The atmosphere of panic, created by the sudden implementation, pitched Aadhaar like the antidote to a deadly disease in a low-rent Hollywood movie. Suddenly, you could find an Aadhaar card kiosk at every nukkad, every office lobby. Most of the people who issued these cards were unnamed, unbadged gentlemen with a very rough idea of what documents were required for corroboration and a rougher idea of how biometric data is collected, or how important it was.

In my case, an Aadhaar officer travelled to my office, a workspace with 12 photoshop subscriptions and two video-edit machines, to gather very original documents. He did no background check on any of my colleagues. Our address proof was skimmed through and handed back, no questions asked. The fingerprint/retina scanner looked like technology straight out of the 1980s. It took five attempts to finally gather a skewed version of one person’s fingerprint and another 15 minutes each for the eye scan. When compared with the ordered, sanitised system of getting a fresh passport at the passport office with all its regulations in place, the process of acquiring an Aadhaar seemed closer to getting a gym membership.

Sometime during the push, the UIDAI launched a door-to-door service for people who couldn’t travel to Aadhaar enrolment centres in Delhi. This essentially meant that once all biometric data was collected from that house, and all of our offices, they travelled together in a Maruti van with zero outside protection. It didn’t take too long for people to realise that these agents, just like your average person of authority in India, are also easily bribed and will enrol you for any number of Aadhaar cards with no address proof.

That’s just a day in the life of India, but it’s amazing to me, that we can be okay with just handing over all our data to these agents just because they say they’re from the UIDAI. People who argue that we share as much information on our “Facebook and Twitter so just chillout”, are advised to use their Facebook profile photograph the next time they need address proof.

In our case, the Aadhaar agent left with half our office’s biometric data in a rickshaw, giving us a glimpse into our Orwellian future. Let’s assume that the agent had a really bad day when he left office, or that we acted like assholes with him. The agent decides to hand over all our data to a passer-by and go home. The passer-by now has access to your biometrics, address, and eventually Aadhaar number. Now say he goes on to use your fingerprint scan to get seven SIM cards, and start a fraud phone call business. There’s technically nothing to stop the police from arresting you for the crime. Your fingerprints are literally all over the place.

"As the Tribune journalist revealed in her report, for an extra ₹300, she was given software that was capable of printing out any Aadhaar number she wanted on a card. This is particularly dangerous because the Aadhaar cards themselves (since they were never meant to be ID) have no holograms or identifying markers."

One of the problems of Aadhaar is that it slowly morphed from a number meant to help you avail subsidies and government benefits, into an identification for everything. To renew your passport you can use your Aadhaar details, to get a new Aadhaar you can use your passport details. But the Aadhaar was never meant to act as address proof either — in fact it was to be issued to homeless people as well.

As the Tribune journalist revealed in her report, for an extra ₹300, she was given software that was capable of printing out any Aadhaar number she wanted on a card. This is particularly dangerous because the Aadhaar cards themselves (since they were never meant to be ID) have no holograms or identifying markers. According to the original document (which was passed with 70-odd MPs present in parliament) even poorly taken, black-and-white printouts of Aadhaar cards are considered original documentation.

The cherry on this shitcake came yesterday, when an article (published on a site partially owned by UIDAI chairman Nandan Nilekani) argued that the “upper-class wine-and-cheese”-eating protesters should just shut up and take Aadhaar the way it is given to them, because it is meant to benefit the poor and hungry people in Jharkhand and not their privileged bums. It asserted that every time we use Netflix, or generate a flight PNR, we are essentially telling the government everything about ourselves anyway, so what difference would it make that the Aadhaar was a serious breach of privacy waiting to happen. The article completely ignored that biometric data are failing farmers in Chhattisgarh from getting pensions, and the people in Jharkhand who have died of starvation because their families couldn’t get access to any rations.

However, later in the day, the UIDAI announced “Oh shit”, and agreed that our Aadhaar numbers were actually a lot more valuable than we previously thought. The Virtual ID is, therefore, a new number generated at random, and linked to your Aadhaar number. When you hand over your VID, no person will be able to get your Aadhaar number from it. This marks a huge change from last week when the UIDAI was busy insisting that the Aadhaar was completely safe, sachi God promise.

The introduction of today’s measure should serve as a sign that exposing flaws can take us a long way, and that submitting will leave us with an imperfect system. Here’s to more wine and cheese protests. As for me, I only wonder what it will take for my bank to stop calling me to link my Aadhaar with my account.