Aadhaar breach: Gaping holes in data security and the unreliability of biometrics put a question mark on the project. UIDAI’s denials are increasingly unconvincing.

Aadhaar breach: The UIDAI admitted this had happened, but said “that was not us”, the database is safe. Then they began to threaten those who exposed the leaks with criminal action. (Illustration by Subrata Dhar)

Does it really not matter at all that the personal details of a billion people, including their name, address, gender, date of birth, parents’ names, possibly bank account number, mobile number, email address and photo have been exposed by anonymous sellers? Is the only thing valuable in the UID (unique identification) database the biometric data? If the demographic data is so easy to reach, how do we know the biometric data is safe?

The explosive report in The Tribune on January 4, which revealed the gaping holes in the security of the database, has provoked the predictable response from the Unique Identification Authority of India (UIDAI) — denial. The reporter explains the few simple and swift steps she had to take, and the Rs 500 she had to pay, to access a billion identities on the UID database. The UIDAI says this is “misreporting”, and what happened is not a breach — that the database is safe and secure. And that they will take legal action against those involved in the case — an implicit admission amidst much denial.

The leaks, breaches and misuses have become too frequent for the denial to be convincing.

The leaks have been neither sparse nor rare. Among the ones that hit the headlines, with large numbers affected by the breach: In November 2017, 210 government websites and those of educational institutions displayed personal information along with UID numbers. The UIDAI admitted this had happened, but said “that was not us”, the database is safe. Then they began to threaten those who exposed the leaks with criminal action. In December 2017, it was discovered that Airtel had opened bank accounts in a payments bank that it had launched, and that it had seemingly done so by fudging consent, procured while verifying SIM cards. When people began complaining that they were not receiving their subsidies, the subsidies were traced to an Airtel account that customers did not even know had been opened for them. Now, this.

Some things have become clear over time. One, that the UID project is not just about the UIDAI. The UIDAI is certainly an important part of the project, but the project seeks to achieve ubiquity and universality and, in doing that, it involves private businesses. The Aadhaar Act 2016 does not permit private companies to mandate the use of the UID. So, the government uses its licensing powers to mandate that mobile companies and banks coerce mobile users into submission. Ever since the first MoUs between the UIDAI and various state governments, according to which the state governments were to act as registrars for the UID, the agreement was that the enrolment would include information that the UIDAI wanted for its database (KYR, or Know Your Resident) and anything additional that the government may collect (KYR+). Together, they were to become a means of getting a 360-degree view of people and communities. These now are the State Resident Data Hubs. They also come in various shapes and sizes. In Haryana, for instance, it is the Jan Kalyan and Suraksha Survey that captures every detail of every household, and of each individual in every household. See this to get an idea of how much the government wants to know you.

Ubiquity is achieved through mandating, either lawfully or otherwise, the inclusion of the UID number in every database. Hundreds of notifications, circulars, letters of instruction and many more such instruments compel people to get on the UID database, and to leave their “digital footprint” everywhere. Coercion was expected to help achieve universality — that is, everyone would be in the database. The “architecture” or “ecology” of the UID project involves leaving these digital footprints, by the use of state power and force if needed (and it has indeed been needed — people haven’t been happy to enrol, they have largely had to be pushed to the enrolment stations and also to the many, many other databases such as schools, hospitals, voter ID, ration, LPG, etc).

The UIDAI goes on about how biometrics are safe and out of reach. The truth is, biometrics are collapsing all round. The figures for biometric failure have been staggering. In Rajasthan, in the PDS, exclusion because of fingerprint failure has been close to 36 per cent, which means that in 36 per cent of households not even one person is able to authenticate using their fingerprints. Jharkhand has witnessed deaths because the poorest have had difficulty linking their UID number with their ration card. Documents in the UIDAI archive from between 2009 and 2012 show that biometrics was still in an experimental phase. That biometrics are not working as hoped is made evident in the Watal Committee report on digital transactions, in December 2016. At pp. 123-124, the committee says that biometric authentication requires the availability of internet and high-quality machines capable of capturing biometric details, making it contingent on these working. So, the committee asks that for digital transactions, the “OTP sent on registered mobile number of Aadhaar holder” be allowed, thereby downgrading biometrics.

Digital payments are in the business interest; not PDS. So, while fingerprints cause huge problems to the poor, the business interest shifts to other means because biometrics are not dependable.

The mantra has, in fact, been JAM (Jan Dhan, Aadhaar, mobile): three numbers that make up identity. It was in 2010 that Nandan Nilekani said to a reporter: “The slogan of ‘bijli, sadak, paani’ is passé; ‘virtual things’ like UID number, bank account and mobile phone are the in-thing.” That is the imagination that is driving the project today. It is these three numbers that are being exposed in the breaches. Then, to say that all is well is clearly not quite the truth.

The project is putting people, and the nation, at risk. Those in court challenging the project have been demanding that the project be scrapped — not just the UIDAI, but the project. The breaches explain why what they are asking makes sense.