The Unique Identification Authority of India (UIDAI) started off with Aadhaar enrollments back in 2010. It has been close to seven years since, and the 12-digit Aadhaar number is much more than just an identity number now, with over 1.1 bn Indians already enrolled on the Aadhaar platform.
Since the demonetisation drive which started on 8 November 2016, Aadhaar has suddenly come into the limelight as it is being positioned as a one-stop solution for everything from distribution of benefits and salaries, to making online transactions, to authenticating your identity and more.
While that's good, more recently we came across a report of UIDAI filing a complaint with the Delhi Police against Axis Bank, Suvidhaa Infoserve and eMudhra for violating Aadhaar regulations by storing biometric data. So there are some concerns as well.
Aadhaar as a one-stop platform
When enrolling for Aadhaar, you have to submit your demographic data as well as biometric data such as fingerprints and iris scans. Since your fingerprints and iris scans are locked to the 12-digit number, there is no need to remember any login or password details, as you are always carrying them on your body.
Aadhaar is now connected to around 582 banks, brokerages and government departments, which are registered users permitted access to Aadhaar data. RBI allows the use of Aadhaar to verify customers for new accounts as well. The Aadhaar Enabled Payment System (AEPS) links to around 119 banks, and up to 27 January around 338.7mn transactions were recorded using Aadhaar identity, according to Union Minister Ravi Shankar Prasad.
Using Aadhaar authentication for disbursal of benefits really does help bring down leakages. Aadhaar-linked bank accounts are used extensively for Direct Benefit Transfer schemes, which have helped the government save over Rs 36,000 cr in the last two years in the public distribution of LPG subsidies and the payout of daily wages to MNREGA workers.
Also thanks to Aadhaar linked bank accounts, it will not matter how many times you change your banks, as your money is being paid to your Aadhaar number and the subsequently linked bank. Government organisations are already using Aadhaar for salary disbursements and maintaining employee records. Private organisations are just about getting started with this.
The Bharat Interface for Money (Bhim) app is integrating aggressively with Aadhaar. The Bhim app currently supports a number of payment options: users can use a QR code tied to the account, generate a QR code for a single transaction, or transfer money with a UPI address or an IFSC code. All of these payment options require some kind of authentication or setup by the user, which can be discouraging to people who are unfamiliar with technology. Using the Aadhaar number for payments will make the process even simpler, and will require no additional authentication steps. Payments made through the Aadhaar number will not require mobile banking activated on the bank account, biometric authentication, or a UPI address.
At its Future Decoded event, Microsoft CEO Satya Nadella showed how Aadhaar authentication could also be used for Skype calls between a job seeker and his interviewer.
One of the good things about Aadhaar is that the unique number remains the same for life. This can bypass the need to change your bank details every time you change organisations. But this same advantage could also prove to be its Achilles heel. While Aadhaar may seem like an ideal way to get a centralised database for a country as big as ours, everything isn’t a bed of roses. In fact, the program has had its critics as far back as 2012.
Speaking to Tehelka, former army officer and a critic of UIDAI, Mathew Thomas had said, “The (Aadhaar) database is to be linked to other databases like banks, phone companies, etc. Once a person hacks into the UID database, s/he can gain access to any other database. We are handing over data to anyone who would like to take it.”
According to Rajesh Bansal, senior advisor at BFA and former assistant director general at UIDAI, “UIDAI has various levels of firewalls, end to end encryption mechanisms to ensure that only authorised entities have access to Aadhaar database. Also, fingerprints are never stored on the servers, only the templates are stored. Till now, there hasn’t been a single case of any compromise on this data.”
But recently we came across a report of UIDAI filing a complaint with the Delhi Police against Axis Bank, Suvidhaa Infoserve and eMudhra for violating Aadhaar regulations by storing biometric data. In this case, the central Aadhaar database was not compromised; it was third parties authorised by UIDAI that were found lax in following regulations. The case shows how Aadhaar data could be compromised if there is a weak link in the system. UIDAI detected the problem when it found multiple transactions done using the same fingerprint. The official, who spoke to Livemint on condition of anonymity, said that this would not have been possible without storing biometric data.
Back in 2013, the Maharashtra government had lost the personal data of around 3 lakh Aadhaar applicants, when the data was being uploaded from the state IT department to a central server in Bengaluru. Thankfully the data was encrypted.
According to Centre for Internet and Society policy director Pranesh Prakash, “The government, as per press reports, is going ahead with using fingerprints for authentication of Aadhaar Enabled Payment Systems (AEPS) transactions. While the security architecture of AEPS might in itself be good, the idea of providing your fingerprints to merchants for financial transactions is a terrible idea since that is like asking you to give your bank password to a merchant, and the merchant can reuse that password, and you can’t ever change the password.”
Lack of strong privacy laws
Another area of concern, and a major question mark right now, is the lack of strong privacy laws. In cases such as the one seen above, where a government agency loses your biometric data, what happens to user privacy? Whom do you go to for a resolution of your fears and concerns? There aren't many redressal forums to address such issues.
Passwords and two-factor authentication (2FA) still provide some sort of safety net. If a database is compromised, you can change your password or 2FA. But if fingerprint or iris scan data is compromised, there is no way to change it. And if just that one measure of authentication is used for things such as financial transactions, one needs to be 100 percent sure about the security loopholes and have them plugged in time.
There could also be extreme scenarios where the victim is coerced by the perpetrator into authenticating monetary transactions with the victim’s fingerprint. For instance, an abusive partner could use force to get the victim to authenticate a transaction using a fingerprint. We are just thinking out loud here, but it could be the case.
The Aadhaar framework is quite innovative and the government is quite bullish on using it for authentication in various fields. This cuts down on time, saves money, plugs leakage of benefits and much more. But at the same time, the dangers associated with it, which have been expressed by critics, are not to be taken lightly.
Also, with access that deep into personal information, the potential to profile individuals is quite high. Running computer programs across the Aadhaar databases to identify patterns could prove to be a double-edged sword as well. Population profiling based on caste lines could be a disaster.
Tying in the Aadhaar Bill with a robust Privacy law is definitely the need of the hour.