By Nikhil Pahwa and Anand V

In October 2016, Delhi Police busted an Inter-Services Intelligence (ISI) spy ring and found that Mehmood Akhtar had an Aadhaar card naming him as Mehboob Rajput. In May this year, the Central Crime Branch found that three Pakistanis had obtained Aadhaar cards in Bengaluru through a middleman for Rs 100 each. More recently, Zeebo Asalina, an Uzbek national arrested in Orissa, had an Aadhaar card naming her as Duniya Khan.

Telecom Regulatory Authority of India (Trai) chairman and former CEO of the Unique Identification Authority of India (UIDAI) R S Sharma suggested in an article in this publication (‘The Phoney Aadhar Bogey’, ET Edit, Nov 23, goo.gl/supsVq) that security agencies may have a better chance of nabbing potential terrorists if all mobile connections are verified using Aadhaar. There is a major flaw in this assertion.

Shaky Aadhaar of the ID

What is common in the aforementioned cases is that these Aadhaar cards were based on forged documents. Since UIDAI does not conduct verification by itself, it retains the flaws of these documents and is not ‘fraud-resistant’. In fact, once they have Aadhaar, things may get easier for potential terrorists, given the incorrect perception that it is foolproof.

Sharma rightly points out that paper IDs are not good for privacy since they can be reused for other purposes. However, Aadhaar is worse, because once data is shared with hundreds of third parties, it is no longer secure. Some of this was made evident by the fact that, in July, a site called magica pk.com briefly allowed anyone to check personal information of Reliance Jio mobile phone users. Allegedly, this was due to a security vulnerability with a Reliance Jio vendor.

While we do agree with Sharma’s assessment that electronic Know Your Customer (KYC) is cheaper for telecom operators and banks, it is costlier for citizens: the cost of the loss of personal information is much higher than the benefit of collecting it. UIDAI has no control once data leaves its system via eKYC, which has a tick-box approach to consent and, apparently, no checks thereafter.

HDFC Bank’s terms and conditions authorise it to use and disclose customers’ Aadhaar numbers and other details to third parties. Next year, there is a plan to roll out Aadhaar-linked programmes like a Public Credit Registry with transaction data, and the National Health Information Network electronic health records. The risk of personal information leaks increases with more services getting linked to Aadhaar due to security vulnerabilities, or sheer incompetence of the government or third parties.

Some Aadhaar-related data has already been compromised. UIDAI admits that over 210 government departments had published personal information and Aadhaar numbers online.

According to a Centre for Internet & Society (CIS) India report (‘Information Security Practices of Aadhaar (or Lack Thereof)’, Amber Sinha & Srinivas Kodali, goo.gl/xWhi91), such data for 130 million had been published by four schemes alone. This, despite the fact that disclosure of Aadhaar numbers is illegal as per Section 29 (4) of the Aadhaar Act.

This law treats the Aadhaar number on par with biometrics in terms of sensitivity of information. So, Sharma’s contention that only biometrics need to be kept secure is misplaced. In any case, biometrics are the least secure form of authentication, given that they can be cloned from photographs, and you leave fingerprints on every glass of water you pick up.

Social Security Itself Lacks It

When data for millions of people has already been compromised by the government, Sharma’s ad hominem allegation that critics are “alarmists” and “motivated” is an unfortunate tactic to divert attention from badly designed architecture, execution mistakes, security failures and the yet-tobe-addressed risks.

The fact remains that National IDs and associated data do get hacked and leaked. Estonia, the poster child of digital governance, has had to suspend its digital ID cards due to cybersecurity-related vulnerabilities. Spain is facing similar issues. The recent Equifax hack in the US left social security numbers for nearly half the country (143 million Americans) compromised. The government’s cavalier attitude towards privacy — that privacy cannot be at the cost of innovation — which Union information technology minister Ravi Shankar Prasad put forth at the prestigious Global Conference on Cyberspace (GCCS) in New Delhi on November 23, indicates the willingness to put citizens’ personal safety at risk: that your privacy is a price that GoI is willing to pay for making it easier for businesses to be built around your data.

While there are benefits that might accrue from customisation of thousands of services that might otherwise not have had your data, a government that forcibly takes sensitive and personal information from you, and a court that has allowed this to happen despite appeals to stop it, has acted against you and 1.3 billion others.

All your data, linked to a single ID for de-duplication, and accessible to the government under unspecified ‘national security’ considerations, without sufficient checks and balances and judicial oversight, is also dangerous in the hands of a future government that might look to retain power by any means necessary. Mass surveillance, of which Aadhaar is an enabler, is an unnecessary and disproportionate infringement of rights, and dangerous for democracy. You can’t make citizens safer by making them more vulnerable.

(Pahwa is founder, MediaNama, and Anand is an independent researcher on the Aadhaar project)