What could Mehmood Akhtar – a Pakistani high commission staffer who was expelled from India after he allegedly engaged in espionage – and Lord Hanuman possibly have in common?

Strangely enough, publicly available evidence indicates the following. One, an Aadhaar number. Two, an LPG connection that is linked to their respective Aadhaar numbers. And three, a bank account that is also linked to their Aadhaar numbers.

On October 27, 2016, the Delhi police detained Akhtar for allegedly possessing sensitive defence documents. He however, identified himself as Mehboob Rajput, and produced an Aadhaar ’card’ bearing the name and an address in Old Delhi’s Chandni Chowk.

The address on the Aadhaar card – 2350, Gali Near Madari, Rodgran Mohalla, Chandni Chowk, New Delhi 110006 – is correct, except that the house is actually on G B Road, Delhi’s red-light area, nearly a kilometre away. He was promptly declared persona non-grata, and was asked to leave immediately.

Did the Pakistani spy really apply, and receive, an Aadhaar number? It’s theoretically possible – any resident of India can sign up and enrolments do not require proof of Indian citizenship.

While the Unique Identification Authority of India (UIDAI) was silent at the time, news reports quoted senior Delhi police officials who confirmed that Akhtar’s “Aadhaar document” had been obtained through “fraudulent means”, through a man named Yaseer (who supplied fake identification information) and with the involvement of one or more Aadhaar operators employed with an enrolment agency.

In other words, it appears as if Akhtar had not merely taken a piece of paper and photo-shopped random bits of information onto it, but had instead genuinely obtained an Aadhaar number by supplying fake information.

While only the UIDAI can confirm this for sure, there is no public evidence that contradicts the Delhi police’s account.

In Parliament, the Modi government has been evasive. In December 2016, Rajya Sabha MP K.V.P Ramachandra Rao asked whether it was “a fact that a Pakistani spy caught in New Delhi in October carried an Aadhaar card issued in his name” and “if so, whether the Government is assessing the possibility of misuse of Aadhaar cards.”

Junior IT minister P.P Chaudhary’s reply was a non-answer, refusing to clearly state one way or the other if the spy received a valid Aadhaar number. His reply, which comes along with a long boilerplate response of how “Aadhaar is generated after quality checks”, merely states that “Aadhaar is not proof of citizenship or nationality”.

FS summons Pak High Commissioner to convey that Pak High Commission staffer has been declared persona non grata for espionage activities — Raveesh Kumar (@MEAIndia) October 27, 2016

At the time, media organisations did publish this story widely (Scroll, Hindustan Times, Business Standard, Deccan Chronicle, Rediff), and in the process, reproduced his Aadhaar ‘card’, which also displayed his Aadhaar number (The Wire has withheld the number and has intentionally blurred it out in the picture below).

Here comes the kicker though.

As of last month (December 13, 2017 to be precise), Akhtar’s alleged Aadhaar number was still active. A screenshot from the UIDAI’s website (shown below), which allows users to check whether an Aadhaar number exists and is active, confirms this.

On December 13, 2017, The Wire sent an email questionnaire to UIDAI CEO Ajay Bhushan Pandey, asking specifically if Akhtar had succeeded in enrolling under the name Mehboob Rajput for an Aadhaar number and if the Aadhaar number that was published by various media organisations last year did actually belong to him and was genuine.

The Wire also asked whether it was possible if the number had been deactivated and reissued to another person. Pandey has not responded while Vikash Shukla, senior manager, communications and public outreach with UIDAI, promised that they would send a response within a couple of weeks.

However, two days after the The Wire’s email was sent – on December 13, 2017 – the status of the Aadhaar number on the UIDAI website changed. It is now no longer “valid” and has presumably been deactivated.

If one checks the status of Akhtar’s alleged Aadhaar number on the UIDAI website now, an error symbol pops up with a short message: “**** **** **** is not a valid Aadhaar.”

Before and after deactivation, however, it was possible to check, using the Indian Oil Indane’s website, that an LPG connection has been attached to the above Aadhaar number. A screenshot of the “OMC (oil marketing company)”-Aadhaar linkage is shown below.

Once the consumer number is known, it is easy to obtain the history of linked bank accounts with that account (through another public link).

A few things stand out here if indeed a valid Aadhaar number was issued to the Pakistani spy.

Firstly, Mehmood Akhtar was deported in October 2016. And yet, two bank accounts (shown in the screenshot above) were linked with the Aadhaar number on October 17, 2017 and October 26, 2017 – a full year after the alleged holder of the fraudulently-obtained Aadhaar was deported.

Secondly, an LPG connection, which has been receiving subsidy payments, was issued in the name of one “Mr Baijnath”, residing in Agra (Khuldabad Gas Service) and was also linked to this Aadhaar number.

Lastly, and curiously, the addresses don’t match. Before the Aadhaar number was rendered invalid, the UIDAI’s website listed a Delhi address (as confirmed by the Delhi police and the address listed on Akhtar’s Aadhaar “card”) whereas the LPG ID seems to indicate an Agra address. Most importantly, however, the names ( Baijnath versus Mehboob Rajput) don’t match either.

Employees at the Khuldabad Gas Service agency admitted to The Wire that no verification is normally carried out when it comes to linking Aadhaar to an LPG connection. Mr. Baijnath’s phone number has been unavailable (‘out of service’) for the last week.

Officials at the Indian Overseas Bank – the last bank account to which Akhtar’s Aadhaar number was linked – declined to comment on whether adequate verification had taken place while linking the Aadhaar number in question.

Lord Hanuman and bank seeding

‘Hanuman’ was given an Aadhaar number as early as 2014, and it was subsequently deactivated by UIDAI, three years ago. A Business Standard report from 2014 – which lists out the Aadhaar number issued – quoted UIDAI director general Vijay Madan as saying that the Hanuman incident was “an exceptional case”.

However, once again, a search shows that a bank account has been linked with this Aadhaar number very recently, on November 11, 2017 as can be verified, using Indane’s website (as shown in the screenshots below).

How and why does this happen? Typically banks are expected to perform validation of the Aadhaar number and the name of the account holder to check if the linkage is valid ( the UIDAI calls this demographic authentication). Name mismatches are however very common (PAN linkage, PDS, other documents) and every demographic authentication request, though very cheap, is still charged by UIDAI, and the costs add up as the volume increases.

Hence, it is possible that banks sometimes skip authentication, and instead accept the provided Aadhaar number at face value. Furthermore, a deactivated or cancelled Aadhaar number does not automatically invalidate all the linked accounts immediately yet.

Three paths

There are three possible conclusions that can be drawn from what we’ve discovered.

The first – which is the most probable and comes with the most serious consequences – is that the Akhtar and Hanuman were indeed issued valid Aadhaar numbers and that these numbers have now been seeded by totally different people in various places because the intermediaries (the LPG dealers and the banks) didn’t carry out proper verification.

The second scenario is that Akhtar and Lord Hanuman were never issued the Aadhaar numbers that were reported about widely in various mainstream news publications and that they had always been issued to other people. While unlikely, if this is true, it raises a troubling question: why was Akhtar’s number deactivated just two days after The Wire reached out to UIDAI?

Thirdly, the spy and Hanuman indeed signed up and received valid Aadhaar numbers, which were then deactivated and re-issued to new people. This is highly unlikely as a twelve-digit Aadhaar number can accommodate up to 80 billion people. It seems improbable, therefore, that the UIDAI re-issued a number to someone else as it cannot possibly run out of Aadhaar numbers in the foreseeable future.

Why UIDAI’s response is insufficient

The Unique Identification Authority of India (UIDAI) is not taking this problem seriously. The government of India continues to push Aadhaar linking to every aspect of a resident’s civil life, from birth to death. When publicly questioned about the purpose of linking Aadhaar to bank accounts, the UIDAI CEO has responded that it is required for eliminating benami accounts that are used for money laundering.

Yet in at least one case, it appears likely that a known Pakistani spy’s Aadhaar number was not cancelled or deactivated for more than a year – until it was pointed out explicitly – which in turn allowed bank accounts to be linked with that number during that period.

While it is superficially straightforward to blame the bank, or the oil marketing company, the true problem lies not in the usage of the Aadhaar number, but in its issuance. To keep enrollment costs low, the UIDAI has consistently preferred outsourcing to third parties, who optimized their own earnings, without any regard to the guidelines issued by the authority.

The scale of the problem can be understood by looking at the number of blacklisted operators.

Date Source Total number of Banned Enrolment Operators From 2011 to 27 th April 2016 LS SQ 59 11,974 From 2011 to December 2016 Hindu Business Line 33,000 From 2011 to 10 th April 2017 Hindu Business Line 34,000 From 2011 to 12 th Sep 2017 Times of India 49,000 Operators banned between 10 th April 2017 and 12 th Sep 2017 Difference between the above 2 columns (49,000 – 34,000) 15,000

Date Source Total number of Active Operators As of 19th August 2016 UIDAI 60,000 As of 9th April 2017 Indian Express 40,000 As of 12th Sep 2017 Operators banned between 10 th April 2017 and 12 th Sep 2017 (from the table above) 25,000 (40,000 – 15,000)

The urge for operators to maximise their earnings also resulted in the invention of the ghost kit, which probably pushed fake identities into the Aadhaar database for close to a year, without the UIDAI being aware of it. The news reports about the ghost kit were however met with the boilerplate response “Aadhaar is safe and reliable”.

The risks from a national security point of view, however continue to grow, both in scope and numbers, and there have been at least 18 known cases where Aadhaar numbers were issued to hostile actors from neighbouring countries, on the basis of bogus address and identity documents.

While UIDAI’s CEO claims that if everyone links their bank accounts with Aadhaar numbers, benami accounts can be detected with ease, the cases of the ISI spy Mehmood Akhtar and Lord Hanuman both appear to disprove this assertion.

In a constitutional democracy such as ours, elected governments inherit legitimacy and trustworthiness because of the inherent strength of the democratic process. For instance, bonds and currency issued by the government form the basis of all economic activities, because of the trustworthiness of the sovereign that guarantees them, and hence are tightly controlled by the Reserve Bank of India.

It can be useful to think of Aadhaar along similar lines, as an “identity currency”, backed by the sovereign might of a democratically elected government. Yet, it is neither proof of citizenship or age (as admitted by UIDAI), or even an address proof by itself, and 120 crore such “identity currency units” (Aadhaar numbers) have, so far, been largely created by third party enrolment agencies, a vast majority of whom have subsequently been dismissed on the grounds of being unscrupulous entities.

Further, unlike the RBI, which has a rigorous process for reporting and destroying fake currencies, UIDAI it appears is struggling with the institutional bandwidth to deactivate and deal with fake identities.

Anand Venkatanarayanan is a senior engineer at Netapp. Views expressed here are personal and do not reflect the views of his employer.