On Wednesday, the Unique Identification Authority of India said that it had blacklisted the enrolment agency that had inadvertently leaked details of former Indian cricket team captain MS Dhoni’s application to join the Aadhaar programme.

The day before, Dhoni’s wife Sakshi had sent a tweet to Information and Technology Minister Ravi Shankar Prasad informing him of a breach when the cricketer visited the Common Services Centre in his home town of Ranchi to register for the programme, which aims to give all Indian residents a 12-digit Aadhaar number linked to scans of their fingerprints and irises.

The Unique Identification Authority of India administers the centralised database in which the information of the 112 crore people who have enrolled for the programme is stored.

After the cricketer’s visit, excited staff at the Common Services Centre shared the his personal Aadhaar details on Twitter. The tweet was later deleted.

On Wednesday, this data leak and the Authority’s action were even debated in Parliament.

Police complaint



This isn’t the first controversy the Unique Identification Authority of India found itself facing this week. On Tuesday, newspapers reported that the Unique Identification Authority of India had registered a First Information Report against a CNN-News 18 journalist after the television network aired a report demonstrating that it was possible to obtain two enrolment numbers, or enrolment IDs, in Aadhaar despite submitting the same set of biometrics.

Enrolment IDs are temporary numbers issued immediately after a resident submits the demographic and biometric data necessary to obtain an Aadhaar number. In its recent notifications making Aadhaar necessary to access a number of services and programmes, such as mid-day meals for students, the government has permitted these temporary enrolment identity numbers to be used as an identity proof.

The CNN-News 18 report on March 22 showed that journalist Debayan Roy fraudulently obtained two enrolment IDs from an enrolment centre in NOIDA in Uttar Pradesh. The report noted he was unable to obtain two Aadhaar numbers but emphasised that it aimed to highlight concerns about corruption and security at the enrolment stage. On March 24, the television channel interviewed ABP Pandey, the Chief Executive Officer of the Unique Identification Authority of India, about the safeguards in Aadhaar’s systems.

However, three days later, on March 27, the UIDAI deputy director Delhi regional office Ramesh Kumar filed a police complaint against the reporter, Debayan Roy, for “impersonating”, leading commentators to ask if the government was more concerned with managing its public image than improving security.

Was this the first case of fraud involving a person enrolling for the programme multiple times?

If it was not, what action has the UIDAI taken on complaints?

After the Aadhaar regulations were notified in September, as part of Scroll.in’s ongoing Identity Project series on the implementation of Aadhaar, this reporter submitted several right-to-information applications posing questions to the Unique Identification Authority of India about the complaints received against enrolling agencies and registrars, the action taken by the UIDAI in response to each complaint, and whether the UIDAI had filed any criminal cases against any enrolling agencies and registrars. The period for which information was sought was from September 2010, when the first Aadhaar number was issued, till October 31, 2016. Most of the replies from the Authority’s regional offices were received in December and January, with a final response coming in on March 1.

Previous complaints resolved, closed, dropped

While the Aadhaar number is issued by the Unique Identification Authority of India, the actual process of collecting demographic information and capturing biometrics is done by enrolment agencies, most of which are private firms, hired by registrars. These agencies are paid a fee by the Authority for every enrolment that they process.

The UIDAI has regional offices in Delhi, Mumbai, Lucknow, Chandigarh, Ranchi, Guwahati, Bengaluru and Hyderabad that supervise enrolment and data collection by these firms across all states and union territories.

Replying to Scroll.in’s query, the UIDAI stated that there are currently 556 enrolment agencies and 125 Registrars working with it. The UIDAI stated it had received 1,390 complaints about enrolment agencies between September 29, 2010, when the first Aadhaar number was issued, and October 31, 2016, when more than 80% of all Indian residents had been enrolled.

Out of 1,390 complaints registered by residents as well as local officials, the UIDAI filed a police complaint against enrolling agencies in only three instances. All three police complaints were filed by the Authority’s regional Bengaluru office, which has a jurisdiction over Karnataka, Tamil Nadu, Kerala, Puducherry, and Lakshadweep.

In all other over 1,300 instances of complaints against enrolment agencies, the cases were “resolved” or “dropped” or “closed” without a criminal complaint.

Till the police complaint against journalist Roy, no criminal complaint had been received or registered at the UIDAI’s regional office at Delhi (jurisdiction over Madhya Pradesh, Rajasthan, Uttarakhand, Delhi) as per the RTI reply by UIDAI deputy director Ramesh Kumar.

UIDAI regional office, Delhi did not receive any complaint and did not register any case till the FIR against a TV journalist recently.

All three FIRs registered by the UIDAI's eight regional offices till date were at Bengaluru regional office.

The maximum number complaints – 1,050 – were recorded at the Authority’s Lucknow office, which has jurisdiction only over Uttar Pradesh, according to the UIDAI’ss reply.

Of these, 759 were recorded as complaints against enrolment agencies, stated the UIDAI regional office at Lucknow. The UIDAI did not file a criminal complaint or a lawsuit in any of these complaints, which were lodged by residents, as well as by district officials.

UIDAI's regional office at Lucknow got over 750 complaints against enroling agencies but did not register a single police complaint against any enrolment agencies.

From bribes to fake enrolments

In the replies shared by the UIDAI’s eight regional offices, 90% of the complaints they received related to agencies charging bribes for enrolment, even though the Aadhaar programme is to be free of cost.

The UIDAI’s recent police complaint against journalist Roy states that he violated sections 34, 35 of the Aadhaar (Targeted Delivery of Financial and Other Benefits, Subsidies and Services) Act, and the Information Technology Act, and other sections of the Indian Penal Code, when he attempted to enrol multiple times in the Aadhaar database.

However, the RTI replies received by Scroll.in show that though several complaints related to enrolment agencies registering the same person multiple times, no action was taken by the UIDAI. In one case of an operator of enrolment agency CMS Computers Ltd “using a rubber thumb to carry out fake enrolment” in Amroha district, the case was closed without a police complaint.

Other cases related to JNet, Virinchi, India Computers, Lankipalli and other agencies that were “delinquent [in] carrying out enrolment without permission” were also “resolved” without a criminal case.

The complaints show repeated instances of enrolment agencies registering fake data, misbehaviour by agency staff, agencies running centres in areas where they had no legal authorisation, and centres found running without verifying staff on inspection. There are also repeated complaints of agencies refusing to accord the biometric exception to children below 5 years, who are not required to provide finger prints or iris scans.

Even in cases where a complaint was made by an official, the UIDAI did not make a police case. For instance, in Allahabad, the district magistrate complained that enrolment agency Virgo Softech Ltd was illegally charging money from residents. The case was closed. No criminal complaint was registered against the firm.

The other cases that were resolved without criminal cases include:

In Azamgarh, Meerut and Auraiya, “Goddess Saraswati”, “Lord Ganesha”, “Jhansi ki Rani” were enrolled in the Aadhaar biometrics database.

In Basti, Gautam Budh Nagar and Ghazipur districts, Aadhaar enrolment numbers issued to a cow, a puppy and “Mantu Dog”.

In Meerut, a complaint about enroling agency Smart Chip Limited case was closed.

In Lucknow district, enrolling agency KDMSL enrolled same person multiple times but the case was resolved without a police complaint.

Residents complained about misbehaviour by the staff of enroling agency Agro Tech Engineers, but the case was closed.

In Hapur district, enrolling agency Wipro Ltd. enrolled a puppy, and then enrolled same person multiple times

Complaints pile up



The Authority’s Mumbai office (covering Gujarat, Maharashtra, Goa) said that it recorded 509 complaints, of which 447 were about agencies charging bribes. The enrolment agencies were blacklisted – no duration has been specified – but no criminal complaint was filed in even a single case.

No complaints were recorded at the UIDAI regional office in Ranchi, which works in Jharkhand, Bihar, West Bengal.

A total of 85 complaints were registered against enrolment agencies at the Hyderabad regional office (covering Andhra Pradesh, Telangana, Chhattisgarh, Odisha), of which 61 were in Telangana. UIDAI did not register a a criminal complaint in any case.

A total of 85 complaints were registered against enrolment agencies at the Hyderabad regional office. UIDAI did not take legal action in any of these instances.

The only office that filed criminal complaints against the agencies was Bengaluru. Its reply shows that of a list of 35 complaints against enrolment agencies, most of which relate to bribery allegations, the agencies were blacklisted for one year in 19 instances, and for five years in one instance.

Legal experts pointed out even though the Aadhaar Act was passed only in March 2016, the Authority could have reported these instances to the police under the IT Act, 2000, or under various sections of the Indian Penal Code. “It is surprising the Authority did not take legal action against these enroling agencies,” said Prashant Reddy Thikkavarapu, a lawyer and a researcher specialising in technology policy at the Singapore Managment University. “Even before the Aadhaar Act, the IT Act and other laws also make impersonation and misuse of data a crime.”

He added: “Also, if the enrolling agencies are being paid per enrolment under a contract, it is not enough to merely blacklist them for a few years, the Authority should also take steps to recover the payments made to these agencies.”

Suspension, no legal action

Officials of the Unique Identification Authority of India in New Delhi said it was the prerogative of the regional authorities to take legal action against the agencies. “The decision to initiate a criminal complaint or file a FIR with the police lies with the regional offices, for the enrolling firms working in their areas as per guidelines,” Vikash Shukla, senior manager, communications and public outreach with UIDAI told Scroll.in when the agency responded to RTI applications.

While nearly all details of complaints were shared by the regional offices, the UIDAI Headquarters at New Delhi stated in a reply that from September 2010 till October 2016, the Authority’s Enrolment and Update Division has suspended six agencies and canceled their empanelment.

Till date, the Authority’s Enrolment and Update Division has suspended six agencies – M/S 4G Identity Solutions, IL&FS, E-Centric Solutions, Madras Security Printers, CSS Technology and Multiwave Innovations – and canceled their empanelment, according to the reply from its New Delhi office.

The UIDAI headquarters did not provide reasons for suspension of these agencies. Here too, the Authority did not take any action against the firms, limiting itself to suspending their contracts for violating processes.

Of these, CSS — now known as Cosyn — still claimed to be working for the UIDAI on its website.

Legal experts have criticised the UIDAI for lacking clear streamlined processes in its functioning and operating without clearly designated roles and public accountability.

“The UIDAI clearly has had an ongoing transparency problem and the Aadhaar legislation enables this instead of restricting it,” said Chinmayi Arun, executive director, Centre for Communications Governance at the National Law University. “This is unconscionable from an information security as well as an essential service delivery point of view. Instead of stepping back and course-correcting the state continues to steamroll us into making ourselves very vulnerable.”



Read all Right to Information replies on complaints here.