Decoding the push to link Aadhaar with mobile numbers and bank accounts

It boils down to a simple reason: Aadhaar is not a communications address

Everyone’s use of Aadhaar is two-way:

Sometimes you need to authenticate yourself to avail of a service. This is the standard use case for Aadhaar, involving either biometric or demographic authentication. Other times, UIDAI needs to get in touch with you.

Why would UIDAI need to get in touch with you?

To send you an OTP to authenticate a transaction (to your email, or as an SMS). To send you an alert about your Aadhaar being used somewhere (email or SMS). To send you some money, because Aadhaar was originally for the delivery of subsidies (in this case, to your bank account).

Nothing in Aadhaar’s design helps to authenticate that an email address or phone number or bank account actually belongs to you, and yet UIDAI needs to know this to make Aadhaar work for you.

Sure, they can ask for your biometrics before allowing you to update your email/phone/bank account, but nothing stops you from giving someone else’s email/phone/bank account. UIDAI has no way to verify they belong to you.

The public record is full of stories of people who have been denied benefits because their Aadhaar number got “seeded” with someone else’s phone and bank account. All it takes is a friendly agent helping you through the process while you aren’t paying attention.

This has been a growing crisis for some time because it threatens to undermine everything Aadhaar stands for. What is the point of secure biometric authentication, supposedly better for the underprivileged because their fingers and eyes can’t be confiscated from them, if the next step is wide open for anyone to abuse?

As is now typical with Aadhaar, given a hammer, every problem looks like a nail.

If UIDAI cannot verify your numbers, maybe do it the other way around. Force all the banks and telecom companies to link every one of their customers to Aadhaar.

This is exactly what the government is doing, in direct violation of Supreme Court orders, and with no due process. They provide all kinds of bullshit reasons, from counterterrorism to money laundering, but not the real one: Aadhaar’s design is so fundamentally defective that it is unusable without such coercion.

My bet for what is coming next: telecoms and banks will be forced to provide Aadhaar seeding data to UIDAI so that your Aadhaar number cannot be seeded with someone else’s phone and bank account. This data sharing is for your benefit, of course. (Update from Srikanth @logic: it’ll be via Digilocker. See his response to this post.)

Notice we stopped talking about email midway. Surely this explanation requires email also to be forcibly linked to Aadhaar?

Email service providers are not regulated businesses like telecom service providers. There is no TRAI or DoT to twist their arms into submission. No license to threaten cancellation of. The top three email service providers in India are likely Google (Gmail), Yahoo and Microsoft (Hotmail and Outlook). All three are multinational companies. The rest of the world doesn’t have Aadhaar, so everyone can reclassify as non-Indian to get around a mandatory link. (This technique is common to get around other country-linked restrictions.) Imagine the hue and cry if you forced a non-regulated multinational business to clamp down on Indian users or quit India. Doesn’t everyone love China for making this so straightforward?

For UIDAI’s purposes, since email businesses are uncontrollable, and (fortunately) most of India doesn’t depend on email for communications, the email hole can simply be ignored for now.

But telecoms and banks? Have muscle, will press.