Mansi Thapliyal / Reuters Authorised Aadhaar-enrolment operators used to be the most visible sign of India’s quest to capture the fingerprints, iris scans and personal details of over a billion citizens into a vast, centralised database.

Earlier this month, HuffPost India reported on how many of these operators were using a malicious software patch to find their way into the Aadhaar framework they had ostensibly been barred from. Earlier this year, this reporter wrote of how personal information from the Aadhaar database was being sold for as little as Rs 500.

These unemployed operators have used WhatsApp to organise themselves into thousands of messaging groups, creating a swarm of well-networked digital touts eking out a living by charging a minor fee to navigate Aadhaar's increasingly unwieldy bureaucracy.

As a consequence, the UIDAI has created a security nightmare by giving hundreds of thousands of poorly supervised private individuals access to the world's largest biometric database, and then robbing them of their employment overnight.

Today, these operators who have a rudimentary formal education but an instinctive grasp of the Aadhaar ecosystem, have turned into the system's Achilles' heel by participating in a thriving grey market to enrol new users without verifying supporting documents, to update user information without authorisation, and to extract reams of sensitive information despite the UIDAI's ardent claims to the contrary.

By February 2017, over 628,000 people from across the country had signed up as certified Aadhaar operators and supervisors. So when the Unique Identification Authority of India (UIDAI)—the agency overseeing Aadhaar—barred private operators from the Aadhaar enrolment process, hundreds of thousands of them were left jobless and on the brink of poverty.

A year ago, these men with their battered laptops, matchbox-sized biometric scanners and GPS dongles, were authorised Aadhaar-enrolment operators—the most visible sign of India's quest to capture the fingerprints, iris scans and personal details of over a billion citizens into a vast, centralised database. Some worked for private enrolment companies, others had set themselves up as "village-level entrepreneurs" (VLEs) under a government scheme.

JALANDHAR, Punjab — On Wednesday, hours after the Supreme Court upheld the constitutionality of Aadhaar , India's controversial biometric identity project, WhatsApp groups populated by hundreds of young men sitting in rickety computer kiosks installed in villages, cities and hamlets across the country were abuzz with activity.

'A Stable Source Of Income'

Ram Lal became an enrolment operator in 2016, when a road-widening project in Punjab's Sangrur district uprooted the small cell phone and downloading shop he ran on the highway just outside Khanauli village.

Lal was 37 years old at the time, and with few prospects of employment.

"It was the most difficult time for me," said Lal, who dropped out of school in Class 10. "I was unable to pay school fees for my two children. We were reduced to eating one meal a day."

There are few jobs to be had in Khanauli, where the local economy is still almost entirely supported by farming. So when Lal heard that the local Common Services Centre (CSC) had openings for Aadhaar enrolment operators, he paid Rs 12,500 to the local district manager to sign up as a VLE. CSCs are a network of village computer centres to help rural residents access e-governance services such as pensions, student scholarships and ration cards, for a minor transaction fee paid to the VLEs who run them.

At the time Lal signed up, CSCs had emerged as an important node for Aadhaar enrolment. Till date, CSCs have enrolled close to 190 million Indians into the Aadhaar framework, making them the single largest contributor to the scheme. As of 2015-16, the most recent data published by the government, printing Aadhaar cards accounted for the largest number of CSC transactions. As per an agreement with the UIDAI, enrolment operators would be paid Rs 50 for every successful Aadhaar enrolment.

For Lal, running an Aadhaar enrolment centre seemed like a stable source of income.

To make this happen, he took a loan, and sold his wife's ornaments to buy the biometric devices needed for Aadhaar enrolment. "As I was unable to buy new machines, the district manager bought me old ones for Rs 59,000," he said.

Lal was not alone. The millions of jobs promised by the Narendra Modi government never materialised, and in an economy where youth unemployment is running at 16%, and 82% of men and 92% of women earn less than Rs 10,000 a month, the role of an Aadhaar operator carried a faint patina of white-collar work, and the gloss of the prime minister's frequent invocations of the promise of "Digital India".

"Many of these youths who have studied up to the senior secondary level dipped into their family savings of up to Rs 3 lakh to set up computer kiosks to offer e-governance services to the common citizens," said Ravneet Singh, former district manager for CSC in Sangrur.

The costs include the biometric devices to capture biometrics and iris scan, the computer, printer, hiring an assistant and paying rent for the shop. Start-up costs often include bribes of up to Rs 50,000 to the enrolment agencies to get their enrolment credentials activated out of turn.

In 2017, a year after Lal set up his shop, the UIDAI terminated Aadhaar services at CSCs, and his life was upended once again. Under pressure for faulty enrolments, data leakage and a lax approach to security, the authority turned the most vulnerable links in its data-chain into scapegoats by pinning the blame for all the system's flaws—structural problems, human error, and poor planning—on the enrolment operators.

The authority mandated that all enrolments move to government premises and banks, terminated all private enrolment agencies and discontinued its contract with CSCs. Lal was jobless once again.

"People used to stand in long queues since morning," Lal said, recalling the heyday of Aadhaar enrolments, when the government sought to make an Aadhaar number mandatory for accessing practically every public and private service. "However, the place got deserted soon after the service was taken away from us. The footfall now is restricted to only 4-5 people on a single day."

"I ran from pillar to post for the next six months to get myself enrolled as an Aadhaar operator in a bank or a post office," he said. "But the local agents demanded around Rs 50,000 to get me a place in any of the government premises. I could not pay."

The family survived on the pension of his father, who retired as a driver from Punjab Roadways, while Lal's computer, printer and biometric reader gathered dust, the interest payments on his loans piled up.

Bypassing UIDAI's Security

The only qualification to become an Aadhaar enrolment operator is to be above the age of 18, and to have an Aadhaar number. Candidates are expected to have passed their Class 12 examinations, but HuffPost India interviewed a number of enrolment operators who had dropped out of school much earlier.

Operators are not required to go through any police verification, and merely have to sit through perfunctory training. The operators were made to clear a customary exam to activate their credentials and each operator is assigned to a particular computer registered by the UIDAI.

The enrolment software has a rudimentary security feature where it checks the operator's physical fingerprints against a copy of their prints stored on the computer to ensure that only authorised operators can use the system.

"We were promised a commission of Rs 50 on every successful generation of new Aadhaar number," said Srikant Singh, a Varanasi-based enrolment operator and secretary of the Jan Sewa Sanchalak Samiti, which runs CSCs in Uttar Pradesh. "While we enrolled hundreds of citizens every day, majority of us used to get only Rs 3,000-6,000 monthly,"

A review of police FIRs and press reports suggests that many enrolment centres came up with ingenious ways to enrol as many people as possible. One of the earliest instances of enrolment fraud came to light in 2012 when the Andhra Pradesh police and UIDAI found that a 22-year-old enrolment operator had enrolled 30,000 people in six months from 20 different centres in Hyderabad's old city—suggesting he had farmed out his operator credentials.

In subsequent years, security breaches of this sort became so routine that they often stayed on the city pages of local newspaper editions. In one well-known method, operators were found to be using synthetically created "fake fingers" to spoof biometric readers, until a freely available malicious software patch made it possible to bypass the enrolment software's security features all together.

Operators set up their own WhatsApp groups, YouTube channels and Google forums to help each other find ways to work around the UIDAI's security protocols. Over time, enrolment agency and WhatsApp groups came to resemble a low-tech version of the user-forum form of knowledge sharing that is hard-coded into the DNA of the internet.

Promising Access

When the the UIDAI terminated all private enrolment, the numerous WhatsApp groups focused their energies on ways of working around the system.

In October 2017, a few days after the UIDAI barred private operators, some operator WhatsApp groups lit up with the following message: