An edited version of this piece appeared as two posts in Global Voices here and here. They were republished in Business Standard here and here.

Collecting image of iris for Aadhaar, Photo via Wikimedia Commons, by Kannanshanmugam. CC BY 3.0

In the last few months, the Indian twittersphere has been awash with concerned citizens pointing to government websites leaking ‘Aadhaar’ numbers.

Aadhaar is a scheme launched by the Union government of India in 2009 under which the Unique Identification Authority of India (UIDAI) will issue Unique Identity (UID) numbers to all residents of India. Under this scheme, the UID number contains basic demographic and biometric information (photograph, ten fingerprints and iris) of each individual, which is stored in a centralized database.

The scheme has so far enrolled 1.13 billion Indians, making it the world’s largest biometric database.

The Information Technology Minister Ravi Shankar Prasad (@rsprasad) tweeted.

Expanding Programs:

Aadhaar has been built to be used as an identity authentication service, which offers the possibility of multiple services being built on top of it. Ravi Shankar Prasad writes in the Times of India blog:

The government started using Aadhaar in programmes like Indian Public (food) distribution system, Pahal, Rural Employment Guarantee Scheme MGNREGS, pensions, scholarships, etc now extended to around 100 programmes. This ensures benefits reach only intended beneficiaries and cannot be siphoned off by unscrupulous middlemen.

The scheme was run under an executive order from 2009 until the Aadhaar Act was passed in 2016. The way in which it was passed met with controversy and has been challenged in the Supreme Court. In response to a Right to Information (RTI) application filed by Ujjainee Sharma and Trishna Senapaty, the UIDAI has revealed that as of June 2015, a mere 0.03 per cent of all Aadhaar numbers issued were for people without any existing identification documents.

Though the UIDAI has maintained that the scheme is voluntary, in order to expand it to as much of the population as possible, the Central government has pushed the state governments to include UID for most interactions with the government. Aman Sharma at Economic Times blog writes:

Make no mistake. Enrolling for Aadhaar is now mandatory if you wish to avail a government benefit or subsidy. The alternative mechanism to deliver you the service if you do not have an Aadhaar will kick in, that too temporarily, only if you enrol for an Aadhaar at once.

The independent news portal Scroll regularly covers issues related to UID’s linkages with various welfare programs through its Identity Project. In Delhi, food rations are being denied to those without UID numbers; in Ajmer district of Rajasthan, UID-enabled food subsidies repeatedly recorded authentication failures; and in Ranchi, only 49% of beneficiaries received foodgrains after UID was made mandatory. In spite of multiple court orders making UID voluntary and limited to selected schemes, the government continues to expand its scope.

Inadequate Infrastructures:

According to economist Jean Drèze, the new system of authentication requires a lot of fragile technologies to work at the same time, such as a point of sale machine, internet connectivity, biometrics, remote servers and mobile networks. He also notes that the main cause of corruption in disbursement of food subsidies is related to the quantity of rations distributed, or quantity fraud, which UID doesn’t address. Drèze goes on to criticize media claims of ‘ghost students’ availing Mid-Day Meals (a school lunch program to improve the nutritional status of school-age children) who have allegedly been eliminated through the scheme’s linkage with UID. Another economist who has worked extensively on these issues, Reetika Khera, points out that the exclusion of a large number of people from welfare schemes has not been because of lack of an identity, but ‘measly budgets and exclusion errors’.

Contention With The Court:

The Supreme Court issued two orders, in September 2013 and March 2014, which stated that “no person shall be deprived of any service for want of Aadhaar number in case he/she is otherwise eligible/entitled”. On August 11th, 2015, the court issued yet another order which limited the use of UID to food, kerosene and cooking gas subsidies. On October 15th, it further expanded it to four more schemes: the National Rural Employment Guarantee Scheme, Pradhan Mantri Jan Dhan Yojana (a scheme for financial inclusion), and schemes related to pension and provident fund, after the government argued that it would be difficult to roll back UID now that it is the most used national identity and is linked to service delivery in several major welfare schemes.

Security Flaws and Database Thefts:

Following the repeated arguments by the state that UID makes it possible to weed out ‘ghost beneficiaries’ and ‘de-duplicate’ multiple IDs, revelations of fake ‘UID cards’ started doing the rounds. These UID cards were issued in the name of pets, historical figures, one alleged spy and even Gods!

More recently, the Indian twittersphere has been vocal in pointing to government websites leaking sensitive information from the UID database. In February, security researcher Srinivas Kodali exposed a parallel database containing UID numbers and other details of five to six hundred thousand children.

In another case, UID numbers of scholarship-holders were on a state government website for over a year.

On March 22nd 2017, techie @St_Hill exposed the severity of the problem by showing spreadsheets of personal data that show up with a single Google search.

This was immediately taken down. But new ones still keep coming up with a simple Google search.

In yet another case, the McDonald’s India app leaked the data of 2.2 million Indians.

Under the hashtag #AadhaarLeaks, it is possible to find numerous such cases on various government websites. The leaks gained popular attention on social media when former Indian men’s cricket team captain MS Dhoni’s UID was tweeted by a UID enrollment operator.

The Government Response:

The UIDAI’s response to this was the campaign #AadhaarStars, in which parents of young children were encouraged to put up 30-second videos of what UID meant to them.

This was rejected by angry twitterati through the hashtag #AadhaarFail which is a compendium of tweets about UID-based authentication failures.

In spite of this, various government spokespersons maintain that UIDAI collects minimal information. While that is true, services based on UID collect more than minimal information. @kingslyj provides an example of two state government entities that do precisely that.

Another concern of privacy and security experts is the potential of UID to be used as a tool for mass surveillance.

Some more concerns were raised by citizens on UID as an instrument of surveillance here, here and here. Their worst fears were found to be true when a private company tweeted out a picture of what they could do with UID. The tweet has been deleted since then. But here is a copy of it tweeted by @raj_s.

The Centre for Internet and Society, a multi-disciplinary think tank, had laid down the inherent problems and pitfalls in using biometrics as an instrument of authentication in one of seven open letters to the Parliamentary Standing Committee on Finance, which was scrutinizing the then National Identification Authority of India Bill, 2010.

Dr Anupam Saraph, a global expert on complex systems, wrote about how UID “quoted on forms, displaying it on certificates and documents, storing it in registers or databases is completely illegal and punishable with a fine and imprisonment under the Aadhaar Act 2016”. Several other people have since tagged @ceo_uidai and @uidai, raising alarms against potential misuse of biometrics and leaks of UID data. But the Twitter handles of some of those who voiced the criticism have been banned by the government handles. Even more worryingly, in response to an RTI application asking the government whether they have banned anyone from their Twitter accounts, the government claims otherwise.

New Delhi-based lawyer Apar Gupta tweeted:

Revelations by legislative researcher Meghnad from a debate in the Lower House of the Parliament earlier in 2017 weren’t comforting either.

In the last couple of months, after the privacy and security-related concerns became louder, the UIDAI has shut down enrollment operators, websites and payment applications for misuse of biometrics data. The central government has even warned state departments against leaks of UID data on their portals. The UID architect, Nandan Nilekani, admitted that privacy regulation is an ‘afterthought’ of innovation and that India needs strong privacy laws, after claiming for years that the scheme has in-built privacy and security features.

Member of Parliament of the Upper House, Rajeev Chandrasekhar, did not fail to notice Nilekani’s change of heart.

In another instance, when the Chairperson of the Skoch Group, Sameer Kochhar, showed how the UID can be hacked, the UIDAI responded by accusing him of violating the Aadhaar Act, though it is still not clear which sections Kochhar is in violation of. A case was also filed against a journalist who showed on television how it was possible to obtain two separate UID numbers. More worryingly, one may never know if their data has been breached, even under RTI.

Another point of concern is that the Attorney General of India has argued in court that ‘privacy is not a fundamental right’ and has even gone on to refer to it as a concern of the elite or the corrupt. But noted legal scholar and one of the earliest critics of the UID scheme, Usha Ramanathan, urges the Supreme Court to hear the pending cases “before the government further inhibits people’s rights and liberties under the facade of ‘empowerment’”.

As the uncertainty looms, privacy researcher Amber Sinha and aforementioned security researcher Srinivas Kodali estimated the size of #AadhaarLeaks.

The report said: “These are cases in which the data has not been treated as confidential at all, and the government agencies in question have, in fact, taken pains to publish them. Rather than leaks or security breaches, these are willful and intentional instances of treating Aadhaar numbers and other PIIs (Personally Identifiable Information) as publicly shareable data by the custodians of the data.”