In a year of data breaches, India’s massive biometric programme finally found legitimacy

Should old biometrics be forgot, and never brought to mind?
Image: REUTERS/Saumya Khandelwal

After almost a decade since its launch, India’s controversial biometric identity programme, Aadhaar, finally got a measure of clarity and legitimacy in 2018—but not before a few egregious breaches were exposed.

Having enrolled over 1.22 billion Indians till November, the project saw several breaches and multiple accounts of data leaks being reported this year, intensifying fears about its security. There was even an instance of a senior official, out to prove a point about Aadhaar’s security, being left red-faced. The project also had a tragic side to it as several reports of starvation deaths across the country were traced back to the ID programme’s faulty implementation.

At the end of it all, though, Aadhaar did find redemption: In a long-awaited verdict, a clutch of petitions against the Unique Identification Authority of India (UIDAI) challenging the very legitimacy of the programme was brushed aside by the supreme court of India. Thus Aadhaar’s constitutional status was upheld.

However, this verdict may not be the end of the story yet. Recent developments indicate that the government is looking to work around the restrictions imposed by the apex court to facilitate India’s private sector.

Once more into the breach

In early January, a report in The Tribune newspaper said that access to any Aadhaar-holder’s demographic details could be purchased for just Rs500 ($7). The UIDAI, the government body that administers Aadhaar, dubbed it misreporting. However, it also filed a criminal complaint against the newspaper—the UIDAI has a record of trying to muzzle critics—for which it was widely castigated.

Though critics in India had already spoken of Aadhaar’s compromised data security practices, The Tribune report was perhaps the first to stir up an international media storm. In the months that followed, other incidents of vulnerability and breach in Aadhaar’s technical foundations were reported. This included a case in which a utility company’s website leaked Aadhaar-holders’ data (the UIDAI denied this report and reportedly considered legal action). Another report claimed that over 70 government sites had a faulty API that disclosed Aadhaar data.

Vulnerabilities in the enrolment system also came up for scrutiny this year: For instance, an alleged Pakistani spy and the Hindu god Hanuman were found to have Aadhaar numbers issued to them.

Reports even said that a version of the enrolment software had been manipulated to let individuals generate Aadhaar numbers without submitting biometric data and illegally access the UIDAI’s database.

Once again, the UIDAI denied these reports.

To prove that such security breaches weren’t possible, India’s telecom regulator, and the first director-general of the UIDAI, tweeted out his Aadhaar number in July, challenging anyone to try and do him harm. The Twittersphere obliged, with some even creating fake Aadhaar cards that passed as genuine when submitted as online ID proofs.

The awkwardness of the situation forced the UIDAI to issue a statement urging people to not reveal their Aadhaar numbers in public. 

Another major development in privacy-related news this year was the July release of the draft bill by the BN Srikrishna committee, tasked with developing a privacy law for India. The draft bill is largely reticent on Aadhaar. However, it does suggest that the Aadhaar Act be amended to bolster data protection.

Following the Aadhaar judgment, reports of security vulnerabilities have died down somewhat—but that may also be because the news cycle has moved on.

“More security breaches come out when more people are paying attention to the issue,” said Anand Venkatanarayan, a cybersecurity researcher who has done extensive work on Aadhaar. The technical architecture that Aadhaar was built upon is weak, he said, and therefore breaches “will keep happening” as long as the digital identifier is still used.

Those hit hardest

The supreme court judgment confirmed that basic benefits such as rations, pensions, and daily wages would require Aadhaar. This seemed to have overlooked a key problem: the acute hardship faced by rural India.

Certain state welfare benefits, such as food rations, are distributed after biometric Aadhaar authentication, where a person must undergo fingerprint scanning to prove one’s Aadhaar identity. However, authentication failures have been frequent in rural India, wherein people’s fingerprints do not scan properly due to multiple reasons, including weather-beaten hands. This problem disproportionately affects labourers and the elderly.

Often, such technical failures have resulted in people being denied their rations, in extreme cases reportedly leading to starvation deaths. So far in 2018, up to 28 starvation deaths—14 of which were Aadhaar-related—have been documented, according to a report this September.

“The starvation deaths are one very extreme manifestation of the problem,” Reetika Khera, an economics professor who has researched Aadhaar extensively, told Quartz. “But the fact is that on a day-to-day basis, the problems are on a massive scale and as serious—the fact that there’s no certainty of getting your ration, through no fault of your own, because the technology’s so unreliable.”

The suffering seems to continue, with two Aadhaar-linked starvation deaths reported in Jharkhand in November.

Besides, this year, Aadhaar was also made mandatory for many government health programmes, including nutrition schemes and prime minister Narendra Modi’s massive health insurance plan.

Resurrected fears

The supreme court judgment’s ban on private-sector Aadhaar use was expected to diminish much of the coercion that Indians faced—bombarded with messages by telecom firms and banks.

But recent reports claim that Modi’s cabinet approved the idea of amending the law to let private companies use Aadhaar on a voluntary basis, including seeding it alongside mobile-number data and bank-account data. “The supreme court stepped in and to a large measure through its judgment curtailed the power of the programme,” said Apar Gupta, director of the Internet Freedom Foundation. “It is a matter of regret that, through various measures, the court’s judgment is not being respected and in instances even openly flouted—most notably by private operators still insisting on its use.”

Another report from this month even said that the election commission of India is preparing to back the mandatory linkage of Aadhaar with one’s voter ID. Some worry this may even invite dangerous profiling and targeting of voters.

This year, it was revealed that Aadhaar-voter ID linking has been instituted before, though only for a few months in 2015. The effects of that campaign seem to have lasted till this day, potentially causing the disenfranchisement of millions of Indians.

The prospect of the return of voter ID linking, Khera said, is emblematic of the way Aadhaar has spread into nearly everything. “Initially, they said Aadhaar is for welfare. Then they tried it with mobile, bank, and everything. And now that function creep is coming back,” she said. “Tomorrow, they’ll say ‘we want to do biometric authentication at the time of voting.’”