Guest post by @St_Hill examines some problems in the use of Aadhaar where the use of the UIDAI authentication goes beyond what it was designed for and compromises the privacy or security or both of users. However, stopping use that compromises security would mean much reduced adoption of Aadhaar.
Most debates around UIDAI and Aadhaar focus on privacy concerns, security of the database and on the legality of making Aadhaar mandatory. Even if these three issues get sorted out, there are four other basic issues that need attention. In all these four issues, you will see the following common themes:
It is very likely that UIDAI knows of the existence of the issue
Entities other than UIDAI are using Aadhaar incorrectly and sometimes dangerously
UIDAI has framed policies protecting itself from implications of these wrong usages
UIDAI is unlikely to address these issues, because solving them may reduce the usage and acceptance of Aadhaar
Issue #1: UIDAI knows that Aadhaar is not an address proof, and that the industry uses it as an address proof, but will choose to remain silent about it.
Various entities allow Aadhaar to be used as both an identity proof as well as an address proof — banks for example use biometric eKYC to onboard new customers. But the reality is that UIDAI does not validate the address of every applicant. Though applicants are asked to provide an address proof for Aadhaar enrolment, it is optional — the enrolment process (and form) is designed to allow anyone to get an Aadhaar without any documents (mainly because Aadhaar is meant even for those who sleep under the flyover).
UIDAI is aware of this flaw, which explains why the Aadhaar Bill has multiple mentions of Aadhaar being a proof of identity, but has NO mentions of it being a proof of address.
It would be appropriate for UIDAI to clarify to RBI and other authorities that Aadhaar is not a proof of address, but that would mean banks and telcos would no longer be interested in eKYC — imagine if banks were asked to collect a second document as address proof despite performing a biometric eKYC. Thus if UIDAI were to “fix” this issue, eKYC (Aadhaar’s core feature) would become useless and Aadhaar’s acceptance would be impacted.
Issue #2: Aadhaar is not a proof of citizenship, but it can be used to either apply for a passport, or obtain other identity documents which can then be used to apply for a passport.
The Aadhaar Bill Section III.9 states the following:
But this hasn’t stopped the Passport office from listing Aadhaar as an acceptable document — they go even further to state that “Furnishing of Aadhaar card will expedite processing of passport applications”.
Even if the Passport office were to stop accepting Aadhaar as a valid document, a non-Indian can apply for a bank account or water connection or electricity connection using an Aadhaar number, and then apply for a passport using the bank statement or utility bill as an acceptable document.
The only way for UIDAI to address this is to declare that Aadhaar cannot be used for passport applications, public utilities, bank accounts and any other services which may then be used to apply for a passport. But of course, this would limit the usage and acceptance of Aadhaar, reducing its relevance.
Issue #3: Possession of a physical Aadhaar card should not be considered as identification in airports, trains and other places.
UIDAI does not include holograms or physical signatures or any other security information in the Aadhaar cards that are sent to applicants — it is just a colour printout of your Aadhaar information. You can also download and print your Aadhaar (even in black and white) as your Aadhaar card — print multiple ones and each one will be considered “original”.
2 thoughts on “Problems with Aadhaar card – it can provide utility or security, not both”
It is very easy to print an e-copy of the Aadhaar of the elderly. Most elderly people and middle aged women do not have their mobile numbers registered with their Aadhaar cards. In that case any mobile number can be entered at (https://eaadhaar.uidai.gov.in) for OTP and the e-copy can be downloaded. The Aadhaar-center guy did this for my mother when she had lost her Aadhaar card.
I don’t think you can download Aadhaar from the UIDAI website without authentication (OTP) so just having numbers and details may not be enough for immediate download of copies in bulk, but databases having phone numbers as well easily allow one to report a SIM card as stolen and get a replacement to authenticate the numbers – they will eventually verify your identity, but all you really need is for it to work long enough to get an OTP. A more time consuming, but still easily possible process. In my view, phone numbers and Aadhaar being saved in the same database is a pretty severe security risk for a country thinking to allow banking transactions using Aadhaar. (even if data is not made public, it can be sold by corrupt employees)