Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act Archives « Aam Janata

Linking Aadhaar[1] to bank accounts is a recipe for creating benami[2] bank accounts and scaling benami bank transactions. It threatens to destroy your bank accounts and destroy the country’s banking system. It’s devastating that the integrity of banking processes is being destroyed by dividing, outsourcing and privatising processes integral to core banking so that they become the responsibility of no one.

Destroying the banking system

India’s Department of Revenue (DoR) has done it again.

On June 1, 2017 vide Notification №2/F .No. P.12011/11/2016-ES Cell-DOR it mandates the linking of every bank account with an Aadhaar number before December 31, 2017. While lawyers point out several illegalities, including the scope, of the notification of this subordinate legislation under the Prevention of Money Laundering Act (PMLA), the failure of the DoR to consistently protect national interest is unbelievable.

A few days back a co-panelist on a TV channel defended the DoR arguing that linking Aadhaar to Bank Accounts will weed out money laundering by verifying bank accounts. What my co-panelist did not say is money laundering is facilitated by creating benami accounts. It is also facilitated by benami transactions. Nor did my co-panelist explain how benami accounts happen or how benami transactions are scaled by money-launderers.

This latest notification ensures that the Trojan horse that they instilled into the banking system on January 27, 2011, will destroy the Indian economy along with the Indian banking system. As feared by the Reserve Bank of India before January 2011, Aadhaar is yet the best state sponsored enabling mechanism for money launderers to enable benami bank accounts. Aadhaar can even help the money launderer to take over your bank accounts. Aadhaar is also the enabler to scale benami transactions.

Here are just 5 ways in which linking the Aadhaar to PAN[3] or a bank account will hurt you and destroy India and, for those who care, an explanation of how Aadhaar creates benami bank accounts and scales benami transactions.

The innocent will lose money, reputation and access to justice, dignity and livelihood

One, the innocent will lose money, reputation and access to justice, dignity and livelihood as their Aadhaar numbers can act as mules for money laundering, their subsidy and other Aadhaar enabled payments can be easily compromised, their access to their own bank accounts be denied, or they can be framed for economic offences. Helpless citizens and businesses may also find themselves at the receiving end of covert human rights violations as even their access to money and existence is disabled by deactivation or blocking of Aadhaar leaving no recourse to survival.

Linking Aadhaar to bank accounts or PAN converts India into the new tax haven for money launderers

Two, linking Aadhaar to bank accounts or PAN converts India into the new tax haven for money launderers as it becomes easy to remotely create benami accounts and operate benami transactions while claiming complete legitimacy. This will destroy India’s economy and governance.

Financing crime and terrorism will grow uncontrollably

Three, financing crime and terrorism will grow uncontrollably as it becomes increasingly difficult to discover, report or close down such operations. This will make it impossible to ensure national security as the rule of law is destroyed.

Corruption will increase

Four, corruption will increase, as it becomes easier when the proceeds are not traceable to the corrupt. It will be increasingly difficult to restore swarajya and impossible to ensure surajya.

Banks will not be able to contain non-performing-assets

Five, banks will not be able to contain non-performing-assets, fraud and financial misappropriation as the real users of banking services will be untraceable. The economy will be completely out of control as the black and white economies become indistinguishable.

We are in a policy vacuum as the NITI Aayog and the bureaucracy have failed to recognise the Trojan horse and protect national interest. Unless the RBI de-licenses the payments systems based on Aadhaar (AEPS) immediately and the government stays linking Aadhaar to PAN and bank accounts, our leadership will have failed to protect India from this fast colonisation of India by the private interests driving Aadhaar.

Enabling Benami Bank Accounts

Benami accounts get created when banks fail to identify the real customers who own the accounts. The Panama Papers exposed data of thousands of benami accounts created through a Panamanian law firm, Mossack Fonseca. The Panama Papers exposed one modus operandi of hiding the real owners of the assets in tax havens.

The use of Aadhaar as KYC for bank accounts is similar to the note from Panama Law Firm Mossack Fonseca saying “they are an honest client”

Prudent bankers recognise the importance of knowing who they bank with. It is no wonder that the RBI had warned, right from before the Trojan horse was instilled in to the RBI in 2011, that the Aadhaar enrolment process does not have due diligence. It pointed out that for Aadhaar enrolment verification is not compulsory, as confirmed by the UIDAI in the Demographic Data Standards and Verification Procedure, and does not require document based verification.

The RBI also highlighted that such use of Aadhaar as third party identification is against Prevention of Money Laundering Act, the Financial Action Task Force (FATF) and the paper issued on Customer Due Diligence (CDD) for banks by the Basel Committee on Banking Supervision and circulated to scheduled commercial banks by the RBI on November 29, 2004.

The RBI also observed that a fixed time document like the Aadhaar cannot be a Proof of Address. It further cautioned using Business Correspondents (BC), to open bank accounts or undertake banking transactions, as the vulnerability of the system has not been tested and co-mingling funds of different banks in the hands of BC’s was a major operational risk to the banks. While resisting the use of Aadhaar, the RBI also highlighted the Government’s concern about the perceived misuse of such accounts for terrorist financing.

Under pressure from the UIDAI and the Department of Revenue, Ministry of Finance, the RBI, through its circular dated January 27, 2011, allowed bank accounts to be opened exclusively on the basis of Aadhaar number. However the RBI required such accounts to be put to restrictions and be subjected to conditions and limitations prescribed for small accounts.

Not happy with the restrictions, the UIDAI pressed the RBI to lift the restrictions placed on accounts opened with Aadhaar numbers under the PMLA. On September 28, 2011, again through the Department of Revenue, the UIDAI succeeded in getting the RBI to backtrack and suspend the restrictions of the PMLA on bank accounts opened solely through Aadhaar. The UIDAI also succeeded in causing the RBI further to accept eKYC or remotely using information associated with an Aadhaar number as KYC. According to the UIDAI eKYC brings scale to the ease of onboarding customers.

To put the problem in perspective, Aadhaar enrolment was completely outsourced to private parties by the UIDAI with the sole aim of building the world’s largest biometric database. Mr. Nilekani’s UIDAI repeatedly emphasised that they merely provided a framework to issue a number and store the (unverified and unaudited) data.

UIDAI admits that the Aadhaar (UID) database has never been verified or audited

No one from the UIDAI or even the government signs the Aadhaar card that is mailed back to the enrolee. The very same organisations that were declared by the UIDAI as holding databases full of ghosts and duplicates were asked to serve as “Registrars” to the enrolment process. They were even given flexibility in the collection, retention and use of the data (including biometric) that they collected.

Without a verification and audit Aadhaar enables duplicates and ghosts

No one in the Aadhaar enrolment process was required to identify anyone. At best they had to merely verify documents that were submitted for enrolment. Needless to say anyone in possession of your documents could enrol with minor changes in any demographic information or with different biometrics. Field stories of enrolments are replete with descriptions of biometric jugaad including using combination of persons, use of biometric masks, biometric modifications, and other ingenious methods to maximise registrations.

According to the IT Minister Ravi Shankar Prasad, 34,000 operators who tried to make fake Aadhaar Cards have been blacklisted. Even if each operator worked for a year before being blacklisted, at about 100 cards a day that amounts to over a billion cards. That is more than 95 percent of the database. The Aadhaar enrolment has been unlike that of any other identity document, easily scaling the creation of duplicate and ghost identities.

Excerpt of IT Minister Ravi Shankar Prasad’s reply in Rajya Sabha on April 10, 2017

While there is widespread belief that biometric authentication at time of opening a bank account prevents benami, it ignores the field realities of mobile phone SIM cards being issued on Aadhaar photocopies and used to open bank accounts, of having remotely “downloadable” accounts, and also plain simple use of photocopies of Aadhaar or parallel Aadhaar databases to open bank accounts. With Aadhaar, banks do not have any trace of the real customer. The real customer is simply masked by a benami owner using an Aadhaar number.
Even your Aadhaar can be used, without your knowledge, by a perpetrator to open multiple accounts in order to use it to collect bribes, park black money, or siphon your subsidies. In the eyes of law enforcement, if these accounts are discovered, you will be the criminal.

Is Aadhaar the new Panama?

To compound the problem, UIDAI has no liability for benami bank accounts opened with Aadhaar. After the introduction of the Aadhaar to open bank accounts, the accounts and deposits have doubled in 5 years. No one knows who really controls these accounts.

Growth of bank accounts and deposits in India

Enabling Benami transactions

Even when it had no mandate to develop banking platforms, in 2009, the UIDAI signed an MoU with the National Payments Corporation of India (NPCI), a non government company, to develop an Aadhaar Enabled Payment System (AEPS). In this MoU the UIDAI has no responsibility for your banking transactions and the NPCI has no obligation to the RBI. The payment system uses the Aadhaar linked to a bank account as a financial address to do electronic money transfers from one Aadhaar number to another.

Company data for NPCI

Unless an Aadhaar is linked to the account, the AEPS cannot access the bank account. Linking a PAN to the Aadhaar will have the same effect as linking the Aadhaar to a bank account as the PAN is already linked to the bank account. Such accounts become Aadhaar enabled. Aadhaar enabled bank accounts are ready to be used by the AEPS for Aadhaar to Aadhaar money transfers.

Linking an Aadhaar to a bank account is done through a process called “seeding” an Aadhaar number to a bank account. After receiving the Aadhaar number from the customer, the bank uploads the number into the “NPCI mapper”, a repository of Aadhaar numbers and Institution Identification Numbers (IINs) used for routing transactions to the destination banks. The IIN is a unique 6-digit number issued by NPCI to the participating bank. If you or anyone else seeds your Aadhaar with another bank account, the NPCI mapper is overwritten with the new bank’s IIN. Money transferred to an Aadhaar number, using the Aadhaar Enabled Payment System, gets transferred to the bank account linked to the Aadhaar number at the branch recognised by the IIN.

A money launderer can transfer money to an account linked to an alternate IIN and then re-seed the NPCI’s mapper with the original IIN for the Aadhaar number, completely wiping out any trace of money to the alternate IIN. Like transactions of bearer shares in Panama, such money transfers become no different from a hawala[4] transaction between real parties who remain anonymous or benami[5].
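The auditability gap described above can be shown with a small model. This is an added example, not code from the article or from NPCI: it contrasts an overwrite-only mapper with one that keeps an append-only seeding history, and flags transfers that landed while a short-lived IIN was in effect. All class names, identifiers, IINs and timestamps are constructed for illustration.

```python
# Added illustration: toy model of the Aadhaar-to-IIN mapper as the article
# describes it. Class names, IINs, identifiers and timestamps are constructed;
# this is not NPCI code.
from dataclasses import dataclass


@dataclass(frozen=True)
class SeedEvent:
    ts: int        # upload time in seconds (constructed clock)
    aadhaar: str   # placeholder identifier, not a real number
    iin: str       # 6-digit Institution Identification Number


@dataclass(frozen=True)
class Transfer:
    ts: int
    aadhaar: str   # destination "financial address"
    amount: int


class OverwriteMapper:
    """Last-write-wins table: each seeding replaces the previous IIN."""

    def __init__(self):
        self.table = {}

    def seed(self, ev):
        self.table[ev.aadhaar] = ev.iin

    def route(self, aadhaar):
        return self.table.get(aadhaar)


class AuditedMapper(OverwriteMapper):
    """Same routing, but every seeding is also kept in an append-only log."""

    def __init__(self):
        super().__init__()
        self.history = []

    def seed(self, ev):
        super().seed(ev)
        self.history.append(ev)

    def events_for(self, aadhaar):
        return sorted((e for e in self.history if e.aadhaar == aadhaar),
                      key=lambda e: e.ts)

    def iin_at(self, aadhaar, ts):
        """IIN that was in effect for this identifier at time ts."""
        current = None
        for ev in self.events_for(aadhaar):
            if ev.ts <= ts:
                current = ev.iin
        return current


def find_reseed_reverts(mapper, transfers, window):
    """Flag transfers routed via an IIN that replaced another IIN at most
    `window` seconds before the transfer and was itself replaced by that
    original IIN at most `window` seconds after it."""
    flagged = []
    for t in transfers:
        evs = mapper.events_for(t.aadhaar)
        idx = max((i for i, e in enumerate(evs) if e.ts <= t.ts), default=None)
        if idx is None or idx == 0 or idx + 1 >= len(evs):
            continue  # no earlier or no later seeding to compare against
        prev, cur, nxt = evs[idx - 1], evs[idx], evs[idx + 1]
        reverted = prev.iin == nxt.iin and cur.iin != prev.iin
        close = t.ts - cur.ts <= window and nxt.ts - t.ts <= window
        if reverted and close:
            flagged.append((t, cur.iin, prev.iin))
    return flagged


def demo():
    # Constructed seeding log and transfers.
    events = [
        SeedEvent(0, "ID-A", "111111"),
        SeedEvent(1000, "ID-B", "222222"),
        SeedEvent(5000, "ID-A", "999999"),  # re-seed to an alternate IIN
        SeedEvent(5600, "ID-A", "111111"),  # revert to the original IIN
        SeedEvent(9000, "ID-B", "333333"),  # ordinary bank switch, no revert
    ]
    transfers = [
        Transfer(5300, "ID-A", 50000),      # lands while 999999 is in effect
        Transfer(9500, "ID-B", 1200),
    ]
    plain, audited = OverwriteMapper(), AuditedMapper()
    for ev in events:
        plain.seed(ev)
        audited.seed(ev)
    return plain, audited, find_reseed_reverts(audited, transfers, window=3600)


if __name__ == "__main__":
    plain, audited, flagged = demo()
    print("overwrite-only table:", plain.table)
    print("flagged transfers:", flagged)
```

After the revert, the overwrite-only table shows only the original IIN; the question of where the transfer was routed can be answered only from the seeding history.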

Your Aadhaar number can be used to facilitate such benami money transfers. If these money transfers linked to your Aadhaar number are detected by investigation officers or tax authorities, you, not the real operator will be held on suspicion of economic offences.

The NPCI’s idea of Aadhaar to Aadhaar banking itself is flawed. It is surprising if the RBI has licensed this payment system under the Payment and Settlements Act.

All money is ultimately stored in bank accounts and not in the name of a person. Nowhere in the world does one transfer money to a person; you transfer it to a person’s account. Transferring money to and from a bank account makes every money transfer traceable from source to destination, making money laundering difficult, if not impossible.

Hawala schemes make money transfers untraceable by eliminating the bank accounts. Money transfers that, like the hawala, are based on the premise that you do not share an account number, with someone transferring money to you, are inherently flawed in auditability as they wipe out the money trail.

The idea of a mapper, as used by NPCI’s AEPS, does not allow for instructions from sender but relies on periodic update of IIN in the NPCI’s table mapping Aadhaar numbers from banks. As multiple banks have to upload the Aadhaar numbers seeded with accounts held by them, this cannot guarantee desired results.

Perhaps the worst aspect of the mapper is that it slices the business process and outsources parts. This removes responsibility for the payment system from any single party, unlike in the case of NEFT or RTGS. Neither the NPCI, the UIDAI nor the banks are responsible in such money transfers. They merely provide “look-up” services. In this system, a single compromised or rogue bank branch, or the perpetrator’s ability to exploit a good one, is enough to siphon off subsidy, park black money or take bribes.

Such money transfers would be difficult, if not impossible, to trace without a whistleblower. A few cases have been reported that suggest the large scale play of this scenario already. For example more than 40,000 erroneous transfers were reported through AEPS in DBT transfers meant as part of drought relief for farmers in Karnataka. The government allegedly blamed the banks for failure to seed the correct Aadhaar numbers with the beneficiaries.

Governments across India had been using the RBI’s own payment system, the NEFT or RTGS, to undertake electronic money transfers. This is also evidenced by the fact that Aadhaar Leaks has exposed that bank details are already present in every record of the leaked data. There is absolutely no reason to switch public payments from NEFT to AEPS, run by a non-government company.

The replacement of a time tested standard of electronic money transfers under government regulation by a non-standard payment system run by a non-government company raises several serious questions of national and public interest, propriety and possible conflicts of interest.

Preventing disaster

If the government and the Supreme Court implement the wisdom of 7 orders of the Supreme Court of India on the use of Aadhaar, they can yet save the country from disaster resulting from the colonisation of India by the new East India Companies or the private interests driving Aadhaar.

In its first order of September 23, 2011 the Supreme Court had indicated that “no person should suffer for not getting the Aadhaar card inspite of the fact that some authority had issued a circular making it mandatory and when any person applies to get the Aadhaar Card voluntarily”.

On August 11, 2015, the 3 member bench restricted the use of Aadhaar and indicated that it may not be used for any other purpose.

On October 15, 2015, a 5 member bench led by the Chief Justice had emphasised that “the Aadhaar card Scheme is purely voluntary and it cannot be made mandatory till the matter is finally decided by this Court”. It had restricted the voluntary use of Aadhaar to public distribution system (PDS) Scheme, the liquefied petroleum gas (LPG) distribution scheme, the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), National Social Assistance Programme (Old Age Pensions, Widow Pensions, Disability Pensions), Prime Minister’s Jan Dhan Yojana (PMJDY) and Employees’ Provident Fund Organisation (EPFO).

In the meantime, following Mahatma Gandhi’s footsteps and refusing to link Aadhaar to anything may be the only option left for you.

On 10 January 1908 Mahatma Gandhi was arrested for the first time in South Africa for refusing to carry an obligatory identity document card commonly known as the ‘pass’.

[1] Aadhaar is a 12 digit random number assigned by India’s Unique Identification Authority of India to unaudited and unverified demographic and biometric information submitted by private enrollers.
[2] Accounts and transactions undertaken using a ghost or a duplicate identity are called benami.
[3] Permanent Account Number or PAN is a number used to track financial transactions and file income tax returns in India.
[4] Hawala is an alternative or parallel remittance system that works outside formal banking systems.
[5] This was first highlighted in September 2014 in http://www.moneylife.in/article/how-aadhaar-linkage-can-destroy-banks/38736.html

 

Originally published here.

Something strange came to my attention today. An otherwise anonymous Twitter profile, but it had an Aadhaar UID number in the place of the name. The profile said the person was a IITian, a Brajwasi, Swayamsewak, BJPite, Gaurakshak and slave of the Indian state. Oooookay.

After speaking and tweeting and writing critically about the Aadhaar (as well as the Modi government), finding Modi supporters who will go to any extents, however insane to defend whatever he does has sort of started looking like a normal occurrence.

I believed that the Twitter handle was challenging those who claim Aadhaar to be vulnerable to hack it and prove it. After all, Aadhaar's greatest fake troll profile, run by Sharad Sharma himself had once tossed out a number saying it was an Aadhaar number as a challenge. It wasn't inconceivable that another person would pull a similar stunt.

And honestly, after the brazen arguments the government had made in court to deny Indians a right to privacy, I was pissed enough to want to show someone just how far a person could go with an access to an Aadhaar number. So, the first order of the day was to check whether the number was an actual Aadhaar number. For those who don't know, this part is easy. UIDAI will do it for you without giving out too much identifiable information without authentication. The number was real.

Okay, so that raised the stakes a bit. Someone's UID was out there. You read "gourakshak" on a profile and given the sort of news making headlines on a daily basis, you want to make sure at the very least that it is their own identity they are compromising and not some hapless other person's. So I decided to find out who he was. It was fairly easy to find his Facebook profile. That gave me his name and surname. Searching for that name and surname along with "Uttar Pradesh" (from the UIDAI website in above screenshot) got me one potential hit on a relatively less known networking site.

I now had an email and phone number. The last three digits of the phone number didn't match those on the UIDAI website - last digit was different. As far as phone numbers go, a non-match is a non-match, but I remember making a note of it. I plugged the number I had into truecaller. That number gave me a domain name as his website.

The .in TLD doesn't offer privacy - I know this as someone who owns .in domains. So the chances were good that the information he provided the registrar while booking, was public. So I checked the whois data of that website, and voila. I had a phone number for him with three digits that matched the UIDAI website, as well as an address. Incidentally, it differed from the first number by only one digit.

Truecaller showed his name for the second number as well. This isn't a careless man. This phone profile hardly had much public information and it was used for what you'd call digital assets - ownership of a site, ownership of digital identity. The other seems to be the one for more casual use. But he'd made a big mistake using it for buying a domain that didn't protect his contact information.

How far can a person go with this information? I don't know. Available information suggests very very far, with some skill and tenacity. But it was about as far as I was willing to go to make a point about an irritation on Social Media. So far everything I had accessed was publicly available information, only collected from various sites and the address and three digits of the phone number matching that gave me the verification of the anonymous profile was publicly available information. The government may not believe citizens have a right to privacy, but I do, so I did not proceed further. I had all this in less than 15 minutes of idling around on my computer. No major effort needed.

I may have drawn an ethical line, but I wasn't done being irritated with the foolishness and decided that at the very least, a good scare was in order. I would ask him why he had put that number there, and if he issued a Sharad-like challenge to hack it, I'd reply with partial data for his personal information to show how easy it was to know his Aadhaar number and the phone number linked to it and given the straight matches in data, I wouldn't be surprised if the address was correct too.

So I asked him. And I was in for the shock of my life. You may read the Twitter conversation that followed from this tweet on Twitter:

Suffice it to say, this man is batshit crazy. He is also probably the only Modi supporter I respect. He believes in Modi, but he is alarmed about several of his decisions and is definitely against Aadhaar. He is being forced to link his Aadhaar to everything, so in a protest of extreme compliance, he is attaching his Aadhaar to his identity EVERYWHERE. Twitter included. As you see in the thread, once I realized what he is doing, I was uncharacteristically polite with him. Because damn hell, if this isn't a Gandhian Satyagraha being done by a bhakt no less. Talk of the mind benders Twitter can throw at you. Long story short, I tried and failed to convince him to protect himself. I even told him the information I found out about him and how easily, but he did not relent.

"First they ignore you, then they laugh at you, then they fight you, then you win." - Mahatma Gandhi

Done ignoring him, laughing at his folly, fighting to convince him, I had to concede he won. So I am now helping make sure his sacrifice does not go in vain. Yep. Let history note this moment, I'm openly supporting the actions of a staunch supporter of Modi - of all people.

Here is his explanation for why he is doing this. I hope the Modi and his cartel realize the kind of faith gullible people invest in them and try to serve citizens honestly instead of this digital colonization being imposed on the country without regard for individual or national safety.

I am an IITian. I studied Computer Science & Engineering for about half a decade at IIT Kharagpur. I thereby am quite initiated into the innate nuances and implications of the universe of computing. However my personal convictions took me to serve my homeland in Braj - the land of Sri Krishna - where I have been fighting relentless battles to protect, preserve and restore the heritage associated with Krishna's pastimes.
 
I have been chased by mining mafia on gun point for resisting their attempt to decimate the heritage hills of Krishna frequented by millions from across the globe; have been wounded by encroachers in our bid to transform sludge tanks back to their natural splendour; have been extended death threats by the goons of religious organisations for pressing the practice of the precept; have been booked under various malicious sections of the IPC by errand officials of the state who couldn't respond to the intellectual contest thus posed. I have been a fighter who has put my entire self to risk to bring home a point. So I don't fear anything.
 
I do revere Prime Minister Narendra Modi, have immense respect for his sincere hard work, original thinking and political gravitas, but am getting extensively alarmed with his inordinate push for policies, projects and platforms without mulling over their far reaching implications both internally and internationally. Developing India within a single generation is a laudable vision, but can it be advanced at once by pushing the simpleton citizenry of this country to a precipice, remains a perpetual concern for me as a die-hard nationalist, developmental professional and technical insider.
 
Aadhar is one such platform which never had had enticed me since inception. I have seen it as an abrogation of personal liberties in consonance with Gandhi's discomfort of carrying a fingerprinted ID paper while being in South Africa. Gandhian protest of those times sufficed with the doctrine of Passive Resistance and mass scale Civil Disobedience. But the dynamics in an ever inter-connected information age call for a different set of techniques to protest the supposed wrong doings on the part of powers of the day where citizens are being robbed off their basic liberties by a host of sinister but smart machinizations. You can only offer a creative resistance to such an oppression which does unfurl itself in ennobling eccentricities and eclectic excuses.
 
I thereby have chosen to 'purge' this all pervading monster of Aadhar by laying it open in the public domain. I chose this 98th Anniversary of Lokmanya Bal Gangadhar Tilak's death as it's somewhere the death of the ideal of Swaraj which he propounded and charged up the nation toiling under the clutches of British tyranny. The Aadhar tyranny is not going to be any different, it would be even worse.
 
If this is the ID, which would ensure my very existence, let it be out in the open. Let I surrender and forfeit my social identity of my name, surname, caste, religion et al and simply graduate to this all powerful ID. If this ID is required to make India a surveillance state, I am all out eager to wear a badge to this effect and to take a gps tracer injected in my blood stream so that the agents of the state can keep track of me in real time - What all I do, how much I do, how much more productive I can be.
 
I am all out to surrender myself as the Slave of Indian State, a condemned inmate who has got no rights & liberties. Let this Creative Resistance of mine be explicitly known to the mandarins of the state whose fetish for power is incessantly insatiable. Let me persecute & purge my own self dignity which was dearer to me more than my physical life for this incessant striving for a supposed national transformation. I invite the Indian State and all its actors to pounce upon me and squeeze out the minutest strands of self-pride, honor and self-respect left in me. I am after all an inmate of World's largest prison called India. I am all out to celebrate this. Are you game?

~ Raghav

With the government making the Aadhaar-PAN linkage mandatory, many people now find themselves in a position where the government has them by their money. Either forfeit the tax deducted at source or get an Aadhaar. Welcome, you prosperous people, to what those climbing trees to get their right to food have been going through for a while now. Give up your biometrics, or give up your hard earned money. Maybe you don't need to do either.

I was forced to get an Aadhaar when my father died because it got too much to handle all the places needing a change of name and wanting an Aadhaar. With disabled kid and mom, I didn't have the resources to get into protracted wars and I caved. I still regret it. But maybe some preventative measures could prevent you from sharing my fate.

Now I find various like minded people who have determinedly refused to get an Aadhaar made being forced to choose between their money and their security by a government hell bent on forcing security risks on citizens.

I don't know if this will work. But it is worth a shot. Even if it doesn't work fully, whichever parts of it work will bring some measure of privacy, if you are in a position to not be able to give up large sums of money due to you and find yourself forced to get an Aadhaar made. And frankly, why should any blackmailer make a monetary profit from their blackmail?

Step 0: Get an Aadhaar with as little non-disposable information as possible

Don't fill in any information that is not mandatory. Use a rented address rather than your permanent one. Or someone else's address - if homeless people can get Aadhaar, surely you can find a place, not yours to call home temporarily. Buy a separate SIM for Aadhaar use. Don't use your real number for it. I'd probably be doing all I could to make sure my fingerprints too appeared different, but I have no practical ideas on how to achieve it. Maybe use sandpaper. Or work on a construction site before going to make an Aadhaar? God knows enough poor labourers have been denied food because of such damage to fingerprints creating a mismatch.

Update: Some people said you can no longer get a SIM without Aadhaar. In this case, get the Aadhaar with your normal SIM and after you get Aadhaar, get a new SIM and update your Aadhaar to use that SIM.

Step 1: Get a bank account using the Aadhaar

Apparently, you don't get a tax refund unless your Aadhaar is linked to your PAN as well as a bank account (you end up providing bank account while filing anyway). So use a disposable bank account for that. Withdraw your refunds from ATMs. Don't transfer to your real accounts. Don't link your other accounts with Aadhaar.

Step 2: Use your Aadhaar wala phone with this bank account

Don't use this SIM for anything other than the bank and Aadhaar.

Step 3: Link this Aadhaar with your PAN

File taxes online as normal, give your Aadhaar number to the spy state and "prove" that your PAN is real. Get a refund into your bogus real account.

Step 4: Keep this toxic circus safe from your real life

Withdraw your refunds from ATMs. Don't transfer to your real accounts. Leave the phone with the SIM at home and don't take it around with you. Better still, someone else's home. Keep your physical Aadhaar card in a locker and forget about it. Do not photocopy, do not submit anywhere.

Last step

When Aadhaar inevitably fails, throw that SIM away, close the damn bank account and console all the scammed people.

 

To worshippers of Aadhaar who will outrage at this subversion - note, none of this is illegal

You can do what you wish with your own body, including work hard on a construction site and wreck your fingerprints. Buying SIM cards is legal, creating bank accounts is legal, renting homes is legal. The government wants to "authenticate" that people filing taxes are "real" people and is pretending entire bank statements don't prove it. Well, unless the government intends to use the information to spy on people, this stripped version of compliance that protects our data to at least some extent shouldn't be a problem for them.

So go fuck yourself.


The ongoing denial of Aadhaar vulnerabilities by UIDAI and the government remains a concern. Many people don't understand how Aadhaar could be a problem. There are many documented ways in which the integrity of Aadhaar data is already rendered questionable, but here are some ways that anyone could pull off with some effort.

For the purposes of this post - you are a scammer. A criminal.

Step 0: Acquire a few photocopies of Aadhaar

This is the starting point. Your Aadhaar number is supposed to be known only to yourself, but the reckless linking of Aadhaar with everything has ensured that photocopies of Aadhaar are, in reality, being handed out to anyone from international couriers to schools. If you're inclined to be a criminal, there is probably no shortage of sources of Aadhaar numbers. No, it doesn't matter even if people have written the purpose and signed on them. You could probably randomly collect a few photocopies of Aadhaar from people by making it "mandatory" - like your driver or maid must give you a copy of their Aadhaar to get their salary, or for police verification, etc. Help old people in the neighbourhood to book railway tickets and ask for Aadhaar number - you don't need it, but gullible people don't question. Just invent an excuse - it doesn't have to be true - you are a scammer, after all. If one person refuses, ask another. Not many refuse. You'll soon hit pay dirt. Govt has taught people to hand around their Aadhaar for anything and everything. And just like that, the allegedly secret number is yours.

Now, depending on what kind of a criminal you wish to be....

You're a terrorist, or stalker or need to share fake news on WhatsApp.... you need a phone number.

Give that photocopy to any telecom operator and get a SIM card - this one is easy. Frankly, it will work with any ID. Not just Aadhaar. But Aadhaar is better, because then you attach it to the new phone number and sort of build that identity proper to be the foundation of other scam documents to be a full and proper ghost.

Say you have black money you need to park, etc. Things that need you to actually be a person.

Go to the UIDAI website. Download the form for updating Aadhaar details by post. Photocopy some ID, change the name and address to match that of your target Aadhaar you want to take over and attach to form. Fill the form, but in the place of the phone number, put the new number you got in the previous scam. Just in case someone is alert at UIDAI, save it on a couple of phones with that name and install true caller. Feel free to add a fake email also. So someone checking the number sees right name in true caller as well as telecom operator's records. Post the form. That Aadhaar card will now be updated to work with your OTP. Enjoy. You can get an Udyog Aadhaar and qualify for a business loan, you can validate it for passport, etc. There is no way for the person to easily realize that the phone number was switched, so it will be a while before they realize what has happened. Even if a duplicate Aadhaar card gets posted to them, it will have no changed information (phone isn't on the card - or even biometrics - they could have an empty document and not know it). By then, unless they do biometric PDS, you could use an OTP to switch the biometrics for you too and properly make it yours.

Rent a flat using that Aadhaar, register the lease, open bank account. Put some money there to evade taxes. Whatever. Oh, get another PAN if it is a lot of money. No one would believe Aadhaar can create a ghost. After all, govt has guaranteed it removes ghosts.

You are an illegal immigrant living in some slum. You'd like PDS, but you don't qualify.

Fikar not. Aadhaar makes it easy. Keep an eye out for someone who dies in your area. Say you know people in the rationing office and can get the name of the dead person removed from their card for them. Take the card, update the dead person's name with your Aadhaar. Aadhaar overwrites the person's data on the ration card - name, age, sex, everything. Voila. You are now on their card. I suppose you should now remove your name from it and apply for a separate card, "because you've moved out to your own place". Oh, don't forget to return the ration card of those nice people, with the dead person's name nicely removed and all. Oh, congratulations! You are also a citizen, if you weren't, before.

*****

There are endless ways, really, because the reckless imposition of Aadhaar has resulted in it being accepted for far more than what Aadhaar data is capable of actually verifying. Money transfers via Aadhaar? No problem. The government has gone to great lengths to enable it during demonetisation. Need more gas cylinders than your subsidy gives you to use in your restaurant? Sure, just scramble the address a bit, so computer doesn't recognize as identical.

This is a threat to individual safety as well as national safety. Both physical and financial.

And I haven't even mentioned leaked databases (there you go - thousands of aadhaar numbers and addresses) or privacy issues (govt says we don't have a right to privacy, apparently) or denial of basic necessities to poor and desperate people (we don't care about them anyway). I haven't even talked of countless mobile SIM service people who could simply duplicate your SIM - and the Aadhaar number to verify is attached to the phone number! I suppose soon scammers will be paying bribes to get jobs in mobile operator service centers.

Are you still a fan of Aadhaar?

 

Disclaimer: This post is for educational purposes and does not endorse anyone actually indulging in criminal activities. I have not done any of the above. I would like those still insisting that Aadhaar is safe to explain how they would prevent any of this.

 


Guest post by @St_Hill examines some problems in the use of Aadhaar where the use of the UIDAI authentication goes beyond what it was designed for and compromises the privacy or security or both of users. However, stopping use that compromises security would mean much reduced adoption of Aadhaar.

Most debates around UIDAI and Aadhaar focus on privacy concerns, security of the database and on the legality of making Aadhaar mandatory. Even if these three issues get sorted out, there are four other basic issues that need attention. In all these four issues, you will see the following common themes:

  • It is very likely that UIDAI knows the existence of the issue
  • Entities other than UIDAI are using Aadhaar incorrectly and sometimes dangerously
  • UIDAI has framed policies protecting itself from implications of these wrong usages
  • UIDAI is unlikely to address these issues, because solving them may reduce the usage and acceptance of Aadhaar

Issue #1: UIDAI knows that Aadhaar is not an address proof, and that the industry uses it as an address proof, but will choose to remain silent about it.

Various entities allow Aadhaar to be used as both an identity proof as well as an address proof — banks, for example, use biometric eKYC to onboard new customers. But the reality is that UIDAI does not validate the address of every applicant. Though applicants are asked to provide an address proof for Aadhaar enrolment, it is optional — the enrolment process (and form) is designed to allow anyone to get an Aadhaar without any documents (mainly because Aadhaar is meant even for those who sleep under the flyover).

Aadhaar enrolment form screenshot. If you don’t have (or choose not to give) an address proof, you can choose Introducer or Head of Family based verification and get any address updated in Aadhaar. (Attestation by the introducer is all it takes)

UIDAI is aware of this flaw, which explains why the Aadhaar Bill has multiple mentions of Aadhaar being a proof of identity, but has NO mentions of it being a proof of address.

Note the strategic absence of “proof of address” in the Aadhaar Bill

It would be appropriate of UIDAI to clarify to RBI and other authorities that Aadhaar is not a proof of address, but that would mean banks and telcos would no longer be interested in eKYC — imagine if banks are asked to collect a second document as address proof despite performing a biometric eKYC. Thus if UIDAI were to “fix” this issue, eKYC (Aadhaar’s core feature) will become useless and Aadhaar’s acceptance will be impacted.

Issue #2: Aadhaar is not a proof of citizenship, but it can be used to either apply for a passport, or obtain other identity documents which can then be used to apply for a passport.

The Aadhaar Bill Section III.9 states the following:

Screenshot from Aadhaar Bill Section III.9

But this hasn’t stopped the Passport office from listing Aadhaar as an acceptable document — they go even further to state that “Furnishing of Aadhaar card will expedite processing of passport applications”.

From the Passport Seva website

Even if Passport office were to stop accepting Aadhaar as a valid document, a non-Indian can apply for a bank account or water connection or electricity connection using an Aadhaar number, and then apply for a passport using the bank statement or utility bill as an acceptable document.

The only way for UIDAI to address this is to declare that Aadhaar cannot be used for passport applications, public utilities, bank accounts and any other services which may then be used to apply for a passport. But of course, this would limit the usage and acceptance of Aadhaar, reducing its relevance.

Issue #3: Possession of a physical Aadhaar card should not be considered as identification in airports, trains and other places.

UIDAI does not include holograms or physical signatures or any other security information in the Aadhaar cards that are sent to applicants — it is just a colour printout of your Aadhaar information. You can also download and print your Aadhaar (even in black and white) as your Aadhaar card — print multiple ones and each one will be considered “original”.

Clarification from UIDAI that black and white printouts of Aadhaar info are as valid as the Aadhaar card sent to you or the plastic cards that someone laminated for you

This is because UIDAI does not consider possession of an Aadhaar card as authentication that it belongs to you. UIDAI instead asks entities to authenticate the Aadhaar number based on OTP or biometrics by connecting to the UIDAI system, prior to usage.

See last sentence in Aadhaar Bill Clause 4: Aadhaar can be used as proof of identity “subject to authentication”

But in reality, the ticket checker in trains, the security guard at the airport entrance and many other places consider a physical Aadhaar card as a valid identity document.

If UIDAI were to publicly clarify that the physical Aadhaar card is irrelevant and electronic authentication is required prior to being used, it would mean that the airport security guard or the train ticket inspector carries a biometric device with them for validation. This would slow down their entire process and they would instead insist that you provide an ID proof other than Aadhaar. So if UIDAI tried to fix this problem, it would mean reduced acceptance of Aadhaar in public life, again reducing its relevance.

Issue #4: Aadhaar numbers are probably meant to be secret to avoid misuse, but UIDAI does not stop organizations from putting Aadhaar information out in public.

Only a professional counterfeit artist can recreate passports or driving licenses — this is because there are security features like holograms in an original document. But this does not apply to Aadhaar — there is no concept of an “original” Aadhaar card (see Issue #3 above). A printout of Aadhaar information is being treated by various entities as a valid document, so it is easy for a fraudster (even an amateur) to print out your Aadhaar card if he knows your basic information (like Aadhaar number and name), and start submitting it in different places where the Govt asks us to.

UIDAI is aware of this issue, and hence Section 29 of the Aadhaar Bill states that entities which use your Aadhaar number should ensure the following:

Aadhaar numbers shall not be posted publicly by organizations collecting them

This basically puts the onus on 1000s of different organizations to ensure that they do not make your Aadhaar number public. Do a Google search for “Aadhaar number name filetype:xls” and prepare to be stunned at what is out there. Among those multiple excel sheets in the results, you will even find a Ministry website which has uploaded many excel sheets of 1000s of people’s information including name, DOB, address, and Aadhaar number.

Websites have uploaded excel sheets of people’s information including Aadhaar numbers
One such excel sheet has all this information of 1360 people out there in public

Printing their Aadhaar cards will probably take a few minutes of effort for a fraudster with a computer and a black and white printer.

UIDAI can stop this by identifying such entities and stopping them from putting out Aadhaar numbers in public, but it is a mammoth monitoring effort. The other solution for UIDAI is the same as the solution for Issue #3, which will again reduce Aadhaar’s relevance.
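The onus Section 29 places on each organization can be met with a check before a sheet is uploaded. The following is an added example, not part of the original post and not UIDAI tooling: it scans a sheet exported to CSV for 12-digit values that pass the Verhoeff check digit used in Aadhaar numbers and masks all but the last four digits. The function names, the sample rows and the first-digit rule are assumptions of this example.

```python
import csv, io, re
# Verhoeff tables: D is multiplication in the dihedral group D5, P the position permutations.
D = [[0,1,2,3,4,5,6,7,8,9],[1,2,3,4,0,6,7,8,9,5],[2,3,4,0,1,7,8,9,5,6],
     [3,4,0,1,2,8,9,5,6,7],[4,0,1,2,3,9,5,6,7,8],[5,9,8,7,6,0,4,3,2,1],
     [6,5,9,8,7,1,0,4,3,2],[7,6,5,9,8,2,1,0,4,3],[8,7,6,5,9,3,2,1,0,4],
     [9,8,7,6,5,4,3,2,1,0]]
P = [[0,1,2,3,4,5,6,7,8,9],[1,5,7,6,2,8,3,0,9,4],[5,8,0,3,7,9,6,1,4,2],
     [8,9,1,6,0,4,3,5,2,7],[9,4,5,3,1,2,6,8,7,0],[4,2,8,6,5,7,3,9,0,1],
     [2,7,9,3,8,0,6,4,1,5],[7,0,4,6,9,1,3,2,5,8]]
# 12 digits, optionally grouped 4-4-4 by space or hyphen, not part of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)\d{4}[ -]?\d{4}[ -]?\d{4}(?!\d)")

def verhoeff_ok(digits):
    """True when the last digit is the correct Verhoeff check digit for the rest."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = D[c][P[i % 8][int(ch)]]
    return c == 0

def looks_like_aadhaar(text):
    digits = re.sub(r"\D", "", text)
    # Assumption of this example: issued numbers never start with 0 or 1.
    return len(digits) == 12 and digits[0] not in "01" and verhoeff_ok(digits)

def redact_cell(cell):
    """Return (cell with checksum-valid numbers masked to the last 4 digits, hit count)."""
    hits = 0
    def mask(m):
        nonlocal hits
        if not looks_like_aadhaar(m.group()):
            return m.group()          # e.g. phone or reference numbers stay as they are
        hits += 1
        return "XXXX XXXX " + re.sub(r"\D", "", m.group())[-4:]
    return CANDIDATE.sub(mask, cell), hits

def scan_csv(text):
    """Return ([(row, column), ...] of cells holding a match, redacted CSV text)."""
    findings, out = [], io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [redact_cell(c) for c in row]
        findings += [(row_no, i) for i, (_, n) in enumerate(cells, start=1) if n]
        writer.writerow([c for c, _ in cells])
    return findings, out.getvalue()
# Constructed sample rows; 234567890124 is a made-up value that passes the checksum.
SAMPLE = ("name,dob,contact,remarks\n"
          "Person A,1980-01-01,2345 6789 0124,enrolled\n"
          "Person B,1975-05-05,234567890123,reference number\n"
          "Person C,1990-09-09,919876543210,UID 2345-6789-0124 on file\n")
FINDINGS, REDACTED = scan_csv(SAMPLE)  # cells flagged as (row, column), and the masked CSV
```

The checksum filter keeps phone and reference numbers from being flagged, so the reported cells are ones worth blocking the upload for; free-text columns are scanned too, since numbers often end up in remarks fields.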


As is now evident, UIDAI is faced with two choices in each of these issues. They can either fix the issue running the risk of Aadhaar irrelevance in public life, or they can choose to stay silent running the risk that something may go wrong at a large scale in the future.