Needed better security & data protection law: Poor more prone to Aadhaar frauds

• Gorakhpur cops bust fingerprint cloning racket

• Biometric fraud in Bihar panchayat polls

• Fraudsters steal thumb prints from land records

• 8 held for foodgrain racket in Ahmedabad

• Hyderabad Police shuts down illegal Aadhaar operation

• Two arrested for forging Aadhaar cards

(News headlines since 2021)

A 5-member constitution bench of the Supreme Court led by the then Chief Justice of India Dipak Mishra ruled in September 2018 that linking the Aadhaar number to bank accounts would be a thing of the past.

Four years down the line, even as people continue to share their Aadhaar numbers and biometrics, the Bangalore regional office of the Unique Identification Authority of India (UIDAI) issued a press note dated May 27 advising people not to share photocopy of their Aadhaar with anyone because it could be misused. Alternatively, it said that a masked Aadhaar which displays only the last four digits of the Aadhaar number, could be used.

However, the press note was withdrawn within 48 hours with the authorities citing its misinterpretation. “In view of the possibility of misinterpretation of the press release, the same stands withdrawn with immediate effect,” read a statement issued by Press Information Bureau on behalf of the head office of UIDAI in Delhi on May 29.

The National Payments Corporation of India (NPCI), the body responsible for monitoring Aadhaar enabled payment system recorded six-and-a-half crore complaints of fraud. A look at the past three years shows this number to be closer to 10 crore, a majority of them reported by the banks and not account holders.

There is, therefore, the possibility that the number is an underestimation. Frauds reported by an account holder need to go through a number of verification checks before they are communicated to NPCI.

Fraudsters having access to an Aadhaar number can steal and clone the identity. But monetary losses are unlikely unless biometric details are also shared. Poor villagers, often illiterate and not educated enough or not used to digital devices, often share their fingerprints without realising why they are being demanded.

Srinivas Kodali, an independent researcher and technology activist, believes that the guidelines recommended by the Supreme Court have been largely ignored because of the Government’s insatiable need for surveillance on citizens, wanting to know everything from their telecom details to hotel stays.

Kodali also explains that this applies to the private sector as well, where surveillance capitalism is the new buzzword and first-party data is being captured. Questions to be asked, Kodali says, are where is the money going, who is behind it, and who is vulnerable?

A close look at the frauds by technology activists and researchers reveals that monetary frauds are being carried out at various levels and are prevalent across the country with mostly the poor and the uneducated being the victims.

Cyber security expert Ritesh Bhatia says that fraudsters come in all shapes and sizes. Various media reports show that Business Correspondents, Common Service Centre agents, government staff and gangs running an organised crime syndicate are believed to be part of the racket. Business Correspondents are appointed by banks for providing banking and financial services. On the other hand, the Common Services Centre (CSC) programme is an initiative of the Ministry of Electronics and IT (MeitY), Government of India, and serves as an access point for the delivery of various electronic services to villages in India. The CSCs have been set up by the Ministry of Electronics & IT under the Companies Act, 1956 to oversee the implementation of the CSC scheme. But unfortunately, many of these staff have been found to be a part of the Aadhaar-enabled payment system or AePS-related frauds.

Kodali mentions that problems begin with the way Aadhaar has been designed. “I don't know where and how I am using it. And this is a problem,” he says, pointing to news reports from Haryana where some fraudsters are believed to have stolen many if not all of the Haryana land registry fingerprints database. It is not just Haryana. Cases of AePS fraud are emanating from all over. Police in Mumbai, Jharkhand and Haryana, Uttar Pradesh, and Telangana have cases under investigation.

“The fingerprints are not just in the UIDAI database. When you go to get a driver's license, the RTO also takes your fingerprints. You also give fingerprints to the Passport department. There are many places where you give your fingerprints and even if the fingerprints in any one of these places get leaked and they have your Aadhaar number it can always be misused to withdraw your money,” he explains.

Is there a solution to this sort of misuse? As a matter of fact, there is. Recently Telangana police sent an advisory asking people to lock their biometrics if there is Aadhaar related fraud. “The solution that the UIDAI has for this is to lock your biometrics. There's an option available to do that but not everybody is aware of this and very few actually do it,” Kodali says.

For Locking UID, residents should have 16-digit VID number, which can be generated by sending SMS (GVID space last 4 or 8 digits of UID; eg GVID 1234) to 1947.

The question however is, why should someone even link their bank account with Aadhaar when the Supreme Court has clearly said one should not. “Yet the RBI directions force you to link it and even the Union Finance Minister Nirmala Sitharaman is backing it,” says Kodali.

So, while the debate is on for a long time, the absence of implementation of guidelines and better systems in place ensures that frauds are being repeated without any fear.

“Aadhaar today is not needed everywhere. You only need it for tax purposes, for PAN Card linking, and for Aadhaar subsidies. I don't need to give it to my bank or a hotel agent, telecom, or internet service provider. I don't need to give it to anyone else. But we are being forced to do that and eventually, the data belonging to the poor and vulnerable get leaked,” he says.

Yogesh Deshmukh, Madhya Pradesh Police’s Additional Director General, Cyber-crime, is among police officials whose teams are trying to curb such frauds.

“Earlier this week we arrested four persons who were involved in committing fraud with the help of biometric machines in the Gwalior region. They had learned to commit fraud by watching YouTube videos,” he says. The fraud surfaced with complaints against customer service center staff of Dabra municipality. Deshmukh reveals that the gang of four cheated over 30 villagers and siphoned off Rs. 5 Lakh from their accounts.

“The modus used was to open bank accounts of the villagers in which money from the government-run schemes was to be deposited. They would store the Aadhaar information of these villagers in an application and later use it to siphon off money from the bank accounts of these villagers. The fraudsters later withdrew the amount for their use. The timely busting of this racket ensured that the number of people cheated was 30. They had data pertaining to 982 people and it was a matter of time before others would have been targeted,” Deshmukh reveals.

(This was first published in National Herald on Sunday)