Aadhaar: Promising identity, delivering - what, exactly?

India’s Unique Identity, Aadhaar, once touted as the cure-all for the woes plaguing the distribution of welfare benefits and government subsidies, today stands on the verge of becoming a universal identity number for residents of India. This, thanks to an extremely overzealous two-step dance (called voluntarily/mandatory) involving the Centre and various State governments, and the Unique Identity Authority of India (UIDAI).

Much of this is grossly in contempt of Supreme Court orders, but since the Supreme Court is still fiddling away, average Indians are finding themselves herded into the Aadhaar net by practically every agency in the land.

What seems to have awoken the Great Indian Middle-Class to the Aadhaar conundrum is the requirement to link Aadhaar to the PAN, selling a concocted narrative that fake and duplicate PANs are a huge problem (they are not). Then the double whammy - link Aadhaar to bank accounts and prepaid mobile services. This opened the floodgates, quite literally. Banks and mobile service providers then treated Indians to a drip-drip daily torture of SMS messages and emails, with random deadlines that (needless to say) kept getting pushed.

One of the authors of this piece took a screen shot of two SMS messages from Airtel within the span of a week in which, despite no court pronouncements or government notifications being issued, linking Aadhaar to mobile numbers went from being “aavashyak” (necessary) to “anivarya” (mandatory)!

The brazen arrogance with which Supreme Court orders have been flouted in harassing citizens to link their mobile numbers to Aadhaar subverts the very idea of justice: not only does the Department of Telecommunications order wilfully misinterpret the Supreme Court direction given in the Lokniti Foundation case, it seeks to do so in a manner that does not inform the average citizen of her rights.

Contrast the sheer volume of SMS messages sent out demanding, even threatening that Aadhaar be linked to mobile services with the total failure of the Government to communicate an earlier Supreme Court order: that Aadhaar could not be made mandatory and no one should be denied any benefits for want of an Aadhaar !

Also, notable in the Lokniti Foundation case is the Attorney-General (then Mukul Rohatgi) omitting entirely the assurance he himself had given to the five-judge Constitution bench in 2015 that Aadhaar would remain voluntary. That we should continue to trust the government - and the UIDAI - despite such callous omissions, in the Supreme Court no less, is asking for the moon.

Equally dubious is the push to link Aadhaar to bank accounts, for which the Know Your Customer norms are already notified by the Reserve Bank of India - allowing use of any of six “officially valid documents” (OVDs) of which Aadhaar is just one. Most existing bank customers could not have opened their account without one of these OVDs. Notwithstanding the RBI issuing a press release supporting the amendment GSR 538(E) to the Prevention of Money-laundering (Maintenance of Records) Rules, 2005, linking Aadhaar to bank accounts might well be counterproductive to the intent of linking, as Dr. Anupam Saraph spells out in this piece.

Broadly speaking, the government has repeatedly tried to frame the argument for Aadhaar as the push for providing people with a reliable identity document. Yet Aadhaar is no proof of citizenship, and its hasty implementation, through enrollment centres whose personnel are not hired or trained through any transparent policy, has already sprung a whole host of leaks and scams (even without counting the number of government websites leaking Aadhaar numbers).

To take just two examples, consider the Kanpur case where a fake Aadhaar cell was busted, and a scam alert from the police in Delhi NCR.

The Kanpur case was stunning because it brought to light how hackers could bypass both fingerprint- and retina scan-based identification to access the UIDAI system and produce fake Aadhaars. The police investigation, rather chillingly, called for a security audit of the Aadhaar enrolment process after finding that the UIDAI’s security policy was “not followed by registrars, enrolment agencies, supervisors, verifiers and operators”.

UIDAI, meanwhile, has refused to divulge details of this security policy citing national security concerns, and has not bothered about the security audit either.

The other scam, which has the police in Delhi NCR befuddled is far simpler, and exploits a utility that the UIDAI offers citizens - the ability to update details online. Again, the lack of transparency in the UIDAI’s operations has ensured that despite switching to a more digitised identity system, the average Indian remains in the dark about how this system can be manipulated.

The use of the United Payment Interface-supported app reveals the danger of linking Aadhaar to bank accounts as these links are automatically mapped by applications accessing the Aadhaar ecosystem. Authentication mechanisms are usually meant to be discreet to ensure greater security - a password you remember and a OTP you receive on your phone are separate methods which together verify who you are.

If the Aadhaar number is both user id and password and, thanks to mobile service linking, the OTP can be scammed, your identity is up for grabs for anyone devious and conniving enough to get your Aadhaar.

If India’s push towards digitising its financial ecosystem continues in this haphazard manner without first ensuring not merely digital literacy but a thorough understanding of digital security principles - at every level of society starting from the government, a system offering unparalleled access like Aadhaar is a trap waiting to be set and sprung.

The stakes are massive - a person’s entire existence could be stolen without their knowledge. And why suspect hackers or foreign powers when the UIDAI itself can randomly deactivate Aadhaar numbers without any prior intimation or public acknowledgement?

(James Wilson works for the inter-state Water Advisory Committee of Government of Kerala and writes on big data while Godavar is a member of Rethink Aadhaar, a group of concerned citizens trying to build greater awareness on the Aadhaar scheme, its shortcomings, and government's inaction on the same).