The Aadhaar digital ID system for providing welfare services in India faces “hurdles, including the burden of establishing authorization and concerns about biometric reliability”, noted a report on ‘Decentralised Finance and Digital Assets’ by Moody’s Investors Service, on September 21, 2023. In what can be seen as a quick review of India’s Aadhaar project, the global risk-assessment firm further stated, “The system often results in service denials, and the reliability of biometric technologies, especially for manual laborers in hot, humid climates, is questionable.”
The report essentially looked at emerging decentralised identification systems that it claims can provide services across sectors and ensure the security of people’s data in a better manner. In doing so, the firm has observed that there’s a shift towards a decentralised digital identity system as a “strategic response” to the “security and privacy vulnerabilities posed by centralized ID systems like Aadhaar”.
India’s IT Ministry quickly issued a press release dismissing the firm’s claims on the grounds that the report did not provide any primary or secondary data to back their assertions. More so, the government touted Aadhaar as the “most trusted digital ID” in the world.
Why it matters:
The government has presented an immediate rebuttal to the claims made in Moody’s report, but the review does shed light on issues that have been reiterated for years now. Whether it is about the exclusion of vulnerable groups from welfare benefits or the uncertainties regarding the security of Aadhaar data, there are critical problems that raise doubts over the government’s claim that the Aadhaar system is foolproof. As the Aadhaar project is considered a foundational “digital public infrastructure” for digital governance projects across sectors, the authorities need to acknowledge the underlying concerns discussed below.
On unreliability of Aadhaar: Addressing the concern that biometric technologies have led to the exclusion of manual labourers from welfare services, the Ministry said that it was an “obvious reference” to the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS). The government claimed that the seeding of Aadhaar in the MGNREGS database has been done without requiring the workers to authenticate using biometrics and that they are paid directly through bank accounts without having to authenticate their biometrics.
However, it is important to note that in January this year, the government mandated the Aadhaar Based Payment System (ABPS) for payment of MGNREGS workers’ wages. In February, the NREGA Sangharsh Morcha, a national coalition of NREGA workers and organizations, expressed their worries about the implementation of an “unreliable payment system.” They believed that this system would worsen the problems of delayed and denied wages through coercive means. Their basis of concern was that the ABPS requires linkage of the worker’s bank account with both Aadhaar and the National Payments Corporation of India (NPCI), and to meet KYC requirements, biometric authentication is necessary. Issues such as inconsistencies in data related to bank accounts and Aadhaar have led to complications that have ultimately impacted the workers’ rights to access their wages and other benefits in time.
The Ministry also stated that biometric submission is also possible through contactless means like face or iris authentication and by using mobile OTP. However, technical issues associated with the process, coupled with a lack of access to sophisticated mobile phones, have reportedly caused errors, raised apprehensions among workers about being excluded from the database, and have affected their right to be paid within 15 days. Additionally, not only MGNREGS workers but complications related to Aadhaar-linked direct benefit transfer have also affected students’ rights to avail government scholarships for pursuing higher education.
On privacy and security of Aadhaar data: Dismissing issues concerning privacy and security vulnerabilities, the Ministry claimed in its press release that “till date, no breach has been reported from Aadhaar database” and that “state-of-the-art security solutions” are established along with a federated database and mechanisms for encryption of data, both at rest and in motion.
In July, responding to questions regarding numerous Aadhaar-related bank frauds, the government had reiterated in the parliament that “No breach of Aadhaar card holders’ data has occurred from the Central Identities Data Repository (CIDR) maintained by the Unique Identification Authority of India, in which the database of biometric and demographic information of Aadhaar is maintained. CIDR is not linked to any external database, such as bank databases.”
However, past reports of alleged data leaks from the CIDR cannot be ignored. For example, in 2019, a complaint by UIDAI Hyderabad office to the Cyberabad police shed light on a suspected data theft from the CIDR or the State Resident Data Hub by IT Grids Pvt Ltd, which was found in possession of 7.8 Crore Aadhaar records from Andhra Pradesh and Telangana.
“The investigation revealed that the structure and size of the database, and the fact that the database contained Aadhaar Enrolment IDs (EIDs), strengthened this suspicion,” MediaNama noted in its report.
Similarly, numerous reports of fraud related to Aadhaar-Enabled Payment System (AePS) have exposed major vulnerabilities in the systems that store people’s biometric data linked to the UID numbers. Multiple states like Andhra Pradesh, Uttar Pradesh, West Bengal, etc., have warned people against gangs, who exploit such biometric data to siphon off money from people’s bank accounts. Moreover, the Comptroller Auditor General of India had pulled up the UIDAI for not being able to assure that the entities involved in the authentication ecosystem meet the required standards for biometric data safety, among other faults.
According to a report by The Wire, certain government agencies and banks have access to the CIDR data through the government’s internal tools like the Direct Benefit Transfer Seeding Data Viewer. It is worth questioning if entities that carry out Aadhaar authentications have access to the CIDR database; are there no chances of a leak somewhere that may have led to the exploitation of the system through several channels? However, the government has continually failed to acknowledge such rising instances of data leak, in the Parliament.
Also Read:
- Why Are Labour Groups Protesting India’s Push To Digitise National Employment Schemes?
- Summary: What The CAG Report Says About UIDAI’s Functioning And Security Of Aadhaar Vaults
- Govt Denies Aadhaar Data Leak, Fails To Answer Questions On Investigation Into Aadhaar-Related Breach
- 7.8 Crore Aadhaar Records On IT Grids’ Database; CIDR Possibly Breached, Aadhaar Data Stored On AWS Servers
Support our journalism:
For You
- Sign up for our Daily Newsletter to receive regular updates
- Stay informed about MediaNama events
- Have something to tell us? Leave an Anonymous Tip
- Ask us to File an RTI
- Sponsor a MediaNama Event