Concerns over India's national biometric ID persist despite withdrawal of security warning


BANGALORE - Rising reports of financial fraud and a confusing government flip-flop are raising fresh concerns in India about the security of Aadhaar, the world's largest biometric identification programme.

Last Friday (May 27), the Unique Identification Authority of India (UIDAI), which runs Aadhaar, published an advisory warning Indians against sharing photocopies of this digital identifier with any organisation "because it can be misused". It warned that "unlicensed private entities like hotels or film halls are not permitted to collect or keep copies of the Aadhaar card".

Two days after the warning, India's Ministry of Electronics and Information Technology said the advisory was being withdrawn to avoid "misinterpretation".

It said: "Aadhaar card holders are only advised to exercise normal prudence in using and sharing their UIDAI Aadhaar numbers. Aadhaar Identity Authentication ecosystem has provided adequate features for protecting and safeguarding the identity and privacy of the Aadhaar holder."

Aadhaar, which links a unique 12-digit number to an individual's fingerprints and iris scans, is mandatory when paying taxes, buying property and accessing government benefits.

For other purposes, Aadhaar is legally just another proof of identity. But because the government has conveyed that it is the most preferred and secure identification, state and private entities like hotels, banks, telecommunications companies and hospitals commonly refuse their services without it.

UIDAI says it has generated over 1.3 billion Aadhaar numbers, almost the entire population of 1.38 billion, since its inception in 2009. The agency has aggressively defended the security of the programme in the past, with one of its founders even tweeting his Aadhaar number in 2018, defying critics to harm him.

But fears about data safety and privacy have dogged Aadhaar for years. In 2018, The Tribune newspaper said its reporters were able to log into the Aadhaar database and access information including user names, addresses and photos by paying an agent 500 rupees (S$8.85).

UIDAI dismissed most reports over the years about Aadhaar data leaks, or court petitions about essential services refused without Aadhaar, with the repetitive claim that the data is secure and Aadhaar is not mandatory.

India's Supreme Court had upheld the constitutional validity of the Aadhaar programme in 2018, saying it involved "parting with minimal information" to fulfil the larger public interest of the poor. But it ruled that private entities could not demand customers' Aadhaar numbers. This did not stop Aadhaar from being made mandatory by default for many services.

In April, India's national auditor published a report on UIDAI's "deficient data management". Among other things, it said the agency had not ensured that devices used for Aadhaar authentication were "capable of storing personal information… which put the privacy of residents at risk".

Gaps in Aadhaar data security have already been exploited for fraud.

Recent months have seen a string of arrests in several states of individuals who allegedly siphoned government welfare payments made to Aadhaar-linked bank accounts. On May 7, police in Gwalior town in Rajasthan arrested four people they said had cloned the fingerprints of at least 23 villagers and stolen 500,000 rupees of government benefits intended for them.

On May 13, the Haryana police said fraudsters had been lifting fingerprints off the state's digital land revenue registry and patching them on duplicate silicon thumbs to withdraw money from Aadhaar-linked bank accounts.

Last week, the Telangana police tweeted: "If you lost money from an Aadhaar-enabled payment system without your knowledge, immediately disable your biometric link from your Aadhaar. Never share your Aadhaar details with anyone."

On Monday, The Morning Context news site published an investigation that cited sources in the Rajasthan and Uttar Pradesh police who were investigating hundreds of gangs involved in Aadhaar-related frauds.

Its reporters found several online video tutorials on how to clone fingerprints and get around Aadhaar payment security. They also found websites selling copies of Aadhaar cards.

The Times of India, the country's largest English newspaper, on Monday cautioned that "governments have been too permissive about private and public entities seeking and collecting personal data". India does not yet have a data protection law.

For many, however, the damage has already been done. Responding to last week's UIDAI advisory, Twitter user @_NairFYI said: "I might have stayed in almost a 100 hotels who kept a copy of my Aadhaar! Now this."
