On Friday, 27 May, the Unique Identification Authority of India (UIDAI) said, "Do not share photocopy of your Aadhaar with any organisation as it can be misused. Alternatively, please use a masked Aadhaar which displays only the last four digits of your Aadhaar number."
This warning was withdrawn within two days "in view of the possibility of the misinterpretation".
UIDAI now says "normal prudence" is enough and existing mechanisms provide "adequate features for protecting and safeguarding the identity and privacy of the Aadhaar holder".
Experts have questioned UIDAI's statements.
UIDAI, in its second circular, said the initial release was issued in the context of an attempt to misuse a photoshopped Aadhaar card.
The Bengaluru office of the UIDAI had received complaints that Aadhaar numbers and sensitive details like addresses of the cardholders were being photoshopped and misused, The Economic Times reported, quoting government sources.
However, Aadhaar's vulnerabilities are not a recent discovery.
Rizvi pointed to reports of Aadhaar details of individuals, including their names, addresses, and mobile numbers, being on sale for as little as Rs 5, as well as companies storing user data for voter profiling.
Rizvi explained that the Aadhaar ecosystem has three layers: the infrastructure, data-linking, and application.
"While the data-linking layer is encrypted, the other two layers are owned and used by the third parties without prescriptions on privacy and security safeguards. This shows that the Aadhaar is vulnerable to privacy and security risks at the ecosystem level, spread across the data lifecycle," he said.
As an example, he pointed to a report in The Tribune where a journalist was able to access the data of about a million individuals by paying only Rs 500 to an agent.
Apart from an increase in Aadhaar-related fraud due to active digitisation of government services, a catalyst behind the statement could have been the recent CAG report criticising the UIDAI, said independent researcher Srinivas Kodali.
Among other things, the Comptroller and Auditor General of India (CAG) found that the quality of biometric data was sub-par and that not all Aadhaar numbers in UIDAI's database were supported with documents, causing doubts about the "correctness and completeness" of the data.
Kodali claims that the 'masked Aadhaar' option was offered by UIDAI in response to a 2017 report of his on the leak of 130 million Aadhaar numbers.
"Anyone can easily modify an Aadhaar using Photoshop, people rarely verify the details on an Aadhaar card. This is an issue which UIDAI should have worked on before distributing a billion Aadhaar cards," Kodali told The Quint.
After withdrawing its initial circular, UIDAI said that Aadhaar card holders are "only advised to exercise normal prudence in using and sharing their UIDAI Aadhaar numbers."
It added that the Aadhaar ecosystem provides "adequate features" for protecting and safeguarding the identity and privacy of the cardholders.
However, such a statement appears to be irresponsible, given the kind of incidents that have already been reported on.
"The government states that 'normal prudence is enough' for the safe use of Aadhaar, but that is very vague, and there is less clarity in terms of what is considered normal prudence," said Kazim Rizvi.
Kodali said that the Indian government does not want to acknowledge frauds related to Aadhaar.
"It only wants status quo where they only react when something big happens. While this is their standard response, they are reluctant to respond to people who are victims of Aadhaar fraud," he said.
(With inputs from The Tribune)