India's Aadhaar ID system delivers benefits but at risk of widespread fraud

Prime Minister Narendra Modi’s model of welfarism isn’t new to India: Previous leaders have also subsidized food and fuel, and given the rural poor houses, toilets, and paid work. Modi’s edge comes from technology. A year before the 2014 election that brought him to power, the government, then led by the Congress Party, had piloted direct cash transfer to beneficiaries, inspired by the former Brazilian President Lula da Silva’s popular Bolsa Familia program. Modi took that modest $1 billion start and turned it into a $300 billion vote magnet: And he did it with the help of 12-digit numbers. 

Those numbers — and the ID cards that carry them — are known as “Aadhaar.” It’s a biometrics-based system through which almost everyone in the second-most-populous nation can prove who they are. Aadhaar, which means “foundation” in Hindi, supports 450 million-plus no-frills savings accounts and has bolstered the use of mobile internet for financial transactions even in remote villages. Five years ago, the Nobel Prize-winning economist Paul Romer endorsed Aadhaar as a template for the world.

Increasingly, though, it’s beginning to look like there’s a fair bit of epoxy putty — quite literally — in the very foundation of Modi’s welfare program. 

Also Read: Citing misuse, UIDAI suggests sharing masked Aadhaar instead of photocopies

Fingerprinting 1.33 billion people and recording their personal information and iris scans in a central repository was no mean feat. It was hoped that this super-expensive database would pay its cost by helping to reduce waste in public programs and by preventing theft. That was touted as a big advantage in a corruption-ridden country where state benefits have a hard time reaching legitimate beneficiaries.

However, activists have highlighted numerous incidents of denial of benefits: Fingerprints fade with intense manual labor; getting data-entry mistakes fixed can be a nightmare. Those issues have largely been ignored. 

Now there’s a growing problem in the other direction: Aadhaar is being very successfully used — by fraudsters. Blame it on ubiquity combined with lax controls. While the unique ID was conceived to make welfare programs more efficient, private entities didn’t lose any time in realizing its potential. Banks and telcos used Aadhaar to conduct online “know your customer” checks, which drastically cut their cost of authenticating customers. In the process, Aadhaar became all-pervasive and private data began to show up for sale on the dark web. 

The government’s response has been to brush it all away. Anything that casts doubt on the integrity of the system is ignored. That isn’t a surprise: Having chosen a technology and made it universal, policy makers have no other route to building trust in transactions. In 2018, the Indian Supreme Court restricted the use of the database — and barred private entities from using it for know-your-customer verifications. Nevertheless, New Delhi has since then gone around opening legal back doors for the private sector to keep tapping it.

Also Read: What is masked Aadhaar? Can it prevent misuse?

A wake-up call about identity fraud came last month. The Unique Identification Authority of India, or UIDAI, issued an advisory asking people not to give out photocopies of their cards “because it can be misused.” Further, the notice said that only users licensed with the authority can query the database to authenticate identity; establishments like hotels or movie theaters are not permitted to collect or keep copies. After people began to question why this warning was being issued when everyone’s Aadhaar information was already circulating everywhere, it was withdrawn the same day and replaced with new guidance that advised people “to exercise normal prudence.”

So what’s going on? The Morning Context, an Indian news website, recently gave an alarming account of scams. It seems anyone can learn how to clone a fingerprint with epoxy putty on YouTube; and anyone can buy an identification card online. Fingerprints can be lifted from digitized property sale deeds. Or, to steal money from bank accounts, one could hack into a mobile app used by small village shops that double up as micro-ATMs for Aadhaar-holders. There was a sixfold increase in overall Aadhaar fraud registered with the UIDAI last year, the May 30 article said. “There is no data on the full extent of welfare benefits swindled, accounts degraded and criminal complaints registered,” the Morning Context added. 

More disturbing than the crime is the official silence about its prevalence or severity. The Reserve Bank of India’s recently released Payments Vision 2025 gives a nod to the “significant growth in Aadhaar-enabled Payment System (AePS) through the business correspondent-assisted model.” More than 2 billion such micro-ATM transactions took place last financial year; that’s a $38 billion entanglement of Aadhaar with the banking system — all of which is on behalf of customers at the bottom of the economic pyramid. Yet the RBI’s vision document, which has “integrity” as a key pillar, has nothing to say about making security more robust for deposit, withdrawal and transfer services used by the poor.

Then there’s the social welfare plank: Aadhaar Payment Bridge System is how the government transfers cash to beneficiaries. Even here, there are weaknesses. Back in 2018, Ram Sewak Sharma, the former UIDAI chief, had made his Aadhaar number public on Twitter and dared privacy activists: “Show me one concrete example where you can do any harm to me!” As it turns out, someone managed to register Sharma as an eligible farmer and the Modi government paid him three installments of free cash. You can split hairs about whether the vulnerability was in Aadhaar or elsewhere, but the hacker had proved a point. 

Modi’s new welfarism rests on Aadhaar. But if there are cracks in the edifice, they need to be acknowledged — not to frighten users away, but to make them more aware. At the same time, India needs a strong data protection law. Losing money is bad enough. But it’s scary if a bad actor can put a person at a specific place or tie her to an activity with the help of a bogus transaction. Sealing wax in the foundation of trust simply won’t do.