Questions about Aadhaar

Govt needs to be transparent about threat levels

The government’s withdrawal — in just two days — of an advisory warning citizens not to share photocopies of their Aadhaar card with hotels, cinemas, or organisations that lacked a user licence from the Unique Identification Authority of India (UIDAI), citing risk of misuse, has raised more misgivings about the security of this massive database of citizen information. The sharply worded advisory had also suggested that card holders should not use public computers to download an e-Aadhaar and to log into the website and mask all but the last four digits of the number. The press statement on Sunday employed more emollient language, stating that the advisory from its Bengaluru office had been rescinded “in view of the possibility of the misinterpretation”. This implies that the Bengaluru advisory was not wrong per se but reflected poorly on the veracity of the UIDAI’s security systems. It was, in other words, just bad PR. The fact that Sunday’s clarification goes on to state that Aadhaar card holders were advised to “exercise normal prudence” in sharing their numbers scarcely helps. Neither statement explained how to check the veracity of a UIDAI “user licence”, a document of which most citizens were unaware of till its appearance in the advisory.

In the light of the confusion caused by these contradictory statements, it is critical that the government clarify matters in as transparent a manner as possible. How safe, really, is a citizen’s data stored with the UIDAI? What steps has the organisation taken to secure this data? How often are these security systems checked? Which organisations are legally authorised to ask for Aadhaar numbers? Given its ubiquity in India today and the fact that all manner of institutions demand it as a means of identification, the Aadhaar card has metamorphosed from its original voluntary nature to a near-compulsory one. Where its use was originally mandated for people accessing government scholarships and welfare schemes, banks and telecom companies are now authorised to use Aadhaar to gather know-your-customer details.

With hotels, cinema halls, schools, and municipal services demanding Aadhaar identification, its widespread use as a default identity document has not, however, been accompanied by commensurate safety assurances from the government. The lack of a privacy law aggravates these doubts. The weakness of the system was purportedly demonstrated in 2018, when a Delhi-based paper was able to download for Rs 500 over a billion Aadhaar card numbers and accompanying personal details. Instead of addressing the breach, the crime branch of the Delhi police filed a case against the journalist who reported the hack. Three years later, the police withdrew the case, stating that the database had not been accessed illegally, but offered no explanation of how it came to this conclusion.

Apart from honest clarifications, the UIDAI could also deploy the reportedly formidable technological backbone at its disposal to make Aadhaar-based verification safer and hassle-free. Instead of requiring the submission of photocopied cards, a simple OTP system of the kind banks use for online banking or the income tax department requires for filing returns should suffice to enable instant verification without breaching card security. Having subjected Indians to the process of vouchsafing critical personal and biometric information, the government owes it to them to ensure their security.