Security issues plague UPA’s flawed Aadhar model

Security issues plague UPA’s flawed Aadhar model

By ANUPAM SARAPH | 1 April, 2017
UPA’s flawed Aadhar model, Security issues, Aadhar model, Aadhar card, PM Modi, UK Prime Minister, David Cameron, RTO, UID, Social Security Numbers, SSN
As predicted for UK by David Cameron, the UID has denied benefits, rights and entitlements to crores of Indians.

When Prime Minister Narendra Damodardas Modi launched his innings in 2014, promising good governance with minimum government, many, especially his admirers, looked forward to the end of UPA’s flawed, obsolete and draconian model to deliver services, benefits and entitlements using the Aadhaar or UID number. After all, Modi himself had long been amongst its most effective and powerful critics.

PM Modi is tech savvy and sharp in recognising the flaws in a system. It is time, therefore, to call to account those with vested interests who seek to build Digital India around a failed idea. To ensure the success of our PM’s vision of transforming every Indian’s life for the better, Modi will have to look at world best practices and adapt them in place of failed and flawed models of the UPA era. Only PM Modi can accomplish the leadership challenge of letting go the flawed Aadhaar to recapture the good governance plot.

In the United States, there were 12.6 million victims of identity fraud in 2013. That is at least one victim every three seconds. According to the Treasury Inspector General for Tax Administration, fraudsters will net $26 billion into 2017. After 9/11, the Bush administration called for deleting the unnecessary use of SSN. The Americans are, therefore, debating why the Social Security Numbers (SSNs) should not be scrapped altogether.

It is then no wonder that in 2009, the then UK Prime Minister, David Cameron, had risen to the challenge and scrapped the UK national ID to fulfil his election promise. Cameron had highlighted that with such an ID, instead of the state being the servant to the citizen, the state suddenly becomes the master.

Cameron, like other enlightened leaders, had stressed that the benefits or entitlements had, as predicted by David Cameron for the UK, changed the relationship of the bureaucracy across the state to suddenly becoming a master denying the rights at whim. Some claim that the UIDAI has demonstrated insufficient restraint, transparency, responsibility and understanding of best practices across the world. It needs to resist the temptation to acquire draconian powers to turn on or off or modify any UID at whim. The Aadhaar Act needs a relook as a flawed, UPA-era construct may work to deny justice, liberty, equality and dignity.

When the Reserve Bank of India’s (RBI) data indicates that 94.7% of India’s villages lack a simple bank branch and when the idea of using individuals representing banks as “Business Correspondents” has been documented by the RBI as a less than a success, the UIDAI has advocated financial inclusion using the UID number and linking banking through business correspondents. Instead of strengthening the banking network in every district, the identity number replaced the safe KYC norms of the RBI and caution of the Prevention of Money Laundering Act.

The UID number has also forced its way to replace RBI run safer payment systems, like the NEFT. Most alarmingly, it promoted un-auditable payment systems, built by a non government private company, the National Payments Corporation of India (NPCI), to transfer money between UID numbers, instead of account numbers. Instead of correcting the operational problems, the UIDAI and government babus have pushed the use of the UID number as a “solution”. The UID has replaced any real solution and is pushed as a catch all “solution”, just like Cameron had predicted in the UK.

Citing that various Indian databases are full of fraudulent and duplicate identities, the UIDAI sought to seed the UID number into every database and declare those records that did not match or have an Aadhaar linkage as frauds. Consequently, as predicted for UK by David Cameron, the UID has denied benefits, rights and entitlements to crores of Indians, declaring them as non-existent. In Rajasthan, Uttarakhand, Andhra Pradesh, for example, more than 40% beneficiaries have been reported to have been denied benefits for reasons of the UID failure. For those who were seeded, the rights have become subject to private intermediaries, mobile apps and the existing government babus, who declared failure of authentication. The CAG needs to audit these for siphoning off the benefit. The CAG needs to certify if corruption has decreased, or it has grown exponentially.

The UID number is simply a random number that is assigned to unverified and unaudited data submitted by private enrolment agencies. The UID database has never been audited by the CAG or the Registrar General of India. The UIDAI has never established how many of the billion numbers they have issued are to genuine persons living in genuine places. Unlike the Passport Officer, the RTO, the Election Officer, the UIDAI doesn’t certify anything. Under these circumstances, it is dangerous to use this number for any purpose, and more so to connect to Consolidated Fund of India.

The regular channels for enrolment have not been designed to safeguard the persons enrolling or protect them from fraud and deception either. The UIDAI made agreements with Registrars and then with Enrolment Agencies that allowed the enrolment data and the assigned UID number to be retained and used in any way these private entities desire.

Those who enrolled for UID, lost their data the minute they enrolled. Even if accomplished hackers do not get to the UID data centre, the data is already with data brokers across the country. Mainstream media have exposed the existence of such data brokers as well as large volumes of this data being available in the deep web for anyone to scrape.

Field stories about enrolments are full of examples of how enrolments happened with fake documents, biometrics of multiple persons being combined to create non-existent persons, same persons enrolling multiple times with various biometric hacks. Various investigations and sting operations across the country have unearthed how easy it was to buy a fake UID. Unfortunately, to compromise national security all that would be required is one rogue agency creating fake IDs.

Field stories of using the UID for authentication are as worrisome. In many cases it has been reported that the intermediary simply tells the beneficiary that the biometric did not work, sends the beneficiary away and claims the benefit. In other cases, there is local authentication on the UID data stored locally. In yet other cases, the biometric data is simply submitted from a stored biometric for authentication. The presence of the beneficiary is not required. In yet other cases, the data is used and authentication is claimed when none actually happens. In other cases, they simply declare the beneficiary as missing or dead and cite this as a saving or plugging a leak.

Reports of the use of the UID number to onboard customers or transfer money are no less needful of UIDAI attention. Fake customers or fake on-boarding to issue multiple SIMs, for example, in the customer’s name without their knowledge has reportedly become simpler by using the UID number. The biometric captured at the time of on-boarding, in case of a genuine customer, can also be reused for every future verification request for money transfers. If OTP is used, the SIM is now in the possession of a criminal.

Anyone in possession of the biometrics of an industrialist, politician, bureaucrat or judge is in a position to create a fake identity in their name and misuse it for political, economic or terror purposes. This could turn the ID into a perfect Trojan horse that is waiting to harm the nation.

Anybody having obtained a mobile SIM using a UID number and demographic information is in a position to make unsolicited Aadhaar based money transfers to or from the UID number. The person can even open new bank accounts, link to government subsidy, benefits or pensions. The person can also obtain a PAN, buy vehicles, transfer properties, marry with other UID numbers, obtain driver’s licence, passport and PDS/LPG connection. The person can also change the information associated with the UID, including mobile number and biometrics. The person can commit frauds, crimes and spread terror assuming the demographic or biometric profile associated with the UID number. It is therefore the most dangerous number to be assigned to any person, or shared, or lost or stolen.

Unlike other IDs, UID makes it possible to hack any person’s identity and existence to take over property, money and records. It destroys governance, financial institutions, and national security. It is not a tool of disruptive innovation, it is a Trojan horse capable of the destruction of India and the government.

Prime Minister Modi had been the earliest to recognise and declare as the UID as a political gimmick and security risk. Hence, his team needs to be pro-active in working out the consequences of forcing the UID linkage to every database. The mandatory linkage of UID to every scheme shows indifference and possible ignorance of the risks that it poses to governance, national security, rule of law and the promise of justice, equality, liberty and dignity made by the Constitution.

Finance Minister Arun Jaitley had also in the past highlighted his own worry about the government’s use of Aadhaar as a precedent for various activities, from registration of marriages to property documents. He had indicated that “Will those who encroach upon the affairs of others be able to get access to bank accounts and other important details by breaking into the system? If this ever becomes possible the consequences would be far messier.”

For at least 30 years now, best practices elsewhere in the world do not require any ID to be able to deliver services, benefits and entitlements. Internally, the system captures the person they delivered a service or benefit to, and queries an internal system to verify any information that may be required to determine eligibility. This system, therefore, does not put to risk the individuals or the systems that deliver these services and benefits. Such systems work best because they are inclusive, non-intrusive, auditable and fail safe.

The resort to issuing out IDs is obsolete, flawed and dangerous in a modern, connected world. It is super-dangerous as cyber wars are not fiction, but fact.

PM Modi must re-examine this flawed system. Only he is able to destroy this UPA-era UID time bomb. This is needed to fulfil his dream to transform India and deliver minimum government and good governance. With 2019 in mind, PM Modi has just two years to cleanse India from the UID blowback and replace it with global best practices that will deliver services, benefits and entitlements without requiring anyone to flash an ID. Then PM Modi will have established himself as the first leader to substantively deliver on the promise of the Constitution Preamble to grant justice, equality, liberty and dignity to all citizens.

Add new comment

CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.