Why Misuse Of Aadhaar Information Is A Real Danger

Context: In a bizarre reversal, the Union government withdrew a notification from a Unique Identification Authority of India (UIDAI) office cautioning people against sharing photocopies of their Aadhaar card, just two days after the advisory was issued, claiming that it would be “misinterpreted”.

The advisory had urged people to use masked Aadhaar.

The masked Aadhaar facility has been in place since 2018 and this came about following a report by the Centre for Internet and Society that publicly available datasets had sensitive details such as full Aadhaar number details and also included bank account details of individuals.

Why UIDAI was right to issue the advisory?

The dangers of providing the full Aadhaar number to several agencies are evident in the way these numbers have been used by fraudsters for criminal purposes such as identity theft, Know Your Customer (KYC)-related fraud among others in recent years, and which have been documented in news reports.

The UIDAI has itself registered far more potential fraud cases related to the issue highlighted above in recent years compared to the past.

Other scams that are of a higher order have also been revealed recently, related to biometrics theft that have allowed scamsters to steal welfare benefits at the expense of genuine beneficiaries.

The Internet is full of leaked data and this poses a major threat to user privacy.

How identity can be verified using one’s Aadhaar copy?

One way is to scan the QR code on one’s Aadhaar copy (through UIDAI’s QR Code Reader app).

By scanning the QR code, the entity (that wants to verify your identity) receives a document with one’s personal details and photo. The entity can then match the details on one’s Aadhaar copy with this digitally signed document.

So, if someone morphs one’s Aadhaar copy, the fraud will be caught once the QR code is scanned, because details on the Aadhaar copy won’t match the ones on the QR Code Reader app.

Scanning the QR code tells the entity if the Aadhaar copy is genuine (or not). It won’t however tell them if the person who submitted the Aadhaar copy is you. To check this, the entity must match the photo thrown up by the scanned Aadhaar QR code with your face – in person. Or, like banks and other RBI regulated entities, conduct video verification.

Unfortunately, not all players follow this process. Often, service providers simply accept the Aadhaar copy as proof of identity without scanning the QR code on UIDAI’s QR Code Reader app. They also don’t verify through in-person, video or live selfie-based verification.

If a service provider fails to conduct this diligence, a fraudster can use a stolen Aadhaar copy to impersonate someone.

What happens if Aadhaar OTP or biometrics are also stolen?

Once a scammer has access to OTP or biometrics, it becomes easier to commit financial frauds. For instance: Telangana police’s recently warned about frauds perpetrated using the Aadhaar-enabled Payment System (AePS).

– AePS is a facility that lets one perform banking transactions like cash withdrawal and fund transfer. These transactions are done through a mini-ATM carried by a banking correspondent. For an AePS transaction, all you need is a person’s Aadhaar number, bank name and fingerprints.

So, criminals can withdraw funds from a victim’s bank account by stealing her Aadhaar number and biometrics. This type of AePS-related fraud recently happened in Haryana with criminals allegedly stealing victims’ biometrics from a government website.

A divided view on safety of Aadhaar

The UIDAI has been indecisive about the inherent dangers in the indiscriminate use of the Aadhaar number or the Aadhaar card by citizens. This is evident from its series of flip-flops on the issue, even before this latest withdrawal notice.

There seems to be a contradiction of views within the authority on the issue of potential misuse of the Aadhaar number.

– On the one hand, in statements advising caution and user discretion in revealing one’s Aadhaar number, it is seeking to treat these as sensitive information just like the biometrics provided by citizens to the authority.

– Yet, on the other, it has sought to universalise the open use of the Aadhaar as an identity document with missionary zeal and has downplayed the risks of doing so.

Way forward

The UIDAI must popularise the use of the masked Aadhaar facility as a start and rethink ways to tighten the scrutiny over how Aadhaar numbers are issued and utilised.

Law enforcement agencies must crack down on data leaks and websites carrying unmasked Aadhaar-related information.

Further, to protect the public against misuse of Aadhaar data, a data protection law is critical.

Source: This post is based on the following articles

– “Caution first: On the Aadhaar advisory” published in The Hindu on 1st June 22.

– “Why Misuse Of Aadhaar Information Is A Real Danger” published in The Times of India on 31st May 22.