Articles

UIDAI’s house is on fire but it wants to pretend all is well

What does the Unique Identification Authority of India, or UIDAI, want exactly? The Aadhaar breach story reported in The Tribune, where journalist Rachna Khaira was able to buy access to the central UIDAI database for a paltry Rs 500 over Whatsapp, is a clear indication that UIDAI is not in control of the situation.

But instead of providing answers regarding the breach and why it happened, the UIDAI decided to first deny it and then one of its deputy directors filed a first information report against Khaira. This is not the first time UIDAI has threatened journalists who exposed flaws in Aadhaar and this is unlikely to be the last time.

UIDAI be like…

Let’s back up a bit. The whole reason why this FIR nonsense is happening is because the Aadhaar Act allows it. Section 47 of the Act prevents anyone who is not authorised by UIDAI from filing complaints regarding matters related to Aadhaar. There are many such problematic sections in the Act and in the regulations. They only exist because the Act itself was bulldozed through Lok Sabha as a Money Bill, preventing thorough scrutiny by the Rajya Sabha.

Since the UIDAI is the only one that can file complaints, if UIDAI itself messes up and puts citizens’ information in peril, then it would have to lodge an FIR against itself. Bizarre, I know. On top of this, UIDAI has been terribly selective about who they go after and file FIRs against. Take the case of recent Airtel Payments Bank fraud, which the Aadhaar’s wacky design enabled.

In this instance, when people went to get a SIM, Airtel made them swipe their fingerprints on the machine twice. One was used to issue a SIM card and the other was used to open a Payments Bank account. All of this was done without the customer’s consent!

According to the system design, once a Payments Bank account was opened, there is a table called “Aadhaar Mapper” which got updated. This table is maintained by National Payments Corporation of India (NPCI), which handles this Gormint’s dream project: Direct Benefits Transfer (DBT).

DBT is what is being used to transfer subsidies directly to bank accounts. What this Aadhaar Mapper thingy does is that it tells the Gormint which Bank Account the money should go to. By doing its shady Payment Bank Account opening fraud, Airtel made itself the default bank for DBT. According to reports, the subsidy of 55.6 lakh people worth Rs 138 crore went to Airtel’s payment bank.

What did UIDAI do in this case? It suspended Airtel’s e-KYC license for all its services…and then gave it back partially in five days flat. Now Airtel can still do SIM card verifications but cannot use Aadhaar for Payment Banks, DTH and other services. The subsidy money was returned to the original bank accounts of customers. But, there are zero reports of FIRs filed against Airtel.

Allow me to draw your attention to a particular section of the Act that shows how weird this is.

The only reason I can think of as to why nobody from Airtel was punished is because the design flaw in the Aadhaar-enabled payments system is what caused this fiasco. But then wasn’t the breach exposed by The Tribune also a design flaw?

Here’s an explainer of what happened in The Tribune case and how the breach took place.


Both Quint and Buzzfeed News did follow-up investigative reports on The Tribune story explaining how the breach took place. UIDAI flat out denied that the breach happened and said their demographic search function was misused.

The Indian Express quoted the FIR as saying, “The above-mentioned persons have unauthorisedly accessed the Aadhaar ecosystem in connivance of the criminal conspiracy…” On top of it, UIDAI’s Chandigarh regional office wrote to The Tribune editor asking: “was at all possible for your correspondent to view or obtain fingerprints and iris scan of any person through the aforesaid access to UIDAI portal” and “how many Aadhaar numbers did the correspondent actually enter through the said login user id and password and whom did those Aadhaar numbers belong to”.

UIDAI, on one hand, maintains that there has been no leak of biometric information and that demographic information by itself cannot be misused and, on the other hand, initiated criminal proceedings against the journalist who exposed this massive flaw in their system. UIDAI has consistently advised people not to share their Aadhaar numbers and printed copies with anyone. There is a weird dissonance in how UIDAI is behaving currently.

One thing is becoming clear from this Aadhaar breach saga: UIDAI’s whole house is on fire and the CEO is staring at the camera and telling the whole country, “Everything is fine!”