These numbers – and the IDs they carry – are known as “Aadhaar”. It’s a biometrics-based system that almost everyone in the second most populous nation can use to prove who they are. Aadhaar, which means “foundation” in Hindi, supports more than 450 million no-frills savings accounts and has promoted the use of mobile internet for financial transactions even in remote villages. Five years ago, Nobel laureate in economics Paul Romer endorsed Aadhaar as a role model for the world.
Increasingly, however, it looks like there’s a whole lot of epoxy putty – literally – at the basis of Modi’s welfare program.
Fingerprinting 1.33 billion people and recording their personal information and iris scans in a central repository was no easy task. It was hoped that this super-expensive database would support its costs by helping reduce waste in public programs and deter theft. This has been touted as a major benefit in a corruption-ridden country where government benefits have a hard time reaching legitimate beneficiaries.
However, activists have highlighted numerous cases of underperforming: fingerprints fade from intense physical labour; Getting data entry errors fixed can be a nightmare. These issues have been largely ignored.
Now there’s a growing problem going the other way: Aadhaar is being used very successfully – by scammers. This is due to its ubiquity combined with lax controls. While the unique ID was designed to make welfare programs more efficient, private organizations wasted no time in realizing its potential. Banks and telcos used Aadhaar to conduct online know-your-customer checks, which drastically reduced their costs of authenticating customers. In the process, Aadhaar became ubiquitous and private data appeared for sale on the dark web.
The government’s response was to sweep everything away. Anything that raises doubts about the integrity of the system will be ignored. That’s no surprise: once they’ve chosen a technology and made it universal, policymakers have no other way to build trust in transactions. In 2018, India’s Supreme Court restricted use of the database — barring private companies from using it for know-your-customer verification. Nonetheless, New Delhi has since opened legal backdoors for the private sector to further tap into.
Last month came a wake-up call about identity fraud. The Unique Identification Authority of India (UIDAI) has issued an advisory urging people not to give out photocopies of their cards “because they can be misused”. The release goes on to say that only users licensed with the agency can query the database to authenticate identity; Establishments such as hotels or cinemas are not permitted to collect or store copies. After people began to wonder why this warning was being issued when everyone’s Aadhaar information was already circulating everywhere, it was withdrawn the same day and replaced with new guidance advising people to “exercise normal caution”. .
So what’s up? The Morning Context, an Indian news website, recently gave an alarming report of fraud. It seems anyone can learn how to clone a fingerprint with epoxy putty on YouTube; and anyone can buy an ID card online. Fingerprints can be taken from digitized real estate sales deeds. Or, to steal money from bank accounts, one could hack into a mobile app used by small village shops that double as micro-ATMs for Aadhaar owners. According to the May 30 article, the total number of Aadhaar scams registered with UIDAI has increased six-fold. “There is no data on the full extent of the defrauded benefits, account demotions and criminal charges being registered,” the Morning Context added.
More disturbing than the crime is the official silence about its extent or seriousness. The Reserve Bank of India’s recently released Payments Vision 2025 points to the “significant growth of the Aadhaar-Enabled Payments System (AePS) through the Economic Correspondent-supported model”. More than 2 billion such micro-ATM transactions were carried out in the last financial year; this is a $38 billion entanglement by Aadhaar with the banking system – all on behalf of customers at the bottom of the economic pyramid. (1) Yet RBI’s vision document, which has “integrity” as its key pillar, has nothing to do with saying how to make security more robust for deposit, withdrawal and transfer services used by the poor.
Then there’s social assistance: using the Aadhaar Payment Bridge system, the government transfers cash to beneficiaries. There are weaknesses here too. Back in 2018, Ram Sewak Sharma, the former head of UIDAI, publicized his Aadhaar number on Twitter, challenging privacy activists: “Show me a specific example where you can harm me!” As it turned out, someone, Sharma, succeeded to register as a legitimate farmer, and the Modi government paid him three installments in cash. It’s debatable whether the vulnerability was in Aadhaar or elsewhere, but the hacker had proved a point.
Modi’s new welfare state is based on Aadhaar. But if there are cracks in the building, they need to be acknowledged – not to deter users, but to make them more aware. At the same time, India needs a strong data protection law. Losing money is bad enough. But it’s scary when a bad actor can use a bogus transaction to get a person to a certain place or tie them to an activity. Sealing wax in the trust base is simply not enough.
More from the Bloomberg Opinion:
• Facebook’s bigger threat is the law, not lawsuits: Parmy Olson
• Why aren’t there more public toilets in New York?: Stephen Mihm
• Trust, privacy and India’s need to protect both: Andy Mukherjee
(1) The more established digital payments public utility in India is Unified Payments Interface or UPI, which is widely regarded as a remarkable innovation to emerge from a developing country.
This column does not necessarily represent the opinion of the editors or of Bloomberg LP and its owners.
Andy Mukherjee is a columnist for Bloomberg Opinion, covering Asian manufacturing and financial services. He previously worked for Reuters, the Straits Times and Bloomberg News.
For more stories like this, visit bloomberg.com/opinion