The UIDAI appears to have removed the option to see demographic authentication log in the authentication log history facility where Aadhaar number holders can check where their number has been authenticated and whether the authentication was successful.
This is significant, because the previous logs contained notifications of demographic authentications and several people had posted on social media about unknown demographic authentications being shown in their logs just before this change was implemented.
— DataVyuh (@DataVyuh) January 24, 2018
According to the UIDAI website, demographic authentications are described as:
Demographic authentication: The Aadhaar number and demographic information of the Aadhaar number holder obtained from the Aadhaar number holder is matched with the demographic information of the Aadhaar number holder in the CIDR.
An obvious security flaw in this is that a photocopy of any Aadhaar card can be used to authenticate as the holder of the Aadhaar number, as demographic authentication merely matches the data on the card against the data in the CIDR record. The authentication history log was evidence of the demographic data being done and in the event of unrecognized or unauthorized authentications, the Aadhaar holder could raise a complaint with the UIDAI. Now, with the information on the demographic authentications concealed, the Aadhaar holders have no way of knowing if their demographic information has been misused to impersonate them.
Where previously, the facility offered logs of the following kinds of authentication: All, Demographic, Biometric, OTP, Demographic & Biometric, Biometric & OTP and Demographic &OTP, all logs showing demographic authentications are no longer offered. The logs that can be now viewed include only Biometric, OTP and Biometric & OTP.
How big is this difference? Here is an example of the logs of an Aadhaar card before the demographic authentication log was removed and after.
It is easy to see how much data is concealed by this change.
This may be related to changes going on with the UIDAI’s authentication methods. Earlier, the UIDAI used to allow partial matching of demographic data. However, a circular dated November 27, 2017 by the UIDAI (File No K-11022 / 631 / 2017-UIDAI(Auth-II) (Archived) announced the end of partial matching of demographic data to “remove any chances of wrongful identity verification using demographic authentication” W.E.F December 1, 2017.
On January 24, 2018, MediaNama had emailed UIDAI the following questions
- What methods of authentications were logged as demographic authentications?
- Are these authentications done with the informed consent of the Aadhaar holder?
- Are the Aadhaar holders notified about full/partial match authentications of their Aadhaar number?
- What was the reason for removing the information of demographic authentications from the logs available to Aadhaar number holders?
- Is this related to your circular dated 27th November 2017 disallowing partial match demographic authentications and allowing only exact match demographic authentications after 1st December 2017?
- What is the percentage of demographic authentications among the total authentications logged overall?
We have not yet received a reply, and will update this post if we receive one.