The UIDAI appears to be having a bad start to 2018 with security flaws crawling out of the proverbial woodwork. The latest in a growing list is a story by tech researcher Anand V in The Wire that follows up on two stories of Aadhaar being issued to questionable entities where the Aadhaar number was known.
In case of a Pakistani spy Mehmood Akhtar, who was deported in October 2016, it was found that he had a valid Aadhaar number, and a working LPG connection in the name of Baijnath; the Aadhaar card was invalidated only after The Wire reached out to UIDAI for comment. Two bank accounts were linked to the Aadhaar number in October, a full year after he was deported.
In the second case, Lord Hanuman, who was shown to have an Aadhaar card as far back as 2014, still had a linked LPG connection and a bank as recently as November 2017, despite the card being deactivated in 2014.
This report raises serious questions about Aadhaar enabling misuse of services while doing nothing to prevent misuse. Some of the questions thrown up by this report are:
- What is the process of invalidation of Aadhaar cards and what processes are in place to prevent misuse of invalidated cards?
- How can an Aadhaar Card in the name of Mehmood Akhtar from Delhi be linked to the LPG and bank accounts of Baijnath MR from Agra? There isn’t any similarity of names or even addresses whatsoever. Entirely different people in entirely different places, so how was Aadhaar enabling the delivery of subsidies to an unrelated person and what the point even is to link Aadhaar to various services if plugging in an Aadhaar number could be used to link anyone to the service and not necessarily the Aadhaar holder?
- What are the security and welfare costs implications of merely using an Aadhaar number or the photocopy of an Aadhaar card without authentication – as happens in the case of LPG connections?
- Other entities that also collect photocopies of Aadhaar cards, including schools, colleges, hospitals, private companies and crematoriums – the list is endless. Who is legally responsible for similar mis-linking, misuse and potentially outright fraud enabled by such reckless collection of sensitive data that provides illegal access to subsidies and other government funds?
- Can it be denied that an employee of any of the many schools, colleges, offices and so on will have access to an endless supply of Aadhaar numbers to misuse for services where authentication is not done?
- What does the UIDAI do to prevent leakage of subsidies from such misuse and ensure public funds are not stolen by their reckless proliferation of Aadhaar?
- In the case of crematoriums, there would be available a list of photocopies of people who are already dead and would thus not be able to raise any alarm if their Aadhaars were misused. Who is to prevent misuse of such Aadhaars that are also likely to have pensions attached to bank accounts – say a simple case of a bank account being opened using fraudulent documents and linked to the Aadhaar of a pension eligible dead person?
- What steps does the UIDAI take to ensure all Aadhaar numbers associated with fraudulent enrolments are actually deactivated?
What are ghosts here?
“Ghosts” is a term being used to describe fake beneficiaries. People who don’t actually exist, but draw salaries, pensions and other benefits from the government. Linking the Aadhaar ID to all beneficiary accounts is claimed to be a method of removing ghost beneficiaries from the system. The stopping of payments to such ghosts is said to prevent “leakage” of funds in welfare services. But are the claims of removal of ghosts valid, if bank accounts are linked to Aadhaar IDs that no longer exist or the wrong Aadhaar IDs, and LPG connections linked with such Aadhaar IDs are functional?
If ghosts are easily present in the system with the use of an Aadhaar number (that does not even match the name of the ones availing the service), which are the ghosts the UIDAI refers to as being removed from the system and resulting in savings for the government?
- 80,000 teachers found to be ghosts nationwide – an actual “ghost teacher” explained that the MHRD survey of teachers for 2016-17 was not able to record the details of teachers unless an Aadhaar number was provided. Those who did not have one or were unwilling to provide one did not get recorded, rendering them “ghosts”. On the other hand, today’s examples imply that if they had provided someone else’s Aadhaar number, they probably would have been recorded as “real” – whether they did so for their own names or invented names of actual ghosts.
- 53,000 people were deprived of pensions in Uttarakhand – this is 8-9% of the most vulnerable citizens in the state – the disabled (9%+), widows and the elderly – due to a lack of Aadhaar. In spite of being eligible for pensions, they were not recognized as real people receiving pensions and their pensions have been discontinued since October 2016.
So it needs to be asked what UIDAI calls ghosts. At least some of the ghosts are real persons who do not have or refuse to give an Aadhaar, while fraudulent IDs with Aadhaar have no problems accessing services.
It appears that the UIDAI now considers Aadhaar ID as a “real person” regardless of whether they exist, and considers those without an Aadhaar as fictional – even if they physically exist and have professions, bank accounts and more on record.