FSMI expresses concern about Aadhaar Enrolment Software security

[Image: Aadhaar Enrollment: Slide from presentation made before the Supreme Court]

The Free Software Movement of India has published an open letter addressed to Dr. AB Pandey, CEO of the UIDAI regarding “Security of the Aadhaar personal data and ECMP Software”. The letter describes the coverage of the ECMP Aadhaar Enrolment Software hack reported by Asia Times and draws the notice of the UIDAI to WhatsApp messages circulating about the patched version of the software.

The letter also highlights YouTube videos “which claim to demonstrate how using a software patch to the ECMP software, geo-location and bio-metric security protection can be bypassed”, such as the one embedded below, which allow new Aadhaar enrolments without verification and the updating of personal information of existing Aadhaar numbers:


The FSMI calls this a very serious concern, as it endangers the sanctity of the entire Aadhaar database, and asks whether the UIDAI has carried out an examination of these claims and whether there is any merit to them.

The letter also draws attention to a PayTM account mentioned in the YouTube video that was tracked down to a Bharat B., who claimed to work for the Computer Sciences Corporation e-governance division. The letter asks the UIDAI whether the patched software could be a case of rogue insiders misusing their access to the software to create an illegal patched version.


The letter asks UIDAI the following questions regarding the reported hack:

  • What are the steps the UIDAI is taking to make the Aadhaar system safe, as the security problems seem to emanate from inherent design flaws in the Client-Server architecture of Aadhaar?
  • Also, given that it appears that solicitations to sell the patched version of software seem to have been uploaded to the net, and doing the rounds of WhatsApp from at least the last one year, what is the sanctity of information stored in the Aadhaar database?
  • What steps is UIDAI taking to verify the validity of data already uploaded by private players to the Aadhaar database, and whether it has been corrupted by such rogue patches being sold in the black market?

The letter concludes by saying that the ongoing silence of the UIDAI on the issue is “fuelling speculations and rumours regarding what is supposed to be India’s key data service.”

MediaNama’s take

The UIDAI hasn’t actually been silent about the issue. It has promptly issued a canned denial that does not actually address the hack reported, as our article points out.

The letter raises valid questions. Several credible organizations and individuals working with software and security have raised similar questions in the past as well. The Mozilla Foundation has expressed concern about this reported hack as well. Earlier this year, Troy Hunt had been sceptical about UIDAI’s unsubstantiated claims of security in a post on his blog.

There are several videos that appear to demonstrate the bypassing of UIDAI’s security features in the ECMP software for Aadhaar Enrolment – most of them appear to provide a phone number to contact in order to get the patch for the software and payments through PayTM. The illegal access reported in the Tribune expose was offered on WhatsApp as well, and required the payment to be made via PayTM.

So far, there are no reports of any of the people selling illegal hacks to access the UIDAI database being traced or arrested, even though a few people who purchased the hacked software have been arrested. This also raises serious questions about UIDAI’s ability not just to prevent misuse, but also to investigate it after it has happened. The role of PayTM in enabling criminal transactions also needs to be investigated, given that payments are made through the platform and yet no one has been traced or arrested.

The letter refers to Bharat B as working for the Computer Sciences Corporation. However, Computer Sciences Corporation is a US company, and the CSC that Bharat B is likely to have worked for is the Common Service Centres, physical facilities for delivering Government of India e-Services to rural and remote locations. The now-familiar French researcher Elliot Alderson / Baptiste Robert appears to have done a rudimentary investigation of the number provided for payment and says its owner worked for the Common Service Centres as well.


It is this CSC – Common Service Centres – that had a contract with the UIDAI for conducting enrolments and has, in fact, enrolled about a fifth of the Aadhaar numbers in the database. Earlier this year, the UIDAI refused to renew its contract with the CSC, citing complaints of corruption and enrolment process violations.

Ironically, the CSC website displays a newsletter containing a notification of an updated penalty structure where the UIDAI has imposed a penalty of a lakh rupees for bypassing biometrics during enrolment, even as it publicly denies that this is possible. The second point in the notification quoted by the CSC newsletter says “Due to various cases of bypassing the operator biometric capture being reported, UIDAI has decided to impose a penalty of Rs 100,000 per enrolment station found to be bypassing the operator biometric”.

Written By

Vidyut is a commentator on socio-political issues with a keen interest in behavioral sciences, digital rights and security and manages to engage her various proficiencies to bring an unusual perspective to issues related with the intersection of tech and people.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ