The enrollment software, which allowed private parties to enroll people for Aadhaar has been compromised, HuffPost India reported following a three month-long investigation. Here’s what the report indicates, among other things:

  • The patch is available for around Rs 2500, and is still in widespread use
  • It allowed people to be enrolled into the Aadhaar database from anywhere in the world, by disabling the GPS tracking, which would have helped identify the location of the enrolment centre
  • It annulled the role of authorised enrollment operators by bypassing the biometric authentication of enrolment operators, and allowing enrollment using their photograph
  • A former enrollment operator had written to the UIDAI CEO about the existence of the patch
  • Operators whose license was canceled can still use the enrollment software

The UIDAI has said that:

  • This report is completely incorrect and irresponsible. The claims lack substance and are baseless. (MediaNama’s take: saying that it is baseless does not prove it)
  • Vested interests are trying to create confusion in minds of people. (MediaNama’s take: this is an ad hominem attack, and doesn’t address the concerns raised).
  • ‘Its further claim “to introduce information” into Aadhaar database is completely unfounded as UIDAI matches all the biometric (10 fingerprints and both iris) of a resident enrolling for Aadhaar with the biometrics of all Aadhaar holders before issuing an Aadhaar.’ (MediaNama’s take: This is false, and mixed biometrics have been allowed by the UIDAI software, as indicated by this New Indian Express story)
  • “All necessary safeguard measures are taken spanning from providing standardized software that encrypts entire data even before saving to any disk, protecting data using tamper proofing, identifying every one of the operators in “every” enrolment identifying every one of thousands of machines using a unique machine registration process, which ensures every encrypted packet is tracked.” (MediaNama’s take: Then why is it that UIDAI isn’t able to identify these enrollment agencies doing fake enrollments, and can only do so when the police file a case, or someone complains? Is tracking even possible if the GPS is disabled via a patch? All software can be patched.)
  • “It is further clarified that no operator can make or update Aadhaar unless the resident himself give his biometric. ” (MediaNama’s take: mixed biometrics are accepted, as the New Indian Express story indicated)
  • “Even in a hypothetical situation where by some manipulative attempt, essential parameters such as the operator’s biometrics or resident’s biometrics are not captured, blurred and such a ghost enrolment/update packet is sent to UIDAI, the same is identified by the robust backend system of UIDAI, and all such enrolment packets get rejected and no Aadhaar is generated. ” (MediaNama’s take: The New Indian Express story debunks this)
  • The reported claim of “anybody is able to create an entry into Aadhaar database, then the person can create multiple Aadhaar cards” is completely false. Some of the checks include biometric check of operator, validity of operator, enrolment machine, enrolment agency, registrar, etc. which are verified at UIDAI’s backend system before further processing. In cases where, any of the checks fails, the enrolment request gets rejected & therefore any claim of creating multiple Aadhaar & compromising the database is false. (MediaNama’s Take: spoofed biometrics of operators being used have been indicated by multiple reports. Other details mentioned can be spoofed too.)

A few additional concerns…

1. That this remains unresolved is a major concern and a national security risk: this issue of the software being patched is not new. The UP Police had arrested people and filed an FIR last year. Thus, this problem was reported in September 2017, and almost a year later, as per the HuffPost report, it seems that the UIDAI has not been able to address this patch. This indicates a lack of ability and/or intent to fix the issue.

As reported by HuffPost India, there are videos available on YouTube with details of how to use this software, and bypass authentication. The UIDAI has been informed in the past about WhatsApp groups where this information is circulating. This is also not new. Why hasn’t the UIDAI done anything about these videos and tried to track down misuse?

That the operators were able to enroll people even after their license was canceled is ridiculous.

The UIDAI has denied the authenticity of the HuffPost report. However, if the report is false, when why has the UP Police filed an FIR against enrollment operators?

We need transparency from the UIDAI: how many people where enrolled, how many fake IDs the Aadhaar database has, and what is being done about the fake IDs and the operators? There’s also lack of accountability: who is responsible for ensuring that these patches aren’t allowed to continue?

2. Can deduplication fix fake Aadhaar numbers? There are two scenarios here:

  • A foreign national could get enrolled for Aadhaar under a fake name, using their own fingerprints. There is no way that deduplication can address this, since the UIDAI doesn’t do physical verification, and merely takes other IDs for this without verifying the authenticity of the IDs.
  • Mixing of biometrics means that those enrolled may not be identified by the de-duplication engine. As per the New Indian Express story, which reported about mixed biometrics for almost 2 crore people, faulty biometrics are only identified when there is a complaint. Ask yourselves: how often do people authenticate with their fingerprints, instead of either using an OTP, or just showing a card or entering information into a form? The UIDAI has no mechanism for determining the fakes already present in the system.

3. This patch is sophisticated even if the enrollment operators are not. Thus, it needs to be investigated: who made this software, and distributed it to these private enrollment agencies? This is potentially a national security threat. Remember that a Pakistani Spy had a fake Aadhaar number. In another instance of Pakistanis getting Aadhaar numbers:

An official of the Unique Identification Authority of India (UIDAI) said this could be an isolated case. “An operator will not have the knowledge or skills to determine if the identity proof submitted is forged or obtained through illegal means. As and when such cases are brought to our notice, we will delete these numbers from our database,” he said. [source]