Questioning the Safety of Aadhaar


Two days after issuing an advisory asking people to refrain from sharing photocopies of their Aadhaar Card, the Unique Identification Development Authority of India (UIDAI) opted to withdraw the notification.

  • It stated that the action was to avert any possibility of ‘misinterpretation’ of the (withdrawn) press release, asking people to exercise “normal prudence” in using/sharing their Aadhaar numbers. 


GS II- Polity and Governance

Dimensions of the Article:

  1. What did the UIDAI advisory say?
  2. Aadhaar (Targeted Delivery of Financial and Other Subsidies Benefits and Services) Act, 2016
  3. Is identity theft via Aadhaar possible?
  4. The Unique Identification Authority of India (UIDAI)
  5. Structural problems that the UIDAI faces

What did the UIDAI advisory say?

  • The withdrawn notice had suggested that holders use a masked Aadhaar card instead of the conventional photocopy, adding that the document must not be downloaded from a cybercafé or public computer and, if this is done for some reason, must be permanently deleted from the system.
    • ‘Masked Aadhaar’ veils the first eight digits of the twelve-digit ID with ‘XXXX’ characters. 
  • The notice stated that only entities possessing a ‘User Licence’ are permitted to seek Aadhaar for authentication purposes.
    • Private entities like hotels or film halls cannot collect or keep copies of the identification document. 

Aadhaar (Targeted Delivery of Financial and Other Subsidies Benefits and Services) Act, 2016

Aadhaar authentication:

  • It makes clear that Aadhaar authentication is necessary for availing subsidies, benefits and services that are financed from the Consolidated Fund of India.
  • In the absence of Aadhaar, the individual is to be offered an alternate and viable means of identification to ensure she/he is not deprived of the same. 

Know Your Customer (KYC):

  • Separately, Aadhaar has been described as a preferred KYC (Know Your Customer) document, but it is not mandatory for opening bank accounts, acquiring a new SIM or school admissions.
  • The requesting entity would have to obtain the consent of the individual before collecting his/her identity information and ensure that the information is only used for authentication purposes on the Central Identities Data Repository (CIDR). 
    • This centralised database contains all Aadhaar numbers and the holders’ corresponding demographic and biometric information.

Forbids sharing Core Biometric Information:

  • Additionally, the Aadhaar Act forbids sharing Core Biometric Information (such as fingerprints and iris scans, among other biometric attributes) for any purpose other than Aadhaar number generation and authentication.

Other provisions of the Act: 

  • The Act makes it clear that confidentiality needs to be maintained and the authenticated information cannot be used for anything other than the specified purpose.
  • More importantly, no Aadhaar number (or enclosed personal information) collected from the holder can be published, displayed or posted publicly.
  • Identity information or authentication records would only be liable to be produced pursuant to an order of the High Court or Supreme Court, or by someone of the Secretary rank or above in the interest of national security. 

Is identity theft via Aadhaar possible?

  • As per the National Payments Corporation of India’s (NPCI) data, ₹6.48 crore worth of financial frauds through 8,739 transactions involving 2,391 unique users took place in FY 2021-22.
  • Since the inception of the UID project, institutions and organisations have placed greater focus on linking their databases with Aadhaar numbers, including for bank accounts, especially in light of the compulsory linkage for direct benefit transfer schemes.
  • The NPCI’s Aadhaar Payments Bridge (APB) and the Aadhaar Enabled Payment System (AEPS) facilitate direct benefit transfer (DBT) and allow individuals to use Aadhaar for payments.
    • This requires bank accounts to be linked to Aadhaar.
  • In 2017, researchers at the Centre for Internet and Society (CIS) acquired information on various beneficiaries of such social security and employment schemes, including their Aadhaar numbers, bank account details, job card status, mobile numbers, etc.
  • The same year, the UIDAI, in response to an RTI, stated that more than 200 central and State government websites publicly displayed details of some Aadhaar beneficiaries, such as their names and addresses.
  • Both were made possible by the lack of robust encryption.
  • This data could potentially be used to fraudulently link the rightful beneficiary’s Aadhaar with a different bank account and defraud the beneficiary by impersonation, made possible by the sizeable volume of identity documents available. 

The Unique Identification Authority of India (UIDAI)

  • UIDAI is an agency under the central government of India mandated to collect demographic and biometric information of the country’s residents, store the data in a central database, and issue to each resident of the country a 12-digit unique identity number called Aadhaar.
  • UIDAI was established as per the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.
  • The act is also called the Aadhaar Act 2016 in short.
  • UIDAI is therefore a Statutory Body.
  • It comes under the Electronics & IT ministry.

Structural problems that the UIDAI faces

No specified encryption algorithm:

  • The Aadhaar Data Vault is where all numbers collected by authentication agencies are centrally stored. Its objective is to provide a dedicated facility for the agencies to access details only on a need-to-know basis.
    • The Comptroller and Auditor General of India’s (CAG) latest report stated that the UIDAI had neither specified any encryption algorithm (as of October 2020) to secure the vault nor set out a mechanism to show that the entities were adhering to appropriate procedures.
  • It relied solely on audit reports provided to them by the entities themselves. 

UIDAI’s Unstable record:

  • Further, UIDAI’s unstable record with biometric authentication has not helped it with de-duplication efforts, the process that ensures that each Aadhaar Number generated is unique.
    • The CAG’s report stated that apart from the issue of multiple Aadhaars to the same resident, there have been instances of the same biometric data being accorded to multiple residents.

Duplicate Aadhaar numbers:

  • As per UIDAI’s Tech Centre, nearly 4.75 lakh duplicate Aadhaar numbers were cancelled as of November 2019. The regulator relies on Automated Biometric Identification Systems for taking corrective actions.
    • The CAG concluded it was “not effective enough” in detecting the leakages and plugging them.

Biometric authentications:

  • Biometric authentication can be a cause for worry, especially for disabled and senior citizens, whose iris and fingerprint patterns both deteriorate.
  • Though the UIDAI has assured that no one would be deprived of any benefits due to biometric authentication failures, the absence of an efficient technology could give fraudsters an opening to make use of their ‘databases’.

-Source: The Hindu

December 2023