Aadhaar: A bit of resin is putting India’s welfare system at risk Prime Minister Narendra Modi’s welfare model is not new to India: Previous leaders have also subsidized food and fuel, as well as provided housing, toilets, and paid work to the rural poor. Modi’s competitive advantage stems from technology.
The government, then led by the Congress Party, had piloted direct cash transfers to beneficiaries a year before the 2014 election that brought him to power, inspired by former Brazilian President Lula da Silva’s popular Bolsa Familia program. All with the help of 12-digit numbers, Modi turned a modest $1 billion start into a $300 billion vote magnet.
These numbers, as well as the ID cards that contain them, are referred to as “Aadhar.” It’s a biometrics-based system that allows almost everyone in the world’s second-most populous country to prove their identity.
Aadhaar, which means “foundation” in Hindi, allows for over 450 million no-frills savings accounts and has increased the use of mobile internet for financial transactions in even the most remote villages. Five years ago, Nobel Laureate economist Paul Romer endorsed Aadhar as a global model.
However, it appears that there is a fair amount of epoxy putty—quite literally—in the very foundation of Modi’s welfare program.
It took a significant effort to fingerprint 1.33 billion people and store their personal information and iris scans in a central repository.
It was hoped that this extremely expensive database would pay for itself by reducing waste in government programmes and preventing theft. This was touted as a significant advantage in a corrupt country where state benefits are difficult to reach legitimate recipients.
However, activists have documented numerous instances of benefit denial. Fingerprints fade with manual labor, and correcting data-entry errors can be a nightmare. These problems have mostly gone unnoticed.
There is now a growing problem in the opposite direction: Aadhaar is being used very successfully by fraudsters. It’s the result of ubiquity combined with lax controls. While the unique ID was designed to improve the efficiency of welfare programs, private entities wasted no time.
In terms of realizing its potential, banks and telecommunications companies used Aadhaar to conduct online “know your customer” checks, which significantly reduced the cost of authenticating customers. As a result, Aadhaar became ubiquitous, and private data began to appear for sale on the dark web.
The government’s response has been to dismiss everything. Anything that calls the system’s integrity into question is ignored. That comes as no surprise: Policymakers have no other option for building trust in transactions now that they have chosen technology and made it universal.
The Indian Supreme Court restricted the database’s use in 2018, prohibiting private entities from using it for now-your-customer verification. Nonetheless, New Delhi has gone around opening legal back doors for them since then.
Last month, there was a wake-up call about identity fraud. The Unique Identification Authority of India, or UIDAI, issued a warning to people not to distribute photocopies of their ID cards “because they can be misused.” Furthermore, the notice stated that only authorized users may query the database to authenticate their identity; establishments such as hotels or movie theatres are not permitted to collect or keep copies.
People began to question why this warning was issued when everyone’s Aadhaar information was already widely circulated, so it was withdrawn the same day and replaced with new guidance that advised people to “exercise normal prudence.”
So, what exactly is going on? An Indian news website, The Morning Context, recently published an alarming account of scams. On YouTube, it appears that anyone can learn how to clone a fingerprint with epoxy putty and anyone can buy an identification card online.
Fingerprints can be extracted from digitized real estate sale deeds. To steal money from bank accounts, one could hack into a mobile app used by small village shops that double as Aadhaar-based micro-ATMs.
According to the May 30 article, there was a six-fold increase in overall Aadhaar fraud reported to the UIDAI last year. The Morning Context continued, “There is no data on the full extent of welfare benefits swindled, accounts degraded, or criminal complaints filed.”
More disturbing than the crime it is the government’s silence on its prevalence or severity. In its recently released Payments Vision 2025, the Reserve Bank of India acknowledges “significant growth in Aadhaar-enabled Payment System (AePS) through the business correspondent-assisted model.” Last fiscal year, over 2 billion micro-ATM transactions occurred, amounting to a $38 billion entanglement of Aadhaar with the banking system.
This is all on behalf of customers at the bottom of the economic pyramid. However, the RBI’s vision document, which includes “integrity” as a key pillar, says nothing about strengthening security for the deposit, withdrawal, and transfer services used by the poor.
Then there’s the social welfare plank: the Aadhaar Payment Bridge System is how the government transfers money to recipients. Even here, there are flaws. Former UIDAI chief Ram Sewak Sharma made his Aadhaar number public on Twitter in 2018 and dared privacy activists to do the same.
Show me one concrete example of how you can harm me! ” As it turned out, Sharma was registered as an eligible farmer, and the Modi government paid him three installments of free cash. The hacker had proven a point regardless of whether the vulnerability was in Aadhaar or elsewhere.
Modi’s new welfare state is based on Aadhaar. However, if there are flaws in the structure, they must be acknowledged — not to scare users away, but to make them more aware. Simultaneously, India requires a strong data protection law.
It’s bad enough to lose money. However, it is frightening if a bad actor can use a bogus transaction to place a person in a specific location or tie her to an activity. Sealing wax in the foundation of trust will not suffice.