The dark side of UID-1: Weaving a web of worries around U, I and Destiny of the nation

By creating a lucrative database under UID, we are creating incentives for the wrong interests—from hackers to enemy nations. The world has studied, debated and moved on from the idea of a unified personal ID. We Indians should not allow ourselves to be the guinea pigs of some thoughtless “thought leaders”.

“The public distribution system would have zero leaks.”

“Terrorists would be identified even if they are like needles hidden in a haystack.”


These are two big-ticket promises that originally sold Aadhaar to the common man. Many signed up for a seemingly harmless 12-digit number and believed the promise that Aadhaar would help solve two of the biggest curses on Mother India—corruption and terrorism. So all ye patriots, you ain’t one till you have one—Aadhaar card.

For those pressed for time and money, UID is free and it came to your doorstep. You are a techie? Oh, how can you be away from the best thing to happen to the country? Nandan Nilekani drives it and he sure knows it all, man. You can build apps on the Aadhaar platform. C’mon, let us join hands. If the entrepreneurial among the literate and urban middle-class were wooed thus, the biggies had their own reasons to cheer. After all, the multi-billion dollar unique experiment for the world has all sorts of tech companies salivating for a share of the pie. Some more resistance thus taken away by getting some more to join the bandwagon.


Different things were promised to different people and at different times. It was said in the initial days that Aadhaar is not mandatory to buy gas cylinders or for any civic activity. It was optional. The situation today is such that even to get married one may need an Aadhaar card (“Keep your UID cards ready to get married, buy house”). The Delhi government is thinking of making the Aadhaar card mandatory for all government work.

But it is still not enough. So, next to follow—cash to your accounts through UID, gas cylinder discounts only through UID, and more. Now this is where it hurts the most. The aam aadmi cares for nothing as much as his shrinking wallet. No Aadhaar, no gas cylinder subsidy. Sign up or pay more!

Cash to accounts will get the poor to have their Aadhaar ID. Gas subsidy refunds, shaadi and dream home would get middle-class to sign up. What more? Divorce or kids or treatment in hospitals ONLY through Aadhaar? What is the law on such boundaries on the usage of Aadhaar, if there is such law? Sorry. No such law. The tipping point achieved, nothing stops the UIDAI (Unique Identification Authority of India) from getting every resident under its scanner. Literally.

In whose hands is your personal data today?

PAN card links all your credit card, banking, income tax returns, house and other cash or immovable assets data.

Mobile number can track you down to your location. It can reveal your network of friends and expose your affiliations to activists or NGOs. It is not too difficult to get tower level data and call records for any number in India. Just requires a suitable price to the right person and a pen-drive.

Your Facebook and Twitter data is a click away for regulators. Recent policy changes by both social networking giants mean they would reveal anything at the drop of a hat to government agencies. If not to the government, all such personal data is already released to commercial entities at a price. By the way, India ranks right on top, only after the US, in government surveillance over the internet, as indicated by the number of requests seeking data from Google (“India's requests for web content removal, user details rise: Google”).

Emails? Again, as L’affaire Petraeus showed, be you ever so high, you would never be secure—given your digital footprint, even if mails were unsent and merely saved as drafts on a common shared account. Anything on the servers of the world is within reach of a snooping government.

CCTV cameras track your every moment in every mall, toll plazas on highways, public places. CCTV feed is stored for years now, given the near-zero cost of storage these days. Every other residential society today has CCTV cameras everywhere except your bedroom (and who knows?), from elevators to corridors to gyms and halls.

Your office has RFID and other ID detecting systems that track all your movements.

Your credit card company has all information on your travel, purchases, hospital payments, fine dining, personal habits like pubbing and more.

Combine and contrast all the above with Wikileaks, RTI, social media, open data movement, data liberation, big data, high processing power and low data storage cost, etc, on the other side where citizens too have more access to establishment data. And that is not liked by the mighty. And hence the increased urge to get back at the citizens.

Enter the Big Daddy of all IDs of the citizens—Aadhaar.


Why should you worry?

If you have attended any Aadhaar presentations or speaker sessions, you will know that the speakers never tire of stating that Aadhaar is fully secure technology, has validation checks, safe storage of records, secure biometrics that have 99.99% accuracy, etc. And then, their convincing arguments go further—Aadhaar is only a number, with your name, biometrics id and bare minimum information like address and the like. “We do nothing more at UIDAI than just validate your identity to the querying department of the government like PDS agencies. UIDAI would not store any of your data other than this.”

And the UIDAI is right. But it is also being economical with truth.

A number by itself is like a dot. A dot has no weight, volume, length or area. But what they do not tell you is that these dots get connected to form a web. This web of worries is around you. Worried? Let me share a few examples of things to follow. Before that, what is the state of affairs on other identification methods you have today? The same Indian ‘system’ will handle Aadhaar too. Let us see how safe your ID today is with the powers that control and use/misuse your ID.

Aadhaar has the potential to link all that you have by way of multiple IDs today. Its reach comes through this web, at the centre of which sits Aadhaar itself as the master-index key to your full personal database, which includes but is not limited to all that we just saw above in this section. Aadhaar links mobile, credit card, PAN number, employment, property, assets, address, family and, through a two-step link, all else like social media, travel data, health history and the rest. It has the potential to track your entire school history and possibly then your grades, what remarks your class teacher wrote when you were in kindergarten and how many times you tweeted from a fake id as a teenager.

NATGRID (National Intelligence Grid) proposes to link 21 databases and is a privacy nightmare. Telecom networks would be linked in real time and would be obligated to provide all subscriber information as a feed to it. PAN, visa, passports, driving licenses, banking system, etc, all link up to it. UID enables it. What next? DNA profiling? Would that rid us of all corruption and terrorism? The seriousness of the government’s stated goal of ending corruption and terrorism/crime, if true, would have shown up in other areas like the Jan Lokpal bill or police reforms, but we observe the opposite stance there. The reality is that UID is the state’s intent to control its subjects, and terrorism and corruption are convincing arguments to make people give up resistance. But they are just arguments, not practical steps in that direction.

It does not matter to us whether Aadhaar is made most secure or that it is a harmless dot. What worries us is in whose hands the web of connected dots, which nets all personal information by using Aadhaar, would be. It is the government, and therein lies the worry. If the government builds in all the laws and institutes systems and processes to implement them to secure the safety of personal data, it may be acceptable to have Aadhaar. Such laws and processes would mean that custodians, agencies authorizing access, and agencies with legislative powers are all distinct, with iron walls between them. If the CBI or police or courts can authorize drawal of any data based on the Information Technology Act provisions as it is today, one would like all these agencies themselves to be free of possibilities of misuse, and incapable of being influenced. Any local politician can get your information through these agencies and any wealthy citizen can pay his way to get this information, given the weak IT Act implementation. The credibility of all these, except a redeeming few in the judiciary, is abysmal, and abuse of personal information is easy and rampant. In the proposed NIAI bill, an authorized joint secretary can order release of information collected under national security clause.

Prof Rajiv Kumar, the whistle-blower on IIT-JEE irregularities, alleges that his personal cellphone data was illegally taken over by IIT authorities; Ratan Tata complained of selective leakage of the Radia tapes data; Facebook posts and Twitter tweets have repeatedly led to arrests of citizens; Pranab Mukherjee’s office had a bugging controversy; and CBI joint director VV Lakshminarayana's call data record (CDR) was leaked. It is all happening surreptitiously, taking advantage of loopholes in the IT Act.

One may also note that such data is selectively leaked, obtained through the back door, selectively used, not shared publicly but landed at media houses, with allegations made without showing proof, etc—all to undermine political opponents and not just to target terrorists or end corruption. It is a global phenomenon, and Wikileaks is full of proof of all levels and classes of public figures from all nations indulging in such information abuse. The IT Act in India may have safeguards that make it illegal to secure your personal data, but if your telephone call and location data is suddenly with all the media houses, whom do you complain against? And who would have such access to your private information so easily? The government, with Aadhaar. We need only jog our memory on the misuse of state powers through the back door against all the recent challengers to governmental corruption named in the previous paragraph.

Moneylife recently published a 9-part series on how and why Aadhaar is a bane more than a benefit.


(Sandeep Khurana is an independent consultant and researcher. Views expressed are personal. He can be reached at his twitter Id @IQnEQ.)





    7 years ago

    Lakh crore spent on UID card
    I have none
    My family has none
    Ration card; I do not have; too much corruption
    Voter id card; post 60 I am not enumerated or my family; needs too much follow up.
    CENSUS records of our family done twice; this is the only dept that works. CENSUS dept is British gift

    Ashok Kalbag

    7 years ago

    Today PAN, Passport, & Credit Card numbers can be used to collate most of the information of the financially significant part of the population. Aadhar is essentially for those who have not been able to get the benefits government provides due to lack of ID of the individual.
    Have the Aadhar protestors not acquired most of the existing identities and prospered, but want to deny similar benefits to those who cannot get them?
    Which system cannot be abused by a determined individual? Does it imply no system be introduced for the greater good?


    Sandeep Khurana

    In Reply to Ashok Kalbag 7 years ago

    You have a point in saying that even now govt is misusing its discretionary powers and access to information on public. It selectively targets and gets information against activists and political opponents- be it Radia tapes and Tata, or Anna's army records or tapping phones etc. That does not justify obvious increase in such power and potential after UID.

    However, it is not agreeable to suggest that some unknown protesters you refer to made it big in life because they have PAN, passport and credit cards. On the contrary, tax evaders are loath to hold credit card and PAN.

    Also, not true is the statement that benefits will be denied to poor. Subsidy distribution can be done through election I-cards too and enough economists have said about failure of Aadhaar to secure PDS. Why link all information of an individual in hands of govt? Law must have safeguards it does not have now.

    As for abuse by determined individual, we act to minimize such opportunities not maximize through creating an attractive database of interest to terrorists, enemies, marketers, politicians and wait for ticking time bomb to explode. Bring in division of power and authority over use of Aadhaar, build safeguards, make it voluntary like in US SSN etc- than just accept everything govt does without murmur.

    Ashok Kalbag

    In Reply to Sandeep Khurana 7 years ago

    Aadhar does not entitle you to any benefit. It is only a means to authenticate the individual.

    Benefits to poor are lost as they have no means to authenticate themselves in the absence of any documentation. Hence the denial to poor.

    Election I Cards need other documentary evidence for issue and no means to authenticate the holder as a unique individual. Fakes and duplicates are known to exist rampantly.
    "Bring in division of power and authority over use of Aadhaar, build safeguards, make it voluntary like in US SSN"
    That is exactly my point! It is voluntary, like US SSN (try opening a bank account in US without SSN!)
    UID does not have any database other than the biometric data and address for correspondence, etc. The data of different agencies who rely on UID is only for authentication of the individual, to eliminate fakes, and duplicates. Hence the data is distributed with the various agencies who need to maintain it.
    UID does not give any data, it only authenticates the biometric data submitted with the claimant in just a Yes or No to the query.
    Any one who wants to collate the data of persons of influence can do so in the existing system without recourse to UID (with PAN, Passport, etc.).
    Persons with only UID, and no other ID such as PAN, Passport, etc., are already on the margins of society and can only be exploited by diverting benefits accruing to them. Hence the benefit of UID to ensure they get benefits from the government directly.
    If there is a better means, it is yet to be considered for acceptance.

    Sandeep Khurana

    In Reply to Ashok Kalbag 7 years ago

    On election cards- if what you say is true, then you should be agitated. If it is not good to distribute subsidy, it is not good to elect government. Why not secure that than create more IDs.

    SSN is voluntary in US "by law". Await article part 2 for details.

    You have missed the point I make at very beginning of the article on UID being just a harmless dot. There is more to dots that can connect to be a web.

    240p FLV

    In Reply to Ashok Kalbag 7 years ago

    Aadhar is essentially for those who have not been able to get the benefits government provides due to lack of ID of the individual.

    Ok. So, why should Aadhar be MANDATORY IN PRACTICE for YOU & ME?

    Ashok Kalbag

    In Reply to 240p FLV 7 years ago

    Aadhar is voluntary (see
    Who has asked you for Aadhar number to state MANDATORY IN PRACTICE?

    Sucheta Dalal

    In Reply to Ashok Kalbag 7 years ago

    Mr Kalbag.. you are obviously not reading the newspaper. Otherwise you would be aware that municipal unions are protesting against the drive to make it mandatory by withholding salaries.

    Also check what is happening at elite clubs etc.
    Better still, if you are in Mumbai, do attend the talk tomorrow at the Yacht club. See details at the top left of our home page!

    Akshay Iyer

    7 years ago

    Insightful article Mr. Khurana! It is indeed scary to believe that life can imitate art to this extent. This is very similar to what George Orwell wrote in "1984" when he envisioned "Big Brother". I believe we're gradually getting there. Unfortunately, we are not even realizing the implications of having an Aadhaar card.


    Sandeep Khurana

    In Reply to Akshay Iyer 7 years ago

    Dear Akshay,
    Your clairvoyance has me impressed. I have also mentioned of threat of becoming an Orwellian state in part 2 of the article that follows soon.

    Ubaldo C DSouza

    In Reply to Akshay Iyer 7 years ago

    It is not that we are not realising the implications of the AAdhar card. Do we have a choice when the card is being progressively and increasingly made mandatory at every step of the way?

    Sandeep Khurana

    In Reply to Ubaldo C DSouza 7 years ago

    You are right. Even today, TOI news says "Sheila Dikshit for Aadhaar numbers into university degrees, birth certificates". Please read part 2 of this article (to be published) for some answers to your query. Needless to say, public awareness and support is first step.

    Ubaldo C DSouza

    7 years ago

    Moneylife, Tehelka and Insight (CERC) are currently the best things on the Indian media scene.

    Is UID anti-people?-Part 9: Law makers as law breakers

    The Indian government, the PM and Nilekani have chosen to ignore the Parliamentary Committee's report on UID. They have continued to implement the UID scheme with greater vigour. Their disdain for the Committee report establishes their arbitrariness and the go-by they have given to the “Rule of Law”.

    I am not an advocate. Hence, I make no claim to knowledge or expertise in law or on legal questions. However, I do enjoy the study of law and legality. Therefore, in this article, I give my views on the legality of the government’s actions in implementing the UID (Unique Identification) scheme from my ‘layman’s’ perspective. I have filed a civil suit against UID.


    I believe in the “Rule of Law”. Let me elaborate it as I understand this phrase.


    Rule of Law and UID/UIDAI

    “Rule of Law” is a principle that governs modern civilised society. The principle behoves governments to act in accordance with the law and justice. It circumscribes governments from acting with any arbitrariness. No one, including the government itself or any of its officials, is exempt from the rule. They are all to abhor arbitrariness. Hence, no government functionary can act without a law or statute that permits his actions. (The word ‘his’, whenever used here, includes the feminine gender, is synonymous with the feminine form of the word and is used for the sake of convenience to represent both genders. It is not to be construed as having any bias.) The government did many acts which are arguably outside the pale of law.


    Firstly, the prime minister appointed Nandan Nilekani as head of the Unique Identification Authority of India (UIDAI) and granted him the rank and status of a Cabinet minister. While it is the prerogative of a PM to appoint anyone of his choice to any position, this privilege or right, if you will, is not to be a whimsical or arbitrary exercise. Not only must that be so, but the act (of appointment) must be seen to be done with adequate reasonableness. Mr Nilekani is admittedly a successful business person in the IT field. There are many others equally successful, equally qualified and perhaps, even more qualified. Taking people from business into government through executive appointments is a peculiarly western, largely US, practice. It has not been successful. McNamara, appointed from being president of Ford Motors to the Kennedy cabinet, as Defence Secretary, led the disastrous Vietnam War. Cheney too as Bush's Defence Secretary during the Iraq war was anything but a success. Nilekani's appointment was non-transparent. It is not known how or why the PM chose him.


    Granting him a Cabinet rank and status makes it worse. Appointment to the Cabinet is also the PM's singular privilege. This too is governed by Article 74 of the Constitution. Art 74 (1-A) stipulates that the number of ministers is not to exceed 15% of the total number of members of the Lok Sabha. Art 74 (5) says that a minister, who for a period of six consecutive months is not a member of either House of Parliament, shall at the expiration of the period cease to be a minister. Art 74 (6) provides for salaries and allowances of ministers to be governed by Parliament. Nowhere does the Constitution or any law provide for the grant of rank and status of a Cabinet minister to any individual. I am told that Nilekani does not draw any salary. We do not know whether he is paid any allowances or enjoys any pecuniary advantages of the rank or status. If so, he and the government are in violation of the Constitution.


    Serious consequences follow when these Constitutional provisions are skirted. Art 74 (4) of the Constitution mandates that before a minister enters office the President shall administer the oath of office and secrecy to him. Nilekani has not taken the oath. As one with the rank and status of a Cabinet minister, it is reasonable to presume that he must have attended Cabinet meetings. Nothing prevents him from disclosing the proceedings of the meetings and he cannot be taken to task for such disclosure.


    NIDAI Bill

    The PM and his government are fully aware of the need for a law to authorize the implementation of the UID scheme. This is the reason why they brought a Bill before Parliament. The Bill, called “The National Identification Authority of India, (NIDAI) Bill 2010”, was placed before Parliament. It was referred to the Parliament Standing Committee on Finance. The Committee, in a near unanimous decision, rejected not just the Bill, but it also trashed the UID scheme.


    The Committee was scathing in its criticism of the UID scheme, calling it directionless, lacking clarity of purpose and raising serious concerns regarding national security. The Committee's report has been with the government since December 2011. The government, the PM and Nilekani have chosen to ignore the Parliament Committee’s report. They have continued to implement the UID scheme with greater vigour. Their disdain for the Committee establishes their arbitrariness and the go-by they have given to the “Rule of Law”.


    Article 73 of the Constitution

    During its appearance before the Parliament Committee, the UIDAI maintained that it could continue to implement the UID scheme without a law. The Authority justified this stand by quoting the Attorney General's opinion that the power of the Executive is coextensive with that of Parliament under Art 73. The Committee said that it was not satisfied with the position UIDAI took to continue its implementation of the UID scheme. The proviso to the Article makes it clear that the power of the Executive does not extend to matters with respect to which the legislature of the state has the power to make laws. All purposes for which the UID scheme is ostensibly implemented, such as public services, public health, local government, etc, are in the “State List” to the Seventh Schedule under Art 246 of the Constitution.


    Hence, implementation of the UID scheme without a law violates the Constitution. The government and UIDAI have thus made a complete mockery of the “Rule of Law”. The scant regard that the government and UIDAI have for the “Rule of Law” is seen in the draft NIDAI Bill. The Bill legitimizes all acts that UIDAI has done before the law was passed. In other words, the government and UIDAI think that they could do anything and everything as they please and, in the event their acts are questioned, they could get away with it by bringing a law to give legal sanctity to their acts. A principle of “Rule of Law” is that the government cannot give retrospective legitimacy to its acts.


    Right to privacy

    This is inherent in the right to life guaranteed under our Constitution. When the government proposes to gather personal and biometric data of the people it intrudes into their privacy. Such acts cannot be done without the sanction of law. Knowing this, the UIDAI and the government brought forward a law. Even after the Parliament Committee rejected it, they have continued to implement the UID scheme.


    Jeopardising national security

    One of the UIDAI's contractors is L1 ID Solutions (L1 for short). The company’s history, to put it mildly, does not inspire confidence. A lot of information trawled from the internet is in the annexure to the Monograph. The company was formed through the efforts of La Penta, which merged two companies, Viisage and Identix, to set up L1. Viisage was under investigation by the US Securities and Exchange Commission (SEC) for certain offenses. According to a website, “AxXiom for Liberty”, Louis Freeh (former Director of FBI), Admiral Loy (former head of Transportation Security Agency), George Tenet (former Director of CIA), Frank Moss (former program manager for the State Department's E-Passport program) and many others who held key positions in the (US) federal government joined Viisage/L1 as members of the board of directors or as paid employees.


    In a page on the website (AxXiom) titled, “The Revolving Door at Never Stops Turning—Look who's doing your Biometrics Now!”, the author, Mark Lerner, alleges, “It must be really sweet to sign off on contracts worth millions of dollars, tens of millions or more in fact and then turn right around and go on the payroll of the same company that you awarded the contracts to. Sure, Tenet, Freeh and the others may not have had to sign the actual contracts but certainly they are responsible for knowing who the contracts went to when they were in charge of their respective agencies and departments.” The website also alleges that “Viisage is the same company that had a state driver’s license contract voided by the Georgia State Supreme Court for misrepresentation.”


    It is interesting to note that the UIDAI chief also came into government through a revolving door from business. This is the fashion today in some democracies that follow the US pattern.


    L1 has now been taken over by another company, Safran, headquartered in France; but L1 still has operations in the US, with intelligence agencies and government departments. Is it prudent or even sensible to contract with such a company for biometric services for the entire population of this country? When Huawei, a Chinese company, obtained a contract to supply modems to BSNL, there was a hue and cry in the media, and by activists and politicians, raising security concerns. When the Indian Institute of Science (IISc) signed an agreement with Huawei for collaboration in research, again there were loud protests and IISc had to rescind the agreement. Why is everyone silent on the deal between UIDAI and L1? The Parliament Standing Committee on Finance, which examined the National Identification Authority of India Bill 2010, rejected the Bill as well as the UID scheme; it also expressed serious concerns about the effect UID would have on national security. Did they have in mind the contracts with companies like L1?


    Law-makers and law-breakers

    When the government and their collaborators wilfully ignore the law, they would be guilty of breaking the law. There is no excuse for breaking the law even for good purposes or with good intentions. Skirting of the law by interpretations of one’s choice could never be condoned or ignored. When the acts of the law-maker also have elements of jeopardising national security, as is the case here—through contracting with companies of questionable backgrounds—and when information relating to the contracts is denied to the people, the acts could be construed as brazen. It is time that all right-thinking people rise up to question such acts. This is exactly what some of us have done. We have approached the courts. We would agitate the matter through the judicial process, as well as on the political and social planes, until success is achieved and the diabolical machinations of those who indulge in such activities are exposed and halted. In this, we take inspiration from Roger Clarke, who campaigned for twenty years to scrap the Australian ID card. Two of his writings from his website are in the annexure. One article gives the general issues relating to ID cards and the other the specifics of the Australia ID card. He is our model to follow.


    Here is the UN review on Rule of Law


    The principle of the rule of law embedded in the Charter of the United Nations encompasses elements relevant to the conduct of State-to-State relations. The main United Nations organs, including the General Assembly and the Security Council, have essential roles in this regard, which are derived from and require action in accordance with the provisions of the Charter.


    “For the United Nations, the rule of law refers to a principle of governance in which all persons, institutions and entities, public and private, including the State itself, are accountable to laws that are publicly promulgated, equally enforced and independently adjudicated, and which are consistent with international human rights norms and standards. It requires, as well, measures to ensure adherence to the principles of supremacy of law, equality before the law, accountability to the law, fairness in the application of the law, separation of powers, participation in decision-making, legal certainty, avoidance of arbitrariness and procedural and legal transparency.”


    (S/2004/616) (Report of the Secretary-General on the Rule of Law and Transitional Justice in Conflict and Post-Conflict Societies)

    (Col (Retd.) Mathew Thomas is a former defence services officer and missile scientist turned civic activist campaigning against state database control of the people.)

    (This is the concluding part of a nine-part series)

    You may also want to read the earlier posts of this 9-part series of articles on how UID is anti-people.

    Is UID anti-people?–Part 8: UID’s security is flawed
    Is UID anti-people?–Part7: Incarnation of new geo-strategic tools, NCTC, NATGRID, UID, RFID and NPR
    Is UID anti-people?–Part 6: The foundation for incessant intrusion
    Is UID anti-people?–Part 5: Why UID is impractical and flawed “Ab initio”
    Is UID anti-people?-Part 4: Does the implementation smack of corruption and negligence?
    Is UID anti-people?-Part 3: Tall claims and tomfoolery of UID
    Is UID anti-people? –Part 2: A bundle of contradictions, misconceptions & mirages
    Is UID anti-people? The database state –Part1





    Design and People

    6 years ago

    Very useful information. Thank you Moneylife.

    This is to bring your attention the Design & People "Aadhaar ka Anaadar" campaign launched recently in South Bangalore, the constituency chosen by Nandan Nilekani to contest the Lok Sabha election. Campaign details:

    Continue to publish such stories that benefit ordinary masses in this country.




    Krishnaswami CVR

    7 years ago

    Appears to be logical thoughts. Would certainly go through the Australian case. appears to be sane article, deserves a legal probe. If we can emulate US in some cases, why not follow their law on privacy also?

    Is UID anti-people?–Part 8: UID’s security is flawed

    There is a distinct difference between identification and authentication. Worldwide, biometrics is mainly used for identification rather than authentication when the sample size is large. Yet, in India, the government and the UIDAI are trying hard to use the UID number for both identification and authentication.

    Given that the UID project—now branded as the Aadhaar project does not have legal sanction yet—the National Identification Authority (NIA) Bill was sent back by Parliament’s own standing committee, no cost benefit analysis yet, no feasibility study of any kind yet, it is interesting to look at the security issues of this project.


    First of all, no expert worth his/her salt would believe that authentication using fingerprints works for a population anywhere close to this size. Worldwide, biometrics is mainly used for identification rather than authentication when the sample size is large. There is a distinct difference between identification and authentication which I would like to take some time to explain.


    For instance, the US Federal Bureau of Investigation (FBI) has a biometric database of around 50 million or so people (note that this does not cover the whole American population, which totals more than 250 million). A fingerprint found at a crime scene is checked against it to see whether a suspect is among the people whose fingerprints are in the FBI database.


    Matching of fingerprints for identification purposes requires careful, high resolution checks to see if two fingerprints are the same. Even with such a high resolution check, the FBI has made mistakes. In case of a terrorist incident in Spain a couple of years ago, it mistakenly nailed a lawyer from California based on fingerprint matching only to retract later. The FBI was later sued by the lawyer and it paid hefty compensation to the lawyer for its mistake.


    Authentication is the process of checking only one fingerprint and at much lower resolution to see if the fingerprint in the database is the same as the one that is being produced for authentication.


    Now how are the two different, you may ask?


    To understand it, one needs to understand an important aspect, namely that this authentication, at least as proposed by UIDAI, is done remotely and digitally. And herein lies the crucial difference. Thus, for instance, if I have a digital image of your fingerprint, I can authenticate in your name. That is, I can impersonate you because I have the digital copy of your fingerprint. Now, it is not difficult to make a digital copy of your fingerprint. For instance, I can give you a glass of water to drink and when you touch that glass, your fingerprints will appear on that glass. By following a procedure—and instructions for such a procedure are available easily and even on the internet—I can then make a fake fingerprint made out of say ‘Fevicol’, wear it on my finger, and then use it for authentication. Thus, for all purposes, and as far as UIDAI is concerned, I have impersonated you and I can now be eligible for the cash transfers that you are eligible for.


    Please note that the above is possible in all circumstances—namely if authentication is to be done in automated fashion in say an ATM like machine or in a supervised condition where a supervisor picks up my fingerprint via a fingerprint scanner which he/she carries.


    Now that the government is going to use UID for vast amounts of cash transfers, and given the proliferation of frauds in this country, one can imagine the windfall for fraudsters due to this. And add to this the fact that the middle-men/agents who may carry out this task in this country aren't exactly saints. They can lay their hands on the fingerprints of a huge number of people, either via digital copies or via making fake fingers, and steal the entitlements of the people. Most people, not knowing the technology behind all this, would be clueless as to what is happening.


    The above is by no means the only security issue with the UID project. There are many more serious security issues in this UID project. One of the other main ones is that of de-duplication. The whole UID project rests on the thesis that your identity, that is your biometrics—fingerprints and iris scans—is unique. Which means that each of the billion fingerprints in the database—assuming the database is say a billion strong—corresponding to the billion people is unique. That is, no two fingerprints corresponding to a particular finger in the database are the same. And how does UIDAI ensure this? They claim to ensure this through a process which they call de-duplication.


    Now what is de-duplication?


    De-duplication is the following. Whenever a person’s biometrics—that is his/her fingerprints, and iris scans—are to be inserted in the database for the first time, there is a check made to ensure that these are not already present in the database, that is, they are not duplicated. That is, for each of the ten fingerprints of the person, a check is made against each and every fingerprint already present in the UID database corresponding to the particular finger to see if a similar fingerprint already exists in the database. Only if no similar fingerprint exists is the newly to be introduced fingerprint considered unique and introduced into the database. The UIDAI claims that this process is almost 100% accurate; that is, except for a small minute percentage, it will catch all the duplicates. And herein lies the problem. This claim is made by the UIDAI. However, there is no independent verification by any unbiased third party of this claim.


    And this is the whole issue: should any sensible person believe the UIDAI’s claim when UIDAI does not allow any independent third party access to verify its claim? Given that thousands of crores are at stake for UIDAI, if, say, UIDAI finds that de-duplication is not working, do you expect it to come out and say it?


    There is no good reason to believe what UIDAI says is correct mainly because it has been completely non-transparent about the project, hasn't sincerely answered questions raised as part of RTI queries, as also has gone back on promised commitments to meet with independent experts who are part of civil society to discuss such issues.


    I would not be surprised if de-duplication is not working and there are many persons out there, who have more than one UID allocated to them.
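The difference described above between authentication (one comparison against the claimed record) and de-duplication (a comparison against every enrolled record) can be simulated. The following Python is an added illustration, not code from the article or from UIDAI; the 64-bit templates, the distance threshold and the noise rate are constructed assumptions, not real fingerprint parameters.

```python
import random

DIM = 64        # bits per constructed template (assumption; not a real fingerprint format)
THRESHOLD = 16  # Hamming distance at or below this counts as "same finger" (assumption)
NOISE = 0.08    # chance a bit differs between two captures of one finger (assumption)

def distance(a, b):
    """Hamming distance between two templates stored as integers."""
    return bin(a ^ b).count("1")

def recapture(template, rng):
    """A second, noisy capture of the same finger."""
    flips = sum(1 << bit for bit in range(DIM) if rng.random() < NOISE)
    return template ^ flips

def verify(enrolled, sample):
    """Authentication (1:1): compare the sample with the one claimed record."""
    return distance(enrolled, sample) <= THRESHOLD

def deduplicate(database, sample):
    """De-duplication (1:N): compare the sample with every enrolled record."""
    return [i for i, t in enumerate(database) if distance(t, sample) <= THRESHOLD]

def false_flag_rate(n_enrolled, probes=200, seed=1):
    """Fraction of never-enrolled people wrongly flagged as duplicates."""
    rng = random.Random(seed)
    database = [rng.getrandbits(DIM) for _ in range(n_enrolled)]
    flagged = sum(bool(deduplicate(database, rng.getrandbits(DIM)))
                  for _ in range(probes))
    return flagged / probes

def caught_duplicate_rate(n_enrolled, probes=200, seed=2):
    """Fraction of re-enrolling people whose own earlier record is found."""
    rng = random.Random(seed)
    database = [rng.getrandbits(DIM) for _ in range(n_enrolled)]
    caught = 0
    for _ in range(probes):
        who = rng.randrange(n_enrolled)
        caught += who in deduplicate(database, recapture(database[who], rng))
    return caught / probes

if __name__ == "__main__":
    for n in (50, 500, 5000):
        print(n, false_flag_rate(n), caught_duplicate_rate(n))
```

With these constructed parameters the error of a single comparison is fixed, yet the share of genuinely new people wrongly flagged as duplicates rises with the number of enrolled records, so an accuracy figure for de-duplication only means something when it is stated for a given database size.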


    This is not all. There are other security issues as well. In any financial system based on authentication—and the UIDAI's system will deal with money worth thousands of crores to be doled out as cash transfers—there is a concept of a password. For instance, in case of internet banking or an ATM transaction, we have a PIN and we have different kinds of passwords such as login passwords or transaction passwords. No one in this world designs a system assuming 100% security. Perfect security does not exist, and a good design, while taking as much care as possible on the security front, always has to have a backup in case security is breached. That is the standard practice accepted worldwide among experts. Thus, for instance, in case of a banking system, if my password is stolen, I call the bank, ask it to deactivate my current password and send me a new password. This basic principle is broken by UIDAI because, in the case of the UIDAI system, the password is your biometric, which cannot be changed. Thus, if you lose your biometric—and I have mentioned a way above by which your fingerprint image can be stolen—you are doomed. Because you cannot get a new fingerprint, your data will be lost forever to the person who stole your password. This is such a fundamental design flaw that it cannot be overemphasized. With however much care and however much security, there is a finite possibility that some people will lose their biometrics. In the current system, they will be shut out of the system for good.


    In a way the above has already happened. In Mumbai, some fraudsters masquerading as official agents of UIDAI for UID recruitment picked up the biometrics of about 1,000 people. Now, these people’s identities are stolen for good; all the entitlements that they may be eligible for can be stolen by the fraudsters. The authorities, very stupidly, have asked these people to re-register for UID, something that is not going to help them because their biometrics are already lost and are with the fraudsters, and re-registering them will pick up the same biometrics from them again. Also, there has been a case where a laptop on which enrolment data was present was stolen.


    Apart from all the other issues, there is always a possibility that the database itself is hacked into and stolen. The database could be a good target for terrorists. If I am not wrong, biometrics in this database are stored unencrypted, again a fatal mistake. Thus, if even part of this database is stolen, it is irreplaceable, unlike a bank database where all that needs to be done is to deactivate the passwords and give new passwords to the customers. In the UIDAI case, the only way out is to ask every Indian to undergo surgery to change their fingerprints, a practical impossibility, not to mention other serious issues.


    The UIDAI has no answers to the above questions, because there are none. The system’s security is flawed from the conception stage itself and it cannot be fixed so easily. It is indeed better to scrap this project and save taxpayers' money.


    This is the eighth part of a nine-part series on UID


    (Dr Samir Kelekar has a B Tech from IIT Bombay and PhD from Columbia University, New York. He is a security professional and runs a consultancy firm Teknotrends Software Pvt Ltd. He is also a holder of a critical US patent in the area of network security. Dr Kelekar consults in the area of security with banks, telecom companies and others.)




    Ashok Kalbag

    7 years ago

    The argument for identification and authentication seems flawed. Aadhaar authentication (depending on the level - 3 levels available) is confirming the Aadhaar number stated matches online with the biometric presented. Hence an instant authentication of the individual is feasible. Therefore identification of an individual from fingerprints (FBI case) is irrelevant here. UID cannot be used for this purpose.

    De-duplication is to ensure the uniqueness of the biometric data identified by a random 12 digit number. Hence, to commit a fraud one would need the UID number AND the biometric data to impersonate - to get the dole the government is giving to the underprivileged.

    Database available with the agents while collecting data is worthless without the Aadhaar number for subsequent fraud after allocation of number directly to beneficiary.

    No system is fool-proof but the effort required to crack the system does not justify the ill-gotten gains for a good system.


    7 years ago

    It is good that Mr. Samir Kelekar is bringing out the other side of the story in Aadhaar. But this is a negative approach to the whole thing. Why does he want to kill the whole project? Secondly, just because it is not done anywhere in the world does not mean we cannot try anything new. The other way to deal with this is to try and integrate all the security measures which he, as an expert, would like to suggest.
    Typical Indian mentality of pulling others down.


    Hemant Karandikar

    In Reply to AJIT KUMAR 7 years ago

    Criticism is not pulling others down. If the scheme has so many holes in it, why is the Cong pushing it? For electoral gains alone. For other problems in the scheme read

    Hemant Karandikar

    7 years ago

    I agree. For a policy level critique of UID based cash transfer read
