Aadhaar Could be a Single Target for Cyber Criminals: RBI Researchers
A recent investigation alleged that unrestricted access to details of over one billion Aadhaar numbers can be purchased for as little as Rs 500
The benefits of Aadhaar, India’s biometrics-based unique national identity system–the world’s largest–are unclear and the impact of direct benefit transfers it will be used to deliver to the poor is not studied enough, a new study published by an arm of the Reserve Bank of India (RBI) has concluded.
The paper, ‘Biometric and Its Impact in India’, was part of the Staff Papers series, published in its October 2017 edition. It was written by S Ananth, an adjunct faculty member at the Institute for Development and Research in Banking Technology (IDRBT), which was established by the RBI as an autonomous institute.
Aadhaar is becoming central to India’s public policy with an increasing number of programmes being linked to it. And its scope is constantly increasing. In the seven years following its introduction, 1.12 billion Indians or 88.2% of the population have enrolled for Aadhaar, IndiaSpend reported in March, 2017.
Established by the Unique Identification Authority of India (UIDAI) under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, Aadhaar is now used for direct benefit transfers as well as distribution of foodgrains and essential commodities–under the public distribution system (PDS)–by the state. It includes various payments linked through the Aadhaar-enabled payment system.
The Supreme Court has extended the deadline for linking Aadhaar with various welfare schemes to March 31, 2018.
The paper has flagged issues related to Aadhaar such as problems of access to the last mile, issues with the quality of authentication, unclear financial benefits and security concerns and said there needs to be caution in the manner in which the government is linking more economic programmes and activities with Aadhaar.
Ever since its inception, Aadhaar has been caught in various debates, especially over the issue of the citizen’s right to privacy and the threat of information leaks. The latest of these controversies is an investigative story reported in The Tribune on January 3, 2018. It alleged that unrestricted access to details of over one billion Aadhaar numbers can be purchased for as little as Rs 500.
By paying Rs 300 more, the details of any Aadhaar card can be printed, the report said. “..[It] is a major security breach,” the deputy director of the UIDAI regional office, Chandigarh, was quoted as saying.
‘Could be a single target for cyber criminals’
The protection of the data under its control is a major challenge for the UIDAI. “Thanks to Aadhaar, for the first time in the history of India, there is now a readily available single target for cyber criminals as well as India’s external enemies,” the paper said. Any attack on UIDAI data can cripple Indian businesses and administration and would result in a huge loss to the country’s economy and the privacy of its citizens.
Also, since Aadhaar is required for a number of transactions, it is available in the database of a large number of service providers and any breach can compromise the information contained in it. The UIDAI allows private players to build an ecosystem–that is, services and applications–around Aadhaar, which raises questions about the security of the database.
In December 2017, the UIDAI barred Bharti Airtel and Airtel Payment Bank from opening new accounts. It was found that Airtel used the Aadhaar-based verification to open payment bank accounts of their customers without their informed consent. There are allegations that these accounts were linked to receive LPG subsidy. No penal action was taken by the UIDAI for the violation of the Aadhaar Bill.
The paper calls for a more robust and comprehensive law on the use and misuse of the massive amount of data being generated and collected.
Problems with last-mile reach
Financial inclusion was one of the goals of Aadhaar since its inception, but a biometric solution tends to be long on promise and short on delivery, according to Ananth.
The paper has cited the example of undivided Andhra Pradesh to prove this. This was one of the first states to embark on a massive modernisation programme for its administrative apparatus by creating various databases that mapped public schemes. It began in 2002 and by 2014, the state had mapped self-help groups, the National Rural Employment Guarantee Scheme, pensions, student scholarships, disability benefits, health insurance and so on.
But the growing emphasis on the use of Aadhaar as a compulsory ‘know your customer’ (KYC) norm is emerging as an obstacle in banking access for those who had registered with the earlier system in Andhra Pradesh, the report found.
In Kurnool district of Andhra Pradesh, those who opened accounts between 2010 and 2013 are now having problems of access, according to bank correspondents (agents who provide banking services in underbanked areas). Banks have blocked access to those who have not submitted their Aadhaar numbers.
This lack of access has inconvenienced customers who need an account for various direct benefit transfers (DBT). In the case of accounts closed by banks due to non-linking with Aadhaar, money has returned to government agencies. The customer then has to open a new bank account in another bank and then run to various government offices to change their bank account number registered under the scheme.
“Problems with withdrawal of money at a time when it is needed the most either due to non-working channels or problems with KYC compliance has convinced people that the best place for their money is their pocket or at home under the mattress,” the paper noted.
There is also one significant disparity between financial inclusion accounts–zero balance accounts opened for individuals who didn’t have a bank account–and ordinary bank accounts. Customers with financial inclusion accounts are not allowed access to their accounts from non-home branches, but customers with regular accounts are.
Contradicting cost-benefit analyses
There are contradicting cost-benefit analyses about Aadhaar, the paper stated. The government, in a paper put out by the National Institute of Public Finance and Policy, claims that till date it has saved about Rs 146.720 billion using Aadhaar through DBT schemes. But a Canadian non-profit, International Institute of Sustainable Development, has claimed that the government has incurred a loss of Rs 970 million.
Does the change in the system of subsidy delivery–from the current practice of providing tangible commodities and services to cash transfers–actually benefit the poor? There are no clear answers, said the paper. It may inconvenience public distribution system beneficiaries and “the long-term benefits of DBT on the poor (sic) are as yet largely unstudied (sic) and most of the expectations are based on theoretical assumptions”, the paper said.
Biometric authentication: The problem of quality
The Aadhaar Act allows the government to establish the citizen’s identity as a condition for the delivery of subsidies, benefits or services. In such cases, biometric authentication allows the government to reach genuine beneficiaries.
But for this, the biometric authentication system has to be flawless, which is not the case in India currently. Failures in biometric authentication between January and June 2017 have fallen by half–from 7.14% to 3.56%, according to Andhra Pradesh’s UID data. However, there was also a 61% fall in the number of authentications in June as compared to January.
Aadhaar allows a beneficiary to access benefits like PDS in any location irrespective of where he is registered. But a high failure rate was detected in this provision in districts with high levels of migration.
Authentications and failures were found to be the highest when a large number of people–migrants and non-migrants–were present in the village. These flaws in the biometric system raised the question of whether a government can provide benefits to citizens irrespective of where their Aadhaar was registered.
“There is no way of cross verifying the quality of biometrics stored, especially by the person who has enrolled,” the study noted.
In a worst-case scenario, a flawed biometric authentication system can lead to ‘identity denials’–wherein a person can be denied the fact that they are who they are, the paper said.
Even assuming that only 5% of Indians are denied government benefits due to issues with Aadhaar, we are still looking at 50 million citizens, said the paper. That is more than the population of many European countries. “Does it mean this exclusion of a small minority is condonable in a democratic society?” the author has asked.
Courtesy: (Yadavar … principal correspondent with IndiaSpend.)