Facts & Myths

Statement on Data Disclosures around Aadhaar – The Facts

In the last few days, several Aadhaar ‘data leaks’ or more accurately, ‘data disclosures’ have come to light. You may have been alarmed by the sensational reporting around these . Be reassured: your digital identity remains secure!

SupportAadhaar brings you the facts - click here to read the full statement!

  • The data disclosures reveal Aadhaar numbers and demographic information. This alone cannot be used to steal your digital identity.
      • Just as someone knowing your bank account number or debit card number, does not mean they can steal your money.
      • Your bank account number is printed on every cheque, without compromising your security. Demographic information is used in KYC and thus known to any bank or telecom provider you have taken services from, again without compromising your security.
      • However, no data disclosure is good. We strongly urge the UIDAI to take prompt action and ensure all providers do not reveal Aadhaar numbers publicly.

 

  • The disclosures have NOT revealed any biometric information. Your biometric information and the central Aadhaar database remain secure
    • As long as your service provider uses biometric authentication and keeps its systems secure, you are not at risk. All service providers using Aadhaar authentication should ensure biometric verification.

 

  • The benefits of Aadhaar remain unaffected by this disclosure. None of the use cases of Aadhaar are affected.
    • Verifying identity & authenticity: Aadhaar authentication through biometrics remains unaffected. Digilocker allows Aadhaar document to be verified through QR code even without connectivity. This too remains unaffected.
    • Instant e-KYC, used to open bank accounts or secure SIM cards: Biometrics & 2 factor authentication make e-KYC more secure than earlier process that relied solely on physical documents. This too remains unaffected.
    • Aadhaar as a payment address: This use case is not affected by the leak, as long as the bank links the account to Aadhaar using customer authentication. In fact, this is useful, since there is no need for the government to track the bank account of the customer!
    • Aadhaar as a means for Direct Benefit Transfer: This relies on Aadhaar as a payment address. As discussed above, this use case remains unaffected. The benefits remain – direct deposit into the recipient’s bank account means middleman cannot divert it, and the recipient can choose to receive the service from any provider, creating competition among providers.

 

  • Aadhaar, by design, is more secure than most other forms of identity, including Social Security Number
    • Through biometric authentication, Aadhaar makes identity theft very difficult!
    • Aadhaar is more secure than existing systems in India – e.g. paper documents, which can and do get forged
    • Aadhaar is more secure than existing systems abroad – e.g. identity theft in the United States through Social Security Number is easier because there is no biometric authentication
    • Best practice is to use Aadhaar authentication along with other layers of security (e.g. PIN / password / etc.), depending on the value and risk level of the transaction

 

  • However, no data disclosure is good. We strongly urge the UIDAI to take prompt action and ensure all providers do not reveal Aadhaar numbers publicly.
    • We hope that the reports revealing the data disclosures will trigger prompt action from UIDAI, to ensure providers do not reveal Aadhaar numbers publicly
    • These reports make the necessary debate on personal information and the proposed privacy law even more important. We hope these reports will help move the discussion forward

 

  • Any technology has benefits and risks. For India to progress, we must embrace technology and use it in the right way. This requires a sensible discussion by all.
    • The kind of sensationalism we are seeing on this issue only misleads people and holds India back from becoming a developed nation! We strongly oppose this sensationalism.
    • We support all efforts to improve the Aadhaar system. Let us make constructive suggestions and take all action to help improve the system!

Facts & Myths

Myth: Universal ID (like Aadhaar) has no significant benefits.

Fact: Universal ID (like Aadhaar) is the basis for provision of government services in developed countries. If India is to become a developed nation, we need a Universal ID.

Universal ID systems help countries become economically prosperous, secure, efficient, protect human rights, and deliver benefits to people.

Without official identification, a person can struggle to access public services like financial services (such as opening a bank account or obtaining capital and credit) and social benefits (including access to rations, pensions, or cash transfers). Without unique and verifiable identification, services suffer from fraud and duplicates.

In the developed world, 99% of births occur in hospitals. Thus the birth registry system ensures uniqueness (location, time, and parents). However, universal coverage of birth registries is only a dream in the developing world. In 2008, the World Bank estimated that only 52.8% of births in India were attended by skilled staff.

So how can India establish a unique national ID? The UIDAI designed Aadhaar and selected biometrics for this purpose. Thus, in India, Aadhaar is the universal and unique ID that can be secured by all residents.

 

Myth: Aadhaar was not needed, since most of the country already had an Identity.

Fact: Aadhaar provides Individual ID’s with a much larger and universal coverage and uniqueness check.  Enabling crucial benefits beyond the electoral ID or ration card.

The most common identity before Aadhaar was the electoral Photo ID card (EPIC). However, the EPIC neither unique nor universal. For instance, people below voting age cannot get this, and people who move simply get a new one without surrendering the old one.

The second most common identity was the ration card. The ration card is a family document, and has details of the household head, and a list of family members with their ages (not date of birth) at the time of issue! The ration card is not recognised beyond the state of issue and only useful to identify the household head. This is gender biased, with many women lacking a usable identity.

With Aadhaar, each person has an independent identity that is portable, unique, electronically verifiable and accepted across the country.

 

Myth: If my Aadhaar number is known to someone, they can steal my digital identity.

Fact: Aadhaar number alone cannot be used to steal your identity. Just like someone knowing your bank account or credit card number does not mean they can steal your money.

Aadhaar number alone cannot be used to steal your digital identity, since Aadhaar number cannot be used to search the Aadhaar central database. Thus, it cannot be used to steal your biometric information. Any system that uses biometric information and/or mobile OTP and/or password/PIN based system as part of your authentication, will remain secure.

In some cases, data leaks have revealed Aadhaar numbers linked to demographic information (e.g. address, age, gender). This information is available in all ‘Know Your Customer’ forms used to secure SIM cards or open bank accounts, and again, it cannot be used to steal your digital identity!

However, best practice does indeed suggest that Aadhaar numbers should be kept private, as an additional security measure in case your service provider does not maintain a secure system that uses biometric, mobile OTP or password/PIN based systems for authentication. This is similar to why you should keep your bank account or credit card number private.

Any data leaks that reveal Aadhaar numbers in public run afoul of the Aadhaar Act, and action should be taken by UIDAI immediately.

Moreover, all service providers should maintain robust and secure authentication systems. Aadhaar authentication must include biometric authentication.

 

Myth: If Aadhaar authentication fails, service is denied to the person.

Fact: Service providers should ensure no denial of service to rightful beneficiaries.

The PDS in AP, and Telangana have made all attempts to bring down the failure rate. In spite of this, when there is a failure, an official adjudicates to ensure that no one loses out on their essential supplies. Reducing, and monitoring of exceptions is essential to prevent fraud, but services cannot be denied.

 

Myth: Aadhaar authentication failure are high.

Fact: Aadhaar ensures deployment of independently verified very low authentication failure rates devices.

STQC (an independent agency for device testing) certifies sensors which achieve a true accept rate of at least 98% in field tests. All service providers should be able to get similar results. In the past, UIDAI has provided guidance to all service providers on how to reduce failure rates.

 

Myth: The Savings through Aadhaar are not worth the Costs.

Fact: Aadhaar brings efficiency and empowers individuals. This is spurring widespread adoption.

Aadhaar was designed to bring efficiency to government service delivery. Apportioning credit from efficiencies is a tough job!

However, adoption is growing, because Aadhaar is seen to work. Aadhaar empowers individuals and brings accountability into every retail transaction with the government. Opposition will come from those who benefited from the leaky old system and feeling the pinch with the new system, or from proponents of alternate ID systems (such as smart cards, which have been leapfrogged).

 

Myth: Aadhaar will result in loss of control of personal data.

Fact: The Aadhaar Act does not allow organisations to use or share your Aadhaar information for any purpose other than its original application.

Private companies collect a lot of data about you, without any accountability – e.g. your phone number is in Truecaller (associated with your name) because you are in someone else’s phone book. In the case of Aadhaar, the law protects your data. We can demand more such protections – best practices of privacy protection from across the globe could be a constructive criticism for Aadhaar.

 

You can read the FAQs on Aadhaar published by UIDAI here: https://uidai.gov.in/images/aadhaar_question_and_answers.pdf

And read an analysis of the Aadhaar criticisms by a technology enthusiast here:

Answering the Aadhaar criticism