Fingerprints, Aadhaar and Law Enforcement – A Deadly Cocktail Is in the Making

Why does the National Crime Records Bureau want to amend the Aadhaar Act?

In June 2018, the National Crime Records Bureau (NCRB) sparked public outrage when its director Ish Kumar made a strong pitch for giving India’s police “limited access” to Aadhaar data for the purposes of investigating crime and tracing unidentified bodies.

This request, reported widely, was predictably met with a swift public denial by the Aadhaar authority, with the Unique Identification Authority of India (UIDAI) stating that Aadhaar data had never been shared with any crime investigating agency.

How credible is this denial, though? After all, there is evidence from as far back as 2013, before the enactment of the Aadhaar Act, to show that the police already had limited access to the Aadhaar database (often through court orders) and that the UIDAI had helped state police on a number of occasions.

In the last two years, there is more recent evidence to show how police departments across the country want to use Aadhaar. But before we get to that, it is important to understand why NCRB wants to access the Aadhaar database and how it would be able to do so.

Why does the NCRB need the UIDAI’s fingerprints?

India’s central fingerprint bureau is the nodal agency for setting standards, tools and processes for the collection, storage and analysis of fingerprints.

As fingerprint matching is considered crucial for nabbing repeat-offenders, standardisation of fingerprint images and allowing officials to search through them using an automated fingerprint identity system (AFIS) is important. The bureau’s 2015 report traces the trend towards automated searches and less reliance on manual processes. As of 2015, it holds 28 lakh fingerprints of arrested and convicted persons. 

What bothers the NCRB the most, however, are first-time offenders because their fingerprints are not available in the AFIS. This is where the UIDAI comes in, because these fingerprints are very likely to be available in the Aadhaar database, considering how big it is.

NCRB’s Ish Kumar explains it the best:

“There is need for access to Aadhaar data to police for the purpose of investigation. This is essential because 80% to 85% of the criminals every year are first-time offenders with no records [of them available] with the police. But they also leave their fingerprints while committing crime. There is need for limited access to Aadhaar, so that we can catch them.”

How would this work though? From the NCRB’s point of view, access to biometric data available in the Aadhaar database through a simultaneous search will likely work as shown in the diagram below.

For this type of simultaneous search to work seamlessly, the fingerprint capture image formats must match with the stored image formats and must be standardised across both organisations.

This was done by the NCRB in 2013, and the standards were published as shown below:

| Biometric captured | Explanation | Standard used |
| --- | --- | --- |
| Finger image | The raw image of the fingerprints | ISO/IEC 19794-4 |
| Minutiae images | The patterns in every fingerprint that are used for comparison | ISO/IEC 19794-2 |
| Mug shots | Facial photographs used | ITL-1-2011 (JPEG) |

Crucially, the UIDAI has also used these same standards from its inception (Page 15, Section 9) for finger and minutiae images. The standardisation thus allows fingerprint capture by all existing devices used in Aadhaar authentication and enrollment.

Two types of search

The NCRB’s fingerprint bureau holds annual conferences, which almost always have discussions on Aadhaar because of the sheer possibilities that a potential integration would offer. 

With the imminent roll out of facial authentication by UIDAI, and the presence of a large fingerprint database, NCRB believes, in theory at least, that it can tap into the Aadhaar database in order to identify potential suspects (their demographic details and Aadhaar number) if they have latent fingerprints and CCTV mugshots of the perpetrators.

The process by which law enforcement searches for a list of potential suspects is usually referred to as a ‘1:N search’, meaning given a mugshot and fingerprint, the system could provide many potential suspects and their Aadhaar numbers.

These Aadhaar numbers can then be used to query various databases to obtain a detailed profile of the potential suspects, which can then be used to further narrow down potential suspects (often referred to as ‘1:1 search’).

The NCRB’s interest in “limited access” to the Aadhaar database can be understood from the minutes of the meetings available from each of its annual conferences.

  • The 15th conference, in 2013, was attended by the UIDAI deputy director general Ashok Dalwai, at which it was told that “UIDAI would eventually converge with the police department over time”.
  • The 16th conference, in 2014, requested access to the UIDAI database for identification of dead bodies.
  • The 17th conference (2015) requested amendments to the Identification of Prisoners Act, 1920 to add other biometrics. It reiterated the request to access the UIDAI database for identification of dead bodies and also made the crucial observation that the removal of non-convicts from the fingerprint database after their acquittal must be prioritised.
  • The 18th conference (2017) reiterated the amendment to the Identification of Prisoners Act and said, “Aadhaar may be linked to identify dead bodies”.
  • The 19th conference (2018) discussed the need to amend the Aadhaar Act and the Prisoners Act for “identifying first time offenders and also for identifying dead bodies”.

The 1:1 search

India’s state police departments do not have to depend upon the UIDAI at all when it comes to 1:1 search. There are already various state and central databases which are seeded with Aadhaar numbers. Hence, once the suspect’s Aadhaar number is known, the local enforcement agencies can simply ask the various public entities that own or operate these numerous databases to provide them with the required information.

For instance, India’s state police can merely ask local banks to provide all information associated with a particular Aadhaar number, including linked phone numbers. 

This is how seeding Aadhaar numbers into various databases, referred to as “cross-seeding”, makes it easier to create 360-degree profiles that are available on request to law enforcement agencies without even needing a warrant.

Hidden backdoors for 1:1 search already exist

On October 30, 2017, the Times of India reported that a missing woman was identified from her half-charred body using Aadhaar.

How could the police identify the woman from just a fingerprint? The back-door that allows this functionality is the “name/UID search” feature, which allows printing of an Aadhaar card, for those who have misplaced their Aadhaar number, using their fingerprints.

It is also obvious that a “fingerprint mould” was used by the police, since the woman was already dead. To know the identity of the missing woman, the police department obtained the names of all missing persons as reported in the district, during a specific time. It then used the “name search” feature along with their fingerprint mould to print their e-Aadhaar.

 

Screenshot of name/UIDAI feature. Credit: The Wire

Automating the 1:1 search

The southern state of Andhra Pradesh has already created a vast, fully interlinked resident database that has merged the crime and civilian aspects.

For instance, the local state hub has information about all its residents, the GPS coordinates of their homes, medicines they use, food rations they eat, what they say about their chief minister on their social media accounts, their caste, bank accounts on which they receive scholarships, pensions and their Aadhaar numbers.

This design allows the state police or any state official to know everything about an Aadhaar number holder by just typing their Aadhaar numbers.

A very similar exercise is in progress in the state of Telangana. The state hub hosts both the crime data and the Aadhaar data of the residents in one single entity called “Integrated Information Hub” and is also managed by the Hyderabad police.

Since the state police runs the state data hub, it also allows them full unlimited access to all the schemes that every family is enrolled into, along with access to authentication logs, thereby allowing real-time tracking of the population, if the need arises.

Telangana also offers an ongoing lesson on how a civil database (Aadhaar) and a crime database (used by NCRB and the various states) can converge. For instance, not only were the Aadhaar numbers of drunken drivers seeded into the crime database, their family members’ Aadhaar numbers were also seeded.

Even those who are acquitted would continue to reside in the crime databases, and would be forced to share their Aadhaar numbers and their biometrics and also their family members’ details, until the courts direct them to stop doing so.

Purpose limitation is futile after a certain scale

Media reports over the last two years also indicate that the various crime databases maintained by the state and central bureaus are being cross-seeded with Aadhaar numbers and demographics, thereby converging the civilian and the crime database via a staged approach as described below:

The cross-seeding of Aadhaar numbers with digital police systems such as the CCTNS (crime and criminal tracking network system) was something shunned by the initial team behind the biometric authentication programme.

“Nandan [Nilekani] told us that if they allowed us to do it, the people would never trust Aadhaar,” a former director-general of prisons of a large north Indian state told The Wire.

And yet, an early version of the software behind the Integrated Criminal Justice System (ICJS) – a programme that seeks to link the police’s criminal tracking system (CCTNS) with the digital information-technology systems for India’s courts and prisons – shows that Aadhaar was meant to serve as a crucial component of the overall ecosystem.

A screenshot of an initial version of how ICJS would look. Credit: The Wire

The image above is from 2016, showing that the NCRB, which implements the CCTNS and ICJS projects, had hoped to have the Aadhaar Act amended by now.

Parsing the UIDAI’s denial

The UIDAI in its denial asserted that “use of Aadhaar biometric data for criminal investigation is not allowed under the Aadhaar Act” and quoted Section 29 of the Aadhaar Act as corroboration.

The denial thus is limited to access to the biometric data (1:N search) and does not cover other cases like automated 1:1 access or request-based access to other entities. Furthermore, it also does not explicitly deny the creation of parallel biometric databases.

For instance, both the Hyderabad police (Entry 105) and the Chandigarh police (Entry 125) are on the list of Authentication User Agencies (AUA) and KYC User Agencies (KUA). AUAs and KUAs are entities that are given access to the central Aadhaar database (CIDR) for authenticating Aadhaar holders.

This KUA access is sufficient for the police of both states to forcefully authenticate any arrestees to obtain their demographic information from the Aadhaar database.

Once KYC authentication fetches the demographic information, the police can use the Identification of Prisoners Act, 1920 to obtain their fingerprints in the same standardised form used by the UIDAI to create a parallel database which mirrors the CIDR. The only catch is that unless the Aadhaar Act is amended, the police cannot legally store other biometric parameters such as iris scans and vein prints. This is why successive NCRB conferences have recommended amending the Aadhaar Act.

UIDAI’s denial might look like a principled opposition, but it is also a reflexive mechanism to ensure that NCRB or other agencies don’t catch onto the fact that there are serious quality issues that plague the Aadhaar biometric database. For instance, biometric mixups affect (officially) nearly 2 crore Aadhaar holders and while the image formats are compatible, the minimum quality of capture for Aadhaar is a mere 52%.

Parallel biometric databases

While Section 29 of the Aadhaar Act only deals with sharing of biometrics, it does allow limited access to the demographic data by allowing police to become KUA/AUAs and through other means.

The limited access to demographic data also allows the state police to build their own parallel fingerprint databases – something that is currently happening in at least three states. What’s worse is that entries are typically not deleted, as mandated by the Identification of Prisoners Act, if an arrestee is acquitted later.

This allows convergence of the crime and civilian databases, as indicated by the-then deputy director general of the UIDAI, Ashok Dalwai, way back in 2013, leading to the implication that this had always been the original design.

A vast database that allows other entities (including states) to build their own parallel (and bigger) databases with parallel biometrics, by design, is exactly the architecture that an all encompassing surveillance state would need. Such an architecture makes the legal construct of “consent and purpose limitation”, as enunciated by the nine-judge privacy bench, impractical and unimplementable by design.

This is why the Srikrishna committee, while recommending amendments to the Act, has kept Aadhaar out of the purview of the proposed data protection bill. 

The typical response of the Supreme Court is to issue guidelines that need to be followed by the state (PUCL vs Union of India, 1996) when it encounters complex questions, such as balancing the right to privacy and the requirements of law enforcement agencies.

But what if such an approach would meet nothing but failure, because the architecture of the project is designed to make guidelines based on “consent and purpose limitation” irrelevant?

While the software revolution sweeps by and eats the world, will it also end up eating the law and weaken constitutional rights? With the Supreme Court set to rule on the Aadhaar case, we will know soon enough.

(With inputs from Anuj Srivas)

Are People Who Sign up for Aadhaar Actually Who They Say They Are? UIDAI May Not Know

With the Aadhaar agency noting that there is a significant gap between enrolments done and documents handed over by operators, what does this mean for e-KYC and fraud?

The Unique Identification Authority of India (UIDAI) has for six years quietly struggled with a problem that has consequences for its ability to detect fraudulent enrolments and implications for its utility as a sprawling and integrated identification system.

The problem: Are the people who sign up for an Aadhaar number actually who they say they are? Or, to be more precise, are all of UIDAI’s enrolment agencies actually collecting and verifying the ID proof of people who sign up for Aadhaar?

Internal UIDAI documentation shows that for a substantial chunk of enrolments, it just may not be sure.

According to the agency’s internal correspondence with its regional offices, this is mainly because a large number of enrolment agencies and registrars have dragged their feet over a crucial part of the sign-up process: handing over to UIDAI the physical documents that are part of each Aadhaar enrolment they handle.

While these prolonged delays have multiple explanations, some of which are mundane, they nevertheless raise troubling questions over the issue of fraudulent enrolment.

One internal UIDAI estimate – which was part of a set of documents sent by a whistleblower to nine Supreme Court justices in late 2017, a couple of months before the Aadhaar hearings – indicates that the agency allegedly does not have access to identification documents (proof of identity, proof of address) for up to 38% of total Aadhaar enrolments. While parts of these documents could be corroborated, The Wire could not independently verify the final estimate.

How does this work?

Aadhaar identity, to put it simply, consists of two parts: body (biometrics) and biography (demographics).

When enrolment agencies sign up people for Aadhaar, they take their biometrics through scanning and record their demographic information by asking them to submit a number of documents. This includes documentation that verifies a person’s proof of identity (PoI), proof of address (PoA) and date of birth (DoB). These documents can be photocopies of anything from a driver’s licence to a ration card.

The UIDAI’s document management policy – which was written along with Hewlett Packard (HP) – outlines the process that all enrolment agencies and registrars must follow in collecting and collating physical documents submitted during enrolment.

A crucial part of the process involves handing over these physical documents to HP, which is what UIDAI calls the document management system (DMS) agency. HP will then store those documents and digitise them for future access by UIDAI.

An Aadhaar enrollment generates an enrollment ID (EID) and documents are typically attached with an EID, digitised and stored for later retrieval in the CIDR.

Why is this important? Namely because the process of digitising the physical documents allows UIDAI to audit the values entered by the operator at the time of enrolment, if the need arises. It is an important check to ensure the trustworthiness of the Aadhaar database for eKYC.

‘Significant gap’

In December 2015, in an office memorandum circulated to all of its regional offices, the UIDAI noted sternly that there was a “significant gap in enrollments done and documents submitted by Registrars/EAs to the DMS agency for Phase 1 as well as Phase II”.

The note then goes on to lay out a new process to be followed for the “reconstruction of missing DMS” whereby the DMS agency would share a list of all enrolment IDs for which accompanying documents are “missing”.

Using this information, the UIDAI stressed, all enrolment agencies and registrars were supposed to hurry up and hand over the physical documents (photocopies of PAN cards, ration cards, passports, driver’s licenses etc) they took during the enrolment process.
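The reconciliation described above, together with the biometric-exception audit discussed later in the article, can be sketched as follows. This is an added example, not UIDAI's or the DMS agency's code; the CSV layout, agency codes, EIDs and both thresholds are constructed assumptions.

```python
"""Reconcile enrolment IDs (EIDs) against a document index (added example)."""
import csv
import io
from collections import defaultdict

REQUIRED_DOCS = {"POI", "POA"}  # proof of identity, proof of address

# Constructed sample data: column names, agency codes and EIDs are made up.
ENROLMENTS_CSV = """\
eid,ea_code,biometric_exception
E0001,EA-101,0
E0002,EA-101,0
E0003,EA-101,0
E0004,EA-101,0
E0005,EA-202,0
E0006,EA-202,0
E0007,EA-202,1
E0008,EA-202,1
E0009,EA-303,0
E0010,EA-303,0
E0010,EA-303,0
"""

# Constructed document index: one row per digitised document.
DMS_INDEX_CSV = """\
eid,doc_type
E0001,POI
E0001,POA
E0002,POI
E0002,POA
E0003,POI
E0003,POA
E0004,POI
E0005,POI
E0005,POA
E0009,poi
E0009,PoA
E0010,POI
E0010,POA
E9999,POI
"""


def load_docs(text):
    """Map each EID to the set of document types held for it."""
    docs = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        docs[row["eid"].strip()].add(row["doc_type"].strip().upper())
    return docs


def reconcile(enrol_text, dms_text):
    """Return per-agency statistics and EIDs that have documents but no enrolment."""
    docs = load_docs(dms_text)
    per_ea = defaultdict(
        lambda: {"total": 0, "missing": 0, "exceptions": 0, "missing_eids": []})
    seen = set()
    for row in csv.DictReader(io.StringIO(enrol_text)):
        eid = row["eid"].strip()
        if eid in seen:          # the same EID listed twice is counted once
            continue
        seen.add(eid)
        stats = per_ea[row["ea_code"].strip()]
        stats["total"] += 1
        stats["exceptions"] += int(row["biometric_exception"].strip() == "1")
        absent = REQUIRED_DOCS - docs.get(eid, set())
        if absent:               # a partial set (PoI without PoA) also counts
            stats["missing"] += 1
            stats["missing_eids"].append((eid, sorted(absent)))
    orphans = sorted(set(docs) - seen)
    return dict(per_ea), orphans


def flag_agencies(per_ea, max_missing_rate=0.5, max_exception_rate=0.1):
    """Return agencies over either threshold (both thresholds are assumptions)."""
    flagged = []
    for ea, s in per_ea.items():
        missing_rate = s["missing"] / s["total"]
        exception_rate = s["exceptions"] / s["total"]
        reasons = []
        if missing_rate > max_missing_rate:
            reasons.append("documents missing")
        if exception_rate > max_exception_rate:
            reasons.append("biometric exceptions")
        if reasons:
            flagged.append(
                (ea, round(missing_rate, 2), round(exception_rate, 2), reasons))
    return sorted(flagged, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    stats, orphan_eids = reconcile(ENROLMENTS_CSV, DMS_INDEX_CSV)
    for entry in flag_agencies(stats):
        print(entry)
    print("documents without an enrolment record:", orphan_eids)
```

Documents filed under an EID that has no enrolment record are reported separately, since they point to an indexing error rather than a missing document.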

Screenshot of UIDAI’s office memorandum in December 2015. Credit: The Wire

These instructions came after a slew of show-cause notices issued to non-state registrars in October 2015 over “non-submission of documents” and plans to schedule “reconciliation meetings” that would track the process of reconstruction in the months ahead.

Despite this increased push, the UIDAI, it appears, wasn’t satisfied with the fidelity of the process. In April 2016, it quietly rolled out a feature that allowed enrolment agencies (EAs) to scan the identification documents themselves. In a notice titled “Mandatory Scanning of Documents Through Enrolment Clients”, it announced that individual EAs no longer had to hand over documents to the DMS agency but could scan them themselves.

The only catch? This system was rolled out only for states where Aadhaar saturation was greater than 80%. There are two broad implications of this decision:

1) Firstly, UIDAI knew that the existing offline document management system had problems, both security and logistical in nature, and yet introduced it anyway.

2) It appears as if the agency initially preferred the quicker, and less secure, method of using a flawed document management strategy to increase Aadhaar penetration.

Stemming the dam

Nearly nine months later, the UIDAI issued a set of guidelines in January 2017 that appeared to allow “offline scanning of ADMS documents” to all enrolment agencies and registrars across the country.

In the accompanying office memorandum, the Aadhaar authority once again acknowledges the problem that it faced, stating that a “large number of documents” had not been handed over by enrolment centres.

“It is understood that there are a large number of documents lying at enrolment centres, for which the EA [enrolment agency] is responsible for safe-keeping. Thus, to mitigate Registrar and EAs liability in case of loss of documents, the UIDAI is providing an opportunity for EAs to scan the pending documents at their end and upload to CIDR,” the notice states.

How big is the problem?

In November 2017, a person who only identifies himself as a “qualified and responsible citizen” sent a series of documents to nine Supreme Court justices. At least two judges confirmed to The Wire receipt of the papers.

These documents, which The Wire has reviewed, contain a list of Aadhaar enrolment agencies and a corresponding number of enrolments that are allegedly missing accompanying documentation.

It estimates that 38% of total Aadhaar enrolments (45 crore out of 115 crore successful enrolments) have “missing documents”. That is, enrolment agencies and registrars have not transferred the accompanying PoI (proof of identity) or PoA (proof of address) documentation of 45 crore enrolments to UIDAI.

To what extent can we trust these figures? The Wire corroborated a number of things including the enrolment agency codes (publicly available with UIDAI) and successful total enrolments by operator, but could not independently verify the final estimate of 38%.

A detailed questionnaire asking about the extent of missing documents was sent to UIDAI CEO Ajay Bhushan Pandey and Vikash Shukla, Head of Media Outreach and Publicity, last week. This story will be updated if and when a reply is received.

It is noteworthy that right to information (RTI) queries on this issue have been stonewalled. An RTI request filed by Anupam Saraph had asked UIDAI to provide the breakup of PoI/PoA for every Aadhaar generated, that is, what methods of identification (passport, ration card etc) were used.

The request was met with the response “the information is not compiled/available”, even though as per the office memorandum, we know that the UIDAI has that information broken down to the enrolment agency level.

A more official source of missing documents, however, comes from UIDAI itself (archive). A tucked-away corner of its website gives details of “DMS pendency” for over 600 enrolment agencies for four months in 2016: a significant 7.8 crore Aadhaar enrolments were missing accompanying physical documentation between February 2016 and June 2016.

Why is this a threat?  

There could be multiple explanations for why these documents are missing.

Some of the reasons are mundane. For instance, logistical problems between enrolment agencies, registrars and the DMS agency could delay the handing over of documents. A senior executive of one large enrolment agency confirmed that delays in picking up documents are natural, especially in less-connected and rural parts of the country, as it involves multiple levels of coordination.

Other reasons include physical documentation getting lost or destroyed by accident – a terrible nuisance for Aadhaar holders, who are forced to re-submit their documents or re-apply all over again.

There is another reason, however, whose implications are more troubling and sinister: namely that some of these documents are ‘missing’ because they simply don’t exist and that they are representative of fraudulent enrolments.

In 2012, the ‘missing documents’ problem translating into fraud came back to haunt the UIDAI and prove this last point. The Wire has in its possession the FIR details of the ILF&S-Hyderabad scam, which, while reported in 2012, did not get nearly the attention it deserved.

The scam involved two different modus operandi:

1) The criminals enrolled ‘people’ through the biometric exception route to bypass the UIDAI’s deduplication system.

2) They also enrolled ‘people’ using their ration cards as proof of identity/proof of address with the document management system.

As per initial media reports, the operator enrolled 30,000 people in 2 months of which 870 were biometric exceptions. The kicker? Most of these enrolments were fraudulent.

When the investigators tried to locate the proof of identity/proof of address documentation, they found that the DMS agency did not have a copy of the identity documents and hence all of them were fraudulent.

When the whole enrolment system was audited for biometric exception misuse, the UIDAI discovered that operators all over the country had fraudulently enrolled 3.84 lakh people through the biometric exemption route.

It is puzzling, therefore, that the UIDAI did not conduct an audit or launch an investigation into the issue of missing documents to determine how many potentially fraudulent PoI/PoA-based enrolments there could be out there.

The UIDAI may believe that the answer is zero – but that clearly isn’t the case. Would such an exercise have raised uncomfortable questions over the rapid speed of Aadhaar enrolment over the last six years?

National security issues

Over the last six years, missing documents have been a continuously-repeating story.

The following publicly-reported incidents prove that Aadhaar generation without PoI/PoA documentation or verification is quite common. What makes this situation worse is that the government has implicitly encouraged the usage of ‘Aadhaar cards’ as a commonly accepted method of identification, even though it was never meant for that purpose.

–> Zeebo Asalina, an Uzbek national, was caught with a “real” Aadhaar that identified her as Duniya Khan, residing in Delhi.

–> Pakistani, Bangladeshi and Rohingya refugees have been arrested with Aadhaar.

–> A Chinese national was arrested with Aadhaar (June 2018).

–> Only 188 of the 418 consumers were traceable in Delhi, after Aadhaar based PDS was introduced (55% were untraceable in their current address)

Aadhaar as a society-wide identification method

The basis for using Aadhaar as eKYC is the assumed sanctity of the database. When a significant percentage of the database has missing PoI/PoA documents and the UIDAI refuses to provide straight answers to these questions, it is obvious that the problem is indeed large, as the above checks show.

The biggest problem with ‘missing documents’ – if a single Aadhaar is repurposed or one person gets two Aadhaar numbers – becomes less of an issue if the UIDAI’s system of ‘deduplication’ and authentication works as advertised. However, there is enough public data available to show that at least 5.32 lakh Aadhaar duplicates do exist and these are acknowledged duplicates, till August 2017.

As acknowledged by Triveni Singh, the IPS officer who investigated the UP Aadhaar hack scam, one of the operators arrested did have two Aadhaar numbers (7:18). Even if one of them had a missing PoI/PoA, then that Aadhaar is a “pure ghost”. Thus missing identity documents create scope for fraud when biometric deduplication itself is probabilistic rather than deterministic.

Besides this, the UIDAI’s behaviour does not leave its users with a sense of confidence. While it did temporarily ban enrolment agencies with questionable or fraudulent behaviour, they are allowed to come back to the ecosystem, as it would impact metrics (enrolment coverage). This is very similar to how it allowed Airtel Payment bank to restart operations – in what some believe was an attempt to shore up falling authentication attempts – after banning it from using e-KYC services.

In this aspect, the system of Aadhaar enrolment resembles a poorly-run Ponzi scheme, where any fall in expansion brings the curtains down. So agents delegated to run the enrolment scheme may get banned for cheating too much, but are always brought back quietly when the storm dies down.

How a SIM Card Operator in Hyderabad Apparently Created His Own Aadhaar Database

For P. Santosh Kumar, the cost of replicating a physical fingerprint and fraudulently activating a SIM card was a cool Rs 125.

That the central Aadhaar database has never been breached and can’t be breached is an often-made claim, especially by the Unique Identification Authority of India (UIDAI) and its CEO.

According to the UIDAI, sharing your Aadhaar number is also not an issue, since biometric authentication is required for misuse.  

There is, however, one place where both Aadhaar numbers and fingerprint scans are available freely outside the central database — your local sub-registrar office.

If you have at any point of time been a buyer or seller of property (or even a witness), it is ridiculously easy for anyone who can access registered property documents to create their own Aadhaar database and then become “you”.

Last month, a SIM card distributor in Hyderabad discovered this by accident and managed to activate 6,000 SIMs using fingerprints and Aadhaar numbers harvested from property registration documents.

The modus operandi of the crime is devastating as it brings down the cost of stealing your identity to only Rs 125. It also can’t be stopped unless you are tech-savvy, which automatically leaves millions of Indians defenceless.

But how did a SIM card distributor possess the technological and financial means to create his own CIDR?

Obtaining Aadhaar and fingerprints

Property registration documents submitted in a sub-registrar’s office, by law, need to have the following information:

1) Names and addresses of buyers, sellers and witnesses.

2) Their fingerprints.

There are also states which ask for Aadhaar during property registration and also print them in the documents. These can be obtained by a simple Google search (as shown below). In some cases, you will find a few state governments leaking this data through an online dashboard (for example, Andhra Pradesh).

An example of how Aadhaar is asked for a deed of simple mortgage. The personal details in this deed have been blurred out by The Wire.

They also contain demographic information (like a scan of PAN copy) and fingerprints.

These fingerprints are merely a sample taken from NIST Image database for illustration purposes only.

The cost to obtain these documents legally through the registration department in Telangana is only Rs 210-235.

Every property document will contain at least one buyer, one seller and two witnesses. Hence the cost to create an Aadhaar database (name, date of birth, address, fingerprints) for one person is only Rs 50-60.

Converting fingerprints to moulds

Now, it’s difficult to use a mere scan of a fingerprint to cheat a biometric reader. The devices need moisture to recognise fingerprints. So the prints on the property document need to be converted to a mould.

The Times of India article on the Hyderabad SIM seller makes reference to polymer printing using a special printer that was purchased online. Incidentally, polymer printing was also used in the Uttar Pradesh Aadhaar hack case to create fingerprint moulds.

This practice is very similar to printing photographs on a film as described below:

1) The negative of the image to be printed is first created (a simple color inversion of scanned fingerprints will do).

2) The negative is then printed on a transparency film and is then submerged with the photopolymer resin solution with the polymer plate.

3) The polymer plate is then exposed to UV light for 90 seconds, which will create the fingerprint.

The materials generally used are:

1) Printo print enhancer (to increase the depth of the printout), at Rs 114 per litre.

2) Polymer plates on which the fingerprints are etched (Rs 2 per square centimeter)

3) LaserJet Transparency papers to print the negative (Rs 70 a sheet)

4) LaserJet printer (Rs 9,000)

5) UV Exposure Unit with Lamps (Rs 15,000).

If a single transparency sheet is used to print a fingerprint of an Aadhaar holder into a single polymer plate, the running cost for replicating a fingerprint is approximately Rs 75.

Incidentally, this method of using online scans or even photographs to replicate fingerprints is an age-old technique. In 2013, the Chaos Computer Club made waves by producing a physical fake fingerprint and using it to cheat Apple’s biometric TouchID security system.

The table below outlines the business model that was created by the SIM card distributor to take over the identities of thousands of Aadhaar holders.

| Item | Cost (in rupees) |
|---|---|
| Capital cost | 24,000 |
| Cost to get fingerprints of an Aadhaar holder | 50 – 60 |
| Cost to print the fingerprints | 75 |
| Effective operating cost | Rs 125 – Rs 135 |
| Commission from the telco paid to the dealer for every prepaid SIM card | Rs 15 |
| Maximum SIM cards allowed per Aadhaar number | 9 |
| Maximum possible commission | Rs 15 * 9 = Rs 105 |

Economics of fingerprint forging

If the dealer committed the forgery only for getting commissions from the telecom companies, then the business itself is not viable, since the cost exceeds the benefit.

However, pre-activated SIM cards that need no e-KYC activation are very much sought after in the black market, at a going rate as high as Rs 500.

If this is taken into account, the economics change dramatically for the forger: even with a single pre-activated SIM, he makes a profit of Rs 385, and the initial capital cost of Rs 24,000 can be recovered by activating and selling just 62 SIM cards.

According to news reports, the SIM card distributor in question, one P. Santosh Kumar, managed to activate 6,000 SIM cards. And if it were not for his incredibly naive approach of using the same biometric scanner (e-KYC device) in one month, which is what tipped off the UIDAI, he would have made Rs 23 lakh eventually.

Furthermore, he could have used these Aadhaar numbers and fingerprint moulds to link a mobile number with these Aadhaar numbers, get PAN cards issued using the e-PAN approach or even open bank accounts.

The only solution that UIDAI currently offers against identity takeover attempts using publicly available documents is what it calls “biometric locking”, which requires a permanent phone number always attached to the Aadhaar number.

This is why SIM phone clone frauds are on the rise: an identity takeover is now possible, with no possible recourse, if one’s phone is either lost or cloned.

The cost of a full Aadhaar identity takeover has now fallen to Rs 125. In other words, the cost of creating a parallel Aadhaar database is now within the reach of common conmen, with a 3X guaranteed return if they play the game low and slow. The Telangana and Andhra Pradesh governments are now scrambling to restrict access to online property documents, but the cat is already out of the bag.

While UIDAI and its CEO, Ajay Bhushan Pandey, will keep insisting that “Aadhaar is safe”, it is far more pertinent to ask whether the people of this country are safe from Aadhaar.

For P. Santosh Kumar, SIM distributor and collector of fingerprints, that safety can be breached by spending Rs 125.

UIDAI, and its CEO, are Yet to Say Anything That Can Help us Trust Them

With only one biometric authentication, and five failed attempts, Ajay Bhushan Pandey’s authentication history for five months doesn’t exactly spark more faith in the UID system.

Dear Mr. Ajay Bhushan Pandey,

Over the last five years, I have received multiple requests – some polite, some forceful, but mostly threatening – to hand over my data to the Unique Identification Authority of India (UIDAI), the organisation you head. Each time, I have most respectfully declined.

Trusting any third-party with items of importance is a task best handled with care. It also involves ascertaining that the organisation that you are handing over your data to is absolutely capable of taking good care of it.

It seems to me, from your public statements and Aadhaar authentication history – portions of which you made public in the ongoing Supreme Court hearings – that it is likely you might not be able to do so. Let me explain.

First up, finding and eliminating bugs in the Aadhaar system – which can lead to critical data leaks – is not one of your priorities.

India has pushed and cajoled over a billion people into signing up, and there is no official public policy on how concerned security researchers can report potential vulnerabilities. This is akin to saying that ‘all is well, there are no problems because nobody has told us we have an issue’.

And yet, you say that hacking threats (from domestic and foreign entities) give you sleepless nights. Perhaps a bug-reporting policy would give you an extra couple of hours each night? “There are attempts almost every day to hack [the] Aadhaar system, but none has succeeded,” you said recently.

No one has succeeded? The real question is whether you would tell us if an attempt had been made, given your controversial and often misleading history of denials.

Indeed, you deny too much. In the past month, you said that the UIDAI has “trashed” the ZDNet report and “refuted” the Aadhaar data leak by a Delhi researcher.

However, when you don’t say anything, it’s equally revealing. And there have been no public tweets denying The Tribune’s expose. I checked and checked, yet could not find any.

Moving on, you believe that the advent of Aadhaar and Aadhaar-linking cannot possibly result in any state or potentially hostile private entity constructing a 360-degree profile.

In the ongoing Supreme Court case, to prove this point, you made public your Aadhaar authentication history, but it actually revealed the following:

Between November 2017 and March 2018, you authenticated your Aadhaar identification a total of 26 times, of which five attempts failed. While it isn’t a good enough sample to derive any concrete conclusions, it’s more proof of how probabilistic Aadhaar is as an identification technology.

There’s a good chance that you currently hold three accounts in ICICI bank (bank accounts or credit cards), which are Aadhaar linked. It is possible to conclude that these are three distinct accounts, because the “UKC” fields are different, thus implying that these are different transactions and hence not the same account number (Linking one account number is usually a single transaction).

A screenshot of Pandey’s authentication attempts.

You also have an IDFC account, which is curiously not Aadhaar-linked, since it failed once and there were no further attempts to link it again in the history.

While there is an Aadhaar-linked Vodafone postpaid SIM card in your name, you probably don’t have your insurance accounts linked with Aadhaar. There are probably no insurance policies linked with Aadhaar, since there were no attempts from AUAs which are insurance companies.

Unlike your predecessor, Nandan Nilekani, you don’t appear to use the Aadhaar-enabled biometric attendance system as you enter your office and start a day’s work. If you did, there would be more authentication attempts recorded.

Also unlike the famous Matunga hotel in Mumbai, whose owner eats there – and hence first-hand knows the potential problems with the food cooked there – you don’t generally use biometric authentication (only once) and hence may find it difficult to empathise with the troubles facing some of India’s poorest and most vulnerable.

You are indeed a good bureaucrat who loves demos and follows up on progress methodically. And you certainly do spend time at work when there is a crisis.

I hope that I have demonstrated to you with the examples and analysis so far, why I find your proposal to hand over my data very unconvincing. Since you hold a doctorate in computer science, might I remind you of an old joke about what metadata can reveal about a person:

“I know you called your doctor, then your insurance company, then your doctor again, then two cancer treatment centers, then your ex-girlfriend, then your wife. But don’t worry, I have no idea what you talked about.”

Actually, jokes are redundant when your out-of-touch responses themselves generate laughs, as when you claimed that there were no privacy concerns with the Aadhaar ecosystem because the main database is behind “13 feet-high, five-feet thick walls”.

This is not looking good at all. If you can’t laugh at yourself, it may be difficult to handle the stress of all those hacking threats and take prompt action.

I sincerely hope that you consider my rejection to hand over my data in the right spirit. As a citizen of the country, whose tax money helps fund your organisation, we are all in this together – even if we don’t see eye to eye about my private data and your capability to keep it safe.

A Pakistani Spy and Lord Hanuman Walk Into an Aadhaar Centre. What Does the UIDAI Do?

Do Mehmood Akhtar and a Hindu god really get LPG cylinders delivered to them? Does the government have the institutional capacity to stamp out the problem created by its flawed enrolment ecosystem?

The UIDAI needs to use this opportunity to clarify whether it has the institutional capacity to deal with fakes like Lord Hanuman and a Pakistani spy. Illustration credit: Karnika Kohli

What could Mehmood Akhtar – a Pakistani high commission staffer who was expelled from India after he allegedly engaged in espionage  – and Lord Hanuman possibly have in common?

Strangely enough, publicly available evidence indicates the following. One, an Aadhaar number. Two, an LPG connection that is linked to their respective Aadhaar numbers. And three, a bank account that is also linked to their Aadhaar numbers.

On October 27, 2016, the Delhi police detained Akhtar for allegedly possessing sensitive defence documents. He, however, identified himself as Mehboob Rajput, and produced an Aadhaar ‘card’ bearing the name and an address in Old Delhi’s Chandni Chowk.

The address on the Aadhaar card – 2350, Gali Near Madari, Rodgran Mohalla, Chandni Chowk, New Delhi 110006 – is correct, except that the house is actually on G B Road, Delhi’s red-light area, nearly a kilometre away. He was promptly declared persona non-grata, and was asked to leave immediately.

Did the Pakistani spy really apply for, and receive, an Aadhaar number? It’s theoretically possible – any resident of India can sign up and enrolments do not require proof of Indian citizenship.

While the Unique Identification Authority of India (UIDAI) was silent at the time, news reports quoted senior Delhi police officials who confirmed that Akhtar’s “Aadhaar document” had been obtained through “fraudulent means”, through a man named Yaseer (who supplied fake identification information) and with the involvement of one or more Aadhaar operators employed with an enrolment agency.  

In other words, it appears as if Akhtar had not merely taken a piece of paper and photo-shopped random bits of information onto it, but had instead genuinely obtained an Aadhaar number by supplying fake information. 

While only the UIDAI can confirm this for sure, there is no public evidence that contradicts the Delhi police’s account.

In Parliament, the Modi government has been evasive. In December 2016, Rajya Sabha MP K.V.P Ramachandra Rao asked whether it was “a fact that a Pakistani spy caught in New Delhi in October carried an Aadhaar card issued in his name” and “if so, whether the Government is assessing the possibility of misuse of Aadhaar cards.”

Junior IT minister P.P Chaudhary’s reply was a non-answer, refusing to clearly state one way or the other if the spy received a valid Aadhaar number. His reply, which comes along with a long boilerplate response of how “Aadhaar is generated after quality checks”, merely states that  “Aadhaar is not proof of citizenship or nationality”.

At the time, media organisations did publish this story widely (Scroll, Hindustan Times, Business Standard, Deccan Chronicle, Rediff), and in the process, reproduced his Aadhaar ‘card’, which also displayed his Aadhaar number (The Wire has withheld the number and has intentionally blurred it out in the picture below).

An edited screenshot of Rajput’s Aadhaar card. Credit: The Wire

Here comes the kicker though.

As of last month (December 13, 2017 to be precise), Akhtar’s alleged Aadhaar number was still active. A screenshot from the UIDAI’s website (shown below), which allows users to check whether an Aadhaar number exists and is active, confirms this.

On December 13, 2017, The Wire sent an email questionnaire to UIDAI CEO Ajay Bhushan Pandey, asking specifically if Akhtar had succeeded in enrolling under the name Mehboob Rajput for an Aadhaar number and if the Aadhaar number that was published by various media organisations last year did actually belong to him and was genuine.

The Wire also asked whether it was possible if the number had been deactivated and reissued to another person. Pandey has not responded while Vikash Shukla, senior manager, communications and public outreach with UIDAI, promised that they would send a response within a couple of weeks.

However, two days after The Wire’s email was sent – on December 13, 2017 – the status of the Aadhaar number on the UIDAI website changed. It is now no longer “valid” and has presumably been deactivated.

If one checks the status of Akhtar’s alleged Aadhaar number on the UIDAI website now, an error symbol pops up with a short message: “**** **** **** is not a valid Aadhaar.”

Before and after deactivation, however, it was possible to check, using the Indian Oil Indane’s website, that an LPG connection has been attached to the above Aadhaar number. A screenshot of the “OMC (oil marketing company)”-Aadhaar linkage is shown below.

Once the consumer number is known, it is easy to obtain the history of linked bank accounts with that account (through another public link).

A few things stand out here if indeed a valid Aadhaar number was issued to the Pakistani spy. 

Firstly, Mehmood Akhtar was deported in October 2016. And yet, two bank accounts (shown in the screenshot above) were linked with the Aadhaar number on October 17, 2017 and October 26, 2017 – a full year after the alleged holder of the fraudulently-obtained Aadhaar was deported.

Secondly, an LPG connection, which has been receiving subsidy payments, was issued in the name of one “Mr Baijnath”, residing in Agra (Khuldabad Gas Service) and was also linked to this Aadhaar number.

Lastly, and curiously, the addresses don’t match. Before the Aadhaar number was rendered invalid, the UIDAI’s website listed a Delhi address (as confirmed by the Delhi police and the address listed on Akhtar’s Aadhaar “card”) whereas the LPG ID seems to indicate an Agra address. Most importantly, however, the names (Baijnath versus Mehboob Rajput) don’t match either.

Employees at the Khuldabad Gas Service agency admitted to The Wire that no verification is normally carried out when it comes to linking Aadhaar to an LPG connection. Mr. Baijnath’s phone number has been unavailable (‘out of service’) for the last week.

Officials at the Indian Overseas Bank – the last bank account to which Akhtar’s Aadhaar number was linked – declined to comment on whether adequate verification had taken place while linking the Aadhaar number in question.

Lord Hanuman and bank seeding

‘Hanuman’ was given an Aadhaar number as early as 2014, and it was subsequently deactivated by UIDAI, three years ago. A Business Standard report from 2014 – which lists out the Aadhaar number issued – quoted UIDAI director general Vijay Madan as saying that the Hanuman incident was “an exceptional case”.

However, once again, a search shows that a bank account has been linked with this Aadhaar number very recently, on November 11, 2017 as can be verified, using Indane’s website (as shown in the screenshots below).

How and why does this happen? Typically, banks are expected to validate the Aadhaar number against the name of the account holder to check if the linkage is valid (the UIDAI calls this demographic authentication). Name mismatches are, however, very common (PAN linkage, PDS, other documents) and every demographic authentication request, though very cheap, is still charged by UIDAI, and the costs add up as the volume increases.

Hence, it is possible that banks sometimes skip authentication, and instead accept the provided Aadhaar number at face value. Furthermore, deactivating or cancelling an Aadhaar number does not yet automatically and immediately invalidate all the accounts linked to it.
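Both gaps described above (seeding accepted without demographic authentication, and deactivation not propagating to existing links) are the kind of thing a periodic reconciliation audit on the relying party's side can surface. The sketch below is an added example, not code from UIDAI, any bank or this article; the record layout, identifiers, names, dates and the 0.75 similarity threshold are constructed assumptions. It uses a tolerant name comparison because, as noted above, benign name mismatches are common.

```python
import re
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from typing import Optional

HONORIFICS = {"mr", "mrs", "ms", "shri", "smt", "dr"}


@dataclass
class IdRecord:
    """Issuer-side view of one identity number (hypothetical layout)."""
    holder_name: str
    deactivated_on: Optional[date] = None  # None means the number is active


@dataclass
class Link:
    """One seeding of an identity number into a service account (hypothetical)."""
    id_ref: str
    service: str
    account_name: str
    linked_on: date


def _norm(name: str) -> str:
    # Lower-case, drop punctuation and honorifics, sort tokens so that
    # "Sharma Ramesh" and "Ramesh Sharma" compare as equal.
    tokens = [t for t in re.findall(r"[a-z]+", name.lower()) if t not in HONORIFICS]
    return " ".join(sorted(tokens))


def name_similarity(a: str, b: str) -> float:
    """Similarity in [0, 1] between two names after normalisation."""
    return SequenceMatcher(None, _norm(a), _norm(b)).ratio()


def audit_links(registry, links, name_threshold=0.75):
    """Return (id_ref, service, reasons) for every link that needs review."""
    findings = []
    for link in links:
        rec = registry.get(link.id_ref)
        reasons = []
        if rec is None:
            reasons.append("unknown_id")
        else:
            if rec.deactivated_on is not None:
                if link.linked_on >= rec.deactivated_on:
                    # Seeding accepted although the number was already dead.
                    reasons.append("linked_after_deactivation")
                else:
                    # Deactivation never cascaded to this older link.
                    reasons.append("stale_link_to_deactivated_id")
            if name_similarity(rec.holder_name, link.account_name) < name_threshold:
                reasons.append("name_mismatch")
        if reasons:
            findings.append((link.id_ref, link.service, reasons))
    return findings


# Constructed sample data: placeholder identifiers, invented names and dates.
REGISTRY = {
    "ID-A": IdRecord("Ramesh Kumar Sharma"),
    "ID-B": IdRecord("Sunita Devi", deactivated_on=date(2020, 1, 10)),
    "ID-C": IdRecord("Kavita Nair"),
}
LINKS = [
    Link("ID-A", "bank", "Sharma Ramesh Kumar", date(2021, 3, 1)),   # reordered name
    Link("ID-A", "lpg", "Mr. Ramesh Kr Sharma", date(2021, 3, 2)),   # abbreviation
    Link("ID-B", "bank", "Deepak Verma", date(2021, 11, 11)),        # dead number, other name
    Link("ID-B", "lpg", "Sunita Devi", date(2019, 6, 1)),            # linked before deactivation
    Link("ID-C", "lpg", "Deepak Verma", date(2021, 10, 17)),         # active number, other name
    Link("ID-Z", "bank", "Anita Rao", date(2021, 5, 5)),             # number not in registry
]

if __name__ == "__main__":
    for id_ref, service, reasons in audit_links(REGISTRY, LINKS):
        print(f"{id_ref:5} {service:5} {', '.join(reasons)}")
```

The two benign variants of the same name pass, while the link made after deactivation under a different name is flagged on both counts.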

Three paths

There are three possible conclusions that can be drawn from what we’ve discovered. 

The first – which is the most probable and comes with the most serious consequences – is that Akhtar and Hanuman were indeed issued valid Aadhaar numbers and that these numbers have now been seeded by totally different people in various places because the intermediaries (the LPG dealers and the banks) didn’t carry out proper verification.

The second scenario is that Akhtar and Lord Hanuman were never issued the Aadhaar numbers that were reported about widely in various mainstream news publications and that they had always been issued to other people. While unlikely, if this is true, it raises a troubling question: why was Akhtar’s number deactivated just two days after The Wire reached out to UIDAI? 

Thirdly, the spy and Hanuman indeed signed up and received valid Aadhaar numbers, which were then deactivated and re-issued to new people. This is highly unlikely as a twelve-digit Aadhaar number can accommodate up to 80 billion people. It seems improbable, therefore, that the UIDAI re-issued a number to someone else as it cannot possibly run out of Aadhaar numbers in the foreseeable future.

Illustration credit: Karnika Kohli

Why UIDAI’s response is insufficient

The Unique Identification Authority of India (UIDAI) is not taking this problem seriously. The government of India continues to push Aadhaar linking to every aspect of a resident’s civil life, from birth to death. When publicly questioned about the purpose of linking Aadhaar to bank accounts, the UIDAI CEO has responded that it is required for eliminating benami accounts that are used for money laundering.

Yet in at least one case, it appears likely that a known Pakistani spy’s Aadhaar number was not cancelled or deactivated for more than a year – until it was pointed out explicitly – which in turn allowed bank accounts to be linked with that number during that period.

While it is superficially straightforward to blame the bank, or the oil marketing company, the true problem lies not in the usage of the Aadhaar number, but in its issuance. To keep enrollment costs low, the UIDAI has consistently preferred outsourcing to third parties, who optimized their own earnings, without any regard to the guidelines issued by the authority.

The scale of the problem can be understood by looking at the number of blacklisted operators.

| Date | Source | Total number of Banned Enrolment Operators |
|---|---|---|
| From 2011 to 27th April 2016 | LS SQ 59 | 11,974 |
| From 2011 to December 2016 | Hindu Business Line | 33,000 |
| From 2011 to 10th April 2017 | Hindu Business Line | 34,000 |
| From 2011 to 12th Sep 2017 | Times of India | 49,000 |
| Operators banned between 10th April 2017 and 12th Sep 2017 | Difference between the above 2 columns (49,000 – 34,000) | 15,000 |

| Date | Source | Total number of Active Operators |
|---|---|---|
| As of 19th August 2016 | UIDAI | 60,000 |
| As of 9th April 2017 | Indian Express | 40,000 |
| As of 12th Sep 2017 | Operators banned between 10th April 2017 and 12th Sep 2017 (from the table above) | 25,000 (40,000 – 15,000) |

The urge for operators to maximise their earnings also resulted in the invention of the ghost kit, which probably pushed fake identities into the Aadhaar database for close to a year, without the UIDAI being aware of it. The news reports about the ghost kit were, however, met with the boilerplate response “Aadhaar is safe and reliable”.

The risks from a national security point of view, however, continue to grow, both in scope and numbers, and there have been at least 18 known cases where Aadhaar numbers were issued to hostile actors from neighbouring countries, on the basis of bogus address and identity documents.

While UIDAI’s CEO claims that if everyone links their bank accounts with Aadhaar numbers, benami accounts can be detected with ease, the cases of the ISI spy Mehmood Akhtar and Lord Hanuman both appear to disprove this assertion.

In a constitutional democracy such as ours, elected governments inherit legitimacy and trustworthiness because of the inherent strength of the democratic process. For instance, bonds and currency issued by the government form the basis of all economic activities, because of the trustworthiness of the sovereign that guarantees them, and hence are tightly controlled by the Reserve Bank of India.

It can be useful to think of Aadhaar along similar lines, as an “identity currency”, backed by the sovereign might of a democratically elected government. Yet, it is neither proof of citizenship nor of age (as admitted by UIDAI), nor even an address proof by itself, and 120 crore such “identity currency units” (Aadhaar numbers) have, so far, been largely created by third party enrolment agencies, a vast majority of whom have subsequently been dismissed on the grounds of being unscrupulous entities.

Further, unlike the RBI, which has a rigorous process for reporting and destroying fake currencies, UIDAI, it appears, is struggling with the institutional bandwidth to deactivate and deal with fake identities.

Anand Venkatanarayanan is a senior engineer at Netapp. Views expressed here are personal and do not reflect the views of his employer. 

The Curious Case of the World Bank and Aadhaar Savings

The World Bank’s estimate that Aadhaar has the potential to save $11 billion in subsidies every year has repeatedly been used by the Centre to justify the programme. But does this figure hold up under close scrutiny?

The organisation has admitted that its referencing was incomplete but says that its $11-billion figure is based on an internal extrapolation of two other studies. Credit: PTI, Reuters

Evidence-based policy-making usually proceeds by outlining the problem at hand, discussing various solutions, conducting studies to understand the effectiveness of these solutions and then prescribing a course of action based on accumulated evidence.

It’s safe to say that the media and policy narrative surrounding India’s biometric authentication programme hasn’t followed this process at best and has been skewed in favour of speedy implementation at worst.

For instance, it is clear that both the previous UPA-II and current NDA government painted a highly-exaggerated picture of savings from direct benefit transfers for LPG – a narrative that was largely accepted by an unquestioning mainstream media.

Another figure that has floated around over the last two years is that the Aadhaar project has the potential to save $11 billion in subsidies every year.

There is enough evidence to show that this figure – which originates from the World Bank – doesn’t hold up against close scrutiny.

Most recently, this $11 billion statistic was used as part of the Centre’s argument before the Supreme Court, as part of its reply to a writ petition filed by Shantha Sinha challenging the government’s notifications that made Aadhaar compulsory for various welfare schemes.

A screenshot of the affidavit submitted by the Centre to the Supreme Court. Credit: The Wire

The affidavit by the government of India (shown above) also attaches the relevant portions of a 2016 World Bank report on digital dividends (page 195, shown below).

A clipping of the World Bank’s 2016 report. Credit: The Wire, World Bank

The World Bank study specifically talks about how India’s digital ID programme can potentially save “over US$11 billion per year in government expenditures through reduced leakage and efficiency gains”.

The reference for this sentence, as can be seen, is provided in a footnote (number 4) which refers to a separate study. Crucially, this other study referenced by the World Bank was not attached in the government’s affidavit before the Supreme Court.

What is this study that backs up the $11 billion savings figure? On page 197 of the World Bank report, the footnote 4 corresponds to a study carried out by Shweta Banerjee in 2015.

The term ‘CGAP’  referred to here is the Consultative Group to Assist the Poor – a global partnership of research organisations that is housed out of the World Bank.

On closer examination, the CGAP study mentioned in the link above shows a very different story than the one put forth by the Indian government in its Supreme Court affidavit.

A clipping from the 2015 Banerjee study. Credit: The Wire

The last sentence of the brief (shown above) is enlightening. The CGAP report does not talk about savings as a result of adopting a direct cash transfer model – but about the quantity or total value of the money that has been transferred.

If this is taken at face value, it shows that the World Bank was quite clearly mistaken. Is it possible that the government was not aware of this mistake? Very unlikely, since this potential goof-up was extensively discussed and laid out by IIT Delhi professor Reetika Khera in July 2016.

Since then, however, the claim has been repeated by IT minister R.S. Prasad (September 8, 2016) and by UIDAI’s CEO (May 13, 2017). Capping it off, of course, was the reference to the $11-billion figure in the SC affidavit on April 27, 2017.

So what gives? Did the World Bank make a mistake – or did it produce a different study and forget to cite it?

World Bank response

This author, and others, reached out to the World Bank in July 2017. The first email sent asked about the issue of the value of transfers versus value of savings. Specifically,  the organisation was asked how it referenced Banerjee (2015) as the source for the $11-billion figure when that study made no such claim.

The World Bank replied with the following response:

“The potential savings of over $11 billion in government welfare programs is an extrapolation based on two rigorous papers that estimated the reduction in leakages in the National Rural Employment Guarantee Scheme (NREGS) and the government’s domestic fuel subsidy program respectively due to Aadhaar. Muralidharan et al (2014) estimate that biometric registration, authentication, and payments in NREGs led to a 10.8 percentage point reduction in the leakage of funds (the difference between the wage payment outlays reported by government officials and those reported by households). Barnwal (2015) estimated the UID-based transfer policy reduced fuel purchases in the domestic fuel sector by 11-14%, suggesting a reduction in subsidy diversion. Extrapolating these leakage reduction rates to all Government of India welfare programs – amounting to roughly $70-100 billion in government expenditures—yields savings in the range of $8-14 billion. Instead of reporting this range, we reported the midpoint of $11 billion as potential savings.”

The words extrapolation, estimate and potential are important in this response. The World Bank response basically implies that there are two other inputs (research papers by Barnwal and Muralidharan), and these two inputs were extrapolated using a calculation to generate the final potential savings figure.

A follow-up question was consequently sent to the World Bank, asking it if the organisation’s extrapolation calculations could be shared and also as to why Banerjee (2015) was quoted as a reference in the 2016 report if the institution had actually performed separate research to support its claim.

The World Bank replied as below:

“It turns out we have shared with you all information we could. There is one small caveat to add – the footnote 4 is incomplete and should also have included a reference to Muralidharan et al (2014)  and Barnwal (2015), the latter two papers being cited elsewhere in the report.”

Let’s recap the Aadhaar savings narrative so far. The government has officially claimed $11 billion in potential savings based on a World Bank report. The actual report contains a reference to a study that does not talk about $11 billion in savings, but $11 billion in transfers.

When asked, the World Bank admitted that the referencing in its report was incomplete and pointed to two papers (one by Barnwal which is on LPG and the other by Muralidharan which looks at smart cards in NREGA).

Barnwal (2015)

Barnwal (2015) was first brought to the public’s attention when chief economic adviser Arvind Subramanian referred to it in a New York Times article and used it as a basis to state that Aadhaar could potentially save $2 billion. The Barnwal study has since then been debunked by the Comptroller and Auditor General of India (CAG), the International Institute for Sustainable Development and various articles in Economic and Political Weekly.

The government itself has admitted in Parliament that LPG savings were due to other factors: “Lower subsidy during the successive years is due to various factors, including introduction of direct transfer of subsidies into the accounts of consumers (PAHAL Scheme), fall in international crude oil prices and “GiveItUp” campaign.”

Rahul Lahoti, who is associated with Germany’s University of Goettingen and has written extensively on the issue of Aadhaar savings, has pointed out that extrapolation of LPG savings to other schemes is “not advisable”.

“The current analysis of LPG savings are based on very big assumptions, which might not hold. If these assumptions about exclusion/identification of duplicates are violated the actual savings might vanish. But additionally there are several other important caveats. In LPG – it is not clear how much of the savings are due to Aadhaar vs. the direct bank transfer. It might be the case that DBT without Aadhaar itself was effective in eliminating a majority of the leakages claimed by Aadhaar. So Aadhaar might not be necessary in its implementation,” he said, in response to a questionnaire sent by The Wire.

Lahoti went on to add:

“LPG subsidy as is well-known and I show in my previous EPW piece is mostly a benefit enjoyed by urban rich/middle class. This group of beneficiaries is different than ones using PDS/mid-day meal. PDS is enjoyed by relatively more rural and poor population where infrastructure is less developed.

In LPG subsidy there is only a one-time linkage between Aadhaar number and the bank account, whereas use of Aadhaar in PDS requires biometric authentication each time the benefit is availed and that process can be error-prone/dependent on infrastructure (electricity/internet connection).”

Muralidharan (2014)

The second paper the World Bank used as part of its extrapolation is by Muralidharan (2014) which studies not Aadhaar but the usage of biometric smart cards in the Centre’s NREGA programme.

The salient features of the Muralidharan paper are:

  1. It measured the impact of the introduction of biometric smart cards for NREGA and social pensions and found that the introduction did not change the fiscal outlays (Section 4.2, Page 16).
  2. It found a minuscule number of “ghosts” in the NREGA program after biometric smart cards were introduced and only 1.1% of ghosts in the social pension scheme (Table 5, Page 36), which is entirely consistent with other studies.

The first point requires more explanation. What really are savings? There are two distinct categories of savings:

  1. Fiscal savings implies that if ₹100 is spent on a particular program and introducing biometric smart cards removes duplicates, reducing expenditure to ₹90, then the savings are 10%.
  2. Efficiency implies that if ₹100 is spent on a particular program and only ₹80 was reaching the beneficiaries, program efficiency is at 80%. If introducing biometric smart cards increases efficiency to 90% when ₹100 is still spent, it is an efficiency improvement but does not affect fiscal outlays.

Muralidharan (2014) explicitly said that there are no fiscal savings from the introduction of biometric smart cards, only efficiency improvements. Hence using this paper as an input to forecast or extrapolate fiscal savings would be inaccurate.

On this point, Lahoti, in his emailed response, further described the use of Barnwal and Muralidharan as a basis for calculating Aadhaar savings in other social welfare schemes as “unclear”.

“The problem with using Barnwal’s findings to extend Aadhaar to other spheres is that LPG subsidies are different as argued before. Maybe both in NREGA and LPG, having just a direct benefits transfer to the bank might reduce leakages and it’s not clear if biometric authentication (smart cards or Aadhaar) adds any value,” Lahoti said.

World Bank and Aadhaar savings

Taking a step back, there is no publicly available information that shows how an extrapolation of these two papers can be used to derive potential Aadhaar savings in the range of $8 to $14-billion.

The World Bank has refused to share these calculations – and indeed glosses over the fact that the Banerjee article that was actually referenced talks about value of “transfers” and not “subsidy savings”. Further attempts made by The Wire to reach out to World Bank officials and World Bank chief economist Deepak Mishra went unanswered.

In the absence of a specific study or proof-of-work, the simplest explanation is that the World Bank mistakenly equated value of “transfers” with “savings in subsidy” in its 2016 study.

In the right to privacy case, the attorney general made two specific references to the World Bank report to argue against the right to privacy, implying that it would impede the state from pursuing its economic and welfare goals of lifting its citizens from poverty.

Further, Justice Chandrachud, while ruling with other judges in the same case that privacy is indeed a fundamental right, observed the following:

Data mining with the object of ensuring that resources are properly deployed to legitimate beneficiaries is a valid ground for the state to insist on the collection of authentic data. But, the data which the state has collected has to be utilised for legitimate purposes of the state and ought not to be utilised unauthorizedly for extraneous purposes.

The raison d’être for the Aadhaar project in welfare is that it allows the government to target subsidies to legitimate beneficiaries. The World Bank study's claim that Aadhaar can potentially save $11 billion every year is one of the most important intellectual scaffoldings on which this rationale stands, as it was repeatedly cited by the government in multiple public forums and also in the Supreme Court.

That the stakes have risen so high over a potentially murky claim is troubling and raises the following questions: If the World Bank had conducted independent research, why did it not make that clear in its 2016 report?

Secondly, if the research report’s referencing was incomplete, as it admits, why was it not corrected or an explanation put out after this was pointed out by Khera? Thirdly, if it erred in not making it clear in the first place, why does it refuse to make the study and its calculations public now?

Lastly, and perhaps more importantly, if the origin of the data is murky, why does the government cite it so often?

Anand Venkatanarayanan is a Senior Engineer at NetApp. Views expressed here are personal and do not reflect the views of his employer.

The author would like to thank Reetika Khera for her inputs on the World Bank savings claim, Twitter user databaazi for this thread which formed the basis for this report and Sam Jawed for the original follow-up questions to the World Bank.