The Maharashtra case shows pitfalls of Aadhaar use
By ANUPAM SARAPH | 4 November, 2017
The problem affecting tens of thousands of crore loan waiver in Maharashtra to benami Aadhaar bank accounts exposes the inability of Aadhaar to 100 per cent identify individuals or always prevent money laundering. Aadhaar is not a magic wand, it is merely a number to access an unaudited or unverified record from UIDAI’s database. The Maharashtra Aadhaar issue calls to question the methods now used to link it to bank accounts, SIM cards or others
FARM LOAN WAIVER SCHEME
The Chhatrapati Shivaji Maharaj Shetkari Sanman Yojana (CSMSSY), or the Maharashtra Farm Loan Waiver Scheme, invited online applications at the official website of CSMSSY 2017 www.csmssy.in for registration of farmers under the scheme for loan waiver. Applicants on the website were required to choose either OTP or biometric to authenticate the mobile phone or biometric associated with Aadhaar. Applicants could also physically fill the application form along with the photocopies of the Aadhaar card, PAN card (if applicable), and bank savings passbook to any of the Aaple Sarkar Seva Kendra.
Till 22 September 2017, the website received 10,512,040 registrations from farmers in Maharashtra from which 5,659,187 applied for farm loan waiver under the scheme. Under this scheme, farmers who had defaulted on crop loan or term loan between April 2009 and June 2016, if found eligible, would be given a loan waiver of Rs 1.50 lakh.
Various newspapers reported that the government has discovered that lakhs of farmers, according to the data provided to the government, have identical Aadhaar and savings account numbers. They quoted Principal Secretary (IT) V.K. Gautam as having been perplexed with duplicate Aadhaar numbers: “We are perplexed to see the identical Aadhaar and savings account numbers of several thousand farmers.”
This difficulty clearly exposes the inability of Aadhaar to always identify persons uniquely, prevent leakages, and participate in banking. The unwillingness or inability to audit the processes that deliver subsidies, benefits and waivers affects its intention to clean up the corruption and theft. Aadhaar is not a magic wand, it is merely a number to access an unaudited or unverified record from UIDAI’s database.
AADHAAR DOES NOT IDENTIFY ANYONE
The complex “ecosystem” and the processes for creation of these records provided multiple opportunities to create records for ghosts and duplicates. According to IT Minister Ravi Shankar Prasad, 34,000 operators who tried to make fake Aadhaar cards have been blacklisted. Even if each operator worked for a year before being blacklisted, at about 100 cards a day amounts to over a billion fake records. That is more than 95% of the database.
No one from the UIDAI or even the government even sign the Aadhaar card that is mailed back to the enrolee. The very same organisations that were declared by the UIDAI as holding databases full of ghosts and duplicates were asked to serve as “registrars” to the enrolment process. They were even given flexibility in the collection, retention and use of the data (including biometric) that they collected. The very same documents that were called suspect by the UIDAI, were used as proof of identity or address to enrol for Aadhaar. Aadhaar enrolment has been unlike that of any other identity document, easily scaling the creation of duplicate and ghost identities.
No one in the Aadhaar enrolment process was required to identify anyone. At best they had to merely verify documents that were submitted for enrolment. Needless to say, anyone in possession of your documents could enrol with minor changes in any demographic information or with different biometrics. Field stories of enrolments are full with descriptions of biometric jugaad, including using combination of persons, use of biometric masks, biometric modifications, and other ingenious methods to maximise registrations. There is also no evidence of any biometric de-duplication of ever having happened, let alone being able to demonstrate duplicates and ghosts cannot be enrolled.
Aadhaar is often unable to identify anyone. It is also not geared to remove ghosts and duplicates from other databases as it was built upon those very databases it claims to clean.
AADHAAR IS PROBLEMATIC
There is a widespread myth that biometric or OTP authentication at the time of transaction—enrolment for loan waiver, for example—is proof of consent of the person whose biometric it is. It ignores the reality that the biometric or OTP authentication could have been phished from a victim. It ignores that a stored biometric could have been used. It ignores that OTP generated on a SIM obtained and associated with an Aadhaar could be used. There are multiple possibilities. Above all, it ignores that mere authentication of a biometric or OTP does not imply a person is consenting to any process or transaction.
This belief of use of Aadhaar as consent to a transaction also ignores the field realities of processes using plain simple photocopies of Aadhaar or parallel Aadhaar databases to undertake transactions like on-boarding beneficiaries, delivering subsidies or waivers, issuing SIM cards or even open bank accounts. The CSMSSY also used mere photocopies of Aadhaar to enrol farmers. The use of Aadhaar to replace traditional processes to obtain consent opens up a Pandora’s Box of legal illiteracy and denial of human rights and justice.
With Aadhaar, no one has any trace of the real beneficiary or customer. The real beneficiary or customer may simply be masked by a benami owner using an Aadhaar number. Even your Aadhaar can be used without your knowledge by a perpetrator to claim multiple benefits multiple times, obtain SIM cards, open multiple bank accounts in order to use it to obtain loans, collect bribes, park black money, or siphon your subsidies. In the eyes of law enforcement, if these benefits or accounts are discovered, you will be the criminal.
PROBLEM OF LINKING AADHAAR
The Maharashtra difficulty exposes the loopholes in the government’s plan to link mobiles and bank accounts to Aadhaar numbers. It calls to question whether public interest and national interest are being protected by the bureaucracy. It calls to question the understanding of bureaucracy about processes delivering subsidy, benefits or waivers, and their audit. It calls to question their understanding of consent and shows the inability of authentication processes to capture consent. It calls to question their comprehension about Aadhaar. It highlights their inability to recognise that Aadhaar is not an identity or consent; it is merely a framework to store and retrieve records.
Traditionally, bank accounts are opened with strict KYC that leaves customer records with the branch for the lifetime of the accounts and branch managers are liable to ensure the identification of every customer they onboard. Aadhaar eKYC has incorrectly, as in the case of enrolment for CSMSSY, assumed identification. Aadhaar eKYC does not leave any customer acquisition records with the branch. It does not identify any person and give branch managers any confidence that they are not dealing with ghosts or benami individuals managing shell bank accounts.
SIM cards do not identify the user. At best they identify the location they are used from. It makes absolutely no sense to insist on a KYC or to link a SIM to an Aadhaar and treat OTP from the SIM as a means to authenticate the person.
For more than a decade, governments across India have been using the RBI’s own payment system, the NEFT or RTGS, to undertake electronic money transfers. This is also evidenced by the fact that Aadhaar leaks have exposed that bank details are already present in every record of the leaked data. There is absolutely no reason to switch public payments from NEFT to any Aadhaar enabled payment systems, run by any non-government company. The replacement of a time tested standard of electronic money transfers under government regulation, by a non-standard payment system run by a non-government company, raises several serious questions of national and public interest, propriety and possible conflicts of interest. The CSMSSY issue has called to question the reliability of using Aadhaar for governance and banking. The coercion behind linkage of Aadhaar to bank accounts and mobile phones to enable the Aadhaar payments raises serious questions of those who continue to push it despite repeated caution and alternatives. Prime Minister Narendra Modi must himself look at the entire matter and ensure only fail-safe modes of identity and transactions are used, as the scheme still has several of the defects that caused him as Chief Minister to oppose its mass introduction.
Professor and Future Designer @AnupamSaraph is an internationally renowned expert on governance of complex systems.
