In multiple notices issued last month, the government has made Aadhaar, a 12 digit unique-identification, mandatory for at least 34 schemes, including children’s mid-day meal services, Sarv Shiksha Abhiyan, National Social Assistance Programme and Deendayal Antyodaya Yojana. In a bid towards a cashless economy, the government is also encouraging Aadhaar-enabled Payments System (AEPS), which ostensibly ensures secure digital transactions through the Aadhaar Pay application, launched by IDFC Bank in association with the government (currently only available to Android phone users).
While the decision to make Aadhaar mandatory for availing benefits of central schemes is in direct violation of a Supreme Court Order, this is not the only concern as far as AEPS is concerned.
What is AEPS?
In 2009, the United Progressive Alliance initiated the Unique Identification project for the inclusion of people who did not have government identification of any kind. AEPS would “speed track financial inclusion in the country”, through Aadhaar-based transactions in a shift towards a digital economy. Developed by the National Payments Corporation of India (NPCI), AEPS allows cash withdrawals, deposits and fund transfers through any bank at Point of Sale (PoS) machines or Micro-ATMs using Aadhaar-authentication.
Besides facilitating transactions through door-to-door services in rural villages, the launch of Aadhaar Pay was to encourage cashless transactions using biometrics – a key component of the Aadhaar-based system. In other words, all a person had to recall was their Aadhaar number, which is linked to their bank account, and authentication would be done by fingerprints.
In a release issued by the Press Information Bureau, the Ministry of Electronics and Information Technology claimed that as of now, AEPS was live in 119 banks throughout the country. “More than 33.87 crore transactions have taken place through AEPS, which was only 46 lakhs in May 2014,” the release read. However, according to NPCI data, 2.65 million transaction were made under the AEPS whose worth stood at Rs 316 crore.

(Source: Medianama)
As of 2011, the total saturation of Aadhaar stands at 91.7 per cent, which is impressive but makes it imperative that the loopholes in the Aadhaar system be fixed before making any further policy decisions. According to a report in the Navbharat Times, the centre has taken cognisance of the matter and the Prime Minister’s Office has sought an audit report on cyber security within the month.
No criticism allowed
On February 11, a post on the company blog by Sameer Kochhar, Chairman of Skoch Group (a Gurugram-based think tank), questioned the credibility of the Unique Identification Authority of India (UIDAI) and the Aadhaar system. He posed questions to the UIDAI and pointed out security loopholes and vulnerabilities in AEPS in a video. “Apparently, when you use an Aadhaar enabled front-end application, your biometric is scanned and stored on the device along with your Aadhaar number,” he said, claiming that this should be heavily encrypted but is not. These breaches were so alarming wrote Kochhar, that to not bring them to light “would be tantamount to treason.”

Following the publication of the blog post, a First Information Report (FIR) was filed on February 28 against Kochhar by the UIDAI for “spreading rumours” and violating Sections 34, 37, 9, 5 of Aadhaar regulations and Section 17-sub section 1 of chapter 3 of the Aadhaar act. Kochhar has gone on record to state that neither the police nor UIDAI had informed him about the FIR until March 2, 2017. Newslaundry tried to reach out to him but he is yet to respond.
UIDAI has also lodged a criminal complaint with the cyber cell against Axis Bank, eMudhra and Suvidhaa Infoserve for attempting to store data and make transactions through AEPS. In the notice (which was leaked online) served, UIDAI observed that close to 400 biometric transactions were performed in a span of seven months (July 14, 2016 to February 19, 2017). However, the Chief Executive Officer (CEO) of Suvidhaa Infoserve, Paresh Rajde, claimed that the company was testing the application. “While testing the application, the developer had sent four transactions concurrently, which is not allowed. There was no financial loss. It was a test transaction,” he told the Times of India.

This exemplifies how UIDAI, instead of engaging with vulnerability testers and security researchers, has decided to clamp down on them.
Speaking to Newslaundry, Apar Gupta, a Delhi-based lawyer working on cyber security acknowledged the absence of a fair engagement process. Calling it the first persecution under the Aadhaar Act, he said, “Rather than engaging in any vulnerability and threats, they have resorted to adopt a criminal process in which other people in the public will be prevented from carrying out such acts.”
Legal remedies
Speaking to Newslaundry, Srinivas Kodali, an internet researcher, said that he had also reported on the UIDAI’s vulnerabilities in terms of mass data leakage when he discovered that the details of five to six lakh children were publicly available. He tried to bring this to the notice of authorities, but says nothing came of it. “I filed an instant report with UIDAI. Nowhere has UIDAI ever acknowledged this,” he told Newslaundry. “And the consumer can’t go to the court because only the UIDAI has the right to go to the court,” he added. Chapter seven of the Aadhaar Act states that remedies under the act can only be invoked by the authorities.
A sore point between the government and critics of Aadhaar is that the Aadhaar Act 2016 gives complete technological control to UIDAI and makes very little provisions for consumer redressals. Gupta said civil and criminal remedies under the Aadhaar Act were deficient. For example, the act doesn’t put UIDAI under any obligation to inform Aadhaar card holders about security breaches, if any. Currently the only grievance redressal mechanism is to either call or e-mail.
However, Tata Consultancy Services (TCS) has been tasked with handling the grievances on the toll-free number (1947). “I’m mentioning TCS because it is a private body tasked with dispensing an essentially judicial state function. It is under no obligation to give an order or to place a request on behalf of the user,” Gupta said. “Essentially, you deal with a government office to make a request and at the very least, they are obliged to give you a formal written order agreeing or disagreeing with you.”
Gupta also pointed out that basic civil and criminal remedies are insufficient. The Information Technology Act, for example, is no help because it involves an appeal to the Cyber Appellate Tribunal, which is practically defunct and hasn’t passed any orders for the past five years.
We reached out to UIDAI officials with a list of questions:
1. On February 22, Sameer Kochhar had tweeted a leaked notice from the UIDAI to Axis bank, eMudhra and Suvidha for a possible security breach. Is it true that Aadhaar data can be misused?
2. How did UIDAI ascertain that there was a security breach?
3. How does UIDAI ensure that Aadhaar data is secure?
4. The video in the following link claims that biometric data can be stored in the device that enables Aadhaar-linked payments. The article and the video claim that Aadhaar data can be stored in the device. What are your comments on it?
5. Does UIDAI have a system to detect a security breach? How does that system work, if you could explain?
6. If you suspect any possible security breach by an entity, what sort of actions can UIDAI take?
7. If there is a leak, does UIDAI have a system in place to restore the Aadhaar account?
This story will be updated if and when they choose to respond. Its refusal to acknowledge security concerns in the system and instead penalise those that bring it up is especially alarming.
Digital natives?
Is India capable of taking the digital plunge? “No,” said Srikanth Lakshmanan, a software engineer developing “Cashless Consumer” (a consumer awareness initiative about digital payments). He said that the Watal committee report on digital payments claims that over 60 per cent of inter-bank AePS transactions are failing. “This is partly because of tech infrastructure and different banks being at different levels of supporting Aadhaar. This success rate is not related to authentication of person, rather just transaction going through (after successful) authentication,” he said. Another problem is that there isn’t a payments regulator. Without it, as Lakshmanan pointed out, “consumer protection is literally non-existent.” “The digitisation is largely being built without accountability provision,” he said.
Kodali said that for India, going digital “should be a 10-year plan”. “You can’t choose to go digital overnight,” he told Newslaundry, “and that’s what they are trying to do.”