== Feasibility concerns ==
In October 2010 R. Ramakumar, an economist at the Tata Institute of Social Sciences, wrote in an editorial for The Hindu that the project was being implemented without any cost-benefit or feasibility studies to establish whether the project would meet its stipulated goals. He also pointed out that the government was obscuring the security aspects of Aadhaar and focusing on the social benefit schemes. He quoted a former chief of the
Intelligence Bureau Ajit Doval, who had said that originally Aadhaar aimed to weed out
illegal aliens. In March 2011 Rajanish Dass of
IIM Ahmedabad's Computer and Information Systems Group published a paper titled "Unique Identity Project in India: A divine dream or a miscalculated heroism". Dass claimed that even if enrolment was voluntary, it was being made mandatory by indirect means. He pointed out that essential schemes like the National Food Security Act, 2013, were being linked to the UIDAI. He also stated that the feasibility of a project of this size had not been studied and raised concerns about the quality of the biometric data being collected. He cited statements of another researcher,
Usha Ramanathan, that the UIDAI would ultimately have to become profit-making to sustain itself. The debate on the feasibility of sustaining a project of the size of the population of India is settled as over 1.22 billion Indians are enrolled in Aadhaar as of July 2018, representing about 90% of the total estimated population. The scheme complements other initiatives taken by the government, for example
Digital India, to benefit people by giving easier access to public services. On 9 November 2012 the
National Institute of Public Finance and Policy (NIPFP) published a paper titled
A cost-benefit analysis of Aadhaar. The paper claimed that by 2015–2016 the benefits of the project would surpass the costs, and by 2020–2021 the total benefit would be against a total expenditure of . The benefits would come from plugging leakages in various subsidy and social benefit schemes. On 2 February 2013
Reetika Khera, a development economist at IIT Delhi, published a paper in the Economic and Political Weekly titled "A 'Cost-Benefit' Analysis of UID" in response to the cost-benefit analysis published by NIPFP. She argued that the seemingly large benefits were based 'almost entirely on unrealistic assumptions' and outdated data. The paper pointed to how the relative cost-effectiveness of Aadhaar in comparison with alternative technologies, the basic premise of any cost-benefit analysis, was entirely ignored. Further, concerns regarding a possible conflict of interest were also raised. In March 2016 the
International Institute for Sustainable Development released a report that the benefit from Aadhaar-linked LPG subsidy scheme for 2014–2015 was and for 2015–2016 was . These sums were much lower than the number stated by Finance Minister Jaitley in the Lok Sabha. He had said in March 2016 that the government had saved from the scheme. The paper said that the government was also including the savings from the efforts of oil marketing companies (OMCs) prior to the introduction of Aadhaar. The method used by the OMCs to weed out duplicates and ghost customers was 15–20 times more effective than the Aadhaar-based method. The savings of from the scheme was not claimed by the government to be from LPG subsidy alone, but by plugging leaks and checking corruption with the help of Aadhaar in all the schemes administered by the government of India.
== Lack of legislation and privacy concerns ==
On 2 February 2015, the Supreme Court asked the new government to clarify its stance on the project. This was in response to a new PIL filed by Mathew Thomas, a former army officer. Thomas had claimed that the government was ignoring previous orders while pushing ahead with the project and that the project was unconstitutional as it allowed profiling of citizens. In a reply on 12 February the government said that it would continue the project. On 16 July 2015 the government requested the Supreme Court to revoke its order, saying that it intended to use Aadhaar for various services. On 21 July 2015 the Court noted that some states were insisting on Aadhaar for benefits despite its order. On 11 August 2015, the Supreme Court directed the government to widely publicise in print and electronic media that Aadhaar was not mandatory for any welfare scheme. The Court also referred the petitions claiming Aadhaar was unconstitutional to a Constitutional Bench. On 19 July 2017, a nine-judge bench of the Supreme Court began hearing the arguments on whether there is a fundamental right to privacy. On 24 August 2017 the nine-judge bench unanimously upheld the right to privacy as a fundamental right under the Constitution. A five-judge constitutional bench of the Supreme Court has heard various cases relating to the validity of Aadhaar on various grounds including privacy, surveillance, and exclusion from welfare benefits. As of 27 February 2018, senior counsels Shyam Divan, Kapil Sibal, and Gopal Subramanium, argued over a span of 13 days in this matter. In a majority opinion dated 26 September 2018, the Supreme Court upheld the use of Aadhaar.
== Legality of sharing data with law enforcement ==
In 2013 in Goa the CBI was trying to solve the case of a rape of a schoolgirl. It approached a Goa local court saying that they had acquired some fingerprints from the scene that could be matched with the UIDAI database. The court asked the UIDAI to hand over all data of all persons in Goa to the CBI. On 24 March 2014, the Supreme Court restrained the central government and the UIDAI from sharing data with any third party or agency, whether government or private, without the consent of the Aadhaar-holder in writing. Vide another interim order dated 16 March 2015, the Supreme Court of India has directed that the Union of India and States and all their functionaries should adhere to the order passed by this court on 23 September 2013. It observed that some government agencies were still treating Aadhaar as mandatory and asked all agencies to issue notifications clarifying that it was not. On 26 September 2018, the Supreme Court ruled that Section 57 of the Aadhaar Act was unconstitutional, meaning that private entities cannot compel their customers to provide their Aadhaar number as a condition of service to verify their identity, specifically citing requiring it for bank accounts, school admissions, and mobile phone service as examples of unlawful use cases. However, it did uphold its requirement for income tax filing and welfare programmes.
== Land allotment dispute ==
In September 2013 the Delhi Development Authority accepted a complaint from the activist group India Against Corruption and cancelled a land allotment to the UIDAI. The land was previously owned by BSNL, and MTNL had also laid claims on it. It had an estimated value but had been allotted to the UIDAI at a very cheap rate. The issue of constructing the UIDAI HQs and UIDAI Regional Office building in Delhi was resolved with the Department of Telecom (DoT), following which the Ministry of Urban Development issued a notification on 21 May 2015 clearing the titles of the land in favour of the UIDAI, including projected land use.
== Security concerns ==
In an August 2009 interview with the
Tehelka, former chief of the
Intelligence Bureau (IB), Ajit Doval, said that Aadhaar was originally intended to flush out illegal immigrants, but social security benefits were later added to avoid privacy concerns. In December 2011 the Parliamentary Standing Committee on Finance, led by
Yashwant Sinha, rejected the National Identification Authority of India Bill, 2010, and suggested modifications. It expressed objections to the issuing of Aadhaar numbers to
illegal immigrants. The Committee said that the project was being implemented in an unplanned manner and bypassing the Parliament. In May 2013, deputy director general of the UIDAI, Ashok Dalwai, admitted that there had been some errors in the registration process. Some people had received Aadhaar cards with wrong photographs or fingerprints. According to Aloke Tikku of the
Hindustan Times, some officials of the Intelligence Bureau (IB) had criticised the UIDAI project in September 2013, with the officials saying that the Aadhaar number cannot be considered a credible proof of residence, as under the liberal pilot phase, wherever a person claimed to live was accepted as the address and recorded. In 2018,
R. S. Sharma, former director general of the UIDAI shared his Aadhaar number on Twitter, challenging people to show "one concrete example where you can do any harm to me!" Within hours, Twitter users managed to dig out his personal details like his personal mobile number(s), Gmail and Yahoo addresses, physical address, date of birth, his frequent flyer number, and that he uses an iPhone. After this incident, UIDAI tweeted urging users not to share Aadhaar numbers publicly. In September 2023, independent analyst
Moody's raised concerns about the Aadhaar system, highlighting its tendency to result in service denials, especially affecting manual labourers in hot, humid climates due to questionable reliability of biometric technologies. The Government of India refuted Moody's claims emphasizing the absence of reported security or privacy breaches within the Aadhaar System. The centre's stance was reaffirmed in response to parliamentary enquiries, where it unequivocally stated that no breaches had been reported from the Aadhaar database.
== Overlaps with National Population Register ==
[Image caption: reviewing the implementation of the National Population Register (NPR), at a meeting in New Delhi on 18 June 2014]
The Aadhaar and the similar
National Population Register (NPR) projects have been reported to be in conflict. In January 2012 it was reported that the UIDAI would share its data with NPR and the NPR would continue to collect its own data. In January 2013 then-Home Minister
Sushilkumar Shinde said that Aadhaar was not an identity card but a number, while the NPR was necessary for national security purposes. The 2013 Supreme Court order did not affect the NPR project as it was not linked to any subsidy. In July 2014 a meeting was held to discuss the possibility of merging the two projects, Aadhaar and NPR, or making them complementary. The meeting was attended by Home Minister
Rajnath Singh, Law and Justice and Telecom Minister
Ravi Shankar Prasad, and Minister of State for Planning
Rao Inderjit Singh. Later in the same month, Rao Inderjit Singh told the Lok Sabha that no plan to merge the two projects had been made. On 23 September 2019, the then Union Home Minister Amit Shah announced an idea where the NPR and Aadhaar would be on the 2021 census and would be used with the census data to build a new unique national document. However, UIDAI confirmed that for the 2021 census, the Aadhaar use would be voluntary, also saying that "Collection of biometrics is not been provided under Citizenship Rules".
== Fraud ==
In order to make Aadhaar accessible to often undocumented poorer citizens, obtaining an Aadhaar card does not require significant documentation, with multiple options available. In theory, the use of biometric facilities should reduce or eliminate duplication. So, in theory, while it may be possible to obtain the card under a false name, it is less likely that a person would be able to obtain another Aadhaar card under a different (or real) name. The Aadhaar card itself is not a secure document (being printed on paper) and according to the agency should not be treated as an identity card though it is often treated as such. However, with currently no practical way to validate the card (e.g. by police at airport entry locations) it is of questionable utility as an identity card. "There are five main components in an Aadhaar app transaction: the customer, the vendor, the app, the back-end validation software, and the Aadhaar system itself. There are also two main external concerns: the security of the data at rest on the phone and the security of the data in transit. At all seven points, the customer's data is vulnerable to attack ... The app and validation software are insecure, the Aadhaar system itself is insecure, the network infrastructure is insecure, and the laws are inadequate," claims Bhairav Acharya, Program Fellow, New America. The Aadhaar card is usually printed on glossy paper, and the government has stated black and white copies are valid. Some agencies charge extra to laminate the document. Other agencies have been reported charging 50 to 200 to produce a PVC version of the card, and it is marketed by them as a
smart card, despite having no official validity and no chip. Certain
mobile apps claim to verify an Aadhaar card using a
QR code scanner. However, the QR code is not a secure representation of an Aadhaar card either and can be copied and edited. The only way to validate an Aadhaar card is to perform an online validation, which will confirm that the card number is valid, and confirm the postal code and gender of the holder (but not their name or photo). In theory, this means that it is possible to create a false Aadhaar card using the number of a genuine holder from the same postal code with the same gender, with the card subject to a number of cases of counterfeiting. The digital document itself is self-signed by a non-internationally recognised certificate authority (n)Code Solutions, a division of
Gujarat Narmada Valley Fertilizers Company Ltd (GNFC) and needs to be manually installed on the PC. This is despite
Entrust assisting in the development of the solution.
== Cloning of biometric data ==
Aadhaar data is linked to the fingerprints of cardholders. This has been used by fraudsters to withdraw money from bank accounts. Most people have linked their bank accounts to their Aadhaar identity due to the mandatory nature of the linkage as promoted by the government. The Aadhaar programme automatically enrolls the bank customer into a payment system wherein money can be withdrawn from their bank account using their Aadhaar card numbers and fingerprints. Fraudsters obtain customers' fingerprints through websites where land-owning documents are public or where fingerprints can be sold to fraudsters by people who can obtain copies of victims' fingerprints through objects in their homes. Essentially, one's fingerprints work as a password that cannot be changed, unlike credit card PINs and many other similar protective services.
== Application issues ==
While the service is free for citizens, some agents have been charging fees. Despite the modern processes, there are cases where enrolments are lost in the system without explanation. mAadhaar is an official mobile application developed by the UIDAI to provide an interface for Aadhaar number holders to carry their demographic information including name, date of birth, gender, and address along with a photograph linked with their Aadhaar number in smartphones. In one case, every resident in a village in Haridwar was assigned a birthday of 1 January.
== Threat of exclusion ==
Many private and public benefits are being linked to Aadhaar numbers and made contingent on it: food aid, cooking-gas subsidies, mobile connections, NREGA wages, government examinations, banking facilities, tax filings, etc. In fact, much of the massive enrolment resulted from the fear of being excluded from these benefits. There have been instances where people have been denied food aid because of issues with authentication arising from network issues or problems with identifying fingerprints (sometimes fingerprints become faded from age or manual labour). Documentary proof may be difficult to obtain, with the system requiring documents such as bank accounts, insurance policies, and driving licences that themselves increasingly require an Aadhaar card or similar documentary evidence to originate. This may lead to a significant minority underclass of undocumented citizens who will find it harder to obtain necessary services. Introducers and Heads of family may also assist in documentation; however, for many agencies and legitimate applications, this facility may not be practical.
Non-resident Indians,
overseas citizens of India, and other resident foreigners may also find it difficult to avail themselves of services they could previously freely obtain, such as local
SIM cards, despite assurances to the contrary. Since the Unique Identification Authority office first opened in Delhi, people have been allowed to designate their gender as "transgender" on their Aadhaar card, according to an August 2013 report.
== Data leaks and security incidents ==
The Aadhaar database has experienced multiple data leaks and security breaches since its inception. These have ranged from the sale of unauthorised access by database administrators, the exposure of personal information on government websites, and unauthorised use and access of Aadhaar data by private institutions. The detailed personal information being collected is of extremely high importance to an individual. However, once collected, it is not being treated with the required sensitivity for privacy concerns. Major financial transactions are linked with information collected in Aadhaar. Data leaks are a gold mine for criminals who now use sophisticated hackers. Government departments and various other agencies that collect this information such as banks cannot be trusted to maintain the secrecy of all this collected information. Another case occurred wherein Aadhaar data collected by Reliance Jio was leaked online, and the data may now be widely available to hackers. The UIDAI confirms more than 200 government websites were publicly displaying confidential Aadhaar data; though removed now, the data leaked cannot be scrubbed from hackers' databases. In July 2017 privacy issues with regard to the Aadhaar card were discussed in the Supreme Court. A report from the Center for Internet and Society suggests that the records of about 135 million Indians may have been leaked. A loophole was identified that allows all records to be accessed by anyone though hackers can find other routes.
=== 2017 ===
In February 2017, the Unique Identification Authority of India filed a police complaint after confirming that Axis Bank, a private banking institution, Suvidhaa Infoserve (a business news reporter) and eMudhra (an agency providing e-signature services) had illegally accessed the Aadhaar database and further, had impersonated people after illegally storing their personal data. In April 2017, the government of the state of Jharkhand exposed Aadhaar details and personal information of over 10
lakh (1 million) people as a result of a programming mistake on the website of the Jharkhand Directorate of Social Security, making this information available to any person who was logged on to the website. In March 2017, the UIDAI blacklisted a contracted agency charged with collecting biometric data, after they shared a photograph containing the personal information of Indian cricketer M.S. Dhoni. The photo was tweeted as part of efforts to promote Aadhaar enrolment in India, and showed Dhoni enrolling, including a visual of his enrolment form being fed into a computer. The image was retweeted by several people, including
Ravi Shankar Prasad, the then-Information and Broadcasting Minister of the Indian Government. In August 2017, a software engineer was arrested after he created an app that exploited vulnerabilities in the official Aadhaar app in order to allow him to re-route requests for data, after unlawfully accessing the networks of the
National Informatics Centre. He was able to exploit the Aadhaar app before detection for six months, between January and July 2017. Wikileaks tweeted on 25 August 2017 that the same American supplier of fingerprint and iris scanning equipment that collaborated with the CIA to identify Osama Bin Laden was also supplying equipment to India. The complex structure of ownership is detailed in an article in Fountainink.in. Concerns were raised as early as 2011 in the Sunday
Guardian regarding not following due process and handing over contracts to entities with links to the FBI and having a history of leaking data across countries. How the CIA can hack and access the Aadhaar database using a secret Expresslane project is documented in a report on the GGInews website and saved in an archive lest it be removed. Further communications, which have also been archived, have identified the clauses under which data may have freely flowed to foreign agencies due to the nature and wordings in the Aadhaar contracts. The Centre for Internet and Society, a non-profit research organisation from India, reported that during 2017, the Aadhaar of 130 million people was leaked as a result of information exposed on websites relating to four government social security schemes. These schemes were the National Social Assistance Programme and the National Rural Employment Guarantee Act (managed by the Ministry of Rural Development), and the Daily Online Payment Reports under NREGA and Chandranna Bima Scheme (managed by the State Government of Andhra Pradesh). In May 2017, the Central Government of India admitted in the Supreme Court that Aadhaar data had been leaked several times in that year. Arghya Sengupta, the head of policy consulting institution,
Vidhi Centre for Legal Policy, argued that none of the leaks had come directly from the Aadhaar database, while the Attorney General, Mukul Rohatgi, defended the leaks and argued that, "one cannot have an absolute right over his or her body". The leak of Aadhaar data was further confirmed publicly by the Ministry of Electronics and IT.
=== 2018 ===
In 2018, the Aadhaar database suffered several breaches, resulting in 1.1 billion people's data being leaked and compromised. This was described by the
World Economic Forum 2019
Global Risks Report as the "largest breach" of personal information in that year. In the same year, Right to Information petitions filed by media organisations indicated that 210 Indian government officials and institutions had posted parts of the Aadhaar database in publicly accessible sources, resulting in the leak of personal data and in post-facto removals of this data by the Unique Identification Authority of India. On 5 January 2018, media correspondents from The Tribune reported that they were, by posing as buyers, able to gain administrator access to the entire Aadhaar database for a payment of , revealing major security flaws. Acknowledging this data breach, the Unique Identification Authority of India suspended 5000 officials from accessing the database after an investigation revealed misuse and unauthorised usage. The incident was widely reported internationally. In response to the incident, UIDAI denied the breach, and filed a criminal complaint against the newspaper and journalists who reported the security flaws. On 8 January 2018, India's Union Government confirmed that three websites belonging to the Government of the State of Gujarat had exposed the personal Aadhaar data of citizens. These websites included the website of the University of Gujarat, the Gujarat government website, and the website of Gujarat's Director of Developing Caste Welfare. On 24 January 2018, a French security researcher posted on Twitter that the m-Aadhaar mobile application contained serious security vulnerabilities that could be used to compromise the personal data of users. In March 2018, an Indian security researcher noted that a vulnerability in the website of
Indane Gas, an Indian-government owned corporation supplying gas cylinders for domestic cooking, had resulted in exposing Aadhaar and personal data of every person enrolled with the Aadhaar database, and not just customers of Indane. American security website
ZDNet reported that they spent a month attempting to contact the National Informatics Centre, the UIDAI, and Indian consulate officials in the United States, but did not receive a response before they ran the story. On 20 March 2018, it was reported that Aadhaar data and linked personal information, including addresses, linked to a special scheme by the Government of Andhra Pradesh for women and girls had been left unsecured online and could be accessed by anyone, even though the scheme itself had been suspended in 2015. In May 2018, an Indian security researcher found that Aadhaar data linked to personal information, including caste identities, religious affiliation, bank accounts, and personal addresses and mobile numbers had been left unprotected on a website of the State Government of Andhra Pradesh, resulting in the leak of data belonging to 130,000 citizens. In September 2018,
R.S. Sharma, the chairman of the Telecom Regulatory Authority of India and former UIDAI chairman, disclosed his Aadhaar number on Twitter and challenged anyone to misuse it, in an effort to demonstrate the security of the Aadhaar programme. Using his Aadhaar, French researchers were able to access and disclose personal information belonging to Sharma, including his personal telephone number, tax identity card, his secretary's phone number, personal address, family photographs, date of birth, frequent flyer numbers, telecom operator, model of phone, details of personal purchases and transactions, and advised him to change his personal Gmail account password as a precaution. The information was later used to make an unauthorised symbolic deposit of in his personal bank account as well, to demonstrate the possibility of blackmail and compromise. In 2020, his Aadhaar number was also used to unlawfully register him for certain government subsidies for which he was ineligible, resulting in the fraudulent receipt of government funding. Sharma has blamed this incident on the state government's failure to verify his enrolment.
== Virtual ID ==
On 1 March 2018, Virtual ID (VID) was introduced and made available as an option for agencies to use by 1 September 2018. A Virtual ID is a 16-digit number that is generated using the Aadhaar number. This Virtual ID can then be used instead of the Aadhaar number to carry out some Aadhaar-related work.
== Revolving door problem ==
The question of the revolving door phenomenon (where "individuals using experience, knowledge and clout gained while in public service in pursuit of profit for private companies") has been raised in the context of Aadhaar, as people who were involved in the creation, design, and popularisation of Aadhaar are now working in the private sector where they can use this knowledge for their own private enterprises which profit off this knowledge. Some examples of this are Khosla Labs as well as iSPIRT, a non-profit organisation dedicated to developing and supporting India Stack's APIs, which has had many employees who were involved with UIDAI in various capacities.
== CAG Report on the functioning of the UIDAI ==
In April 2022, the
Comptroller and Auditor General of India published an audit report on the functioning of the UIDAI. The report contains observations and recommendations based on a performance audit – which included assessments of both the Enrolment and Update Ecosystems as well as the Authentication Ecosystems for the period 2014–15 to 2018–19. The press release lists the Summary of Performance, Significant Audit Findings, and the recommendations.
== Drive to link Aadhaar with Voter ID card ==
In 2022, the Election Commission started a drive to link the Aadhaar card with the voter ID card. The Union Government claimed that this linking will be voluntary, but the bill passed in the parliament contradicts the claim. The rules issued by the Union Government mention that the only "sufficient cause" for a person to not link their Aadhaar Card with the Voter ID Card is if the person does not have one. The election officials cited 'orders from above' to pressure voters into linking these documents. The linkage of Aadhaar with Voter ID cards raises several concerns. First, Aadhaar is not a proof of citizenship and such a linkage will not filter non-citizens. Another problem is that the Unique Identification Authority of India reported in 2018 that Aadhaar-based biometric authentication had a 12% error rate, and linkage of voter ID with Aadhaar in Andhra and Telangana in 2015 led to the disenfranchisement of around 30 lakh (3 million) voters, leading the Supreme Court to cancel the linkage process. Yet another problem is that such a linkage would assign Aadhaar's demographic information to an electoral database, leading to misuse for profiling of voters, and India's lack of data protection laws makes it even worse.