Fixing Aadhaar eKYC and other leaks

Personally identifiable information (name, bank account, Aadhaar number among others) has been leaked a number of times from government websites (“Details of over a million Aadhaar numbers published on Jharkhand govt website”) and from companies with Aadhaar-based eKYC (“Jio users’ names, email addresses & more leaked online, but it is in denial”).

Because these departments and companies have gotten this information from the UIDAI’s Aadhaar infrastructure, calls for de-linking Aadhaar from other customer accounts grow stronger with every leak. This is barking up the wrong tree:

1. In Reliance Jio’s case, the company (likely registered as a KYC User Agency, KUA) requested data from UIDAI’s Aadhaar database by sending it the customer’s Aadhaar number. The customer then signalled his/her assent by having a fingerprint scanned and sent to UIDAI, which verified it and then sent Jio the KYC data packet. This packet has the personally identifiable information in question – name, date of birth, gender, phone, email, address and photograph – which serves as proof of identity and address, and which has since been leaked. (see Aadhaar eKYC API 2.0 specification, PDF)

I don’t see why any company that registers itself as a KUA to perform an eKYC should receive this data about the customer. UIDAI ‘knows’ the customer, and Jio (or any other company performing eKYC) trusts UIDAI. The KUA gains nothing from keeping its own copy of the data other than automatically filling in its customer profile. KYC is completely different from customer signup; data from one shouldn’t be used for the other. As a customer I may want to give such entities a different phone number or email address than the one on record with UIDAI (which is likely my private, primary one).

The Authentication API (which returns a yes/no answer to prove identity) can be extended for KYC purposes: for example, whether a customer is 18 or over – to sign up for a SIM card – is also a yes/no question that UIDAI can answer. Nothing is gained by sending the KUA the exact date of birth.
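To make the contrast concrete, here is an added Python sketch of the two flows; it is illustrative code written for this post, not UIDAI’s API or any KUA’s software. The records, the 12-digit placeholder numbers and the shared HMAC key are all constructed (the real API signs responses with a digital signature; an HMAC stands in for that here). `ekyc_packet` models today’s flow, where the whole profile leaves the authority on assent; `attribute_check` models the proposed one, where the KUA receives only a signed yes/no bound to the question it asked.

```python
"""Data-minimising identity checks: a full eKYC packet versus a yes/no answer.

Hypothetical model (not UIDAI's code): the identity authority holds the record,
the relying party (KUA) asks a yes/no question, and only the answer leaves the
authority, signed so the KUA can trust it without receiving the underlying PII.
"""
import hashlib
import hmac
import json
from datetime import date

# Constructed sample records; the numbers are placeholders, not real Aadhaar numbers.
AUTHORITY_RECORDS = {
    "000000000001": {"name": "A. Example", "dob": "1995-04-12", "gender": "F",
                     "phone": "+91-0000000000", "email": "a@example.invalid",
                     "address": "1 Example Road, Example City"},
    "000000000002": {"name": "B. Example", "dob": "2008-09-30", "gender": "M",
                     "phone": "+91-0000000001", "email": "b@example.invalid",
                     "address": "2 Example Road, Example City"},
}

# Secret shared between authority and KUA for signing responses (assumption for
# the demo; the real API uses a digital signature, an HMAC stands in for it).
RESPONSE_KEY = b"constructed-demo-key"


def ekyc_packet(uid, holder_assent):
    """Current eKYC-style flow: on assent the whole profile is handed to the KUA."""
    if not holder_assent or uid not in AUTHORITY_RECORDS:
        return None
    return dict(AUTHORITY_RECORDS[uid])  # every field leaves the authority


def _age_on(dob_iso, on):
    """Completed years between an ISO date of birth and the date `on`."""
    y, m, d = map(int, dob_iso.split("-"))
    return on.year - y - ((on.month, on.day) < (m, d))


# Predicates the authority is willing to answer with yes/no only.
PREDICATES = {
    "age_at_least_18": lambda rec, today: _age_on(rec["dob"], today) >= 18,
}


def attribute_check(uid, predicate, holder_assent, today=None):
    """Proposed flow: the KUA learns only a signed boolean, no PII."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    if not holder_assent or uid not in AUTHORITY_RECORDS or predicate not in PREDICATES:
        answer = False  # no assent, unknown holder or unsupported question: say no
    else:
        answer = PREDICATES[predicate](AUTHORITY_RECORDS[uid], today)
    # Bind the answer to the question and date so a 'yes' for one predicate cannot
    # be replayed as a 'yes' for another; the uid is hashed rather than echoed.
    payload = {"uid_hash": hashlib.sha256(uid.encode()).hexdigest(),
               "predicate": predicate, "answer": answer, "date": today.isoformat()}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(RESPONSE_KEY, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_response(resp):
    """KUA-side check that the boolean really came from the authority, untampered."""
    body = json.dumps(resp["payload"], sort_keys=True).encode()
    expected = hmac.new(RESPONSE_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, resp["sig"])


def fields_exposed(response):
    """How many profile fields a KUA ends up holding after each flow."""
    if response is None:
        return 0
    if "payload" in response:
        return 0  # a hash and a boolean, nothing copied from the profile itself
    return len(response)


if __name__ == "__main__":
    print("eKYC packet:", ekyc_packet("000000000001", True))
    resp = attribute_check("000000000001", "age_at_least_18", True, "2017-07-10")
    print("attribute check:", resp["payload"], "valid:", verify_response(resp))
```

The point of the sketch is what the KUA is left holding once the call returns: six profile fields in the first flow, a hashed identifier and a boolean in the second. A breach of the KUA’s database then exposes nothing that the authority did not already make public by design.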

2. Even if the entity receives no personally identifiable information (PII) from UIDAI, it still has the customer’s Aadhaar number, linked to a customer profile. When that data is breached, the customer’s PII and Aadhaar number are now public. Ideally, that shouldn’t be a security risk; any transaction involving Aadhaar requires either an OTP to the registered mobile number or a biometric scan as authentication. Simply showing up with an Aadhaar card is no proof of identity, nor is it meant to be – that is why the Aadhaar card is printed on simple paper and not on a smart card with a PIN – it’s laughably easy to forge an Aadhaar card because possession means nothing.

It turns out though that this isn’t widely known or understood in India. Therefore an Aadhaar card is treated just like a driver’s license or voter ID card or PAN card: if the photograph on the card matches the holder’s, it’s taken as proof. This – a fundamental misunderstanding of how Aadhaar is designed to work – is why such a data leak is problematic.

It is this misunderstanding we should tackle, not the linking of Aadhaar to mobile number, bank and other accounts. There are tremendous benefits to having a ubiquitous national ID that is digitally – and only digitally – verifiable – just look at how efficient Estonia’s interfaces to government are; it was the first country to design and issue such digital national cards over a decade ago. Aadhaar’s design in many ways is superior to Estonia’s (which relies on a chip and PIN card). Let’s stop making Aadhaar the bogeyman and identify and resolve the actual problems of misunderstanding and misuse.