On Friday, 27 May, the Unique Identification Authority of India (UIDAI) said, "Do not share photocopy of your Aadhaar with any organisation as it can be misused. Alternatively, please use a masked Aadhaar which displays only the last four digits of your Aadhaar number."
This warning was withdrawn within two days "in view of the possibility of the misinterpretation".
UIDAI now says "normal prudence" is enough and existing mechanisms provide "adequate features for protecting and safeguarding the identity and privacy of the Aadhaar holder".
Experts have questioned UIDAI's statements.
Why Now?
UIDAI, in its second circular, said the initial release was issued in the context of an attempt to misuse a photoshopped Aadhaar card.
The Bengaluru office of the UIDAI had received complaints that Aadhaar numbers and sensitive details like addresses of the cardholders were being photoshopped and misused, The Economic Times reported, quoting government sources.
However, Aadhaar's vulnerabilities are not a recent discovery.
"While (photoshopping) could be the possible prompt for the circular, the vulnerability in the Aadhaar ecosystem is not a recent discovery as various data breaches and misuse incidents of the Aadhaar database have been reported across the country." - Kazim Rizvi, Founding Director, The Dialogue
Rizvi pointed to reports of Aadhaar details of individuals, including their names, addresses, and mobile numbers, being on sale for as little as Rs 5, as well as companies storing user data for voter profiling.
Chinks in the Armour
Rizvi explained that the Aadhaar ecosystem has three layers: the infrastructure, data-linking, and application.
"While the data-linking layer is encrypted, the other two layers are owned and used by the third parties without prescriptions on privacy and security safeguards. This shows that the Aadhaar is vulnerable to privacy and security risks at the ecosystem level, spread across the data lifecycle," he said.
"During the data collection stage, the involvement of intermediary agencies like Common Service Centres (CSC) and middle-man like agents within the ecosystem increase the chances of agent fraud, snooping, identity theft, misuse etc, due to poor monitoring systems." - Kazim Rizvi
As an example, he pointed to a report in The Tribune where a journalist was able to access the data of about a million individuals by paying only Rs 500 to an agent.
UIDAI Both Regulator & Promoter of Aadhaar
Apart from an increase in Aadhaar-related fraud due to active digitisation of government services, a catalyst behind the statement could have been the recent CAG report criticising the UIDAI, said independent researcher Srinivas Kodali.
Among other things, the Comptroller and Auditor General of India (CAG) found that the quality of biometric data was sub-par and that not all Aadhaar numbers in UIDAI's database were supported with documents, causing doubts about the "correctness and completeness" of the data.
Kodali claims that the 'masked Aadhaar' option was offered by UIDAI in response to a 2017 report of his on the leak of 130 million Aadhaar numbers.
"Anyone can easily modify an Aadhaar using photoshop, people rarely verify the details on an Aadhaar card. This is an issue which UIDAI should have worked on before distributing a billion Aadhaar cards," Kodali told The Quint.
"The UIDAI is both the regulator and promoter of Aadhaar, resulting in it issuing two opposing statements. This idea of a regulator becoming the promoter is bad for any industry." - Srinivas Kodali
'Normal Prudence' a Vague Term
After withdrawing its initial circular, UIDAI said that Aadhaar card holders are "only advised to exercise normal prudence in using and sharing their UIDAI Aadhaar numbers."
It adds that the Aadhaar ecosystem provides "adequate features" for protecting and safeguarding the identity and privacy of the cardholders.
However, such a statement appears to be irresponsible, given the kind of incidents that have already been reported on.
"The government states that 'normal prudence is enough' for the safe use of Aadhaar, but that is very vague, and there is less clarity in terms of what is considered normal prudence," said Kazim Rizvi.
"Besides, in a country like India, with vast differences in education and awareness levels, expecting individuals to exercise normal prudence is suboptimal and not pragmatic." - Kazim Rizvi
Kodali said that the Indian government does not want to acknowledge frauds related to Aadhaar.
"It only wants status quo where they only react when something big happens. While this is their standard response, they are reluctant to respond to people who are victims of Aadhaar fraud," he said.
(With inputs from The Tribune)