‘Aadhaar is useless for identification’
An expert on complex systems, governance and informatics, Anupam Saraph advises governments and businesses across the world. A teacher and former IT Adviser to Goa Chief Minister Manohar Parrikar, he challenged Aadhaar as part of the Nagrik Chetna Manch. In the wake of the Supreme Court judgment, he spoke to Frontline on its implications. Excerpts from the interview.
How will the Supreme Court verdict affect companies such as Paytm that require Aadhaar for authentication?
Companies that use Aadhaar for authentication are now saved from the mistaken belief that Aadhaar authentication is more secure than traditional username and password challenges. Unlike Aadhaar biometrics, which are neither certified nor controlled by the person to whom they belong, passwords are in the control of users. Unlike biometrics, which can’t be changed if compromised, passwords can be reset.
Aadhaar biometrics are not certified by the UIDAI [Unique Identification Authority of India] as belonging to the person who is being authenticated. The biometrics associated with an Aadhaar number can be changed by processes (both legitimate and illegitimate) outside the control of fintech companies. They, therefore, had no way of guaranteeing risk-free outcomes with Aadhaar.
These companies will now be required to shift back to a more robust non-Aadhaar KYC [know your customer] that reduces significantly the risk of benami, or proxy, bank and wallet accounts using Aadhaar.
This is a win for fintech companies that want to prevent money laundering and financial terrorism. This is a win for the RBI, which prior to 2011 had clearly indicated that the use of Aadhaar in banking was not only against its own extant guidelines but also against the Prevention of Money Laundering Act, the Basel Standards and the government’s concerns about financing terrorism. It had highlighted that nowhere in the world are third-party identification systems used in banking.
While the Supreme Court verdict does not make Aadhaar compulsory, it still needs to be linked to PAN. Bank accounts need PAN and some other places also recognise PAN authentication. Can there be leakages through the PAN route?
The UIDAI’s affidavit to the Supreme Court indicates that more than 51 per cent of the Aadhaar numbers have never been used for biometric or iris authentication anywhere. So, it is obvious that most of them are likely to be ghosts or duplicates. Section 139AA of the Income Tax Act, which requires the linking of Aadhaar to PAN for income tax purposes, if upheld, will continue to generate fake PAN through fake Aadhaar. This will continue to generate benami bank accounts that are Aadhaar-enabled with these fake PAN numbers.
The concern is not about public exposure of Aadhaar numbers. It is about treating these uncertified, unverified and unaudited numbers as identity and enabling money transfers to benami bank accounts created through such Aadhaar numbers.
Can companies and banks that have collected Aadhaar data destroy the data now, or will they still be stored somewhere? Also, how do users know that the data have been deleted?
Delinking Aadhaar, while an essential process for financial and other institutions to reduce risks, is not sufficient to protect an individual or those institutions. Financial institutions need to run a campaign now to cleanse themselves of the Aadhaar virus to protect themselves from financial scams and unprecedented risks, which are outside their ability to contain. Aadhaar is not KYC.
A person’s safety cannot be guaranteed by just delinking his/her Aadhaar number. As long as uncertified, unverified and unaudited Aadhaar is treated as identity, it will expose one to identity fraud. As long as Aadhaar numbers, or any identity document based on Aadhaar numbers, are used to make Aadhaar-enabled payments, they will continue to enable money transfers to benami bank accounts created through Aadhaar.
In order to protect against harm from Aadhaar, the RBI needs to ensure two things. First, that banks revert to keeping a person’s identification documents for KYC, as long as they are not generated using that person’s Aadhaar and, unlike the Aadhaar, are certified, verified or audited by some government agency. Second, the National Payments Corporation of India’s [NPCI] Aadhaar-enabled payments should be delicensed, and no money transfers with Aadhaar or documents derived from Aadhaar should be allowed.
Aadhaar was also linked to the Prime Minister’s Digital India programme. Now that the court has ruled that private companies cannot use Aadhaar, what happens