Questions remain on the Aadhaar flip-flop
Over the weekend, the government issued and withdrew an advisory cautioning people on sharing their full Aadhaar numbers in a hard copy with “unlicensed” organisations. The initial release was by the Bengaluru office of the Unique Identification Authority of India (UIDAI), which manages and maintains the Aadhaar database. Soon, it went viral on social media. The government then withdrew it, citing “possibility of misinterpretation” in a separate release on Sunday. Aadhaar cardholders, the second statement said, are “only advised to exercise normal prudence”. The U-turn brings with it several questions: Why was the advisory issued in the first place? What happened? Who was involved? And most importantly, what constitutes “normal prudence”?
For years now, the Aadhaar programme has been upheld as an example of how technology can improve the speed of, and access to, citizen services. But it sits at the centre of a conflict between security, scale, and universality: focusing on one creates vulnerabilities in the other two domains. Until now, the government's focus on security and universality has not kept pace with its thrust on scale. A person is more likely to be asked for a photocopy of an Aadhaar to access a service than to be verified the correct way, via an OTP or a fingerprint scan under the Aadhaar-authentication protocol. This poses a security risk, of the nature the first advisory warned of, and ties into the larger challenge of universality, the principle that all sections of users are technologically literate about what is and isn’t prudent. The government must review Aadhaar processes and the compliance of stakeholders, licensed and unlicensed, and come out with detailed advisories for its users, and its service providers too.