The New Oil

Aadhaar’s mixing of public risk and private profit

DIBYANGSHU SARKAR/AFP/GETTY IMAGES
01 May, 2018

IT WAS A BLACK-AND-WHITE PHOTOGRAPH of a crowded street, centred on a man glancing backwards into the camera. His face sat in the crosshairs of a computer-generated box populated with a mobile number, a date of birth, an address and other personal information. Superimposed above this was a 12-digit number, with four digits redacted: a representation of an Aadhaar number, the biometrics-backed digital identifier that the government has looked to impose on every resident of India. A few other faces in the crowd were framed by boxes crowned with Aadhaar numbers too. Above the image were a few lines of text, one of them reading, “Welcome aboard @On_grid team.”

The text and image were part of a tweet by India Stack in February 2017, announcing that OnGrid had joined a select group of its user entities. India Stack is a set of Aadhaar-specific application programming interfaces, or APIs—code that allows and governs communication between various programmes, as, for instance, when an app on your phone interacts with an e-retailer’s database or a payment gateway. In effect, India Stack’s APIs are building blocks in the software architecture required by many third-party entities, whether public or private, to use Aadhaar. OnGrid, a private company, provides background checks on employees for companies hiring blue-collar workers. It verifies individuals’ identities using their Aadhaar data, but also collates data from numerous other sources to show their employment history, criminal background, and more.

India Stack had taken the tweeted image from OnGrid’s homepage. Many were quick to call it frightening and dystopic—an illustration of Aadhaar’s potential use for mass surveillance. India Stack took the image down from its Twitter feed within hours, but OnGrid’s practices still came in for scrutiny. “Does it mean that Aadhar, PAN, passport etc docs for a given individual will be linked and available on your server?” one person tweeted. One of the company’s founders, Piyush Peshwani, replied, “With consent, yes. The record belongs to the Aadhaar-holder and only he/she decides what stays on it and what doesn’t.” Another user responded, “You have removed the image and repeated the same thing in words.”

Aadhaar was already deeply controversial at the time the tweet appeared. The first attempt to win legislative backing for the scheme, under the previous, Congress-led government, failed spectacularly. In 2011, the parliament’s standing committee on finance—led by a member of the BJP, which was then in the opposition—found Aadhaar to be “riddled with serious lacunae and concern areas,” and declared that it had “been conceptualized with no clarity of purpose … and is being implemented in a directionless way with a lot of confusion.” A retired judge who filed the first legal challenge to Aadhaar, in 2012, told the Supreme Court that the scheme “is a clear violation of citizens’ privacy,” and complained that the government was going ahead with the scheme despite its rejection by the parliament. When Aadhaar finally became part of law, with the Aadhaar Act passed in March 2016, it was under a government headed by the same BJP that had emphatically opposed it earlier. The government chose the unusual route of passing the legislation as a money bill—a route typically reserved for bills that deal only with the use of public funds, and which bypassed the Rajya Sabha, where the government does not have a majority. Critics argued that the Aadhaar Act pertained to issues including civil liberties, national security and social policy, and could not be defined as a money bill. A Congress leader challenged the move in the Supreme Court.

The concerns and controversies over Aadhaar have only escalated ever since. A May 2017 report by the Bengaluru-based think tank Centre for Internet and Society showed that the Aadhaar numbers of over 130 million people had been published on government websites, along with their names, bank account numbers and other personal details. In January 2018, The Tribune published a story of how one of the paper’s reporters gained access to a portal with data from every Aadhaar holder after paying a middle man just Rs 500. Other major leaks of Aadhaar-linked data have been surfacing with alarming frequency. Meanwhile, there have been multiple reports of poor people being denied access to welfare benefits, including food aid, because of failures in authenticating their identities using Aadhaar, whether due to network problems or their fingerprints being worn down from old age or manual labour. Some reports have connected such denial to starvation deaths.

A large and growing number of benefits and services both public and private are being linked to people’s Aadhaar numbers, and made contingent upon Aadhaar-based authentication—despite the outcry and the pending legal challenges to Aadhaar, as well as interim orders by the Supreme Court against making Aadhaar mandatory for many essential schemes and services. The government has made Aadhaar a requirement for food aid, cooking-gas subsidies, mobile connections, NREGA wages, government examinations, banking facilities, tax filings and much more. The threat of exclusion from essential benefits and services has spurred massive Aadhaar enrolment. The Unique Identification Authority of India, the authority in charge of the scheme, has enrolled over 1.2 billion of India’s 1.3 billion people. The UIDAI has touted this as a sign of runaway success, but critics say that India’s digital infrastructure and security systems have failed to keep pace, creating threats of data and identity theft in addition to those of the denial of benefits and services. The linking of Aadhaar to otherwise disparate services and information systems is also driving a massive consolidation of users’ data, and with it the potential for mass surveillance and profiling. Critics have pointed out how this can be exploited for such things as the malicious targeting of groups and individuals on ethnic or political grounds.

In all of this, OnGrid and other companies like it stand as crucial and interested go-betweens. As this story went to press, the Supreme Court was hearing a case that argued Aadhaar is unconstitutional. The case clubs together dozens of legal challenges to various aspects of the scheme that have been filed in courts all over the country. This January, OnGrid joined four other private parties to intervene in the Aadhaar matter. Their petition to the Supreme Court said that their businesses “have developed entirely as a result of the introduction of the Aadhaar system,” and argued for the system to continue unchanged.

These private companies are far from the only ones that stand to benefit from, and are currently batting for, Aadhaar. There is no fault in their profit motive and defence of their interests per se, but there is cause for caution in instances where such firms might have a great proximity to, and possibly influence over, the architects and operators of the Aadhaar system, creating potential conflicts of interest. With OnGrid, for instance, Peshwani, the company’s co-founder, was earlier a manager at the UIDAI. Khosla Labs, a business-incubation and investment firm that is among the companies that have approached the Supreme Court, has had several executives with UIDAI histories.

Though the Supreme Court ruled in August 2017 that privacy is a fundamental right, India has no privacy law yet. Critics of Aadhaar have highlighted that those enrolled in the programme currently have no recourse in cases where their information is compromised. When data leaks have been brought to the government’s attention, the official response on many occasions has been not to swiftly fix the problem, but to penalise those who identified it, including journalists. The UIDAI initiated criminal action against The Tribune after the newspaper published its exposé. The Centre for Internet and Society received several legal notices from the UIDAI following its revelations, and reportedly also faced scrutiny of its funding by the home ministry.

Aadhaar was originally pitched as a way to eliminate identity fraud in the delivery of public benefits. Today, its application far exceeds that purpose. Nandan Nilekani, the technology billionaire and politician who was the first head of the UIDAI and prime mover behind Aadhaar, has said, “Data has become the new oil,” and that “if we can restructure data to benefit every individual and every business, then we can lead to enormous amount of activity and economic growth.” He has also said, “In the West, the identity business was privatised. That’s a much more unsafe model than when a government issues an ID.” Even as Aadhaar is presented as a way to mobilise Indians’ data for the public good, the lines between those who run Aadhaar and those who profit from it are often blurry.

ONGRID AND KHOSLA LABS’S co-applicants in the petition to the Supreme Court are the bicycle-sharing company Yulu, the authentication-services firm Transaction Analysts, and the Digital Lenders Association of India, a group of financial startups. But the list of companies working in support of Aadhaar is much longer. The petition states, “There are several persons and businesses who depend on the Aadhaar system in the same manner as the Applicants therein,” and “a society comprising many such businesses who are dependent upon the Aadhaar system” is being formed, hoping to show the court “the facts pertaining to benefits and submissions on its constitutionality.” Soon after the petition was filed, the Economic Times reported that “a group of 50 companies consisting of fintech firms, lending companies, verification agencies” had formed a “Coalition for Aadhaar.” Neither the petition nor the Economic Times named members of the coalition beyond the petitioners.

Saranya Gopinath, the general counsel at Khosla Labs and the lawyer who filed the petition, told me the purpose of the petition. “If you see the conversation right now, it is a lot of well-meaning petitioners filing the case” against the government, “talking about Aadhaar and the implementation of it,” she said. “As a bunch of private companies who are not only deeply impacted by Aadhaar but who have been seeing the effect that our work, empowered through Aadhaar, has been able to create, we felt that we really had a lot to add to the conversation.”

Gopinath did not disclose the membership of the coalition. It was meant, she said, to “ensure that we can support Aadhaar in whatever way is required, in whatever way we think would be necessitated at that point of time.” When I asked her, in February 2018, whether the companies in the coalition were contributing money to the fight, she was noncommittal. “We’re actually working that out as we go along,” she said. “We’ll see as and when it comes together.”

But an email sent in mid January by Srikanth Nadhamuni, the current CEO of Khosla Labs and a former head of technology at the UIDAI, suggested otherwise. Under the subject line “Aadhaar PIL update,” the email contained a brief account of the filing of the petition, and then a paragraph about the coalition:

The creation of the Society has been proceeding and more companies have come forward to join the coalition. Wrt financial contributions as mentioned in the last meeting, the larger entities (PayTM, OlaCabs, Flipkart, PhonePe, etc) as discussed in the last meeting will be contributing Rs20 lakhs each, all the AUA/KUAs [user agencies licensed by the UIDAI] (Khosla Labs, eMudhra, Transaction Analyst etc) will be contributing Rs10 lakhs each. Smaller companies will be contributing Rs2 lakhs each. Please send your check made out to “Coalition for Aadhaar” and mail it to: Saranya Gopinath.


When asked about this message, Gopinath responded, “The coalition had sought contributions from the participating companies to cover the costs of representation in court.”

A representative of Ola Cabs’s corporate communications team told me that the company “has never made any commitment towards ‘Coalition for Aadhaar.’” The other companies named had not responded to requests for comment at the time this story went to press.

To many, lobbying by private companies in favour of Aadhaar is cause for concern. Rachita Taneja, a part of the Mozilla Foundation, which has been advocating for stronger data protection and privacy rights in the face of Aadhaar, told me, “You have companies like Amazon that will benefit from having more information.” With Aadhaar-enabled collation of data, she said, “they can have access to some of users’ most intimate details to create profiles of users in ways that they can’t see or even control. That’s not a feature, it’s a bug. It’s something that users don’t have active consent to. Users do not know how their information is being used, which company has access to their information.”

Companies working with Aadhaar are generally aware of the issue of consent. The frequently-asked-questions section of OnGrid’s website, for instance, says, “As per Government regulations, it is mandatory to take consent of the individual while using OnGrid web platform or mobile platform for verifications, for background checks and references, and for storing his/her data on the OnGrid platform.” It adds that if anyone objects to their data being on the OnGrid platform, they may ask the company to take it down. In practice, however, obtaining meaningful consent can be more difficult than companies assume. Srinivasa Katuri, the head of Transaction Analysts, told me that his company has “done each and every transaction with authentication—consent from the customer.” But it is a different question, he said, “whether the customer understood the consent or not.” In some cases, “the citizen is sitting on the other side, and consent is shown on this side, and it is tick marked and then an account is opened,” Katuri said, but the customer “doesn’t even know what consent is.”

One example of how hazy consent can be on Aadhaar-enabled platforms came in late 2017. Airtel reportedly used an Aadhaar-linked “know your customer” system, called the e-KYC, to open accounts for thousands of its mobile customers on the telecom giant’s own mobile payments bank, and routed a reported Rs 190 crore of LPG-subsidies away from their older bank accounts and into these new ones. Many customers complained that they had no idea of where their subsidy payments were going. Airtel promised to return the transferred sums, and was fined Rs 2.5 crore by the UIDAI.

In the case of background-check services, “for a poor plumber, if that becomes the only way of getting work, then he will give his consent, he will install that app,” Reetika Khera, a professor of economics at IIT Delhi and a vocal critic of Aadhaar, told me. “And they’ll say, ‘Ok, he’s installed it with consent.’ But actually, you’re killing all his other options.”

Khera’s larger concern was that Aadhaar-enabled identity authentication and background checks exemplify “the dangerous 360-degree profiling that we’ve been warning about.” The number of companies making a business out of such checks, which rely on compiling elaborate repositories of personal information, is growing. Besides OnGrid, they include firms such as TrustID, which claims to be able to “scan through 100 million eCourt Records PAN India, instantly,” “track & monitor social media profiles of candidates & employees” and “instantly assess income, salary & previous employment.” Another such company, IDfy, claims to be “redefining the boundaries of fraud detection” by using, in addition to Aadhaar authentication, data extraction from government documents and other “disparate public sources,” as well as “face match” technology.

Khosla Labs also has an Aadhaar-enabled authentication and verification product, called Aadhaar Bridge. The company, like OnGrid, is licensed by the UIDAI to access Aadhaar holders’ demographic data, with those holders’ consent. It describes Aadhaar Bridge as “a developer friendly API that allows organisations to easily integrate Aadhaar into their existing applications without the need of a separate Government license.”

Khosla Labs gets its name from Vinod Khosla, a prominent technology investor and one of the company’s founders. During a panel discussion in 2013 with Nadhamuni and Nilekani, who was then the chairman of the UIDAI, Khosla said, “People often ask me why we started Khosla Labs. And frankly, one of the simple reasons was that there was great talent available—I told you I love talent. But they also knew the Aadhaar system. And I said, ‘There’s got to be a bunch of opportunities around Aadhaar.’ So I would highly encourage it. And I do think it’s a really big opportunity.”

Regulatory filings for the 2016-2017 financial year indicate that Khosla Labs gave a loan of Rs 21 lakh to a non-governmental organisation called the eGovernments Foundation. Gopinath told me that it has been repaid. The foundation describes itself as being committed to “using technology to solve hard to crack governance challenges,” and was established in 2003 by Nadhamuni and Nilekani. Nadhamuni is its managing trustee. Gopinath said that Nilekani is no longer a trustee with the foundation, and that he “has nothing to do with Khosla Labs.”

Besides Nadhamuni, the set of Khosla Labs employees with major UIDAI links includes Sanjay Jain, the chief product manager for the UIDAI from 2010 to 2012 and an entrepreneur in residence at Khosla Labs from 2012 through 2015. Vivek Raghavan, a volunteer in biometrics at the UIDAI between 2010 and 2013 and the organisation’s chief product manager and biometric architect from 2013 until today, was a director of Khosla Labs until 2016 and an entrepreneur in residence at the company for nine months starting in 2012.

Such connections between the private sector and the UIDAI raise questions of what is sometimes called the “revolving door”—the phenomenon of individuals using experience, knowledge and clout gained while in public service in pursuit of profit for private companies. “There are cases where you have people who have been involved either in the construction of Aadhaar, the rollout of Aadhaar, the design of Aadhaar, now working in the private sector,” Nitin Pai, the director of the Takshashila Institution, a public policy think tank in Bengaluru, told me. Aadhaar “is the first time where a big government project got in people from the private sector to design this and roll this out. … What that meant is when they went into the government structure, the rules of hiring were unclear. … When they come out into the private sector, what are the rules governing what they can do or cannot do in the private sector? I think those were also not very clear.” Pai described this as “a systemic problem, where the Indian governmental system is not prepared and does not have the capacity to absorb large numbers of private-sector people coming in and working and leaving on a short-term basis.”

A former senior official with the UIDAI expressed strong concern about the possibility of people without formal positions in the UIDAI exercising influence within the organisation. The former official was a government servant, and was deputed to work at the UIDAI for a specific period of time. “If I am interested to continue I cannot, because my government role says that my deputation cannot extend beyond five years,” the former official said. But someone from the private sector might have been “for the past nine years enjoying” power both inside and outside the organisation. Sometimes, the former official said, security regulations might be relaxed to accommodate an insider with a conflict of interest. “See, if you say you have a rule, apply that rule for all or don’t apply it. You say, ‘I’m applying rules,’ and then you apply for a few and don’t apply for a few. So there comes the compromise. There come the lapses.”

“In what raises questions of propriety and conflict of interest, executives who have worked or are working with the Unique Identification Authority of India (UIDAI)—the parent agency for Aadhaar—are launching companies or funding start-ups that offer Aadhaar-based services and products for a fee,” the Indian Express wrote in a 2017 report on the relationship between Khosla Labs executives and the UIDAI. The report described how Khosla Labs’s articles of association show that “Raghavan, Jain and Nadhamuni were the three promoters of the company which is 99.9 per cent owned by another Mauritius-based company also called Khosla Labs.” In a report on the technology-news website The Ken, also from 2017, an anonymous founder of a prominent digital-payments company was quoted saying, “Khosla Labs were the first guys to get access to (Aadhaar) APIs. Others would’ve jumped at that opportunity.”

Gopinath told me that approximately a hundred authentication user agencies had already received licences from the UIDAI before Khosla Labs. She added that the company started its authentication service about two and a half years after Nadhamuni, Jain and Raghavan quit the UIDAI. “I don’t particularly understand the conflict,” Gopinath told me. Khosla Labs had gotten the same licence as any other user agency, she said, and through the same channels.

Nadhamuni and Nilekani did not reply to emails requesting interviews. Jain replied that he was not available to speak before this story went to press.

In April 2018, a number of financial-technology companies were reportedly denied access to Aadhaar-based verification services, despite there not being any written directive from the UIDAI to this effect. Tanuj Bhojwani, a volunteer with the organisation iSPIRT, which is behind India Stack, told me he thought the UIDAI was “just being respectful of what is happening in the courts right now,” in response to concerns that there may be no legal grounds for certain private entities to use Aadhaar-based verification services. “The UIDAI is just waiting to understand what it can and cannot do, and what it should and should not do.”

In response, an appeal to the UIDAI was circulated online, though not published. Its signatories included a representative of Khosla Labs, and Peshwani of OnGrid. It read, “We understand that the UIDAI, and the Aadhaar program have come under criticism by a small group of vocal activists. We call upon the UIDAI to take from the criticism that which can be used to improve their services, ensure better consumer data protection while ignoring the noise. … We call upon you to ensure that the UIDAI’s services continue to be reliably available, through a simplified process to all.”

INDIA STACK HAS ENORMOUS IMPORTANCE in the Aadhaar ecosystem. Its APIs provide the primary route to using Aadhaar for many practical applications. In effect, India Stack is the gate to Aadhaar, and almost every third party that wants to use Aadhaar must go through it.

The gate to India Stack is iSPIRT—the Indian Software Products Industry Round Table, formed in 2013 by former employees of NASSCOM, an industry group for information technology and business-process-outsourcing companies. Although iSPIRT, a non-profit entity, describes itself as a think tank, it also functions as an industry group for businesses that rely on Aadhaar. Today, iSPIRT is almost entirely devoted to developing and promoting India Stack’s APIs, and supporting companies who put them to use.

While iSPIRT is not a private company, the concerns of the revolving door apply just as much to it as to any private firm—perhaps even more so, given iSPIRT’s role as a crucial intermediary for private players looking to work with Aadhaar. On its website, iSPIRT calls those who work for it “volunteers,” and says they are paid “a modest Living Wage that is capped at their previous salary or Rs 36L”—Rs 36 lakh, or around $55,000—“whichever is lower.” These volunteers have included numerous individuals who have held prominent positions, both formal and voluntary, with the UIDAI: Pramod Varma, the chief system-architect and technology advisor at the UIDAI since its inception; Sanjay Swamy, an early volunteer with the UIDAI who worked on authentication and digital-payments systems for a year; Shankar Maruwada, the UIDAI’s head of demand-generation and marketing for two years; Sanjay Jain, the UIDAI’s chief product manager for two years; and Vivek Raghavan, the UIDAI’s current chief product manager and biometric architect.

One of iSPIRT’s founders, and today its functional head, is Sharad Sharma, a prominent technology investor. In How to Fix the Future, a book by the internet entrepreneur and writer Andrew Keen, Sharma is quoted saying that the volunteer-based, donor-funded model allows iSPIRT to “build public digital goods without public money.” But the model also allows iSPIRT to escape public scrutiny. The international watchdog Privacy International, in a November 2017 report on financial technology in India, wrote:

Who is building India Stack, this set of APIs? It is being produced, ostensibly, by “volunteers”, operated by iSPIRT (the India Software Product Industry Round Table)—a high-powered think tank. Having India Stack as a product produced by a group of ‘volunteers’—rather than, say, within the UIDAI (Unique Identification Authority of India)—has certain advantages from their point of view: they do not have to operate transparently, there is no requirement for them to be subject to right to information legislation or procurement rules. Thus, this important initiative—potentially as important as anything coming from government ministries—is not subject to that degree of oversight.

The Ken, in its 2017 report, detailed how the mobile-payment company PhonePe received “red carpet treatment from iSPIRT” in 2016 when building an app linked to the Unified Payments Interface, or UPI, an India Stack API that was then just being launched. The report also described how iSPIRT seems to have positioned itself as a “consultant to the banks.” The organisation’s website lists Axis Bank, Bank of Baroda, IDFC Bank and the State Bank of India as donors. The Ken report quoted the founder of a digital-payment startup as saying, “You have to pitch to iSpirt so they will put you in front of banks. They’ve done sessions on alternate lending, UPI, payments etc., but all closed-door events. You need to be in their good books to move forward. As an entrepreneur, I’d prefer not to lick them, but I have no choice but to.”

In 2016, as the Aadhaar Act was about to be enacted by parliament, Sharma was asked on a Slack channel about what recourse there would be for critics of Aadhaar if it could not be halted through the legislative process. He replied, “As I said, as architects of India Stack, we will use our influence to get changes through. It’s still not late for that.”

The iSPIRT website states, “Since we have different types of volunteers with differing roles, they each have different codes of conduct.” Depending on a person’s position, this can entail disclosure of interests, and a bar on holding equity or investing in startups they work with through iSPIRT or that stand to benefit from their policy advocacy. There is no detail on how these standards are enforced. I contacted Sharma to ask to speak with him, but he did not reply.

In May 2017, Kiran Jonnalagadda, an entrepreneur and a prominent critic of Aadhaar, used slides from an internal presentation prepared by iSPIRT to reveal that the organisation had sanctioned a programme of trolling critics of Aadhaar on social media using anonymous accounts. One slide called on iSPIRT volunteers, described as “swordsmen,” to coordinate attacks to ensure “strength in numbers.” Jonnalagadda also outed Sharma as the person behind an abusive troll account on Twitter. Sharma initially denied the link, but eventually apologised. “Anonymity seemed easier than propriety,” he tweeted, “and tired as I was by personal events and attacks on iSPIRT’s reputation, I slipped.”

After Sharma posted his apology, Nilekani wrote on Twitter, “Bravo, Sharad! I am sure that the indefatigable @sharads will take iSPIRT to greater heights.”

NILEKANI, THOUGH HE IS NO LONGER the chairman of the UIDAI, still wields immense power in the Aadhaar ecosystem, in both private and public realms. Aadhaar was his brainchild, and his appointment to lead the project, in 2009, was fully backed by the Congress-led government of the day. He was listed as a mentor to iSPIRT on the group’s website as late as in May 2017, though his name has been removed from it since. His influence and connections as a technology investor run deep, especially in Bengaluru, and only stand to get deeper—last year, he backed a new $100-million venture capital fund called Fundamentum. As a politician—Nilekani left the UIDAI in 2014 to join the Congress, and ran a failed campaign for a Lok Sabha seat from Bengaluru—his reach extends all the way to the highest circles of power at the national level.

The 2014 general election was a time of great uncertainty for Aadhaar. The BJP’s record of opposition to Aadhaar suggested the party would move against the programme now that it was in power. Narendra Modi himself, just weeks before he became prime minister, had tweeted, “On Aadhaar, neither the Team that I met nor PM could answer my Qs on security threat it can pose. There is no vision, only political gimmick.”

But Modi was quickly won over. The journalist Shankkar Aiyar, in his 2017 book Aadhaar: A Biometric History of India’s 12-Digit Revolution, wrote that the new prime minister met RS Sharma, an officer of the Indian Administrative Service and the UIDAI’s first director-general, soon after his swearing in. According to Aiyar, Modi immediately asked Sharma if it was feasible to have Aadhaar-linked biometric systems to track attendance at all central government offices. Sharma said it was, and Modi replied, “This must be done.” Shortly after this, Nilekani also met with Modi. In a television interview in 2015, Nilekani said, “I did have one meeting with him after the election, where I told him about the value” of Aadhaar.

In February 2018, the news website The Wire reported that Nilekani had had a strong hand in the appointment of a new head of the National Payments Corporation of India, or NPCI, a non-profit company created by the Reserve Bank of India and the Indian Banks’ Association to create and oversee infrastructure for electronic payments across the country. The NPCI board had voted for Uttam Nayak, a former India chief for the credit-card company Visa, to become the group CEO, but after intervention from the RBI it appointed Dilip Asbe—an associate of Nilekani’s, who was then the NPCI’s chief operating officer. According to The Wire, “Nilekani, who serves as an ‘advisor’ to NPCI but does not sit on the board, batted heavily in favour of Asbe.” Someone with knowledge of the proceedings told me that Nilekani “shadow-runs that company,” and that the NPCI board was sick of his influence.

India Stack’s Unified Payments Interface was rolled out, in 2016, by the NPCI. At a conference shortly before this, Nilekani said, “UPI’s going live in the next four, five days. … Every day I call up Dilip Asbe and say, ‘What’s going on?’ And he says, ‘Tomorrow, tomorrow—kal ho jayega, kal ho jayega.’”

In 2013, the RBI formed a working group to consider the use of Aadhaar to authenticate bank-card payments. The group prepared a report that stated, “Since this is a new technology that has not been adopted globally, the concerns related to data compromise are still unknown. Further, the remedial action in case of such a compromise needs to take into account the fact that if Aadhaar of a cardholder is compromised then the cardholder’s identity gets compromised for life unlike in the scenario where Banks replace the compromised Card+PIN with a new Card+PIN. Embedding Aadhaar in the payments ecosystem will need more stringent controls to avoid data breach at environments other than payments where Aadhaar is used.” A senior banking official told me that the RBI constituted the working group because Nilekani, then the UIDAI chief, was pushing hard to have Aadhaar incorporated into card transactions. When the group’s conclusions proved to be critical of Aadhaar, the official added, Nilekani “managed to get the RBI to suppress that report.” The document is not available in the RBI’s online archives.

Before the working group’s rebuff, Nilekani had even higher hopes for Aadhaar in banking. “He tried to get card numbers to be replaced by putting Aadhaar on the magstripe of every card,” the banking official said, “with the intention that somewhere down the line he’ll get RBI or somebody to mandate the Aadhaar, and drop the card number.” The official added that Dilip Asbe was among several of Nilekani’s associates to enthusiastically back the idea. But Nilekani ran into tremendous resistance from credit-card companies and banks, which said they were “not going to compromise any of the global standards.”

Some months after the report was finished, the RBI informed banks that all new bank-card infrastructure has “to be enabled for both EMV chip and PIN and Aadhaar (biometric validation) acceptance.” In September 2016, it directed banks to ensure that “new card acceptance infrastructure deployed with effect from January 1, 2017 are enabled for processing payment transactions using Aadhaar-based biometric authentication also.” That December, it extended “the time for deployment of Aadhaar-enabled devices till June 30, 2017.” There have been no further instructions on this so far.

The person with knowledge of NPCI proceedings said that when Nilekani, as the head of the UIDAI, was working as a public servant under the previous government, “there were checks and balances for him, because it was quite a fragmented government. In the current government, he’s just got a free run. So somebody in the government believes that this idea is so great, and they’ve just virtually given him the reins to run and hire and fire and do what he wants at the moment. Everybody knows it, but nobody wants to have the courage to speak up, because the government is seen as backing him.”

Philanthropic contributions by Nilekani’s wife, Rohini, also raise concerns of potential clashes of interest. (Incidentally, several years before the Aadhaar project began, the Nilekanis established an initiative in Bengaluru called the Adhar Trust.) Rohini has donated to the Vidhi Centre for Legal Policy, a Delhi-based think tank that drafted the Aadhaar Act, and which is led by Arghya Sengupta. Before the Supreme Court read a distinct fundamental right to privacy into the constitution in 2017—going against the government’s position on the question—Sengupta appeared before the court on behalf of the state of Haryana and the Telecom Regulatory Authority of India. The court’s judgment noted that Sengupta “supported the arguments of the learned Attorney General,” and that he argued “any right to privacy is conceptually unsound, and only comprehensive data protection legislation can effectively address concerns of data protection and privacy.” Sengupta now sits on the Srikrishna Committee, formed by the ministry of information technology in the wake of the Supreme Court’s affirmation of a fundamental right to privacy, which has been tasked with framing a data-privacy law. The UIDAI’s current CEO, the civil servant Ajay Bhushan Pandey, is also on the committee.

In November 2017, a group of citizens that included a retired chief justice of the Delhi High Court, a former state governor, senior advocates and former university vice-chancellors, wrote a letter of concern to BN Srikrishna, a retired Supreme Court justice and the head of the committee. “Most members on the current committee have in the past voiced or echoed views that seem to support Aadhaar, the brand created by the UIDAI,” they noted. “Some have even taken stands in the Supreme Court to challenge the fundamental right to privacy. A committee created to look at a fundamental issue which will impact this country needs to be balanced and cannot be biased towards one position, particularly when there might be conflicts of interest.”

The Vidhi Centre for Legal Policy did not respond to an emailed questionnaire.

IN THE TELEVISION INTERVIEW where he spoke about his meeting with Modi soon after the 2014 general election, Nilekani suggested that he did not have to do much to convince the prime minister to back Aadhaar. Modi, Nilekani said, “had already understood the value as the chief minister of Gujarat.”

In 2011, as his government was overseeing the early implementation of Aadhaar in Gujarat, Modi convened a council to design a State Resident Data Hub, or SRDH—a repository of personal data on all state residents. The database included data required for Aadhaar—held in the UIDAI’s Central Identities Data Repository, or CIDR—but also, according to Shankar Aiyar’s Aadhaar, additional information such as voter-card numbers, ration-card numbers, disability records and unique household numbers. This data was gathered under KYR Plus—Know Your Resident Plus—a system by which the UIDAI allowed states to ask for more information than is mandated for the creation of an Aadhaar number in the course of the enrolment process.

Aiyar’s book describes the UIDAI’s working philosophy. “The core team concurred that the concepts, design and executing structure would be thought through in-house,” he writes, but “execution, as far as possible, would be outsourced, to leverage competitive market dynamics which could be incentivised. In short, the design template was ‘in-house brains, outside limbs.’” This model, when applied to the enrolment process, meant that the UIDAI delegated enrolment work to registrars—mostly state governments, but also public-sector banks and some other private firms—which further delegated it to tens of thousands of private contractors.

SRDHs now exist in multiple states. In response to legal challenges, the government has told the Supreme Court, “A user department of the government, or agency will have information pertaining only to its own domain and will never have or will not be able to build a 360 degree view of any of its customers or beneficiaries.” But in a piece on SRDHs, Anand Venkatanarayanan, a technology professional, writer and prominent critic of Aadhaar, has shown that the language used by state governments to describe SRDHs casts doubt on this claim. For instance, according to an official presentation, Andhra Pradesh’s SRDH aims at “Getting a 360-degree view of Citizens” by linking data on health, education, employment, public safety and more from almost every government-run scheme, and can also geolocate Aadhaar-holding residents. An official presentation on Haryana’s SRDH described it as a “unified, central system” where “all data” is “inter-linked,” and said the database could be integrated with mapping technology to provide “updates in the citizen’s location.”

In an interview in 2009, in Aadhaar’s early days, the former Intelligence Bureau director Ajit Doval, who is now the National Security Advisor, said that the identification project “was intended to wash out the aliens and unauthorised people. … With this system, people can be located anywhere because all databases will be connected.” But, he added, “it is being projected as more development-oriented, lest it ruffle any feathers. People would be unwilling to give up their right to privacy.”

The government has been secretive about SRDHs. Venkatanarayanan told me that numerous documents on them that were earlier accessible on the UIDAI website, including a 2012 strategy document, have been taken down. Rakesh Dwivedi, a senior advocate representing the state of Gujarat in Aadhaar hearings, told the Supreme Court in February 2018 that the SRDHs were projects from the time of the previous national government, and that all biometric data in Gujarat’s SRDH was destroyed shortly after the Aadhaar Act was passed in 2016. A report on SRDHs in the Hindustan Times noted that the UIDAI “has consistently maintained that it is the sole custodian of citizen data collected during the Aadhaar enrolment process. Dwivedi’s statement in court reveals this was not always the case.”

The report also revealed that across the country, “Administrators and police departments are using individual Aadhaar numbers to consolidate citizen data scattered across disparate government departments, allowing for the creation of detailed personal databases.” It described the TSCOP—an application that allows police constables in Telangana to see detailed personal information about the state’s residents. Six “state-level IT administrators and programmers” told the Hindustan Times that the TSCOP and Gujarat’s SRDH are “based on the same principle—of using Aadhaar as a common identifier to integrate previously discrete data silos.”

In April 2018, a security researcher pointed to a new data leak on a government website, which exposed an Aadhaar-based database that listed individuals’ religion and caste alongside other personal data.

The government has involved private firms in efforts to consolidate data using Aadhaar. The income-tax department has been running Project Insight, an effort to gather and analyse data, including from individuals’ social-media profiles, in order to identify tax evaders—for instance, by flagging discrepancies between a person’s declared income and the level of wealth implied by her lifestyle. According to a government press release, the department has contracted the information-technology company Larsen & Toubro Infotech to “strengthen the non-intrusive information driven approach for improving tax compliance.” The company has described Project Insight as a “comprehensive big data, analytics and surveillance solution across India.”

(The government has brought in private parties for other Aadhaar-related work as well. One of the three contractors the UIDAI signed on to guard against duplicate biometrics and identities in the Aadhaar system was L1 Identity Solutions, a company that has since been absorbed by the defence multinational Safran. The agreement between the UIDAI and L1 Identity Solutions allows the contractor to “collect, use, transfer, store or otherwise process … information that pertains to specific individuals and can be linked to them.” Critics have pointed out that such sharing of data violates provisions in the Aadhaar Act.)

The multinational accounting firm Ernst & Young has been brought in as a consultant on Project Insight. The cover feature in the December 2017 issue of Tax Insights, a magazine published by Ernst & Young, was an interview with Arbind Modi, a special secretary of the Central Board of Direct Taxes, the statutory body overseeing Project Insight. He told the magazine that Project Insight’s objective “is to amalgamate the various information that comes into a single database,” and to “create a 360-degree profile of the taxpayer.” He also credited Aadhaar for much of what Project Insight is able to do.

A former employee of Project Insight spoke to me about its inner workings. “They told me, quite casually, that, ‘Ok, you’re going to be going through everyone’s social-media platforms, integrating various online identities that you might have, your digital footprints,’” he recalled. “So I did ask them, ‘Isn’t that a bit of an invasion of privacy?’ They said, ‘No, if you’re an honest person you have nothing to worry about.’”

Apar Gupta, one of the lawyers for the petitioners taking issue with Aadhaar in the Supreme Court, told me that “dredging a social media account is a clear violation of privacy” as defined by the apex court.

Project Insight’s cavalier attitude extended to security as well. “Generally when you’re working on these projects, you have a secure network,” the former employee said. “We weren’t provided that.” Instead, workers got online via USB devices and mobile data packs, regular wireless hotspots, or any other way they could.

“I’m pretty sure there was some corruption involved in the project,” the former employee added, because “we had ghost employees”—people registered and paid as employees, but who rarely, or never, showed up. “So, the way these companies work is you tell them, ‘Ok, you will have five of my dedicated employees—these are the people who will be working on the project.’ Now, you’re charging the client for each of them. But that doesn’t mean that they keep all the people there.”

According to his LinkedIn profile, Piyush Peshwani, the OnGrid co-founder, worked at Ernst & Young between January 2013 and August 2015, first as a manager and then as a senior manager. From August 2010 until he joined Ernst & Young, Peshwani was a manager at the UIDAI, where he helped oversee the creation of SRDHs. He has posted repeatedly on an open Google group about SRDHs, providing advice on how to use them and sometimes sharing key documents. The minutes of a meeting at the department of electronics and information technology in August 2012, released after an RTI application, show that Peshwani delivered a presentation that touched on “seeding of Aadhaar in databases” and “State Resident Data Hub (SRDH) and its use in Seeding and Service Delivery.” Despite messages asking for interviews, neither Peshwani nor Vineet Bansal, his partner in founding OnGrid, responded to me.

Venkatanarayanan drew a connection between Peshwani’s work for the UIDAI and the work he is now doing with OnGrid. “OnGrid is probably a much-evolved version of SRDH, in terms of architecture,” he told me. “You have a master database, and you have a lot of ancillary databases which were not originally Aadhaar-seeded, and you can just keep seeding them and you can keep building them.”

ERNST & YOUNG'S INVOLVEMENT with Aadhaar-related projects goes back to 2010, when the UIDAI signed it on as a consultant to help devise “strategy, business models, business cases, and potential revenue streams for CIDR.” The consulting contract, made public after a Right to Information application, states, “The revenue model should strike a balance between the objectives of social inclusion/welfare versus commercial sustainability of the CIDR. … To catalyze uptake, target those customer segments which are at a high level of maturity to use CIDR services.”

The contract also indicates that the UIDAI should “minimize or avoid free services to the extent possible.” It suggests services for which “CIDR based identity verification could be valuable”: “attendance of entrance exams,” “application for gas connection,” “issuance of digital signatures,” “purchase/transfer of property,” “opening of bank account,” “ATM Cash withdrawal,” “issue of credit card,” “obtaining mobile phone connection,” “airline check-in” and “check-in to hotels.”

The contract suggests that, even in its early days, the UIDAI envisioned a role for Aadhaar that extended into profitability, and was willing to promote an extensive flow of data between the public and private sectors. This part of the UIDAI’s vision was not acknowledged in any official public communication. Instead, the UIDAI and the government pitched Aadhaar as an initiative for improving public welfare—initially as a way to reduce fraud and losses in the public distribution system for food rations, and then as a way of facilitating financial inclusion and access to welfare schemes.

The UIDAI’s strategy overview, published in 2010, opens with, “In India, an inability to prove identity is one of the biggest barriers preventing the poor from accessing benefits and subsidies.” The five companies’ submission to the Supreme Court uses vocabulary typical of the UIDAI’s public pitch. “By providing a reliable proof of identity to sections of society that did not have the ability to get formal identification,” it reads, “the Aadhaar system has paved the way for these persons and their businesses to have access to cost effective and non-predatory lending channels even in remote locations and for small loan requirements.”


The computer scientist and entrepreneur Viral Shah was a manager of financial inclusion at the UIDAI between 2010 and 2012. He designed the e-KYC system, which shares individuals’ demographic details during the process of Aadhaar-based identity verification. Now packaged as an India Stack API, e-KYC has become a mainstay of the work of companies such as OnGrid and Khosla Labs. The e-KYC process “made it possible for people who were unbanked to get a bank account, people who could not get a SIM card to get a SIM card,” Shah said. “At some level it was allowing people to be seen by the government who perhaps otherwise missed out before.”

One of Aadhaar’s core functions is basic authentication, which responds to verification requests with a simple “yes” or “no” about whether an individual’s biometrics or phone numbers match those tied to their Aadhaar number. The e-KYC feature was an extension of this basic function, and was not always part of the UIDAI’s plans. Shah told me that even Nilekani was at first sceptical about creating it. Even after he was convinced of its utility, others at the UIDAI were not. The former senior UIDAI official told me that before e-KYC was introduced, “citizens felt protected” from their data being compromised, because they knew that “information doesn’t go out—I am proven only by ‘yes’ or ‘no.’” The e-KYC system, the former official said, “goes against our principle of the concept”—of minimum information flowing out from the Aadhaar database.

There are many who question Aadhaar’s actual impact on financial inclusion. Parul Agarwal, who studies the topic for a non-profit research organisation, told me there has been an upsurge in financial inclusion in India in recent years, “but I don’t think Aadhaar is the reason.” Instead, she linked the phenomenon “to various kinds of interventions that the government and RBI have introduced”—such as the Pradhan Mantri Jan Dhan Yojana, which has relaxed the minimum deposit limits and documentary requirements for opening bank accounts. As for fintech companies of the kind included in the Supreme Court petition, “None of them are at scale, and the consumer and financial behaviour of low-income households, particularly rural households, is very difficult to understand,” she said. “Fintechs do not really have the expertise to approach it.”

Kshitija Joshi, a professor at the Indian Institute of Sciences in Bengaluru who has studied financial inclusion in rural Karnataka, told me that Aadhaar-enabled financial inclusion “is clearly not happening.” Poor people are being turned away from formal credit not because of the costs of verifying their identities and personal details, Joshi explained, but because banks do not offer the kinds of products they need—such as personal loans “to tide over their temporary difficulties.” She emphasised the importance of looking at the “demand side” of the problem—the perspectives of rural Indians, and their habits in using financial products—rather than the “supply side”—the perspectives of the companies and entities involved in providing those products.

But, Joshi added, she had no issue with Aadhaar’s application regarding financial inclusion. “I have an issue with it being used for things like PDS”—the public distribution system—“where people are dying because their fingerprints don’t match.”

Even before Aadhaar enrolments began, in September 2010, the UIDAI had reason to expect that fingerprint authentication would be difficult in the Indian context. In a white paper published around a year before that milestone, a company that provided the UIDAI with biometric scanners detailed how fingerprints “are susceptible to noisy or bad data, such as inability of a scanner to read dirty fingerprints clearly. People above 60 years and young children below 12 years may have difficulty enrolling in a fingerprinting system, due to their faded prints or underdeveloped fingerprint ridges.” The paper estimated that while approximately five percent of any given population in the world has “unreadable fingerprints,” in India, “experience has shown that the failure to enroll is as high as 15% due to the prevalence of a huge population dependent on manual labor.”

Sanjay Swamy, the former UIDAI volunteer who is now with iSPIRT, said about authentication failures, “I don’t think it was expected to be as bad as it has ended up being, otherwise we would have probably done something about it.” Iris authentication is much more foolproof, he told me, but the “iris camera, it has really not taken off” because “people actually don’t like the iris experience.”

Still, Swamy said, Aadhaar meant a massive improvement on the previous status quo in the PDS system, where massive quantities of subsidised food were siphoned off due to fraud and a lack of public accountability.

This claim, too, has its sceptics. Reetika Khera, who has written extensively on Aadhaar’s effects in rural India, wrote in a 2017 paper that welfare fraud can be categorised into three broad groups: eligibility fraud, quantity fraud and identity fraud. Eligibility fraud, she wrote, involves “persons who do not meet the eligibility criteria managing to get themselves included” in welfare schemes. Quantity fraud “takes the form of eligible persons receiving less than their entitlements, e.g. under-selling in the PDS (people are forced to sign off on more than what they actually get).” And identity fraud involves “cases where one person’s benefits are claimed fraudulently by another.” Aadhaar—and, more broadly, biometric authentication—“can help eliminate identity fraud,” Khera wrote, “but has a very limited role, if any, in reducing quantity fraud or eligibility fraud. There is limited evidence on the magnitude of each type of fraud, but whatever evidence is available suggests that quantity fraud is the bigger problem. Therefore, contrary to the government’s understanding, Aadhaar can only play a marginal role in reducing corruption.”

“We’ve been saying from the beginning that we have no reliable estimates of identity fraud, we have estimates of quantity fraud,” Khera told me. “So, if you believe that identity fraud is a big problem, then you give us the evidence. That, they’ve never done.”

“There is very little corruption that exists between the ration shop and the consumer, which is the last mile,” R Ramakumar, an economics professor at Mumbai’s Tata Institute of Social Sciences who has written extensively on Aadhaar, told me. “The corruption is, the grain never reaches the ration shop, it is diverted somewhere in between.” Reshma, an organiser for the national Right to Food movement, told me that relying on Aadhaar to curb fraud was further burdening the poor when those siphoning away public goods are more often the wealthy. “It’s not the poor people. … It is the officials who are doing it,” she said. “They are the culprit—you please handle them, and don’t deny people to get rations.” The Aadhaar Act, she continued, “states that for the elderly people, for the women, for migrant workers, for unorganised workers, children, they will take special measures,” yet “no special measures have been taken. Rather, their rights have been taken away.”

Even Aadhaar’s purpose of providing a reliable form of identification to people who could not otherwise get it seems not to have been borne out. The UIDAI devised two paths to Aadhaar enrolment. People with existing identification documents had to submit copies of two accepted forms of identification. Those without them could use the “introducer system,” where a person with an established identity could vouch for theirs. An RTI application in 2015 revealed that of the 835 million people who had already received Aadhaars, only 219,000—a tiny 0.03 percent—had done so through the introducer system.

“I remember us discussing the introducer system in detail because we thought there would be lots of people,” Viral Shah said. “There were cases with us like homeless people, beggars, people who are in orphanages. We just thought that we would need a sophisticated introducer system to make it happen, but I guess it wasn’t really needed.”

Shah continued, “There are people who claim that Aadhaar’s brought about new forms of exclusion. Probably it’s true.” With a population of over a billion people, “the effect of a small percentage error is magnified, so I think the concerns are real and the authority”—the UIDAI—“should be made accountable to it through the law.”


AN AADHAAR NUMBER “IS NOT SENSITIVE DATA,” Sanjay Swamy told me when I brought up the possibilities of Aadhaar-related fraud. “I’ll tell you my Aadhaar number—you can print it in the magazine. … It’s like people knowing your phone number. A few people can spam you with a few things.” He insisted that “the system does not make you vulnerable in any way. Do not worry, get over it.”

Srinivas Kodali, one of the authors of the Centre for Internet and Society report on the massive leak of Aadhaar numbers and linked data, disagreed. “You have the Aadhaar number, you have the bank account number, and there are also phone numbers,” he told me. “All somebody needs to do is initiate a transaction, give a call to the guy saying, ‘Look, I’m calling from the bank … can you just give us the OTP we sent you?’”

Samir Kelekar, a security professional who has submitted an affidavit to the Supreme Court on the Aadhaar matter, told me that even the premise of using “biometric, as a password, is a disaster, because you cannot change it. If I got your password today you can just call and change your password. … The moment biometric is compromised, you cannot use it.”

“In security, you don’t try to make it impossible to compromise the system, you just try to make it expensive to compromise the system,” a noted security researcher told me. “To make a fake smart-card, you need a skimmer, you need a machine to break the cryptography—you need a powerful machine to break the cryptography—you need another machine to print the smart-card.” But “with a fingerprint, you just need a dollar—glue and wax—and you can make a gummy finger. Even though it is more sophisticated technology, the cost of the attack is very cheap.”

“The fact is that there is no bug-reporting mechanism to report any security loopholes to the UIDAI,” Kodali said. “And we have been asking UIDAI to get one for a really long time.” He added that he had informed the UIDAI months in advance about the leaks described in the Centre for Internet and Society report, but he never heard back and the leaks were not addressed until after the report was released.

Anand Venkatanarayanan, the technology professional and Aadhaar critic, told me that when he and some others started reporting security issues to the UIDAI in 2017, the authority began taking down certain documents from its website. So he and his associates decided to save copies of the UIDAI website each day and monitor it for changes. At one point, the site shrank drastically, from 140 gigabytes to 120 gigabytes in size. When they compared it to older versions to see which documents were removed, they found that the UIDAI “gave us a priority list.” The group began relaying details of Aadhaar’s security flaws to petitioners with cases before the Supreme Court, “just coming from all those 20 GB deleted documents.”

In August 2017, in response to a string of tweets on security vulnerabilities in Aadhaar-related apps, Ajay Bhushan Pandey, the CEO of the UIDAI, responded, “UIDAI is working on a policy to enable security experts to report issues in a legal and safe manner.” No such policy has materialised yet. Pandey did not respond to an interview request.

There have been numerous reports of Aadhaar-linked scams already—including one that involves an app reliant on India Stack’s Unified Payments Interface, which has stumped law enforcement agencies. Police in Uttar Pradesh have uncovered an underground ring that was creating fake Aadhaar cards based on bogus identities, reportedly by using artificial fingerprints and bypassing requirements for iris scans.

The government has informed the parliament that around 50,000 enrolment agencies have been blacklisted for dishonest behaviour since the Aadhaar project started. In February 2018, the UIDAI refused to re-authorise CSC e-Governance Services India Limited, an entity of the ministry of information technology that was earlier running enrolment centres, after what it described as an “enormous number of complaints of corruption and enrolment process violations against Aadhaar enrolment/Update centres.” A newsletter issued by CSC that month said the company was responsible for almost 270 million enrolments—about a fifth of all Aadhaar enrolments to date.

Rakesh Goyal, who led security audits of 25 authentication agencies licensed by the UIDAI, has submitted an affidavit to the Supreme Court that states, “I observed that in some cases the entities being audited were storing biometric data,” which “can potentially be used by these entities or hacked/leaked from these entities without any knowledge of UIDAI.” In a paper appended to the affidavit, he wrote, “I have no idea about the security posture of Aadhaar CIDR. Hypothesis cannot be ruled out that if such basic vulnerabilities exist in authentication ecosystem, there may be some vulnerabilities in data storage system, as its security is managed using the same set of knowledge base.”

“A great amount of care was taken in the design of the internal systems at UIDAI, so all the data is encrypted and stored, to my knowledge at least,” Shah said. But “some of the things—like the website, or app-related things—might have been done later, because those portals did not exist while I was at UIDAI. I know that they’ve come in much later, and they were probably devised with a lesser amount of care, perhaps. But I don’t think that should be taken as a sign that everything under the hood is rotten.” He argued that the government should “appoint an independent auditor, to look at security.”

The former UIDAI official explained that, sometimes, “senior officers go and announce, ‘We are coming up with an app to give the citizens the ease of getting their Aadhaar.’” Then “there is a pressure built on the developing team, that they have to bring out the app.” So “they will take three months to build the app,” but “will give not even three hours” to test it for security flaws.

Subhashis Banerjee, a professor of computer science at Delhi’s Indian Institute of Technology who has written on Aadhaar and data security, suggested that Aadhaar’s access-control systems need to be overhauled so that personal data can be accessed, “programmatically, only in certain ways, and you should have to provide an authorisation, a check by a third party”—that is, Aadhaar should have an independent regulator. Any programme that wants to access the database, he added, “should be able to prove that I am looking at this data, with this authorisation. And this chain of events should be recorded by the regulatory authority, in a tamper-proof way.”
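As an added illustration, not part of the original article and not code from the UIDAI or any project it describes, the following Python sketch shows one way the two properties Banerjee describes could fit together: a read succeeds only with an authorisation issued by a third party, and every attempt is written to a hash-chained log in which later edits or deletions are detectable. All names, the shared demo key and the sample record are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption: a shared demo key. A real regulator would sign with a private key
# so the data holder can verify authorisations but cannot mint them.
REGULATOR_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def canonical(obj):
    """Stable byte encoding so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_authorisation(requester, record_id, purpose, key=REGULATOR_KEY):
    """Regulator side: approve one requester reading one record for one purpose."""
    claim = {"requester": requester, "record_id": record_id, "purpose": purpose}
    tag = hmac.new(key, canonical(claim), hashlib.sha256).hexdigest()
    return {**claim, "tag": tag}


def authorisation_valid(auth, requester, record_id, key=REGULATOR_KEY):
    """Data-holder side: the tag must verify and match this requester and record."""
    auth = auth or {}
    claim = {k: auth.get(k) for k in ("requester", "record_id", "purpose")}
    expected = hmac.new(key, canonical(claim), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, str(auth.get("tag", "")))
            and claim["requester"] == requester
            and claim["record_id"] == record_id)


class AuditLog:
    """Append-only log in which each entry commits to the hash of the one before."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "event": event}
        entry_hash = hashlib.sha256(canonical(body)).hexdigest()
        self.entries.append({**body, "hash": entry_hash})
        return entry_hash  # head hash; the regulator keeps its own copy

    def verify(self, trusted_head=None):
        """Return -1 if intact, else the index of the first inconsistent entry.

        If the chain is self-consistent but does not end at trusted_head
        (entries dropped or history rewritten), return len(entries).
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {"seq": e["seq"], "prev": e["prev"], "event": e["event"]}
            recomputed = hashlib.sha256(canonical(body)).hexdigest()
            if e["seq"] != i or e["prev"] != prev or recomputed != e["hash"]:
                return i
            prev = e["hash"]
        if trusted_head is not None and prev != trusted_head:
            return len(self.entries)
        return -1


class DataStore:
    """Hypothetical data holder: no read without authorisation, every attempt logged."""

    def __init__(self, records, log):
        self._records = records
        self.log = log

    def read(self, requester, record_id, auth):
        auth = auth or {}
        granted = authorisation_valid(auth, requester, record_id)
        # Denied attempts are recorded too, so probing is visible to the regulator.
        self.log.append({"requester": requester, "record_id": record_id,
                         "purpose": auth.get("purpose"), "granted": granted})
        if not granted:
            raise PermissionError("no valid authorisation for this requester and record")
        return self._records[record_id]


def demo():
    """Constructed scenario: one valid read, one reused authorisation, one log edit."""
    log = AuditLog()
    store = DataStore({"rec-001": {"name": "constructed sample"}}, log)
    auth = issue_authorisation("dept-health", "rec-001", "benefit-eligibility")
    store.read("dept-health", "rec-001", auth)
    try:
        store.read("dept-police", "rec-001", auth)  # another party reuses the approval
    except PermissionError:
        pass
    head = log.entries[-1]["hash"]
    before = log.verify(head)
    log.entries[1]["event"]["granted"] = True  # someone rewrites the denied attempt
    after = log.verify(head)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The log is tamper-evident rather than tamper-proof: detection depends on the head hash being held by a party other than the data holder.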

But many critics of Aadhaar insist that, in light of all the risks, the only safe way forward is to dismantle the Aadhaar system completely. The UIDAI database “contains all manner of things, all manner of information about people,” Usha Ramanathan, a senior advocate and a prominent Aadhaar critic, told me. “It makes people very vulnerable, not only to breaks into the database per se, but also because of various kinds of links that have been established through seeding it in different databases.” The database, she said, “plainly has to go.”

That is an option that Aadhaar’s originators refuse to countenance. In January, after the news of the major data breach reported by The Tribune ignited a scandal and prompted criminal action from the UIDAI, Nilekani told a newspaper that there was an “orchestrated campaign to see how Aadhaar can be maligned.” He added, “If you are just taking a negative view, and not a constructive view, then you also have other reactions. I think everybody has to accept Aadhaar is here to stay.”

Editors’ note: An earlier version of this story stated that Arghya Sengupta appeared before the Supreme Court “on behalf of the government” during proceedings regarding the right to privacy in 2017. The story has been modified to clarify that Sengupta appeared on behalf of the Telecom Regulatory Authority of India and the state of Haryana, not the Union of India. The characterisation of Sengupta’s arguments before the court has been modified to reflect greater detail.