One for the Record Books

The digital database of the Civil Registration System, or CRS, of India, the most comprehensive records of the Indian population that includes district-wise birth-and death-registration certificates, has been compromised for the last two years at least. A four-month long investigation by The Caravan revealed that the official login IDs of a large number of registrars across India, which is being used to generate birth and death certificates online, are up for sale for just Rs 1,800. The registrars’ login details are being sold to the vast network of over four lakh Village Level Entrepreneurs—the workforce implementing various Digital India schemes at the grassroots level, under the Common Service Centre network of the ministry of electronics and information technology. The VLEs, in turn, are using them to generate certificates at just Rs 200–250 per customer.

The Caravan has observed the working of this operation, including the messages shared by the VLEs and videos of the process through which the certificates are generated. The VLEs ask their online customers to fill in a form with personal details that need to be entered in the certificate, and within five minutes, a certificate is produced using a registrar’s login details. While the official process requires applicants to provide documentary proof in support of the details to be entered into the certificates, the VLEs creating these certificates have no such requirement. The certificate produced is then shared with the customer online as a PDF file.

The authenticity of these fraudulently produced certificates is evidenced by the fact that a QR code on the certificates, when scanned, directs the reader to the entry of the certificate on the CRS’s official website, crsorgi.gov.in. The only discernible way to distinguish the genuine certificates from the fraudulent ones appears to be that the registrars mentioned in the fake certificates are identified as officers of a different district in the same state than the area of the birth or death concerned.

The operation was even found to be active in Punjab, where the state uses a separate portal for registration of births and deaths in the state, and not the central government’s CRS portal. However, the registrars responsible for registration in the state were still given the facility to generate login IDs for the CRS portal, which have been compromised and taken over by the operatives behind the scheme. “Those who are in possession of the master ID of a district registrar have further generated new or additional ID of an already existing sub-registrar by changing his official email without his knowledge,” one 26-year-old VLE from Jalandhar told me. Like all the other VLEs who spoke to me, he spoke on the condition of anonymity. They later delete the ID and create fresh ones as per further demand.

Such an effective breach into the central database of the birth- and death-registration records has opened a pandora’s box of potential implications. For instance, the frequently answered questions page of the official CRS website lists the benefits of birth registration, which includes enrolment in electoral rolls and the National Population Register. The ability to create fictitious birth records is a powerful tool at a time when the central government, led by Narendra Modi and the Bharatiya Janata Party, intends to implement the Citizenship (Amendment) Act of 2019 and a pan-India National Register of Citizen.

The breach can turn the two highly ambitious projects into mere mock drills. The office of the state coordinator of the NRC in Assam states that a birth certificate dated before 24 March 1971 would be sufficient to prove one’s eligibility for inclusion in the controversial register of citizens. The Caravan’s investigation revealed a certificate purportedly issued by the birth-and-death registrar at the Maibang Rural Hospital, in Assam’s Dima Hasao district, for an individual born around 300 kilometres away in Udalgiri district. While the certificate is for a person born in February 2008, the authenticity of this certificate —as evidenced by its QR code directing viewers to the CRS website—reveals the scale and danger of this operation.

The master login even allows the operatives to create new hospital IDs—the official entry of a hospital in the CRS database, which records the births, deaths and other data of that hospital. Any fraudulent birth or death certificate can then be assigned to that fake hospital ID, to further protect the entire operation from scrutiny. As a result, the fictitious birth and death data can be entered into the central government database without the knowledge of any hospital authorities or registrars. “Since the certificates generated through these unauthorised accounts carries a valid QR code, they can be verified from the official portal by scanning the code,” the Jharkhand VLE said.

The Caravan brought this compromise to the attention of Vivek Joshi, the registrar general of India, on 12 July. The RGI’s office then asked me to email my questions. Accordingly, on 18 July, I sent a detailed email to the RGI’s office, including a copy of a birth certificate that had been fraudulently produced using a compromised login id of the birth-and-death registrar of the Municipal Corporation, Jalandhar. The RGI’s office had not responded to the queries before this article was published. It will be updated with a response if and when it is received.

The next day, however, the CRS website went down, halting any online registrations of births and deaths across India. The following day, on 20 July, the website was active once again, and certificates fraudulently issued using the account of the births-and-deaths registrar of Jalandhar now displayed a message that read, “This Record Has Been Cancelled.” This indicated that the fraudulent operation was creating genuine records in the CRS database, which were subsequently deleted after The Caravan brought it to the attention of the registrar general’s office. However, certificates generated from compromised registrar IDs of other states, however, remain functional and their QR codes continue to take viewers to the CRS website.

Anivar Aravind, a public-interest technologist, believed that the certificates being produced under the operation were as good as genuine and a part of the central CRS database. He said this was the case because the “date of issue” on each certificate on the CRS website was the particular date on which the QR code was scanned. “Whenever we are scanning the QR code, the portal is generating a fresh certificate using the data linked to the QR code and it shows current date as date of issue,” Aravind said. “This proves that every time the certificate generated in official portal is from the official database.”

*

In end July 2015, C Chandramouli, the registrar general of India and an additional secretary in the home department at the time, wrote a letter to all registrars and passport officers across the country, among others, seeking to expand the civil-registration system. “Even after more than 46 years since the birth and death registration was made compulsory under the RBD Act, India is still lagging behind with about 16 and 30 percent birth and death unregistered,” the letter stated. “The entries in birth and death registers are public documents and admissible as evidence under section 35 of the Indian Evidence Act, 1872. These entries are conclusive evidence of the fact of birth and death, as the case may be … The certificates issued under the said Act is the legal document.”

The letter went on to call upon the recipients, which also included the office of the election commissioner of India, to link the “services given to the public by your office” to the “availability of birth and death certificates.” The registrar general added, “As a result, the national level of registration of births and deaths will automatically move towards universal level registration.” The letter then listed the benefits of registration, many of them similar to the ones mentioned on the CRS website, such as registration for entry in the NPR, which would form the basis for a pan-India NRC.

In India, the vital statistics of a population are generated through three difference modes. The first is the civil-registration system, which follows the procedure laid out in the Registration of Birth and Deaths Act of 1969. The CRS envisions real-time data that provides reliable statistics on fertility and mortality at every block and district level. The CRS also collects data on 18 indicators of the Indian population, including the birth weight, duration of pregnancy, age of the mother at the time of marriage, sex ratio and mortality rate.

The second mode is the population census, which is conducted at every household level and is the most comprehensive source of providing data on size, structure and growth of population, even for smaller administrative units. However, since it is a decadal operation, it does not provide information on population growth and demographic variables on yearly basis. The third is the Sample Registration System, which was introduced in 1970 as a pilot project in India. Under the SRS, the data of small sample units is recorded of population variables set up in rural and urban areas to prepare an annual statistical report.

“Its an irony that despite being one of the most populated country, we do not get population data in real time and have to depend on sample surveys to prepare public-welfare policies,” a senior official in the CRS department of the RGI’s office told me. “The CRS data take years to make entry into the central database as people do not get birth and death registrations on time. Keeping this in mind, the CRS portal services was introduced to receive the real time data of births and death cases.” According to a report released in June this year, on the vital statistics of India in 2019 based on CRS records, at least 17 states and four union territories are presently using the online portal for registration of births and deaths in India.

To understand the operation behind the fraudulent certificates, it is necessary to first understand the official process for registration of births and deaths. According to the Registration of Births and Deaths Act, in cases of births or deaths at home, it is the duty of the head of a household to report it to the registrar exercising jurisdiction over that locality. In the case of a hospital, the duty lies with the medical officer in charge or anyone authorised on their behalf. In either case, the head of the household or the hospital authorities must fill a registration form on the online portal and submit it to the local registrar with supporting documents. The registrar scrutinises the application and the documents, and then accords approval and generates the required certificate, which can be downloaded by the applicant or the hospital authorities.

The act mandates that if an applicant seeks a certificate of birth or death over a year after it takes place, then she must first apply for an order before a local magistrate. The operation, however, offers an alternative to these processes which require no supporting documents or court orders. The VLEs offering to provide the certificates, with the help of the master login details purchased from the main operatives, are able to generate certificates instantly for their customers without seeking any supporting documents.

According to one 26-year-old VLE from Bihar, the entire operation originated when following a technical glitch, the CSC portal suspended the birth and death registration facility in 2019. “It was a big blow to the daily earnings of the VLEs as numerous people  would approach them for registrations and seeking printouts of their birth and death registrations on daily basis,” the Bihar VLE said. “One print of a birth and death certificate alone would earn them Rs 10 to Rs 50.”

Soon after, the Bihar VLE said, social-media platforms were flooded with offers to provide a direct access to the registrar’s login for Rs 1200 to Rs 1800. He said it began with a Telegram group of VLEs in Maharashtra that was created in 2019. “Someone created a group, “CSC VLEs All Maharashtra,” for all the VLEs of the state. The administrator then became inactive on Telegram for over six months, leading to the deletion of his account, following which the main operatives infiltrated the group and offered registrar-login details at a price of Rs 1,800. In the last two years, the operation has spread to Haryana, Punjab, Assam, Madhya Pradesh, Bihar, Uttar Pradesh and West Bengal. The Caravan has seen fraudulent certificates from each of these states. According to the Bihar VLE, a majority of the VLEs involved in the operation are not aware that it is unauthorised. “Since the access is generating genuine certificates, they still consider it to be legal,” the Bihar VLE said.

The VLEs, in turn, have further  circulated messages offering the service on WhatsApp and Telegram, some of them charging as low as Rs 200 per certificate. One message read that a PDF of the certificate would cost just Rs 200, but a certificate that can be verified online—possibly referring to a certificate with a QR code—would cost Rs 250. They asked only for certain details about the person whose certificate is necessary, all of which need to be filled in a form prepared in advance.

These details include the person’s name, Aadhaar, age, gender and postal address. One such message circulated by the VLEs read: “Iss form ko angrezi mein shudh shudh bharein. Galat hone ke baad iski zimmedari humari nahi hogi. Birth certificate aapko 5 se 10 min ke andar hi mil jayega.” (Fill this form carefully in English. We cannot be responsible for any mistake. You will get the birth certificate within five to ten minutes.)

In most cases, the Jalandhar VLE explained, the operation is carried out using login IDs that are not used. “It is mostly these inactive IDs that are being used prominently to gain unauthorised access into the central database, or to generate birth and death certificates of a particular state,” he said. Punjab has proved to be ideal state for the operation, because even though the state developed an independent civil-registration platform, its registrars still have functional login IDs for the CRS website.

The Caravan has scrutinised 31 birth certificates generated using the login details of the registrar of the Municipal Corporation Jalandhar. These certificates bear the stamp of the registrar, but certify births that took place in other districts, outside the jurisdiction of the Municipal Corporation Jalandhar, including Bathinda, Moga, Hoshiarpur, Kapurthala and Amritsar. One of the certificates records a date of birth in 1970, which establishes the potential of the operation with respect to citizenship. Under Indian citizenship law, an individual born in the country before 1987 would be considered a citizen without needing to show any further documentary proof about the citizenship of their parents.

When scanned, the QR code on the certificates took me to record of the same document on the CRS website, even though Punjab’s births are not recorded on the central CRS database. This suggests that these are fraudulently produced certificates that nonetheless contain genuine QR codes linked to the CRS database.

Gurinderbir Singh, the chief registrar of birth and deaths in Punjab, told me that the state uses the e-sewa portal developed by Punjab’s department of government reforms, and not the central CRS portal. But according to the senior CRS official, a registrar’s login details can only be compromised from the account of the chief registrar of a respective state. “Since CRS is a state subject, only the chief registrar of a state has the authority to create or delete a sub registrar’s account in his jurisdiction,” the official explained. “In the case of Punjab, it seems the chief registrar’s account has been compromised following which a fresh account of registrar, MC Jalandhar was created.” Singh did not respond when asked whether his login details had been compromised over the last four months.

*

This fake-certificates operation has not been completely under the radar. On 23 June, The Tribune reported that some fraudsters had tried to claim the insurance money of Dr Prashant Bhalla, the director of Manav Rachna Educational Institutions, using a fake death certificate issued by the Municipal Corporation Gurugram in Haryana. Bhalla’s wife, Deepika, filed a complaint after the insurance company went to their house to verify the death. When investigated, it was found that the official account of Gurugram’s birth and death registrar had been hacked and 14 fake certificates had been made.

“For all these certificates, there is no data available with the department,” The Tribune reported. The police speculated that the fraudsters hacked the login details of the Gurugram registrar and then stole the QR codes from death certificates issued the previous year, according to an official at the Gurugram CRS office. The official, who asked to remain anonymous, said that the fraudsters had taken complete control over the registrar’s login details by remotely changing the official email addresses linked to the CRS portal, and then changed their password.

It is unlikely that the QR codes were stolen, since the QR codes on the fraudulent certificates show the same certificates on the CRS website, and not a certificate of someone else’s birth or death. Moreover, given that the login details of the registrar were compromised, a new certificate could have been generated by the fraudsters without needing to steal a QR code. But it appears that the Haryana Police have not identified the full scale of the scam.

According to the official in the Gurugram CRS office, during an updation of the portal in April, officials discovered that the email addresses of the registrars of Haryana’s Gurugram, Pataudi, Haily Mandi and Sohana areas as well as other sub registrars, had been changed. “We found that the official ids of many of our sub-registrars were changed to a single id ‘teamleasepvtltd’ and the passwords were changed,” the official said. “The miscreants were managed to take complete access of the registrar’s account. We immediately alerted the CRS technical team and got them inactivated.”

The official added that the sub registrars found that the number of birth and death certificates listed on their IDs exceeded the number of certificates actually generated by them. The police also found that the fraudulently generated certificates were of individuals residing outside Gurugram, in other districts of Haryana. The cyber-crime unit of the Haryana Police has registered a first-information report into the case and it is still under investigation.

These cases are not the first reported instances of the login details of birth-and-death registrars being compromised. According to a report published in Amar Ujala in March this year, the login details of Dr Renu Agarwal, the chief medical superintendent of a district hospital in Noida, were compromised, following which the registration numbers of existing birth and death certificates were tampered remotely. In May this year, the Times of India reported a glitch in the Nagpur CRS system. Similar breaches were also reported in Rajasthan, Jharkhand, Uttar Pradesh and Bihar in July.

This is also not the first time that an initiative under the prime minister Narendra Modi’s Digital India programme has suffered a breach. In January 2018, I reported for The Tribune how some fraudsters had obtained login details into the Aadhaar database and were selling them to the massive VLE networks across the country. For a charge of just Rs 500, the VLEs were sold an entry into the central database of over one billion Aadhaar beneficiaries. As in the case of the civil-registration operation, the VLEs, in turn, used the login details to provide Aadhaar-related services to the public. 

In June this year, the Office of the Registrar General of India, or the ORGI, released the annual “Vital Statistics of India Based on the Civil Registration System” for 2019. The report claimed that the level of birth registration in India under CRS has reached 92.7 percent in 2019, from 82.4 percent in 2011, and death registrations went up to 92 per cent in 2019. It adds that 14 states and union territories achieved 100 percent level of birth registrations, and 19 states and union territories achieved the same level in cases of death.

The report further states that ten states have registered over 90 percent of the births and deaths. These are Assam, Kerala, Telangana, Uttarakhand, West Bengal, Rajasthan, Karnataka, Maharashtra, Haryana and Andhra Pradesh. Among these, apart from Telangana, Kerala, Rajasthan and Karnataka, all other states are using the uniform software developed by the ORGI on the CRS website. Given that the VLEs said that fake certificates have been in operation for over two years, the veracity of the annual report’s statistics remain unclear.

A fraudulent death certificate can cause major concerns for someone who is alive. Lal Bihari Mritak, a resident of Amilo village, in Uttar Pradesh’s Azamgarh district, fought an 18-year battle to prove himself alive after he was declared dead in official records. Earlier this year, the Bollywood film Kaagaz, starring Pankaj Tripathi, was released on his incredible journey. “Despite digital identities nowadays, one needs to fight a long court battle to prove himself alive,” Mritak told me. “In the process, a person either becomes too old or die before he could be proven alive. Sometimes a person needs to even fight multiple court battles to claim back his property rights.”

Section 15 of the Registration of Births and Death Act does empower a registrar to make corrections to the register if an entry is proven to be erroneous. However, according to Pradeep Sharma, a Chandigarh-based lawyer, “a large number of cases end in courts due to land or property disputes.” Similarly, Gautam Bhatia, a legal scholar, said, “It’s not necessary that digitisation will serve as a panacea. If the digital record goes wrong, it is even harder to get it corrected, as you can argue with a human being, but not with an algorithm.” 

The Jalandhar-based VLE spoke of fraudulent death certificates too. “One doesn’t have to actually die or kill someone to claim insurance money or a property,” he said. “We now have ghar-ghar Yamraj”—the god of death in every home—“sitting everywhere ready to make someone dead or alive officially with just the click of a mouse!”