UIDAI, and its CEO, are Yet to Say Anything That Can Help us Trust Them

With only one biometric authentication, and five failed attempts, Ajay Bhushan Pandey's authentication history for five months doesn't exactly spark more faith in the UID system.

Dear Mr. Ajay Bhushan Pandey,

Over the last five years, I have received multiple requests – some polite, some forceful, but mostly threatening – to hand over my data to the Unique Identification Authority of India (UIDAI), the organisation you head. Each time, I have most respectfully declined.

Trusting any third-party with items of importance is a task best handled with care. It also involves ascertaining that the organisation that you are handing over your data to is absolutely capable of taking good care of it.

It seems to me, from your public statements and Aadhaar authentication history – portions of which you made public in the ongoing Supreme Court hearings – that it is likely you might not be able to do so. Let me explain.

First up, finding and eliminating bugs in the Aadhaar system – which can lead to critical data leaks – is not one of your priorities.

India has pushed and cajoled over a billion people into signing up, and there is no official public policy on how concerned security researchers can report potential vulnerabilities. This is akin to saying that ‘all is well, there are no problems because nobody has told us we have an issue’.

And yet, you say that hacking threats (from domestic and foreign entities) give you sleepless nights. Perhaps a bug-reporting policy would give you an extra couple of hours each night? “There are attempts almost every day to hack [the] Aadhaar system, but none has succeeded,” you said recently.

No one has succeeded? The real question is whether you would tell us if an attempt had been made, given your controversial and often misleading history of denials.

Indeed, you deny too much. In the past month, you said that the UIDAI has “trashed” the ZDNet report and “refuted” the Aadhaar data leak by a Delhi researcher.

However, when you don’t say anything, it’s equally revealing. And there have been no public tweets denying The Tribune’s expose. I checked and checked, yet could not find any.

Moving on, you believe that the advent of Aadhaar and Aadhaar-linking cannot possibly result in any state or potentially hostile private entity constructing a 360-degree profile.

In the ongoing Supreme Court case, to prove this point, you made public your Aadhaar authentication history, but it actually revealed the following:

Between November 2017 to March 2018, you authenticated your Aadhaar identification a total of 26 times, of which five attempts failed. While it isn’t a good enough sample to derive any concrete conclusions, it’s more proof of how probabilistic Aadhaar is as an identification technology.

There’s a good chance that you currently hold three accounts in ICICI bank (bank accounts or credit cards), which are Aadhaar linked. It is possible to conclude that these are three distinct accounts, because the “UKC” fields are different, thus implying that these are different transactions and hence not the same account number (Linking one account number is usually a single transaction).

A screenshot of Pandey’s authentication attempts.

You also have an IDFC account, which is curiously not Aadhaar-linked, since it failed once and there were no further attempts to link it again in the history.

While there is an Aadhaar-linked Vodafone postpaid SIM card in your name, you probably don’t have your insurance accounts linked with Aadhaar. There are probably no insurance policies linked with Aadhaar, since there were no attempts from AUAs which are insurance companies.

Unlike your predecessor, Nandan Nilekani, you don’t appear to use the Aadhaar-enabled biometric attendance system as you enter your office and start a day’s work. If you did, there would be more authentication attempts recorded.

Also unlike the famous Matunga hotel in Mumbai, whose owner eats there – and hence first-hand knows the potential problems with the food cooked there – you don’t generally use biometric authentication (only once) and hence may find it difficult to empathise with the troubles facing some of India’s poorest and most vulnerable.

You are indeed a good bureaucrat who loves demos and follows up on progress methodically. And you certainly do spend time at work when there is a crisis.

I hope that I have demonstrated to you with the examples and analysis so far, why I find your proposal to hand over my data very unconvincing. Since you hold a doctorate in computer science, might I remind you of an old joke about what metadata can reveal about a person:

“I know you called your doctor, then your insurance company, then your doctor again, then two cancer treatment centers, then your ex-girlfriend, then your wife. But don’t worry, I have no idea what you talked about.”

Actually, jokes are redundant when your out-of-touch responses themselves generate laughs, as when you claimed that there were no privacy concerns with the Aadhaar ecosystem because the main database is behind “13 feet-high, five-feet thick walls”.

This is not looking good at all. If you can’t laugh at yourself, it may be difficult to handle the stress of all those hacking threats and take prompt action.

I sincerely hope that you consider my rejection to hand over my data in the right spirit. As a citizen of the country, whose tax money helps fund your organisation, we are all in this together – even if we don’t see eye to eye on about my private data and your capability to keep it safe.