Last Friday, the Unique Identification Authority of India's (UIDAI) Bengaluru Regional Office issued a press release instructing Aadhaar holders to use masked Aadhaar numbers and refrain from sharing photocopies of their cards.
“Unlicensed private entities like hotels or film halls are not permitted to collect or keep copies of Aadhaar card. It is an offence under the Aadhaar Act 2016. If a private entity demands to see your Aadhaar card, or seeks a photocopy of your Aadhaar card, please verify that they have valid User License from the UIDAI,” the release said.
The advisory added that citizens shouldn’t share photocopies of one’s Aadhaar with any organisations because it can be misused. Instead, it asked people to use the masked Aadhaar alternative, which displays only the last four digits of one’s Aadhaar number.
However, just two days later, the government withdrew the advisory, saying, “Aadhaar cardholders are only advised to exercise normal prudence in using and sharing their UIDAI Aadhaar numbers.”
“Aadhaar Identity Authentication ecosystem has provided adequate features for protecting and safeguarding the identity and privacy of the Aadhaar holder,” the Ministry of Electronics and Information Technology, the parent body of the UIDAI, said in a statement.
The sudden withdrawal sparked debate over the privacy and safety concerns with the Aadhaar. However, it's not the first time that such debates have come to the fore.
Controversies related to Aadhaar
The Supreme Court had in 2018 upheld the validity of the Aadhaar but flagged privacy concerns.
Amid questions related to the safety of Aadhaar, UIDAI’s former chief and then TRAI chairman RS Sharma shared his Aadhaar number on the microblogging platform Twitter and challenged everyone to show how mere knowledge of the unique number could be used to harm him.
It led to several Twitter users claiming to have dug up his mobile number, photographs, residential address, date of birth and even chat threads using the information.
The same year, several media reports exposed that the Aadhaar database could be accessed on the Internet, UIDAI had claimed that it was a case of unauthorised access to the site and that no biometric data was stolen or lost.
These are among the instances controversies have erupted over the security of Aadhaar and the people's data.
Can you lose your money?
Last year, Rs 30,000 were withdrawn from the bank account of a man in Lucknow using AePS by cloning fingerprints.
Criminals have devised ways to steal people's information including biometric data, thumbprints, and other details. Fraudsters download Aadhaar cards and access digital fingerprints. Then they use a thermal scanner, butter paper, mirror, thinner gel, glue, and image booster chemicals to create thumb impressions on rubber.
They put these cloned fingerprints on scanners of biometric machines attached with the National Payment Corporation Of India (NPCI) and UIDAI which authenticate the fingerprints and money is withdrawn or transferred from the bank account
Several cases of fraud have been reported in Jharkhand and Tamil Nadu in the direct benefit transfers (DBT) where government welfare funds were allegedly siphoned off using the Aadhaar-enabled payment system (AePS).
The AePS is a facility that enables someone who has an Aadhaar-linked account to withdraw money from it anywhere in India through biometric authentication with a “business correspondent” or a mini-ATM. AePS transactions are conducted by thousands of banking correspondents, their companies, banks, and other intermediaries.
Corrupt business correspondents have duped several people using their fingerprints.
Besides, there are organised AePS-based scams like the “scholarship scam” in Jharkhand.
Telangana police have also issued an alert on AePS fraud after several instances in Haryana, Jharkhand and other areas parts of the country.
In a message on social media platforms, Telangana police said: "If you lost money from the Aadhaar-enabled payment system without your knowledge, immediately disable your biometric link from your Aadhaar. Never share your Aadhaar details with anyone."
Will you get compensation in case of fraud?
Last year, the NPCI introduced detailed guidelines for banks to redress frauds through the AePS network. NPCI has directed issuing banks to notify it within five days when a customer registers a complaint, the acquirer bank (the bank processing the transaction) will get 10 days to make a submission for why the liability for the fraud is not on its end. The banks and NPCI will later decide who covers the loss.