A little bit of epoxy can get India’s wellness system off the ground

Placeholder while article actions load

Prime Minister Narendra Modi’s welfare model is not new to India: Past leaders have also subsidized food and fuel, and given the rural poor houses, toilets and paid work. Modi’s advantage comes from technology. A year before the 2014 elections that brought him to power, the government, then led by the Congress Party, had tested direct cash transfers to beneficiaries, modeled on former Brazilian President Lula da Silva’s popular Bolsa Familia program. Modi took that modest $1bn start and turned it into a $300bn vote magnet – and he did it with the help of 12-digit numbers.

Those numbers, and the ID cards that bear them, are known as “Aadhaar”. It’s a biometrics-based system through which almost everyone in the second most populous nation can prove who they are. Aadhaar, which means “foundation” in Hindi, supports more than 450 million no-frills savings accounts and has bolstered the use of mobile internet for financial transactions even in remote villages. Five years ago, Nobel Prize-winning economist Paul Romer endorsed Aadhaar as a model for the world.

Increasingly, however, it seems that there is a bit of epoxy putty, literally, at the very foundation of Modi’s welfare program.

Taking the fingerprints of 1.33 billion people and registering their personal information and iris scans in a central repository was no mean feat. This super-expensive database was expected to pay for itself by helping reduce waste in public programs and preventing theft. That was touted as a huge advantage in a country plagued by corruption where state benefits have a hard time reaching rightful beneficiaries.

However, activists have highlighted numerous incidents of denial of benefits: fingerprints fade with intense manual labor; fixing data entry errors can be a nightmare. Those problems have been largely ignored.

Now there is a growing problem in the other direction: scammers are using Aadhaar very successfully. Blame ubiquity combined with lax controls. Although the unique identification was conceived to make social assistance programs more efficient, private entities wasted no time in harnessing its potential. Banks and telcos used Aadhaar to conduct online know-your-customer verifications, dramatically lowering the cost of authenticating customers. In the process, Aadhaar became ubiquitous and private data began to appear for sale on the dark web.

The government’s response has been to eliminate everything. Anything that casts doubt on the integrity of the system is ignored. That’s not surprising: Having chosen a technology and universalized it, policymakers have no other route to build transaction trust. In 2018, the Supreme Court of India restricted the use of the database and prohibited private entities from using it for know-your-customer checks. Since then, however, New Delhi has been opening legal back doors for the private sector to further exploit.

Last month there was a wake-up call about identity fraud. The Unique Identification Authority of India, or UIDAI, issued a notice asking people not to hand over photocopies of their cards “because they may be misused.” Additionally, the notice said that only users licensed by the authority can query the database to authenticate identity; establishments such as hotels or movie theaters are not allowed to collect or keep copies. After people began to wonder why this warning was being issued when everyone’s Aadhaar information was already circulating everywhere, it was withdrawn the same day and replaced with new guidance advising people to “act with normal caution.” .

So what is going on? The Morning Context, an Indian news website, recently gave an alarming report of scams. It seems that anyone can learn how to clone a fingerprint with epoxy putty on YouTube; and anyone can buy an ID card online. Fingerprints can be extracted from digitized property sales deeds. Or, to steal money from bank accounts, a mobile app used by small village shops that function as micro-ATMs for Aadhaar holders could be hacked. There was a sixfold increase in overall Aadhaar fraud registered with the UIDAI last year, the May 30 article said. “There is no data on the full extent of social benefits swindled, demoted accounts and criminal complaints filed,” Morning Context added.

More disturbing than the crime is the official silence about its prevalence or seriousness. The recently released Payments Vision 2025 by the Reserve Bank of India gives a nod to “significant growth in the Aadhaar-enabled payment system (AePS) through the merchant agent-assisted model.” More than 2 billion micro-ATM transactions took place last fiscal year; that’s Aadhaar’s $38bn entanglement with the banking system, all of which is on behalf of customers at the bottom of the economic pyramid. say about making security stronger for deposit, withdrawal and transfer services used by the poor.

Then there is the welfare plank: Aadhaar Payment Bridge System is the government’s way of transferring cash to beneficiaries. Even here, there are weaknesses. In 2018, Ram Sewak Sharma, the former head of UIDAI, made his Aadhaar number public on Twitter and challenged privacy activists: “Show me a concrete example where you can harm me!” It turns out that someone managed to register Sharma as an eligible farmer and the Modi government paid him three installments in free cash. It can be broken down into details about whether the vulnerability was in Aadhaar or elsewhere, but the hacker was proven right.

Modi’s new welfarism is based on Aadhaar. But if there are cracks in the building, they should be recognized, not to scare users, but to make them more aware. At the same time, India needs a strong data protection law. Losing money is bad enough. But it is scary if a bad actor can put a person in a specific place or link him to an activity with the help of a fake transaction. Sealing wax on the foundation of trust simply won’t do.

More from Bloomberg’s opinion:

• Facebook’s biggest threat is the law, not lawsuits: Parmy Olson

• Why aren’t there more public restrooms in New York?: Stephen Mihm

• Trust, privacy and India’s need to protect both: Andy Mukherjee

(1) The most conventional digital payment public utility in India is the Unified Payments Interface, or UPI, which is widely seen as a remarkable innovation that emerged from a developing country.

This column does not necessarily reflect the opinion of the editorial board or of Bloomberg LP and its owners.

Andy Mukherjee is a columnist for Bloomberg Opinion who covers industrial companies and financial services in Asia. Previously, he worked for Reuters, the Straits Times and Bloomberg News.

More stories like this are available at bloomberg.com/opinion

Leave a Reply

Your email address will not be published.