Architecting World’s Largest Biometric Identity System: Aadhaar Experience
In this article, we will discuss the Aadhaar project, which was launched on January 28, 2009 and received a lot of international attention at the time. It is an identification project created to provide every Indian resident with a unique 12-digit identification number that can be used to access a variety of services and benefits. This number contains biometric data (fingerprints, iris scans), address, identification number and all other important details about an individual. It is now the largest biometric system in the world.
In 2014, Dr. Pramod Varma, chief architect and technology advisor to the Unique Identification Authority of India, gave a talk in which he outlined the reasons why the Aadhaar project was created. In India, the inability to prove one’s identity is one of the main barriers that prevent the poor from accessing benefits and subventions. There are nearly 1.4 billion people in India spread across almost 600,000 villages, for whom the Indian government spends $50 billion annually in direct subsidies. To provide these services, however, Indian agencies require proof of identity, but at the time there was no verifiable identity number program that residents could use. As a result, when Indian residents wanted to receive services, they went through an arduous personal identification process. In addition, the various service providers often required different documents from one another, making it even more difficult as Indian residents often lacked documentation.
The Aadhaar project was born with the goal of providing every resident of India with a unique identification number and helping them access government grants. This number allows residents to receive food stamps, apply for loans, insurance, pensions, property titles, … Furthermore, it also allows the government to ensure that social benefits go directly to the right person.
This project has generated a lot of controversy, especially with regard to privacy. Indeed, the Supreme Court of India ruled that the government could not make such identification mandatory for Indian residents wishing to access government services. It also ruled that the collection, use and storage of citizens’ biometric data was a violation of privacy. This decision raised many questions about the Aadhaar policy and it took a long legal battle for the Supreme Court to declare Aadhaar constitutionally valid. Another major controversy involved the linking process: Aadhaar was supposed to be linked to the PAN card and phone number when there was no reason to do so.
In March 2018, an article addressing privacy and data security issues was published by IEEE Spectrum: “As Aadhaar has grown, the program has also proven susceptible to fraud. In January, The Tribune reported that village-level Aadhaar enrollment agents were selling access to personal details for as little as $8. The ability of third parties to compile such data in a central repository may be one of the weaknesses of the Aadhaar system […]. Days later, the Unique Identification Authority of India said it would offer facial recognition along with user-generated virtual ID numbers to verify personal identities, so users would not have to reveal their Aadhaar numbers for every transaction”.
Despite all this, the Unique Identification Authority of India stood firm and said that the project could never be hacked. To prove them wrong, a French hacker named Baptiste Robert revealed a flaw in the Indian biometric database.
He revealed that the biometric data of 20,000 Indian citizens could be accessed in a few clicks. Two months later, realizing that the flaw persisted, the engineer decided to reveal how to obtain, “in one minute”, the password of the database. The Unique Identification Authority of India finally gave assurances on the social network that no malicious use could be made of this data, ignoring the bank fraud and the diversion of food stamps for which it was nevertheless used in 2018.
Whether Aadhaar is a reliable and secure system or whether it violates the privacy of Indian residents is indeed a big question. Nevertheless, putting this issue aside, Aadhaar has truly marked the digital revolution in India and even today, it is the largest biometric system in the world.