The IL&FS Aadhaar enrolment scandal - Part 1

Why the Aadhaar database is fatally compromised, why the UIDAI has known about it for years, and how they covered it up. (thread)

2. This is a story about a scandal so big it should have marked the cancellation of the entire Aadhaar project (and, if fully reported, still will).

3. It begins in Hyderabad, in 2012. The Govt of undivided Andhra Pradesh was one of the earliest and most enthusiastic adopters of Aadhaar. So much so that, by 2012, Hyderabad district *already had more Aadhaar numbers than people*.

4. IL&FS was one of the original companies approved ('empanelled') by the UIDAI to undertake Aadhaar enrolment back in July 2010 (before the first Aadhaar number had even been issued).

5. IL&FS was then contracted by the AP State Registrar (the AP Dept of Civil Supplies) as one of several enrolment agencies selected to carry out Phase I and Phase II Aadhaar enrolment on behalf of the State Registrar.

6. This it did at a frantic pace, working alongside the other UIDAI-empanelled enrolment agencies contracted by the AP State Registrar. These were:

- eCentric Solutions
- Gouthami Ed. Soc.
- Grapesoft Solutions
- Infronics Sys.
- Madras Sec. Printers
- Smartchip
- Tera Software

7. Then, on April 20th 2012, the AP Dept of Food and Civil Supplies received a confidential communication from the UIDAI (Ref: UIDAI/Hyd/AP-Fraudulent Enris/133055).

8. This stated that an IL&FS enrolment operator - one Mohammed Ali - had carried out 60 fraudulent enrolments under the biometric exception category, all of which had already resulted in the issuance of Aadhaar numbers.

9. These Aadhaar enrolments, details of which were provided by the UIDAI, had only been retrospectively identified as fraudulent because the image provided was an obvious photograph of a photograph (a so-called 'photo-on-photo' enrolment).

10. The UIDAI's letter stated that the same operator had undertaken a total of 870 b/m exception enrolments in October 2011 which it presumed were mainly fictitious, and also "around 30,000 [regular] enrolments in the last few months" which "appear to be fraudulent".

11. Upon receiving this notification, the AP Commissioner of Civil Supplies (Harpreet Singh) wrote to the Hyderabad Commissioner of Police on April 23rd providing details of the UIDAI’s letter (including the 60 enrolments attached).

12. On April 26th, an FIR was formally filed under Sections 468, 471, 420, 419 and 120(b) at Charminar Police Station (No: 106/2012), naming the accused as “Mohammed Ali” and “Employees of Infrastructure Leasing Financial Services Ltd., and others”.

13. Then, on April 27th, the Times of India broke the story.

And that's when everything started to unravel for the UIDAI.

[End of Part 1]

The IL&FS Aadhaar enrolment scandal - Part 2

Gone public.

16. The Times of India’s first report on the case, on April 27th, reflected what the UIDAI, the AP Dept of Civil Supplies and the Hyderabad Police *thought* they knew.

17. There was an Aadhaar enrolment agent named Mohammed, with supervisor-level credentials, who was currently working for IL&FS in the Old City of Hyderabad.

18. This operator had carried out 30,000 apparently fraudulent Aadhaar enrolments in the previous six months, including over 800 under the biometric exception category.

19. The police had filed a case against him, tracked him down, and were bringing him in for questioning.

20. The Times’s public disclosure of the case was, from the UIDAI’s perspective, a major problem. Throughout late 2011 and early 2012, they’d been starting to come to terms internally with the scale of the crisis

21. their jugaadu approach to Aadhaar enrolment and issuance had created, while simultaneously trying to conceal its full implications (which they knew threatened the very foundations of the project) from policymakers and the general public.

22. In the face of epidemic levels of fraud and malpractice by Aadhaar enrolment agencies, and clear evidence that the UIDAI’s internal systems and processes were completely unable to guarantee the integrity of the issuance process,

23. the UIDAI had quietly begun to suspend (without any public disclosure of the relevant malpractice) many of the largest private Aadhaar enrolment agencies it had initially empanelled.

24. By the time the IL&FS scandal broke, the UIDAI had already suspended not only IL&FS itself, but also:

- Alankit
- 4G Identity Solutions
- Madras Sec. Printers
- Smartchip
- Techsmart
- Tera Software
- Vakrangee

25. But the Times’s public disclosure of the case, although a problem, was not an insurmountable one. There was no denying 30,000 fraudulent enrolments was a large number, but the UIDAI had already successfully weathered several potentially damaging public revelations

26. about the Aadhaar enrolment system, like the findings of the Maharashtra IT Dept’s surprise inspection of Tera Software’s Aadhaar enrolment operations in Bombay in 2011,

27. or the arrest of Mohammed Ali (no relation) in Hyderabad in January 2012. Why should this case be any different?

28. Except the police investigation, under the direction of investigating officer V. Shyam Babu, was moving fast. And it was about to turn the UIDAI’s world upside down.

[End of Part 2]

The IL&FS Aadhaar enrolment scandal - Part 3

Losing control.

30. So where did the case stand on April 27th?

Using the information on the 60 suspect enrolments enclosed with the UIDAI’s original letter, the investigation team had established that the details provided with the enrolments were false,

31. identified and tracked down the IL&FS enrolment operator responsible (Mohammed Ali), and were bringing him in for questioning.

So far, so straightforward.

32. And then, on April 29th, came the Times’ second article.

Here it is. Take some time with it.

33. Those 30,000 suspect enrolments which the UIDAI’s systems showed had been carried out by Mohammed Ali?

They hadn’t.

34. In fact, Mohammed Ali didn’t even work for IL&FS any more - he’d been sacked (without the UIDAI’s knowledge) six months earlier.

35. Following his termination, Aadhaar enrolment agents at 20 different enrolment centres across the Old City had been using his credentials to fraudulently upload Aadhaar enrolment packets, against which valid Aadhaar numbers were then issued.

36. Except how was this possible? Didn’t the UIDAI’s systems require biometric authentication by an operator for each enrolment, supposedly rendering the creation of fraudulent enrolment packets impossible?

37. Take a deep breath.

38. And IL&FS?

They were in on it.

[End of Part 3]