and from bank accounts to mobile
wallets and loyalty accounts, building
a Venmo-like product in India is much
easier. This is the reason India has
seen an explosion of payment apps
recently, including global players such
as Samsung, Google, and WhatsApp.
How UPI did this was by first defining the Payments Markup Language. It
standardized the instruction for push
(sending) and pull (requesting) of
money. All transactions are available
on API endpoints, so that payments
become a feature, not just an app. By
standardizing and defining the Payment Markup Language, UPI could
introduce features such as recurring
payments that were previously only
available through credit cards and
tedious bank mandates.
Further, as part of its open architecture, UPI uses a pluggable authentication model, so that it is not dependent
on any particular identity or mode of
authenticating. This was important
from the point of view of inclusion. In
India, enabling digital payments cannot assume the presence of a smartphone. We were able to create two
important apps on top of UPI to serve
even those without smartphones. The
first was the USSD-based *99#, which
enabled all transactions that a UPI app
could do, but on a feature phone. The
second was Aadhaar Merchant Pay.
Using Aadhaar authentication, NPCI
could transfer money from a user’s bank
account to that of a merchant without
the user needing a smartphone.
The consent to transfer is instead
collected via biometrics at the terminal
of an agent, who may have a smartphone
or a specialized point-of-sale machine.
UPI unbundled the “address” of
payments. Instead of requiring users
to remember an arbitrary combination of account numbers and routing
numbers, UPI standardized the payment address. In UPI, every payment
address is of the form “name@entity.”
This address is then resolved internally by NPCI to the correct account.
Every account may have multiple payment addresses linked to it, so that the
user may give john-banker@citi to his
colleagues and john-gamer@sbi to his
friends and both route money to the
same underlying account from ICICI.
Figure 2 also alludes to the four-
The debate engendered by the Aadhaar project has propelled India from being a predominantly
pre-privacy society to one in which privacy protection in digital databases has emerged as a major
national concern. The welcome and scholarly Supreme Court judgment [8] has upheld privacy as
a fundamental right, and informational self-determination and the autonomy of an individual
in controlling usage of personal data have emerged as central themes across the judgment. The
main privacy concerns with Aadhaar are: [1]
• Identity theft. Aadhaar is vulnerable to illegal harvesting of biometrics and identity
frauds because biometrics are not secret information. [4, 11] Moreover, possible leakage of
biometric and demographic data, either from the central Aadhaar repository or from a point-of-sale or an enrollment device, adds to the risk.
• Identification without consent using Aadhaar data. There may be unauthorized use of
biometrics to identify people illegally. Such violations may include identifying people by inappropriate matching of fingerprint or iris scans, or facial photographs stored in the Aadhaar
database, or using the demographic data to identify people without their consent and beyond
legal provisions.
• Correlation of identities across domains. It may become possible to track an individual’s
activities across multiple domains of service using their global Aadhaar IDs, which are
valid across these domains. This would lead to identification without consent.
• Illegal tracking of individuals. Individuals may be tracked or put under surveillance without
proper authorization or legal sanction using the authentication and identification records
and trails in the Aadhaar database, or in one or more authentication-requesting-agencies’
databases. Such records may reveal information on location, time, and context of authentication and the services availed.
Also, Aadhaar does not record the purpose of authentication. Authentication without
authorization and accounting puts users at serious risk of fraud because authentication or KYC meant for one purpose may be used for another. [6] Recording the purpose of
authentication is crucial, even for offline use. [2] Privacy-by-design is not achieved by self-imposed blindness.
Lack of protection against insider threats and lack of virtual identities (which were
retrofitted in a limited way [9]) raise some serious privacy concerns, and the absence of a
clear data usage policy and regulatory oversight exacerbates the problem. [1]
Without a robust consent and purpose limitation framework and a regulatory access control architecture, the privacy concerns will remain. The inadequate privacy safeguards can potentially
give the government of the day unprecedented access to information and power over its
citizens, threatening civil liberty and democracy. [3, 5, 7]
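An added illustration (not part of the original sidebar, and not UIDAI's Virtual ID scheme) of the two safeguards discussed above: per-domain identifiers that cannot be joined across agencies, and an authentication result bound to its stated purpose. The HMAC construction, the agency names, the purposes and the sample ID are assumptions made for this example, and verification is assumed to be done by the issuer or an auditor holding the key.

```python
import hashlib, hmac, secrets

GLOBAL_ID = "0000-1111-2222"  # constructed sample ID, not a real number

def _mac(key: bytes, *fields: str) -> str:
    # Length-prefix each field so field boundaries cannot be shifted.
    data = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def domain_pseudonym(key: bytes, global_id: str, domain: str) -> str:
    """Stable inside one domain; unlinkable across domains without the issuer key."""
    return _mac(key, "pseudonym", domain, global_id)[:32]

def linkable(db_a: list, db_b: list) -> set:
    """Identifiers two agencies could join on if they pooled their records."""
    return {r["id"] for r in db_a} & {r["id"] for r in db_b}

def issue_token(key: bytes, pseudonym: str, domain: str, purpose: str) -> dict:
    """Authentication result bound to the requesting domain and the stated purpose."""
    return {"id": pseudonym, "domain": domain, "purpose": purpose,
            "tag": _mac(key, "auth", domain, purpose, pseudonym)}

def verify_token(key: bytes, token: dict, domain: str, purpose: str) -> bool:
    """Recompute the tag from the verifier's own context, not from the token's claims."""
    expected = _mac(key, "auth", domain, purpose, token["id"])
    return hmac.compare_digest(token["tag"], expected)

def demo() -> dict:
    key = secrets.token_bytes(32)  # held by the identity issuer only
    bank_id = domain_pseudonym(key, GLOBAL_ID, "bank")
    telecom_id = domain_pseudonym(key, GLOBAL_ID, "telecom")
    token = issue_token(key, telecom_id, "telecom", "sim-activation")
    return {
        # Both agencies store the same global ID, so their records join.
        "global_join": linkable([{"id": GLOBAL_ID}], [{"id": GLOBAL_ID}]),
        # Each agency stores only its own pseudonym, so nothing joins.
        "pseudonym_join": linkable([{"id": bank_id}], [{"id": telecom_id}]),
        "stated_purpose_ok": verify_token(key, token, "telecom", "sim-activation"),
        "other_purpose_ok": verify_token(key, token, "telecom", "open-payments-account"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
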
The Supreme Court’s three-pronged proportionality test for the constitutionality of Aadhaar was based on determination of a rational nexus between the objectives and the means,
of necessity (implying that the adopted means are the least intrusive for the purpose), and
of balancing of extents to which rights are infringed. [7] Although the majority judgment
upheld the constitutionality of Aadhaar, it struck down most of its uses on privacy grounds
and limited its scope to only disbursement of welfare and income tax. The dissenting minority judgment, however, found Aadhaar to be unconstitutional in its entirety. Moreover, the
Supreme Court of Jamaica has also recently struck down its very similar Jamaican National
Identification and Registration Act (NIRA) as unconstitutional by heavily relying upon and
extensively citing the dissenting Aadhaar judgment. [10] Judicious design of a national identity
system that is respectful of fundamental rights is still very much an open problem.
Privacy Concerns with Aadhaar
BY SUBHASHIS BANERJEE AND SUBODH SHARMA
DOI: 10.1145/3353770
References
1. Agrawal, S., Banerjee, S. and Sharma, S. Privacy and
security of Aadhaar: A computer science perspective.
Economic and Political Weekly 52, 37 (2017), 16.
2. Banerjee, S. and Sharma, S.V. An offline alternative
for Aadhaar-based biometric authentication, 2018;
http://bit.ly/330m8jn
3. Drezé, J. The Aadhaar coup, 2016; http://bit.ly/2IfqQSe
4. Khaira, R. Rs 500, 10 minutes, and you have access
to billion Aadhaar details. Tribune India, 2018;
http://bit.ly/2wW5wdY
5. Khera, R. Dissent on Aadhaar: Big Data Meets Big
Brother. Orient Black Swan, 2019.
6. PTI. UIDAI suspends Airtel, Airtel Payments
Bank’s e-KYC license over Aadhaar misuse, 2017;
http://bit.ly/2IJnjdR
7. Puttaswamy, KS and Another v Union of India. Writ
petition (Civil) No 494 of 2012. Supreme Court
judgment dated Sept. 26, 2018;
https://indiankanoon.org/doc/127517806/
8. Puttaswamy, KS v Union of India. Writ petition (Civil)
No 494 of 2012. Supreme Court judgment dated Aug.
24, 2017.
9. Sharma, S. (via P.V. Singh). Virtual ID is a good
beginning; much more remains to be done, 2018;
http://bit.ly/2YxDmp5
10. Supreme Court of Judicature of Jamaica. Justice
Sykes, B. Justice Batts, D. and Justice Hamilton, L-P.
Claim No. 2018HCV01788 between Julian J. Robinson
and The Attorney General of Jamaica, 2019;
http://bit.ly/31r3XTg
11. Viswanath, L. Four reasons you should worry about
Aadhaar’s use of biometrics, 2017;
https://thewire.in/featured/real-problem-aadhaar-lies-biometrics
Subhashis Banerjee (suban@cse.iitd.ac.in) is a professor
in the Department of Computer Science and Engineering at
Indian Institute of Technology Delhi, India.
Subodh Sharma (svs@cse.iitd.ac.in) is an assistant
professor in the Department of Computer Science and
Engineering at Indian Institute of Technology Delhi, India.
© 2019 ACM 0001-0792/19/11