[jace]

It is designed to be a universal foreign key. The number is supposed to be confidential, but almost no one treats it as such, and the founding CEO of the organisation (since retired) has repeatedly argued in public that the number should be public, and the official policy of regarding it as confidential was a poor compromise made to satisfy privacy critics. Since the architecture is not designed around confidential numbers, there is no actual way to keep it confidential.

Tokenization was promised and implemented in a rush while petitions against Aadhaar were being heard in the Supreme Court in 2018, but the tokens (called "virtual id") are not usable anywhere.

[vsskanth]

Curious, what was the proposed architecture supposed to look like with a public ID ?

[jace]

You have one and only one Aadhaar number.

You give it to every service provider that has internal reasons to prevent double sign-up (usually: state sponsored subsidy)

Or if you don’t comply, the service provider will share their entire database with UIDAI (Unique ID Authority of India) and discover your Aadhaar number and add it to your record themselves. This scheme was colourfully marketed as “inorganic seeding” and ran without legal backing for several years.

If an Aadhaar number shows up twice in the database, it is considered a duplicate and the extra entry is deleted from the service provider’s database.

If no Aadhaar number shows up for a customer, it is considered a ghost and that person is also removed from the database. Sample side effects:

1. Several individuals who depended on the state for food grains were now classified as ghosts and died of hunger. The government attempted to dismiss the news as too fantastical to be true.

2. In an experimental case, this was done on a voter database in one state, and two million individuals found they could not vote in the 2019 elections because their voter identification was deleted. The government saved a shitload of money by not bothering to notify these individuals, also in violation of a legal requirement for due process.

Somewhere in the middle of these delightful experiments, they acknowledged that it was a bad idea to allow random service providers to upload their entire customer database, so they stopped the service. This enlightenment conveniently came after every major provider had run through the program once.

Later still, they acknowledged that if a service provider can add an Aadhaar number against a customer’s record without the customer’s consent, then nothing prevented fraud from occurring within the service provider. The solution to this problem was to acknowledge that Aadhaar numbers are confidential, so that an individual is protected from fraud in their name — as long as they manage to keep their number confidential.

Of course, no solution was found for service providers adding random Aadhaar numbers to create new ghosts.

Oh, and incidentally, it is not possible to perform biometric authentication on a dead person, and so it is not possible to mark an Aadhaar holder as deceased. The dead cannot certify their own death, and as RS Sharma — that founding Director General (whose post was later designated as CEO) keeps telling everyone [1][2], Aadhaar numbers were designed to be public and usable only against biometric authentication.

So now by design, Aadhaar numbers are perpetual, valid as long as they are in use, and any service provider can claim to be providing service to any Aadhaar number, and dead people can’t complain about deficient service, which is most convenient for fraudsters. The dead live on as ghosts in the machine.

[1] https://indianexpress.com/article/opinion/columns/aadhaar-in... [2] https://www.thehindu.com/news/national/concept-of-aadhaar-da...