As India-Five Eyes Relations Sour, US Ratings Agency Moody’s Takes Aim at India’s Aadhaar Digital ID System

The report calls into question key aspects of India’s digital ID program, including its heavily centralised nature, the reliability of its biometric identification systems and its vulnerability to data breaches.

Relations between India and the so-called “Five Eye” nations (United States, United Kingdom, Australia, Canada and New Zealand) are in a bit of a rough patch. According to an article in The Hindu, India’s second most circulated English-language newspaper, India’s relations with Canada are now at their lowest point since the 1980s, after Justin Trudeau raised “credible” allegations last week that Indian agents were involved in the murder of Canadian citizen Hardeep Singh Nijjar — a Sikh plumber-cum-separatist leader shot dead by masked gunmen on the outskirts of Vancouver in June.

Delhi, of course, has denied any involvement while saying it will cooperate with any investigation. Nonetheless, the ensuing diplomatic crisis has so far led to visa suspensions and reciprocal expulsions of senior diplomats. The Trudeau government already paused negotiations on a Canada-India free trade agreement more than two weeks before going public with its allegations.

And it is not just Canada that is casting aspersions on India’s possible role in the crime. According to the US envoy in Ottawa, David Cohen, Trudeau’s allegations, first aired in Canada’s parliament last week and then reiterated at the UN General Assembly last weekend, were based on “shared intelligence among Five Eyes partners”:

“There was a lot of communication between Canada and the United States about this… We have been consulting throughout very closely with our Canadian colleagues — and not just consulting, coordinating with them — on this issue. And from our perspective, it is critical that the Canadian investigation proceed, and it would be important that India work with the Canadians on this investigation. We want to see accountability, and it’s important that the investigation run its course and lead to that result.”

US Secretary of State Anthony Blinken has echoed these sentiments, confirming that the US is “coordinating” with Canada and is seeking “accountability,” while stressing that “it’s important that the investigation run its course.” Interestingly, Blinken did not mention the spiralling US-Canada dispute in the readout following his meeting in Washington yesterday with India’s Foreign Minister Subrahmanyam Jaishankar, but that does not mean it was not discussed.

Aadhaar Under Attack

Now, a report by Moody’s Investor Services on some of the challenges facing digital identity programs around the world is raising hackles in the subcontinent. The main cause of the anger is a three-paragraph section that calls into question key aspects of India’s digital ID program, known as Aadhaar, including its heavily centralised nature, the reliability of the biometric identification systems it uses and its vulnerability to data breaches:

Aadhaar, the world’s largest digital ID program, assigns unique numbers to over 1.2 billion Indian residents using biometric and demographic data. This system enables access to public and private services, with verification via fingerprint or iris scans, and alternatives like One-Time Passcodes. The Unique Identification Authority of India (UIDAI) administers Aadhaar, aiming to integrate marginalized groups and expand welfare benefits access.

However, the system faces some hurdles, including the burden of establishing authorization and concerns about biometric reliability. There have been cases of service denials, and there are risks to reliability of biometric technologies, especially for manual laborers in hot, humid climates.

The real kicker comes in the third paragraph, which argues that decentralised identity [DID] programs such as the SSI [Self-Sovereign Identity] system rolled out by countries like Estonia — which is now working with the Zelensky government to pilot a national mobile application modeled on Ukraine’s Diia application — offer a far better approach to digital ID than India’s heavily centralised system:

In recent years, the spotlight has shifted toward DID [Decentralized Identity programs] as a strategic response to the security and privacy vulnerabilities posed by centralized ID systems like Aadhaar. While DID systems are currently in their formative stages, they harbor significant potential to introduce a more robust and private avenue for managing digital identities.

Perhaps most damning of all, the short section on Aadhaar is presented alongside an even shorter section on Worldcoin, the controversial iris biometric cryptocurrency project developed by San Francisco and Berlin-based Tools for Humanity. Co-founded by OpenAI chief executive Sam Altman, the venture has “faced scrutiny over its data collection practices,” notes the report. “Critics have also voiced concerns about potential privacy violations, security breaches, and the potential misuse of Worldcoin’s data, which could lead to identity theft or surveillance.”

Moody’s Motives?

It is not clear whether Moody’s criticisms are merely poorly timed, given the geopolitical backdrop, or form part of a broader campaign in the Anglosphere against India’s interests — a campaign that some claim began at the beginning of this year when US hedge fund Hindenberg Research accused Adani Group of perpetrating “the biggest con in corporate history.” The afund’s ccusations of “brazen stock manipulation and accounting fraud” triggered a whopping $50 billion plunge in the value of the shares of India’s then largest conglomerate.

“This is not merely an unwarranted attack on any specific company but a calculated attack on India, the independence, integrity and quality of Indian institutions, and the growth story and ambition of India,” Adani said in response. “The allegations and insinuations, which were presented as fact, spread like fire, wiping off a large amount of investor wealth and netting a profit for Hindenburg. The net result is that public investors lose and Hindenburg makes a windfall gain.”

India’s refusal to endorse their self-harming sanctions against Russia has angered the US and its NATO vassals partners no end. As readers may recall from the second instalment of Jerri Lynn’s excellent two-part piece on India, the war in Ukraine and the emerging multipolar world, U.S. deputy national security advisor Daleep Singh even warned the Modi government during a state visit to India in April 2022 that there would be  “consequences” for countries, including India, “that actively attempt to circumvent or backfill the sanctions.”

Predictably, Singh’s threats have had the opposite of their desired effect. India has actually deepened its trade ties with fellow BRICS member Russia since then, becoming the largest buyer of seaborne Russian oil this year. It has also struck bilateral currency agreements with Russia as well as the UAE and Indonesia as part of the Modi government’s plans to internationalise the rupee. And as Conor reported recently, it is speeding up efforts to complete a new sanction-free transport corridor with Russia and Iran that would largely cut Europe out of the picture.

Sensitive Timing

The timing of Moody’s report is highly sensitive, and not just because of the fraught diplomatic backdrop. Its publication comes roughly a month after the BRICS’ leaders summit and less than two weeks after India hosted the G20 annual meeting, which was widely hailed as a success despite the absence of both China and Russia.

One of the main points of discussion at the event was the design and implementation of “digital public infrastructure,” or DPI, on which India has both extensive experience and expertise. The G20 Leaders’ Declaration described DPI as “a set of shared digital systems, built and leveraged by both the public and private sectors, based on secure and resilient infrastructure.” Examples include digital vaccine passports, central bank digital currencies (CBDCs) and digital ID systems like India’s Aadhaar.

India is at the leading edge of this trend, thanks largely to the so-called “Indian Stack” — three programs launched by the Narenda Modi government over the past decade: the Jan Dhan Yojana, a financial inclusion program that has enabled hundreds of millions of Indians to access basic financial services; Aadhaar, the world’s largest biometric-enabled digital identity system with 1.3 billion users (of a population of 1.4 billion); and the UPI, an instant payments system launched in 2016, just six months before the government yanked 84% of India’s cash notes out of circulation in its infamous demonetisation campaign.

The World Bank, which, like the Gates Foundation, provided funding to the program, has described India’s digital transformation as “a potential game-changer for economic development.” Aadhaar has already transformed the lives of around 1.3 billion Indians beyond recognition, writes Pam Dixon of the World Privacy Forum in an exhaustive analysis of Aadhaar, some of it drawing from first-hand experience, as well as the potential risks, benefits and pitfalls of biometrics-empowered digital identity systems as a whole:

Men and women living in remote villages, some without plumbing in their homes and many living in extreme poverty without access to modern technology, in the space of a few years underwent sophisticated biometric enrollments and began using their biometric identity for access to government subsidies such as rations. Women, who used to take inches-thick paper booklets holding generations of their families’ health care history written carefully in script, now access health care through their Aadhaar identity with a digital authentication, for example, through a fingerprint scanner or a mobile phone.

The results, as I’ve previously noted, have been mixed. The three programs have massively accelerated India’s digital transformation while also excluding millions of people from government programs and services. As the FT noted a couple of years ago in an article titled “India’s All-Encompassing Identity System Holds Warnings for the Rest of the World,” Aadhaar has helped to speed and clean up India’s bureaucracy while also massively increasing the Indian government’s surveillance powers. It also has huge privacy issues.

Nonetheless, the heading of the FT’s latest article on Aadhaar, published just two weeks ago, reads: “India Points the Way to Digital Access Across Africa.” The sub-heading: “Bill Gates is among the supporters who say DPI is key to reducing poverty but critics warn civil liberties could be at risk.”

Both the Modi government and Indian companies are now looking to export the DPI platforms and applications they have jointly developed, including Aadhaar and the Unified Payments Interface (UPI), to other countries around the world, particularly Africa. From Livemint:

In June, India signed a Memorandum of Understanding (MoU) with Antigua and Barbuda, Armenia, Sierra Leone and Suriname on sharing its DPI solutions. Mint reported earlier that India is also in talks with a number of other developing countries in Latin America, Africa and Southeast Asia, to extend these DPI partnerships.

India’s neighbours have also adopted UPI in recent years. Nepal and Bhutan use the platform while Sri Lanka is expected to operationalise UPI in the coming months. This year, India and Singapore linked their payments systems to allow for an easier flow of remittances.

A Fast, Furious Response

Given the harm the Moody’s report could inflict on global perceptions of Aadhaar, the Modi government was quick to respond to Moody’s claims. And it didn’t hold any punches. The public body in charge of Aadhaar, the Unique Identification Authority of India (UIDAI), said the US credit ratings agency had made sweeping assertions about the digital identity program without providing any evidence to back them up, which, to be fair, appears to be true: Moody’s does not offer any concrete, detailed information to back up its assertions. But that is not to say that the accusations are not valid.

In a note titled “Aadhaar, the Most Trusted Digital ID in the World — Moody’s Investors Service Opinions Baseless”, the Ministry of Electronics & IT said that both the IMF and the World Bank had lauded Aadhaar and India’s other DPIs. It also argued that over a billion Indians had placed their trust and faith in Aadhaar by using it to authenticate themselves “over 100 billion times”.

What it didn’t mention is that they had little choice in the matter: Aadhaar was first introduced as a voluntary way of improving welfare service delivery and giving people without identification an ID they could use, but the government rapidly expanded its scope by making it mandatory for welfare programs and state benefits as well as more or less necessary for an ever-growing list of services and activities, including medical records, bank accounts and pension payments.

In response to Moodys’ claim that Aadhaar has serious security issues, both the Ministry and UIDAI categorically state that there have been no reported breaches of the Aadhaar database to date, which is flagrantly untrue. Since 2017 security experts and journalists have reported multiple vulnerabilities and data leaks tied to Aadhaar. In its Global Risks Report 2019, the World Economic Forum, one of the world’s biggest proponents of digital ID programs, noted:

“The largest (data breach in 2018) was in India, where the government ID database, Aadhaar, reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens. It was reported in January 2018 that criminals were selling access to the database at a rate of Rs 500 for 10 minutes, while in March a leak at a state-owned utility company allowed anyone to download names and ID numbers.”

A 2018 First Post article lists a litany of other data leaks, hacks and breaches. Three examples:

• “According to a report last year, a gang in Kanpur was running a racket in order to generate fake Aadhaar cards. UIDAI stated that its systems detected abnormal activities and filed a complaint accordingly. It clarified that the big scam to generate the fake cards was foiled by the system and it did not affect the database of the processing system. What is interesting is that UIDAI refused to disclose the number of fake or duplicate Aadhaar cards in circulation citing the threat to national security. So much for transparency and accountability on the part of UIDAI and the government.”
• “[An] investigation by The Tribune uncovered that anonymous individuals were ready to sell the Aadhaar card details of any individual with an Aadhaar number against the payment of a sum of Rs 500. An additional Rs 300 would also let you print out these Aadhaar cards… What was surprising to note is that the ‘agents’ were running a racket using messaging platforms as WhatsApp to reach out to potential buyers.”
• “According to a previous report last year, WikiLeaks tweeted claiming that CIA might have access to the database as well. The series of tweets claimed that CIA was using Cross Match Technologies to access Aadhaar database as this company was one of the first suppliers of biometric devices certified by the UIDAI. The report claimed that CIA was using Express Lane, a covert information collection tool to ex-filtrate the data collection.”

To date, UIDAI has categorically denied any data breach in the Aadhar database even though, as even Wikipedia notes, many of the unsecure endpoints and government websites with unauthorized data access were taken offline after the reports. UIDAI also filed a case against The Tribune alleging false reporting.