What exercise are we calling hopeless?

UIDAI and Aadhaar proponents recommend linking your mobile with Aadhaar for security and convenience of OTP in Aadhaar transactions. OTP could even be mandatory for particular transactions. If you have an accessible mobile number linked to Aadhaar, you can update/change the mobile number anytime you want by an OTP to that existing registered number. But if you didn't provide a mobile number at the time of Aadhaar enrollment or if you can no longer access that Aadhaar linked mobile number, you have to go to Aadhaar Kendra to add/update a new number. Both these processes are terrible in every way we look at them. That's what we will talk about in this article.

Significance of OTP in Aadhaar

For any Aadhaar authenticated service you avail, your yes/no authentication or eKYC authentication will be done by your biometrics (iris, fingerprint or something else in future), demographic data, OTP or a combination of two or more of the above. Biometrics and demographic information are not at all sensible authentication factors because they are not really secret and can be known by anyone and hence replicated. The only authentication factor providing some security for Aadhaar transactions is OTP. So it may even be mandated for various transactions

Significance of mobile for OTP and Aadhaar

You can receive OTP (One Time Password or One Time PIN) in two ways

• OTP received over SMS service
• TOTP (time based OTP) generated locally on your Android phone by mAadhaar app

We will see mAadhaar TOTP in another post. But most Indians would use Aadhaar with SMS OTP on their mobile phone. Even TOTP needs registered mobile number because you can install and use mAadhaar only on an Android phone having the registered mobile number. So a registered number is vital for both OTP types.

Further, while reading documents for this article, I realized that if you want to update any information in your Aadhaar, almost every mode for update needs a mobile whether you wish to do it by post or website or OTP! The only update mode that doesn't need mobile is where you physically visit the Aadhaar Kendra.

So mobile number is central to Aadhaar.

The need to change Aadhaar registered mobile number

Your mobile number is not guaranteed to stay the same. You may voluntarily want to change it while you still have your old number. Or you may lose the old number due to loss of mobile phone, change of residence & circle, or your mobile service provider may shut down like Reliance Communication, or your connection may be cancelled for not following TRAI or service provider's rules about minimum active days and minimum recharge within a period, or any other unforeseen reasons. So UIDAI provides you the facility to change your mobile number registered for Aadhaar.

Changing the registered mobile while old one still works

I have been informed by a reader that UIDAI has stopped this mode of mobile number update since around November 2017. This seems to be true based on their recent tweets. I am not bothering to find and provide exact references here. Many more things to investigate and write about. Refer to the next section for mobile update method now needed in both cases where you possess an already registered mobile or don't.

The normal process, where you still possess your old registered number before changing to a new one is relatively simple and also 'secure' if we don't consider the fact that SMS OTP itself is insecure and recommended to be phased out by USA's NIST itself. You login to UIDAI resident portal 1 using your Aadhaar number and OTP which you receive on existing registered mobile number. Once logged in, you change the mobile number on the site. And perhaps confirm by OTP received on new number.

This is a terrible system that makes all Aadhaar users very vulnerable sitting ducks. Your Aadhaar number is typically known to a lot of people. They can just enter it on the website while your phone is lying unattended, use the OTP, change the phone number at the website and delete the messages UIDAI sent to your existing mobile. Due to various vulnerabilities of SMS, it is possible to intercept or read your SMS even when you are physically very careful and protective and careful about your mobile

What if you never registered a mobile number or it is lost?

If you never registered a mobile number with UIDAI or lost access to your registered number in some way, you cannot receive an OTP even to change the number.In such case you need to visit a Permanent Enrollment Centre and update mobile number after biometrics authentication. But this process is very problematic too. It is also the process which fraudster will attempt to use, when the fraudster doesn't physically posses your existing registered mobile number or doesn't even know your number to use sophisticated digital intercepts or has no clue how to intercept SMS over mobile netwroks.

There are three major problems with this process:

• It is not communicated well by UIDAI.
• It is very cumbersome, inconvenient and tiring.
• It keeps you insecure even if you follow it diligently.

We will see these in detail in next three sections.

Problem 1: Update process documented poorly by UIDAI

We have seen that mobile is most crucial for convenience, security and data update of Aadhaar. For many transaction types it may even be mandatory. But on UIDAI website I could not easily find any clear instructions how to update registered mobile number if you can't access old number. So I tried to piece together an answer by combining information from various related documents on the site.

Correlating UIDAI documents related to mobile update

First we have 'UIDAI Data Update Policy' document 2 on the site. In that document, on page 9, in a table under section UD 4.1 they indicate that mobile number can be updated by every data update mode which UIDAI supports.

There are 6 modes in that table.
1. By postal mail
2. Through registered mobile
3. Online portal with registered mobile
4. Three other modes, for which I ignore the nuances and treat as just one mode: Going to an Aadhaar related agency/centre physically to provide proof documents and biometric authentication for data update.

Further, in examples at the end of section UD 4.1.3 of same document, they suggest mobile number update could be integrated with SIM issuance process. It is not clear whether this is being done or whether it should even be done. If person has registered a mobile already, it might get unintentionally updated when the person buys new SIM using Aadhaar eKYC. To avoid that, the eKYC process to purchase SIM would need to have special features where it checks with CIDR if the resident already has a registered mobile. Then it can ask resident whether they want to register the number (if no registered mobile in CIDR) or update the old number with this one as (if already have a registered mobile). Since no such process is known to exist, there is no clarity whether this mode of update exists. Probably not.

So we are back to 4 modes listed above. Mode 2) & 3) can't be used in our case where old mobile number is no longer usable. Further section UD 4.1.5 of the doc tells us that updating by post ALSO needs you to have registered a mobile first. So we are left with just one mode. We need to go physically to some agency/center with documents and do a biometric authentication.

In the same example of mobile update which we saw in section 4.1.3 (page 11) earlier, the question is left open whether only registrars can update mobile or Authentication User Agency (AUA)should also be allowed. Two more recent documents on UIDAI site provide the definitive answer. On May 05 2016 UIDAI decided to allow these kind of authentication agencies to run mobile number update facility 5 But on 21 March 2017 it was stopped again, and allowed only at Permanent Enrollment Centers 6. So you must go to a Permanent Enrollment Center only.

But that still doesn't provide any clarity about documents needed or exact process we must follow or insist upon at this agency/center. Further that's a December 2014 doc & some things could have changed? So we check the current "Aadhaar Data Update" page on UIDAI website 3, section 3 regarding visiting permanent enrolment center for update. It offers more clarity on the process with a nice infographic but is still vague about documents needed for updating mobile. From the infographic, the key steps of the process are

1. You fill the application form.
2. UIDAI/Registrar appointed verifier verifies your docs.
3. Operator enters your data in update software.
4. Only after that you provide biometric authentication. (Insist to check the data which operator has entered before giving your approval through your biometrics.
5. Operator (& supervisor?) must provide their biometric sign-off too.
6. Collect receipt with Update Request Number.

However this page also doesn't really tell us which documents/proof, if any, are needed for updating mobile. It speaks of DDSVP Committee Recommendations for verification. So we look at what DDSVP Committee says. In table 2 (Process Summary), the DDSVP Committee report 4 says no verification required for mobile number.

So now we finally know the process to change registered mobile number without having the previous one, and we know that it does not need document verification. Next, let us clearly detail out the mobile update process when you don't have previous registered mobile

How to add/update registered mobile to Aadhaar

When you already have an accessible registered mobile number

1. Go to UIDAI resident portal 1.
2. Enter your Aadhaar number. This will send an OTP to your registered mobile.
3. Enter the OTP on the same Aadhaar Kiosk Resident Portal webpage to log in.
4. Once logged in, you can update the mobile number field.

When you don't have or can't access your existing registered mobile

1. Physically go to a Permanent Enrollment Center.
2. Fill application form.
3. No document needs to be verified.
4. Operator enters your new mobile number in their update software.
5. You verify correct data entry before providing biometric authentication.
6. You provide biometric authentication to prove you are the genuine Aadhaar holder.
7. The operator (and supervisor?) provide their biometric sign-off.
8. Collect the receipt with Update Request Number.

I would like to reiterate that this mobile addition/update process is one of the most important cornerstones of Aadhaar security, because

1. Transaction OTPs need mobile.
2. Even update of all other fields by all other ways needs a mobile!

Yet, because UIDAI hasn't explained this process anywhere, we had to hunt so many documents and do information crunching across them to reach such proper understanding of it. Because of lack of clear communication from UIDAI, not only common people but even media has no clarity on the process and is giving false information as well as incomplete information.

Media misinformation about Aadhaar mobile update

I have noticed at least three kinds of errors and omissions in Aadhaar mobile registration/update articles in mainstream media:

1. Articles claim it is necessary to submit documents at Aadhaar Kendra/Permanent Enrolment Centre along with biometrics just for mobile update. But we know documents not needed if you want to add/update mobile only.

   Some mainstream articles with this incorrect information:

   • Times of India 7 and Economic Times 8 say you must submit photocopy of Aadhaar 'card' (Aadhaar letter) as well as other id proof like PAN, passport or voter id.
   • First Post says you must submit 'relevant documents' 9
   • Money Control says you must submit one id proof, according to UIDAI's id proof list 10

   Many others but these are enough examples for now.

2. Articles claim that doing 'linking' process for SIM at telecom operator store (to comply with some irrelevant DoT order) will make that number your Aadhaar registered mobile number. That is likely not true just like we have reasoned above that mobile number will not get updated in CIDR just by purchasing SIM with eKYC. eKYC for SIM updates telecom service provider's database, while actually linking SIM for Aadhaar transaction OTPs needs update of CIDR.

   Example

   • The same First Post article we saw above also makes this second error of conflating the two different Aadhaar-mobile hassles. 9

3. None of the mainstream articles I came across so far actually talk about finer details of the process we figured out above, which might offer some protection against fraud: checking data entered by operator before doing biometrics authentication, checking operator biometrics sign-off, collecting receipt with Update Request Number.

In case some of you are skeptical about our analysis being correct and media articles above being incorrect, here is UIDAI itself confirming the first two points, on social media:

1. Between 18 July 2016 11 and 22 Dec 2017 12 UIDAI's verified Twitter handle has said many times that mobile number addition/update needs biometrics at enrollment centre but no documents. One such tweet even has Prime Minister's Office Twitter handle among recipients of the tweet 13.
2. UIDAI's verified Twitter handle has also tweeted an article which clarifies that providing your Aadhaar to your telecom operator with biometric or OTP authentication does not make it your mobile registered with UIDAI on which you recieve OTP for Aadhaar transactions. That needs you to go to Aadhaar Kendra 14

Summary of lack of documentation and misinformation problem:

1. Being able to register/update mobile for your Aadhaar profile when not having an older registered one is vital.
2. By omission or commission UIDAI has not clearly documented the process for this vital update anywhere in one place.
3. When people ask UIDAI, they do give some correct information about the process on social media, but most people would not be asking or reading UIDAI's replies on social media.
4. Hence lies & incomplete information about this process are widespread, both among media articles and consequently among people trying to search for this information. Uninformed or misinformed can be duped even by PEC operators as we will see later.

Problem 2: Process is cumbersome, inconvenient & tiring

Whether you do or do not know the process correctly or completely, updating mobile linked to Aadhaar is a cumbersome, tiring process if you do not posses an already registered mobile number.

Physical travel to facilities, often located far away

You have to physically visit a Permanent Enrollment Centre (PEC) even in the so called 'Digital India'. This is worsened by the fact that this facility is not available at other authentication agencies (AUA/KUA/sub-AUA), which are more common than Permanent Enrollment Centres (PEC). This is further worsened by the fact that government stopped all such enrollment centres on private premises. Now they are limited to government premises and banks only. And banks are (rightly) reluctant to open such facilities on orders of UIDAI which has no jurisdiction on banks anyway. I cannot make absolute comment how near or far these centres are for you. Some of you in cities may be lucky to have many centres at reasonable distance, while others in not so urban areas have to travel far.

Urban-Rural Divide

We can get some idea about the disparity between urban and rural population faces in access to a Permanent Enrolment Center (PEC) if we look at two data pages

1. Chart of Permanent Enrolment Centers (PECs) in districts of Maharashtra State 15
2. Wikipedia page telling us total area occupied by each district in Maharashtra 16

Take most well-known urban district Mumbai. 21 PECs are listed. If we consider this is over Mumbai City & Mumbai Suburban the combined area is around 437 square km. That's density of 1 PEC per 21 square km. Since urban streets are typically at right angles, we can imagine square packing where side of each square will be around 4.6 km and a PEC will be at its centre. A person located at corner of the square will only have to travel up to 4.6 km to reach the PEC at centre. That's how much a Mumbai person may need to travel.

Take a lesser known Maharashtra district Gadchiroli with area 14,412 square km. There are 21 PECs listed. That's just 1 PEC in 686 square km! With square packing, Gadchiroli person may have to travel nearly 26 km to reach nearest PEC. Of course sparsely populated big district may have PECs much more irregularly situated. So even more travel (maybe up to 35-45 km?) may be needed than our square packing estimate. And this long distance that a Gadchiroli person must travel will be on much more poorly connected routes than Mumbai person.

Here is Twitter video of an Orissa rural farmer telling a similar tale about Aadhaar troubles where people need to pay Rs 170-180 bus fare to go to a proper enrollment center or pay up Rs 120 locally. (which I suppose isn't a PEC). Many poor folks can't afford it. On the other hand a city person could just take a public transport for Rs.10-20 or even walk a few kilometers absolutely free of cost.17

Big lines and limited service

When you reach a PEC, you often find big lines because everybody is being forced to obtain or use Aadhaar and hence everybody is rushing to these limited Permanent Enrollment Centers. As per many social media photos and anecdotal testimonies, people wait in these lines for hours, often coming at early dawn next time if their turn did not come during previous attempt. To attempt crowd control, these centres often assign tokens to people in the lines and serve only a limited number of people each day by token-based appointment.

Tech failures

Even if you do get your turn at the PEC, there is no guarantee that your biometrics will work, whether for enrollment or for biometric authentication for an update like mobile. The enrollment failure rates were estimated to be 15% even in Parliamentary Standing Committee report. Biometrics authentication failures were expected to be 5%. Actual data are nearly as high as 50% authentication failures in social welfare schemes in some states. So prepare to be extremely frustrated even if you do get your turn in the line and victory seems close! Now imagine having to go through this ordeal every time you lose or change your mobile number. I have myself lost many phones and hence mobile numbers along with them.

Overall, instead of a digital future of convenience and speed, Aadhaar is sending us back to the age of "Chala Musaddi Office Office" type babudom just to update lost mobile number. But this time not just officials, even technology will frustrate you. Or officials can frustrate you and blame it on technology. Those officials could further be local ones at PEC, or unseen insiders at UIDAI who control Aadhaar's CIDR database or any intermediaries between PEC and CIDR. You will not even be able to tell whether humans are playing with you or technology!

Problem 3: The process is hopelessly insecure

All the above points make UIDAI mobile update process for lost or inaccessible mobile number hopelessly insecure in many ways:

Operators can fool Aadhaar holders about vital documents, biometrics or about update itself

Mobile update does't need id or other proof documents. But since the exact process has not been clearly documented or explained at any one place officially, a common man may get fooled by anything anyone says. Media articles with incorrect information (like many examples we saw) or the Aadhaar Kendra operators themselves may fool innocent people into giving away document copies unnecessarily, which will be used for nefarious purposes. They might even ask people to give biometrics authentication multiple times. And in spite of all that they might not update the mobile number (no receipt). Or they may update a wrong mobile number which would result in fraud later, because Aadhaar holder did not check the number entered by operator before biometrics authentication.

Insecure delay time windows or dead end

Since you need to physically go to Aadhaar Kendra, there is a big time window where you can't access old mobile number and can't yet update the new mobile number. Your Aadhaar transactions will not only be unsecured in this duration, you may even be totally prevented from doing many types of transactions that mandate OTP. And if your biometric authentication doesn't work when trying to update mobile, you hit a dead end. What do you do next? Aadhaar doesn't work. Mobile can't be updated. Life is finished for you in 'Aadhaar world'.

Sophie's choice between security and connectivity

The title of this section used to be "Your hands are tied, but thief can change your registered number". But as I have been informed by a reader, since November 2017 it is no longer possible to update your Aadhaar registered mobile just by possessing your Aadhaar number and OTP received on your existing registered mobile number. So the form of insecurity described in cancelled text below no longer applies.

But it also means you cannot immediately change to some other mobile number if you realize that OTP security of your existing mobile number is compromised by some hacking trick. Your only choice would be to get your mobile number cancelled by calling your mobile operator. And then you have to go to Aadhaar centre and get the mobile number updated after giving biometric authentication. Hence the risks 2 & 4 come into play. In addition, you also can't receive phone calls or messages from your friends, relatives and acquaintances because you cancelled your mobile.

On the other hand if you choose not to cancel your mobile, the thief who has access to your OTP through SS7 hacking or other ways can misuse your Aadhaar before you manage to change the mobile. So you face a Sophie's Choice of being cut-off from all people who contact you on mobile or risk losing all your Aadhaar linked critical accounts. Why should citizens of democracy accept such impossible choices inflicted upon them? We must simply compel the government to destroy the Aadhaar!

During the delay in physically visiting a PEC to update your mobile, or in the indefinite delay if your biometric authentication fails at the PEC, a thief who has stolen your mobile or is in possession of your old number in any way can actually change your Aadhaar registered mobile number. The thief just has to go to the UIDAI website, login using your Aadhaar number and the OTP received on your mobile number, and then update the mobile number on site! So this process is absolutely evil which can leave the original Aadhaar holder helpless and easily facilitate the crook who stole the mobile!

Zero protection or remedy from biometrics fraud

The basic process itself is hopeless for security. At start of this article we said that biometrics are insecure and hopeless for authentication, and mobile number SMS OTP/TOTP can provide some security for Aadhaar. But what does changing registered mobile number itself depend on? It again only depends on that very insecure biometrics authentication!

Some insider can steal and spoof your biometrics as well as biometrics of the operator (for sign-off) to fraudulently change your Aadhaar registered mobile number to a number which they control. There is no other protection. And apart from harming you, the innocent operator whose biometrics were stolen and spoofed will also get framed for crime someone else did. So the criminal has no disincentive. Or maybe the operator wasn't so innocent and actually stole your id. There is no way to tell the difference between operators who are your culprit or who are themselves victims of biometrics theft!

But whoever the criminal is, they would posses both your biometrics and your registered mobile now. There is no way you can recover from this. You cannot change biometrics. You may change mobile, but thief now has the key to change it back anyway.

Congratulation! Your Aadhaar identity is completely and irreversibly stolen!

In Conclusion

• PEC operators can trick Aadhaar holder into giving unnecessary documents & biometrics and also cheat in updating mobile number because UIDAI has not clearly documented the process. UIDAI can document the process better to remedy this.
• PEC visit mobile update process is cumbersome, inconvenient, time consuming, tiring and even expensive. Perhaps mobile number update cost exceeds price of new SIM for many. (like the video where bus fare was Rs.180).
• Hardships seem to be even more for rural population than urban. Perhaps much touted 'New India' doesn't want these people to thrive.
• It would be good if UIDAI can remove these hardships, but since the enrollment centres seem to run more on profit motive basis rather than for social good, I don't have high hopes geographic density of rural PEC locations increasing. Of course Aadhaar is an evil, not social good so I do not know which way I wish for rural folks.
• Even if people overcome the barriers of distance, time, effort, money and manage to get their turn with a PEC operator, the biometrics enrollment/authentication technology may fail them, with no remedy.
• Even if people successfully complete the hoops and manage to update their mobile, the process does not secure their Aadhaar.
• The hopeless process provides more guaranteed opportunity to your mobile thief to change your mobile number than it does to you.
• Since you can no longer update your mobile just by having previous mobile (hence the cancelled point above), you have to make the difficult choice of losing all connectivity by canceling your mobile with your mobile operator before you can update mobile by physically visiting a PEC. If you don't, you risk hacking of any Aadhaar linked accounts.
• I also don't see how the above Sophie's Choice can be 'fixed'. If UIDAI allows you to cancel or suspend your old registered mobile number without updates, any mischief-maker can get your mobile suspended again and again.
• Any biometric id theft at the Aadhaar enrollment center itself completely and irreversibly compromises your whole Aadhaar identity, including mobile.
• Since PEC operators cannot prove innocence if framed due to theft of their own biometrics, there will be greater frustration, and greater incentive to be evil rather than good. "If you can't beat them, join them."
• None of the major problems in last five points can be fixed.

• Destroy the Aadhaar.

That last conclusion is the most important conclusion. It is the conclusion of all conclusions:

Destroy the Aadhaar!