Death of an Aadhaar-holder – Kaarana – Medium

St_Hill

Ever wondered what happens to someone’s Aadhaar once they pass away? Well, nothing happens. This is because UIDAI has not built any process or technology to handle an Aadhaar holder’s death. There are multiple issues that arise from this inability of UIDAI to handle death.

FAQ from UIDAI website

Now, have you wondered what happens to someone’s mobile number once they pass away? Telecom companies deactivate a phone number after 90 days of no usage, and then may assign it to new subscribers after a month or so. In essence, a dead person’s phone number may get assigned to a new person within 4–6 months. (The same reassignment policy applies for anyone who stops using their phone number, dead or alive.)

We know that each Aadhaar number has a mobile number mapped to it in the UIDAI database, which UIDAI uses for sending OTPs during authentication. Hence, the phone number owned by a dead person (and updated in UIDAI records) may get assigned to someone else six months after their death, but UIDAI will never find out that this phone number no longer belongs to that dead person.

Can a relative approach UIDAI and get their own phone number updated against the dead person’s Aadhaar? It would have been ideal if UIDAI allowed the family to update the dead person’s Aadhaar with the phone number of the next of kin, so that the family is in charge of the dead person’s Aadhaar and OTPs, and can prevent misuse. But UIDAI allows the mobile number in its records to be changed ONLY IF the Aadhaar holder visits an Aadhaar center and performs a fingerprint authentication. Unless the family finds a grisly way to get the dead person to perform a fingerprint authentication at a UIDAI centre, this option is shut. Hence, the phone number will remain mapped to the Aadhaar number forever.

Can a fraudster misuse a dead person’s Aadhaar number?

UIDAI tweet claiming that dead people’s Aadhaar cannot be misused

In the tweet above, UIDAI explains why nobody has to report deaths to UIDAI since it claims that authentication would not be possible in the absence of the Aadhaar holder. While this may be true for biometric authentication, it is definitely not true for OTP authentication. OTP authentication only requires the person to be in possession of the phone number mapped against the Aadhaar number. If a third person is in possession of the phone number, UIDAI will send them the OTP since it has no clue that the phone number has been reassigned by the telecom company.

Imagine a fraudster who has just purchased a new SIM card and has been assigned a new phone number. If he figures out which Aadhaar number was mapped to this phone number in UIDAI, he will now start receiving OTPs from UIDAI whenever he uses the dead person’s Aadhaar. This will enable the fraudster to use the dead person’s Aadhaar number everywhere without the relatives of the deceased ever realizing this. Essentially, this enables the identity takeover of the dead — the fraudster can continue to live all his life using the dead person’s name and Aadhaar.

How big is this problem? UIDAI has generated a total of around 1200 million Aadhaar numbers since its inception in 2009 (Source). Since UIDAI does not have a death reporting mechanism, all the dead people since 2009 continue to be counted. India has a death rate of 7.3 deaths per 1000 population per year, meaning 95 million people die every year. Assuming 80% of these people had enrolled for Aadhaar before their death, this translates to a total of 76 million Aadhaar number holders who have died in the last 10 years but continue to be alive as ghosts in the Aadhaar database. That is 6% of the Aadhaar database.

Most of the mobile numbers mapped to these 76 million ghost Aadhaars are now being used by someone other than the dead person. The number of ghost Aadhaars will continue to grow as more people die every year, until UIDAI finds a way to fix this.

The table below from the UIDAI website is proof of these ghost Aadhaars. In some of the states, the number of Aadhaars issued is more than the state’s population. While some of the gap may be explained by migration of population, non-capturing of the dead people is the key reason why the saturation level is more than 100% in some states.

UIDAI would want us to believe that 88.9% of resident Indians now have an Aadhaar. The population of 1354 million includes only the alive, while the Aadhaar number count of 1203 million includes the alive and the dead. There is a numerator-denominator mismatch in calculating the 88.9%.

So what should a family do when someone passes away?

  1. Lock the biometrics: Visit the UIDAI website, and lock the Aadhaar number’s biometrics from being used. Some fraudsters have already figured out how to clone fingerprints, and some more will figure it out in future. Locking the biometrics will ensure that even if fraudsters figure it out, your relative’s Aadhaar number remains unusable. Locking biometrics requires OTP authentication and does not require the family member to visit the Aadhaar centre, so you can do this from home as long as you have access to the deceased person’s phone number.
  2. Retain the phone number within the family: UIDAI has no option to lock OTP authentication. To ensure that your telecom service provider does not reassign your dead relative’s phone number to someone else, you can either reuse the SIM card within your family, or keep the phone number active by recharging for a minimum of Rs.20 or so. This will ensure that no third party will ever receive OTPs for your relative’s Aadhaar.
  3. Periodically monitor authentication requests on that Aadhaar number: Just to ensure that there has been no misuse, you can check the Authentication History of that Aadhaar number to see where the Aadhaar number has been used in the last 6 months. Note: Accessing this history requires an OTP authentication.
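
The three steps above can be turned into a repeatable check, shown here as an added example that is not code from the article or from UIDAI. The `AuthEvent` record layout, the `review` function, the 30-day warning window and all sample data are assumptions made for illustration; only the 90-day deactivation figure comes from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# From the article: telecoms deactivate a number after 90 days without usage.
DEACTIVATION_AFTER_DAYS = 90
WARN_DAYS = 30  # assumption: how early to remind the family to recharge

@dataclass(frozen=True)
class AuthEvent:
    """One authentication-history row (hypothetical layout, not UIDAI's format)."""
    when: date
    modality: str   # "OTP" or "BIOMETRIC"
    requester: str  # agency that asked for the authentication
    success: bool

def review(date_of_death, last_sim_use, biometrics_locked, history,
           family_actions, today):
    """Return (code, detail) findings for the three steps in the list above."""
    findings = []
    # Step 1: biometric authentication should be locked.
    if not biometrics_locked:
        findings.append(("BIOMETRICS_UNLOCKED", "lock biometrics via OTP"))
    # Step 2: keep the number from lapsing and being reassigned.
    days_left = (last_sim_use + timedelta(days=DEACTIVATION_AFTER_DAYS) - today).days
    if days_left <= 0:
        findings.append(("NUMBER_MAY_BE_LOST", f"{-days_left} days past deadline"))
    elif days_left <= WARN_DAYS:
        findings.append(("RECHARGE_SOON", f"{days_left} days left"))
    # Step 3: any authentication after the death that the family did not
    # perform itself (locking biometrics and reading the history both use OTP).
    for ev in sorted(history, key=lambda e: e.when):
        if ev.when <= date_of_death or (ev.when, ev.requester) in family_actions:
            continue
        code = "UNEXPLAINED_AUTH" if ev.success else "UNEXPLAINED_ATTEMPT"
        findings.append((code, f"{ev.when} {ev.modality} by {ev.requester}"))
    return findings

# Constructed sample data; names and dates are illustrative only.
DEATH = date(2018, 3, 1)
HISTORY = [
    AuthEvent(date(2018, 2, 10), "BIOMETRIC", "Bank A", True),    # before death
    AuthEvent(date(2018, 3, 20), "OTP", "UIDAI portal", True),    # family: lock
    AuthEvent(date(2018, 5, 2), "OTP", "Telecom B", True),        # unexplained
    AuthEvent(date(2018, 5, 9), "BIOMETRIC", "Agency C", False),  # failed attempt
]
FAMILY = {(date(2018, 3, 20), "UIDAI portal")}
```

Calling `review(DEATH, date(2018, 3, 15), True, HISTORY, FAMILY, today=date(2018, 5, 25))` reports the recharge deadline and the two post-death events the family cannot account for.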