What UIDAI doesn’t tell you about offline use of Aadhaar for KYC

Derick Thomas
Published in Kaarana
Nov 19, 2018

After the Supreme Court of India struck down the use of Aadhaar by private entities in its recent judgement, UIDAI and lobbying houses have been promoting the offline use of Aadhaar. This article tries to help you understand offline Aadhaar from the perspectives of an Aadhaar holder and a private business using Aadhaar for customer on-boarding.

Offline use

Aadhaar, unlike other identity documents, can be trusted only if it is validated online. It is easy to create a document that looks like Aadhaar with different numbers. Only with online verification of the Aadhaar number on the UIDAI website can you ensure that the card is genuine.

Aadhaar was conceived to make online digital verification of identity possible, but after the Supreme Court verdict it no longer serves this purpose except for availing Government benefits. In addition, UIDAI received a lot of feedback about people being denied their basic rights because Aadhaar authentication failed for various reasons, including network connectivity problems. Initially, UIDAI tried to solve this problem by mandating exception handling mechanisms at service providers, which was not fruitful. UIDAI then produced a workaround in the form of an offline verification mechanism: digitally signing the contents of the Aadhaar “card” or of a password-protected XML file. Any person seeking to verify the authenticity of a card or file can scan it using software that verifies the digital signature. (The Aadhaar card is sometimes referred to as the Aadhaar letter, because it is delivered to the individual as a postal letter with a tear-away card portion.)

Offline usage of Aadhaar can be accomplished by two means:

  1. Via the QR code on Aadhaar card & E-Aadhaar PDF
  2. By downloading Offline Aadhaar file (a password protected ZIP file containing an XML file) from UIDAI’s website

After Section 57 was struck down by the Supreme Court, UIDAI has been extensively promoting the first approach using the QR code on the Aadhaar card, while the coverage for the second solution is limited, possibly because of the difficulty in use.

QR code

According to the UIDAI website, on 20th February 2018 a new QR code format was implemented on e-Aadhaar, and the QR code reader client has been available on the official website since 27th March 2018. By March 2018, a month before launching the Aadhaar letter with the new QR code, UIDAI had issued more than 1.2 billion Aadhaar numbers. It means that potentially 1.2 billion people do not have new QR code-enabled Aadhaar letters in their possession.

However, they too can get a new QR-enabled document by downloading E-Aadhaar. There are two ways to get E-Aadhaar:

  1. Download it yourself using Resident Portal
  2. Download through an intermediary, e.g. an Enrollment and Update Agency for Aadhaar

Downloading it yourself requires that a mobile phone number is seeded against your Aadhaar number. You can download the E-Aadhaar and print it on a laser printer after entering the OTP sent to your mobile phone.

If your mobile phone number isn’t seeded in the Aadhaar database, then you need to visit an enrollment center, perform biometric authentication and then get the E-Aadhaar printed.

Information encoded in the new QR code

  1. Full name
  2. Masked Aadhaar number (last four digits displayed)
  3. Gender
  4. Masked mobile phone number (last four digits displayed)
  5. Date of birth
  6. Address
  7. Low resolution photo (Base64 encoded; JPEG2000 Format; 160 x 200 pixels)
  8. Digital signature (Base64 encoded)

There are two QR Codes in the E-Aadhaar — a large one and a small one. The large one contains your photograph & demographic information and small one contains only your demographic information. Both are digitally signed by UIDAI.

The data is stored in the following format inside the QR Code.

<HEDR n="Your Name" u="xxxxxxxx1234" g="M" m="xxxxxx4321" d="01-01-2000" a="Your address with PIN code" i="Photo" x="" s=""/>

On the large QR code, "HEDR" can take the values QPDA, QPDB or QA, because it contains the photo of the resident. If the QR code includes a masked phone number (for people who gave their mobile number to UIDAI at the time of enrolment), HEDR can be either QPDB or QDB.

It is important to note that this QR code does not include your 12-digit Aadhaar number or 10-digit mobile number; only the last four digits are included and the other digits are masked with the letter x. Also, the contents of the QR code are signed, making it easy for an application to verify the contents. This is different from the earlier QR code, which had the full Aadhaar number, resulting in accidental leaks.
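As an added example (not UIDAI's reader and not code from this article), a small Go validator for the payload layout shown above: it parses the element, enforces the masking rules just described, and rejects a payload that carries a full Aadhaar number the way the earlier QR format did. The header set and regular expressions are assumptions drawn from the text; the signature in s is not verified, because the article does not state its algorithm.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
)

// Constructed validator for the QR layout shown above; not UIDAI's reader, and it does not check the signature in "s".
var (
	knownHeader  = map[string]bool{"QPDA": true, "QPDB": true, "QA": true, "QDB": true}
	maskedUID    = regexp.MustCompile(`^x{8}[0-9]{4}$`)    // 12 digits, only the last four visible
	maskedMobile = regexp.MustCompile(`^(x{6}[0-9]{4})?$`) // 10 digits, only the last four visible, or absent
)

// QRPayload mirrors the attribute layout; the element name carries the HEDR value.
type QRPayload struct {
	XMLName xml.Name
	Name    string `xml:"n,attr"`
	UID     string `xml:"u,attr"`
	Gender  string `xml:"g,attr"`
	Mobile  string `xml:"m,attr"`
	DOB     string `xml:"d,attr"`
	Address string `xml:"a,attr"`
	Photo   string `xml:"i,attr"`
	Sig     string `xml:"s,attr"`
}

// ParseSecureQR refuses payloads that expose a full Aadhaar or mobile number, the leak the earlier QR format was known for.
func ParseSecureQR(raw string) (*QRPayload, error) {
	var p QRPayload
	if err := xml.Unmarshal([]byte(raw), &p); err != nil {
		return nil, fmt.Errorf("malformed QR payload: %w", err)
	}
	hdr := p.XMLName.Local
	switch {
	case !knownHeader[hdr]:
		return nil, fmt.Errorf("unknown header %q", hdr)
	case !maskedUID.MatchString(p.UID):
		return nil, fmt.Errorf("Aadhaar number not masked to its last four digits (old QR format?)")
	case !maskedMobile.MatchString(p.Mobile) || (p.Mobile != "" && hdr != "QPDB" && hdr != "QDB"):
		return nil, fmt.Errorf("mobile number not masked, or header %q is not one that carries a mobile number", hdr)
	case p.Sig == "":
		return nil, fmt.Errorf("no signature attribute; contents cannot be trusted")
	}
	return &p, nil
}

func main() { fmt.Println(ParseSecureQR(`<QPDB n="Your Name" u="xxxxxxxx1234" g="M" m="xxxxxx4321" d="01-01-2000" a="Addr" i="Photo" s="c2ln"/>`)) }
```

A payload that passes these checks still has to have its signature verified before any of the fields are trusted.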

The FAQ on secure QR reader mentions that there is only a Windows client available to verify the QR code. However, the Aadhaar QR Scanner app on Google Play Store also claims that it can scan the secure document.

Offline Aadhaar XML

Offline Aadhaar XML is another way to do eKYC without the service provider accessing UIDAI Infrastructure. UIDAI itself uses the “e-KYC” moniker when referring to this as “Aadhaar Paperless Local e-KYC”. This service was announced in the second half of August 2018. If you are to avail a service and want to use the offline KYC process, then you have to download the zipped XML file and hand the downloaded document and password over to your service provider.

One interesting benefit of this approach is that the user can choose which fields, like photo, date of birth, etc., to share with a service provider, apart from the mandatory name and address. It does not disclose your Aadhaar number, even in masked form. Also, the email id and mobile number are hashed using an algorithm specified by UIDAI, as the sample file below shows.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ResidentData>
<name>Your full name</name>
<address>D/O: Father, Address with pin code</address>
<photo>Your photo</photo>
<dob>mm-dd-yyyy</dob>
<email>Hash of email address</email>
<mobile>Hash of mobile number</mobile>
<gender>male/female</gender>
<Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>Content Digest</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Signature</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName>CN=DS UNIQUE IDENTIFICATION AUTHORITY OF INDIA 03,2.5.4.51=#xxxxxxxxxxxxxxxxxxxx,STREET=CONNAUGHT CIRCUS,ST=DELHI,2.5.4.17=#xxxxxx,O=UNIQUE IDENTIFICATION AUTHORITY OF INDIA,C=IN</X509SubjectName>
<X509Certificate>Certificate</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</ResidentData>

The selected fields become a part of the XML file and are digitally signed with UIDAI’s private key. In order to verify the digital signature, the public key is also included in the XML file. In its document UIDAI says: “… the XML file generated by the Aadhaar number holder using Offline Aadhaar Data Verification Service is digitally signed document using UIDAI digital signature. Thus, the service provider can verify the demographic contents of the file and certify it to be authentic when doing the offline verification.”

Although this suggests that only demographic details are signed, it is not so. All the contents of the file including the photograph are digitally signed. There is however a missing piece in this entire process: UIDAI does not tell you how to share the file.

Comparison of QR code and XML KYC

[Image: QR Code XML KYC Comparison]

The good thing about offline Aadhaar

By providing the offline KYC option, UIDAI has:

  1. Removed itself from the authentication process, thereby eliminating the possibility of centralised surveillance from UIDAI’s own records.
  2. Ensured authenticity of data, bringing an end to widespread forgery of Aadhaar cards (provided whoever accepts an Aadhaar card also bothers to verify the digital signature on the QR code).
  3. Placed individuals in control of the demographic information they’d like to share.
  4. Removed the possibility of linking databases using an Aadhaar number, because the number is no longer included in the XML file. However, linking on the basis of the hashed email address and phone number remains a possibility.

Problems with offline KYC for Aadhaar holders

While offline KYC is a good development, it presents far too many new problems.

  1. E-Aadhaar should be printed on a good quality paper using a laser printer, as suggested by UIDAI, because of the high information density of the QR code. This puts it out of the reach of those without access to a good printer.
  2. Since UIDAI is no longer involved in authentication, there is no record of who has had access to your QR code, and no way to invalidate it. Once stolen, it can be misused forever, making it far worse than OTP or biometric authentication. As a digital record, you can’t even scribble a purpose limitation on a printout, so you need to exercise extreme caution over who you share it with.
  3. If you depend on a service provider to download and print your E-Aadhaar (which contains QR code) or offline KYC XML, you need to ensure they securely delete it from their computer. This is almost impossible for you to confirm and depends on having a high degree of trust in the service provider.
  4. The QR code contains a low resolution photograph that may not be sufficient to recognize the person holding the E-Aadhaar, so a service provider may need additional photo id or an offline KYC XML file.
  5. The Aadhaar number is masked and so may not be appropriate for all service providers depending on the regulations they are subject to. Service provider may request additional identification.
  6. The digital signature in the QR code is static and unique to you (unless your demographic details change). It can take the place of your Aadhaar number as a common identifier across databases, meaning unscrupulous service providers could still profile you without your consent.
  7. The QR code can be read by normal QR code applications and will reveal your demographic details, although without the ability to confirm the data is genuine. The top five apps in the Play Store all store the history of scanned QR codes, leading to potential misuse. It is not safe to leave your QR code visible where it can be seen by a camera.
  8. There is no clarity on how to share the offline KYC XML with a service provider. While the file is password protected, the user needs to share the password with the service provider.
  9. Nothing stops the service provider from storing both the XML file and the password to access it. For example, a service provider’s internal workflow may store the password as part of the filename. A leaked file can be used at any other service provider, since nothing in the file limits its usage. Therefore, a service provider’s poor hygiene can lead to identity theft with no way to trace the source of the leak.
  10. The XML document may contain information that a service provider may not require to deliver the service. Since it is up to the user to select the fields on UIDAI’s website, they may unintentionally provide more than is necessary.

Problems with offline KYC for businesses

Offline KYC creates problems not only for end users as outlined above, but also for businesses that depend on Aadhaar. Since this topic is not discussed in the mainstream, let’s take a look at these issues:

  1. Usage of Aadhaar by private entities is explicitly struck down by the Supreme Court due to concerns of violation of fundamental rights. Those who support voluntary use of Aadhaar for private entities say that voluntary use is not prohibited. At the most optimistic level, this is a gray area with uncertainties; businesses may not want to embrace uncertainty and end up in a situation where they spend more to correct a bad decision. There is still uncertainty over the business models of private AUAs/sub-AUAs and ASAs.
  2. QR code alone cannot be used for providing a service where KYC is mandatory. It may be used with other documents such as voter id, ration card, etc. A completely paperless experience is not possible, so the use of Aadhaar card with QR code does not reduce your customer on-boarding cost.
  3. UIDAI suggests using specialised hardware to scan QR codes. This makes sense for high traffic zones like airport entry gates, but is an additional investment almost everywhere else.
  4. Offline KYC XML may not have all the fields that a service provider requires, thereby requiring additional documentation from the customer.
  5. UIDAI does not provide a reference implementation for offline XML verification. Service providers have no way to confirm they are doing it correctly.
  6. The Supreme Court, in striking down Section 47(1) of the Aadhaar Act, granted Aadhaar holders the right to litigate against misuse without the prior permission of UIDAI. This means the protective cover that UIDAI gave its partners is gone, so service providers need to be extra cautious of how they handle Aadhaar-related data.

Offline KYC enables identity theft

A QR code is less than 1500 bytes of data. A 1 GB USB drive can hold approximately 5 lakh such QR codes. It is possible for someone to print and misuse stolen QR codes. Low resolution photos make it harder for service providers to identify unauthorised use. Even in the case of offline KYC XML, the file size is less than 15 kB.

Digital identities that aren’t linked to a specific purpose suffer from a problem called double spending. In real life, if Kumar spent a ₹10 note to buy something from Babu (a transaction), then Kumar no longer has that ₹10 note to buy something else from Singh. The note can’t be spent twice.

Double spending is the reason why digital money is not a PDF or XML file. If Kumar sends a “₹10 file” to Babu, Kumar still has a copy of the file and can also send it to Singh, spending it twice. Anyone who was watching the transaction and grabbed a copy of the file can also do it. To prevent this, the current ownership of digital money must be tracked by a central authority, or by an expensive distributed mechanism such as a blockchain.

The same problem applies to digital identity. If Kumar is identifying himself to Babu for one transaction using an offline KYC file, an observer shouldn’t be able to steal this and identify as Kumar to Singh for another transaction. The identity has to be bound to a specific transaction.

UIDAI was well aware of this problem and hence created a centralised authentication infrastructure. But UIDAI diluted this constraint to circumvent the Supreme Court’s order.

Anyone can use the information you provided to one service provider to claim services from another provider in your name. As a user, you want protection from identity theft. For a service provider, fraudulent users are an additional risk. Given how easy it is to scale up fraud with digital identity, this can prove to be a costly affair for both individuals and service providers.

The lucre of untraceable misuse will lead to large scale harvesting of machine readable identity information, similar to how phone numbers and email ids are misused for spamming. Although UIDAI warns that sharing of identity information with third parties is punishable, there is no way to trace the source of a leak.

Since neither UIDAI nor the individual will be notified of misuse, tracking it will require consulting every service provider, making it very hard even for law enforcement agencies.

A broken architecture

UIDAI made a mistake by not using smart cards for user authentication. They know that the stories of exclusion are real. They know that biometric authentication does not work as they intended. However, admitting a design mistake will prove costly not only to UIDAI and the Aadhaar project, but also to its architects, who rejected the use of smart cards and spent years defending that choice, eventually leading them to the less secure idea of digitally signed QR codes.

In smart cards, the private key is stored on the card, in the hands of the user, but in a chip designed to block read access to the private key. The chip only allows signing a transaction using the private key, thereby binding identity to it in a manner that cannot be forged for a different transaction. Smart cards are not a radical idea. Every SIM card is a smart card, as is every chip-based debit or credit card. There are more smart cards in active use in India today than there are Aadhaar cards.
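To make the double-spending argument from the previous section and the smart-card contrast above concrete, here is an added Go model (not UIDAI's design, not any real smart-card protocol, and not code from this article) using Ed25519. An issuer-signed static credential, the analogue of the offline KYC file, verifies identically wherever a copy is presented; a credential that also certifies a holder key lets the relying party demand a signature over its own nonce, so a proof captured at one provider fails at every other. The data layout, the challenge construction and the key roles are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
)

// Credential stands in for an issuer-signed artefact such as the offline KYC file.
// Constructed model: UIDAI's real formats, keys and algorithms are not used.
type Credential struct {
	Data      []byte            // demographic payload
	HolderPub ed25519.PublicKey // nil for a plain file; the certified card key otherwise
	Sig       []byte            // issuer signature over Data || HolderPub
}

func signedBytes(c Credential) []byte { return append(append([]byte{}, c.Data...), c.HolderPub...) }

// Issue: the issuer signs the data and, for a card, the public half of the key kept on that card.
func Issue(issuer ed25519.PrivateKey, data []byte, holderPub ed25519.PublicKey) Credential {
	c := Credential{Data: data, HolderPub: holderPub}
	c.Sig = ed25519.Sign(issuer, signedBytes(c))
	return c
}

// VerifyStatic is all a relying party can do with an offline file: check the issuer's
// signature. Nothing ties the bytes to this party or this transaction, so a copied file passes anywhere.
func VerifyStatic(issuerPub ed25519.PublicKey, c Credential) bool {
	return ed25519.Verify(issuerPub, signedBytes(c), c.Sig)
}

// challenge binds one presentation to one relying party, one nonce and one credential.
func challenge(relyingParty string, nonce []byte, c Credential) []byte {
	sum := sha256.Sum256(append(append([]byte(relyingParty+"|"), nonce...), c.Sig...))
	return sum[:]
}

// Present models the smart-card step: the private key, which never leaves the chip, signs the challenge.
func Present(holder ed25519.PrivateKey, relyingParty string, nonce []byte, c Credential) []byte {
	return ed25519.Sign(holder, challenge(relyingParty, nonce, c))
}

// VerifyBound checks the issuer's signature, then demands a proof for this party and nonce from
// the key the issuer certified: a proof captured at one provider is useless at another.
func VerifyBound(issuerPub ed25519.PublicKey, relyingParty string, nonce []byte, c Credential, proof []byte) bool {
	if !VerifyStatic(issuerPub, c) || len(c.HolderPub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(c.HolderPub, challenge(relyingParty, nonce, c), proof)
}
```

The relying party must generate a fresh nonce per transaction; reusing one would let a recorded proof be replayed at that same provider.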

Offline Aadhaar (QR code or KYC XML) represents nothing more than the Aadhaar architects’ defiant defence of their half-baked idea against a mainstream idea that is far better established and has been improved over decades with worldwide acceptance. We are all paying for their defiance with our identities.
