Over the last few months, the Indian twittersphere has been awash with citizens concerned about government websites leaking millions of individual digital ID numbers .
On May 1, the Centre for Internet and Society, a multi-disciplinary think tank in Bangalore, released  a report indicating that faulty information security practices have exposed as many as 135 million ID numbers, leaked from four government databases. The data leaks originated in the process of implementing online dashboards that were likely meant for general transparency and easy administration by the government agencies.
Developed by the Union government of India in 2009, the plan called for the creation a Unique Identification Authority of India (UIDAI ) that would issue Unique Identity numbers (UIDs) to all residents of India. Under this scheme, now known as Aadhaar, the UID number ties together several pieces of a person's demographic and biometric information, including their photograph, ten fingerprints and an image of their iris. This information is all stored in a centralized database.
The scheme has so far enrolled 1.13 billion Indians  and residents of India, making it the largest biometric database in the world.
This has become a point of pride for government agencies involved in the program. Information Technology Minister Ravishankar Prasad (@rsprasad) tweeted:
— Ravi Shankar Prasad (@rsprasad) April 24, 2017 
Aadhaar was built to be used as an identity authentication mechanism that could have multiple services being built on top of it. The scheme was run under an executive order from its inception in 2009 until the Aadhaar Act  was passed in 2016. The strategies employed by its supporters generated substantial controversy, and it since has been challenged in the Supreme Court  on budgetary grounds. But thus far, it remains in place.
The UIDAI has maintained that the scheme is voluntary. Yet the central government has pushed state governments  to include UID for a wide range of essential government services meant to be available to the public.
Independent news portal Scroll  regularly covers issues related to UID’s linkages with various welfare programs through its Identity Project . In recent years, Scroll has identified multiple examples of public services being denied to individuals who did not have a UID.
In Delhi  in 2015, food rations were denied to those without UID numbers. In April 2016 in the Ajmer  district of Rajasthan, UID-enabled food subsidies repeatedly recorded authentication failures.
Six months after Aadhaar was introduced in Rajasthan, state officials report that 10-15% of beneficiaries  who normally received food grains from the government (under the National Food Security Act) have been denied some or all of their rations because the system could not authenticate their UIDs. A local farm laborer told Scroll that his rations had been drastically reduced since the arrival of Aadhaar. “In some cases, when we put our fingers, the machine reads out 5 kg, 10 kg, or 15 kg as our entitlement. But we are entitled to 35 kg as per the government norms.”
Advocates are quick to note that there is no adequate avenue to remedy in these situations, leaving citizens with little recourse or ability to seek that these errors be corrected.
In spite of multiple court orders  making UID voluntary and limited to selected schemes, the government continues to expand its scope.
Delicate infrastructure and its misuse
According to economist Jean Drèze, the new authentication system requires a lot of fragile technologies  to work at the same time, such as a point of sale machine, internet connectivity, biometrics, remote servers and mobile networks. He also maintains that the primary cause of corruption in disbursement of food subsidies is related to the quantity of rations distributed or quantity fraud , which UID doesn't address.
Another economist who has worked extensively on these issues, Reetika Khera points out that the exclusion of large number of people from welfare schemes has not been because of lack of an identity, but rather due to “measly budgets and exclusion errors. “
Contention with the court
The Supreme Court issued two orders  in September 2013 and March 2014 which stated that “no person shall be deprived of any service for want of Aadhaar number in case he/she is otherwise eligible/entitled.” On August 11, 2015, the court issued yet another order  which limited the use of UID to food, kerosene and cooking gas subsidies. On October 15, it further expanded it to four more schemes : the National Rural Employment Guarantee Scheme , Pradhan Mantri Jan Dhan Yojana  (a scheme for financial inclusion), and policies related to pension and provident funds, after the government argued that it would be difficult to roll back UID now that it is the most used national identity system and is linked to service delivery in several major welfare schemes.
‘Leaky’ by design
Following the repeated arguments by the state that UID makes it possible to weed out ‘ghost beneficiaries’ and ‘de-duplicate’ multiple IDs, revelations of fake ‘UID cards’  began to circulate. These UID cards were reportedly issued under the names of pets, historical figures, one alleged spy and even gods.
— Mayank Jain (@Mayank1029) April 21, 2017 
More recently, the Indian twittersphere has been vocal in pointing to government websites leaking  sensitive information from the UID database. In February, security researcher Srinivas Kodali exposed a parallel database containing UID numbers and other details of 5-600,000 children.
— Srinivas Kodali (@iotakodali) February 17, 2017 
In another case, UID numbers of scholarship-holders sat on a state government website for over a year.
— Anivar Aravind (@anivar) April 20, 2017 
On March 22, 2017, tech worker @St_Hill exposed the severity of the problem by showing spreadsheets of personal data that appear with just a single Google search.
So I wrote a few words about Aadhaar. Will be happy to be proven wrong if you find something incorrect https://t.co/CHKBAR0gP7 
— St_Hill (@St_Hill) March 22, 2017 
This was immediately taken down. But new ones continue to appear with other simple Google searches.
Under the hashtag #AadhaarLeaks , Twitter users have reported numerous such cases on various government websites. The leaks gained popular attention on social media when former Indian men’s cricket team captain MS Dhoni’s UID  appeared in a tweet sent by a UID enrollment operator.
The government response
The UIDAI responded to the uproar with a campaign entitled #AadhaarStars , in which parents of young children were encouraged to post 30-second videos of what UID meant to them.
— Aadhaar (@UIDAI) April 10, 2017 
This was rejected by angry twitterati through the hashtag #AadhaarFail  which now offers a compendium of tweets about UID-based authentication failures.
In the last couple of months, after the privacy and security-related concerns became louder, the UIDAI has shut down  enrollment operators, websites and payment applications for misuse of biometrics data. The central government has even warned  state departments against leaking UID data on their portals.
As the uncertainty looms, privacy researcher Amber Sinha and aforementioned security researcher Srinivas Kodali estimated the size of #AadhaarLeaks.
— Srinivas Kodali (@iotakodali) May 1, 2017 
@Memeghnad  @iotakodali  Important to understand these are not so much as leaks as proactive publication of #Aadhaar  Numbers & other data. #leakagebydesign  pic.twitter.com/amNfqJAuxL 
— Amber Sinha (@ambersinha07) May 1, 2017 
It remains to be seen how the government will react to this.