To understand the relentless stream of news on data breaches, fake Aadhaar cards, enrolment centers selling Aadhaar data and more, there is a need to understand the money part of the equation for operators. A lot of it is opaque, but there are hints.
What investment does it take to be an Aadhaar operator?
To become an operator, the person or business would have to invest in the equipment to capture biometric data as specified by the UIDAI, as the UIDAI does not provide the equipment. Additionally, the person would need to have some kind of shop space, which would come with its own investment. And even if the person did not have any employees, the owner himself would need to make some form of profit in order to survive. I sincerely doubt that many operators applied to serve the UIDAI out of the generosity of their hearts.
The UIDAI was paying them Rs. 50 per enrolment. It would take 40 enrolments a day to earn two thousand rupees and it isn't too hard to see how it would take about a year to simply recover investment. A person who can afford to invest 3 lakhs in a new venture is not likely to accept a few thousand as a monthly income, right?
Some idea of the investment they made can be had from the follow up report published by The Tribune, Chandigarh, where Rachna Khaira gives the background of her investigative story and describes the whistleblower who approached her. He describes an investment of approximately 3 lakhs that he couldn't recover before the UIDAI removed him, which is why he had purchased the Rs.500 access being sold in order to be able to continue the business based on what he was already trained and equipped for, when his services were terminated.
The scammers clearly knew of this economic vulnerability of VLEs, which is how they were targeted for selling the bogus logins to.
How many Aadhaar operators are there in India?
For an organization keen to flaunt numbers, the UIDAI sure seems tight lipped about the number of operators or enrolment centers it has. I was not able to access a proper count but references in other news stories provide a picture. As of January 27,2017, there were "135 registrars and 612 enrolment agencies working at 47,192 enrolment stations". This became "almost 25,000 active enrolment centres across India will come under direct supervision of the authorities". This news is from July 2, 2017 when the government announced that enrollment would only happen at government centers after September. It is unclear how many Aadhaar operators are in each center, but going by what we see in real life, it is safe to assume there is only one in all but the largest ones. There is a drop of over 22,000 enrolment stations/centers from January to July.
How many ex-Aadhaar operators are there in India?
We have more numbers. 34,000 operators were blacklisted as per RS Prasad's reply in the Parliament on April 10, 2017. On September 12, 2017, the number was 49,000 showing a marked acceleration in blacklisting Aadhaar operators. In other words, there are almost twice the number of ex-Aadhaar operators in India as active ones.
The UIDAI very conveniently does not appear to have data on grievances, so it is not possible to tell how many were genuinely blacklisted and how many simply found their services terminated as the UIDAI started realizing that the actions of the operators were out of their control or simply because the Aadhaar scheme started approaching 100% enrolmentand there no longer was a need for as many operators.
What is the picture being painted here?
We see a massive layoff of Aadhaar enrolment operators. Most of the number is explained as "blacklisted" - implying there were complaints about some or the other malpractice. The motive for the malpractice being money is not so hard to discern, given that we are easily able to see that there were barely any profits - particularly for those who registered later. So now there are a lot of trained operators who know how the system works and its vulnerabilities who have lost a source of income in an already slow economy. The one thing they would be unlikely to do is take it philosophically unless they got other work.
It is not so hard to see why they would monetise whatever they had that would sell - enter the application form data, fake logins to continue the business, bribes to provide services that should be free, bribes to create fraudulent Aadhaars, ghost kits and other workarounds for UIDAI's "security" measures..... there is a lot of potential for earning by stepping outside UIDAI's rules, while following them will earn them a pittance in comparison with updation services getting them still less money - legally. In fact, even going by the money UIDAI lets them earn for services, a fake (re)enrolment for someone with Aadhaar problems will get them twice what an updation will.
On the other hand, the government making it impossible to avail of basic necessities without Aadhaar puts tremendous pressure on people to get Aadhaar cards made or updated. As more and more operators turn out to be blacklisted or terminated, there are queues and crowds at the few that remain. The government itself is forcing the people to do whatever it takes to link their Aadhaar everywhere - those with problems will need to offer bribes, because it simply is not an option to go without necessities. A no brainer to realize that bribes will be offered or asked for and paid in order to retain access to necessary services.
Once we have an environment where bribes are being facilitated, it is a very small jump to bribes being paid for creating fake Aadhaars.
These are people who know how the system works. It would not be so hard for them to game it.
This was predictable
When hiring private operators, it was nearly guaranteed that unless they earned an income that justified the investment they had made, there would be massive temptation to monetize the access and data they had. The UIDAI ran its system mostly on trust and duct tape from the sound of it. They have no way to track how new admin users are added. They have no records of grievances to verify against edit requests. They have been adding operators recklessly to scale up to meet their ambitions and there is clearly no thought given to prevention of data theft and illegal sales.
In other words, the UIDAI needed the operators to scale up recklessly to become too big to fail and bypassed security procedures on multiple fronts and their "ecosystem" is now out of their control with multiple people knowing how it works and its vulnerabilities who have been disenfranchised and their income stopped.