India's Digital ID Dilemma: How AI Threats Are Testing The Backbone Of A Billion-User Ecosystem

By Avishek Sarkar

Digital identity has become the foundation for accessing public services in India's fast-growing digital economy. As e-governance initiatives expand, platforms like Aadhaar, UPI, and DigiLocker are central to India's Digital Public Infrastructure (DPI). These systems offer seamless access to services and increased inclusivity across social and geographic boundaries.

Threats to the Digital Identity Ecosystem

The Aadhaar is the foundation of digital identity in the DPI framework. While offering convenience for both the government and the citizens, the storage and access of personal data remains a key concern and responsibility of the data custodians. However, the growing reliance on digital identity also exposes systemic vulnerabilities. From large-scale data breaches to biometric misuse and the emerging threat of AI-generated fake documents, the integrity of digital identity systems like Aadhaar is under increasing strain. A few notable examples of security gap exploitation include:

  • The alleged breach of the Indian Council of Medical Research (ICMR) database exposed the data of over 815 million citizens, including Aadhaar numbers.
  • Financial frauds linked to Aadhaar-enabled Payment System (AePS) exploitation, unauthorised access to government benefits, and fraudulent loans are on the rise. Reports estimate that 11% of all online financial frauds in 2023 were associated with AePS.
  • Identity theft and impersonation using biometric data have become increasingly common. One major case uncovered a racket that tampered with biometric data from over 1,500 citizens across 12 states, allowing criminals to activate SIM cards and gain unauthorised access to services.

The integration of artificial intelligence (AI) into criminal toolkits has magnified the risk to digital identity systems. AI-generated images, such as fake Aadhaar or PAN cards, created using tools like OpenAI’s DALL·E, are being used to deceive verification systems. Meanwhile, AI-based malware and ransomware automate phishing emails and deepfake social engineering attacks, thus enabling personalised scams.

The impact of AI on digital identity security is not just limited to Aadhaar but the entire digital identity ecosystem. The McAfee 2023 survey highlighted that 47% of survey responders had been victims of AI-powered voice scams. The recent case of scammers cloning the voice of Mr. Bharti Mittal, Chairman of Bharti Entreprises, to dupe the company's employees, although unsuccessful the case highlights the severity of the situation. Advances in GenAI capabilities and the democratisation of services have further fuelled the growing concerns regarding data privacy, ethical utilisation and accountability.

The Regulatory Landscape 

The above threats highlight the need for stringent regulations across the ecosystem to manage the misuse of AI solutions and protect digital identity systems. Globally, several nations have introduced measures to safeguard digital identity systems and address AI-related threats:

  • EU Digital Identity Initiative: Promotes secure and decentralised digital identity wallets for authentication, storage and sharing and e-sign their digital documents.
  • China’s National Network Identity Authentication Public Services Platform: Aims to issue network ID numbers and network ID certificates based on facial recognition.
  • EU AI Act: Categorises AI applications by risk (i.e., unacceptable-risk, high-risk, limited-risk, and minimal-risk), and places biometric identification (like Aadhaar) under the "unacceptable risk" category.
  • China’s AI Content Labelling Rule: Requires clear identification of AI-generated content to curb misinformation and improve transparency.

These examples demonstrate a proactive stance towards AI regulation and identity protection, recognising the interplay between the two.

India also has regulations in place to support the digital identity ecosystem. The Digital Personal Data Protection Act of 2023 supports improving data privacy regulations, the Indian Computer Emergency Response Team (CERT-In) issues guidelines for secure application design and data protection practices and the expected 'Digital India Act' is anticipated to include provisions related to ethical utilisation of AI tools.

However, India lacks a comprehensive regulation focused exclusively on digital identity systems and AI integration. A single framework that addresses the unique challenges posed by AI-enabled identity fraud and biometric misuse is urgently needed.

As India accelerates toward a digital future, safeguarding digital identity systems must become a national priority. While current regulations offer partial safeguards, a targeted framework governing both identity data and AI tools is essential to prevent misuse, uphold citizen trust, and ensure the long-term success of India's digital infrastructure.

(The author is the Manager - Growth Advisory, Aranca)

Disclaimer: The opinions, beliefs, and views expressed by the various authors and forum participants on this website are personal and do not reflect the opinions, beliefs, and views of ABP Network Pvt. Ltd.

technology