How to address Aadhaar flaws? Audit database to weed out fakes

Published: April 14, 2017 4:19 AM

For the past seven years, I have been a consistent critic of Aadhaar, drawing attention to several issues and concerns relating to flaws in Aadhaar and its weak architecture. These concerns and issues are coming true today. It is important to acknowledge the difference in the approach of the current government vis-à-vis that of the UPA government. The latter spent thousands of crores of rupees on Aadhaar with no debate inside or outside Parliament, no legislative backing and, most importantly, no legal accountability for the authenticity of this biometric database. As a result, all that money was spent on creating a poorly verified biometric database with no details on citizenship. The only time Aadhaar was scrutinised was by the Standing Committee of Finance, of which I was a member, that concluded that it would be ineffective even for the purpose of directing subsidies, and recommended its merger with the National Population Register.

This government, instead of rejecting Aadhaar and wasting public money, has moved to address its shortcomings. It has subjected Aadhaar to parliamentary scrutiny and will use Aadhaar as a sharp attack on the problem of leakages and fraudulent claims in public subsidies. It has addressed the issue of lack of verification and fake entries by making the Unique Identification Authority of India (UIDAI) statutorily responsible under section 3(3) of the Aadhaar Act, for verifying the entries.

But there remain a few important issues for the government to consider. The first is the use of Aadhaar as a broader identification while it remains an unverified database. Till 2016, 100 crore entries were created with little or no verification. The government needs to answer how such poorly verified entries, that can be forged for ₹40 at Palika Bazar, can be used to access airports and as KYC for opening non-JDY bank accounts. There has been no disclosure or audit conducted to show the steps taken by the UIDAI to ensure compliance with the direction of section 3(3) to verify all entries created before the Act was passed. As a result, Aadhaar remains an unverified database, containing crores of entries with no certification that the name against the biometric is correct.

Databases are only as good as what you put in them. However, sections 3(3) and 4(3) of the Aadhaar Act create the perception that the UIDAI guarantees the authenticity of all Aadhaar information, on the basis of which various government departments now require it as ID proof, unaware or unconcerned that the database is plagued with fake and ghost entries.

The minister for law and justice and for information technology has given an assurance on the floor of Parliament, that the government is sure of the authenticity of the data collected from 2010 to 2016. He has assured the House that the system created by the UIDAI is robust, safe and secure with no data leaks and no systematic problems. He also assured that the UIDAI is accountable to him and, through him (and along with him), accountable to Parliament. However, there have been numerous previous incidents of fake entries, including the recent case where Pakistani spies obtained Aadhaar cards under fake names but with their biometrics. If this results in a terror attack, who should the victims approach? The UIDAI? To truly deliver on the directions of sections 3(3) and 4(3), the UIDAI must immediately audit, clean up and re-verify the database to weed out fake and ghost entries. Ignoring this is unacceptable in view of the national interest.

Another issue is the debate on “mandatory” and “non-mandatory” use of Aadhaar for better delivery of subsidies. This debate is misplaced. It is really an issue of “exclusion” and “non-exclusion”. Aadhaar must be developed as the gateway for the delivery of subsidies because leakages in subsidies ultimately harm the poor and needy. But Aadhaar should be made mandatory only after ensuring that it will not lead to the exclusion of the poor and needy.

The mandatory–non-mandatory confusion is being created by vague regulations made by the UIDAI, specifically Regulation 12 of the Enrolment and Update Regulations which seems to encourage a breach of Section 7 of the Act. This is a result of lack of proper oversight of the UIDAI. The UIDAI must be subject to stringent oversight, possibly through a Parliamentary Standing Committee on national identity.

The third issue is the issue of data integrity and the broader issue of privacy. As more and more people have become aware of Aadhaar and with its expansion to new areas, more concerns about its design, operation and misuse have surfaced. There are fears that such data shall be misused for surveillance. While some concerns are legitimate, many are caused by a lack of understanding and a lack of communication and transparency by the UIDAI. Such fears shall be misplaced if the government articulates clear safeguards to prevent such misuse.

This is an issue regarding the lack of reciprocal accountability on the part of those who collect, store and provide access to sensitive personal data of citizens. The Act and the regulations place no accountability on the UIDAI to protect the database of personal information provided by citizens. They are silent on the liability of the UIDAI and its personnel in case of non-compliance with the provisions of Section 3 and Chapter VI that require verification and protection of such data. How can this database be the gold-standard for identity if its entries are unverified, fake or fraudulent? Who is responsible? The recent fiasco of the storage and reuse of e-KYC data without permission is also widely known.

Privacy is a broader and more fundamental issue that goes beyond Aadhaar. It raises legitimate questions about the role and responsibilities of the state and other entities that are the custodians of our digital footprints at a time of rapid digitisation of our lives. The finance minister had stated during the debate on the Aadhaar Bill that privacy is a fundamental right, echoing my position in a PIL. The current provisions regarding privacy and data protection under the Aadhaar and the Information Technology Acts are skewed in favour of those who hold our data and place an extraordinary burden on the individual to get justice.

As the world’s largest democracy, soon to be its largest digital democracy, we should lead the world in taking an enlightened approach to balancing our citizens’ right to privacy with our national security considerations. The law minister (who also holds the IT portfolio) has stated that there are enough safeguards in the Aadhaar and the Information Technology Acts. With great respect, he is wrong. I would encourage the government to initiate a discussion on this and not take a rigid position. It is better for the government to take the lead rather than have the courts step in.

Constant change is normal in the digital world. The risks outlined here need to be addressed. There is a real need to be adaptive and changing, especially in the case of evolving Aadhaar from an unverified biometric database into a robust, reliable and authentic national ID platform.

  1. Sundar BN
    Apr 14, 2017 at 4:50 pm
    The GoI told folks to map UIDAI no to PAN. PAN dBASE created much earlier accepted special chars in names while UIDAI created much later for some reason does not. Eg: D'Souza. Now, any III grade back end SQL or Perl coder would realise this problem existed after just looking at the specs for UIDAI and PAN info specific system rqts: that UIDAI barred spl chars while PAN didn't. And the same III grade scripter would have also devised SQLs or even devised some rudimentary algos for, say, a perl script to run thru the dump of the two dBASEs and map the UIDAI no to PAN nos himself. The obviously matching ones, which are the only ones that'd go thru when ornery folks try it personally where there are no cases of two PANs for one UIDAI, would have been easily achieved by that back end SQL feller. With a bit of ingenuity he could have managed even the iffy matches - iffy cos of spl chars. But GoI asked the public to unearth the spl chars issue & become laughing stock of a billion folks.
    Reply
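
The back-end reconciliation the comment above describes, as an added example that is not part of the original page or of any UIDAI or PAN system: names are normalized so that "D'Souza" and "DSouza" compare equal, clean one-to-one matches are linked, and anything with more than one candidate is held for manual review instead of being linked automatically. The identifiers, names and the use of date of birth as a second matching key are assumptions made for illustration.

```python
import unicodedata
from collections import Counter, defaultdict

# Constructed sample rows: (identifier, name, date of birth). All values are made up.
UID_ROWS = [
    ("UID-0001", "DSouza Maria", "1980-02-11"),   # apostrophe rejected at enrolment
    ("UID-0002", "Ravi Kumar", "1975-07-30"),
    ("UID-0003", "OBrien Sean", "1990-01-05"),
    ("UID-0004", "Anita Rao", "1988-12-01"),
]
PAN_ROWS = [
    ("PAN-A", "D'Souza Maria", "1980-02-11"),
    ("PAN-B", "Ravi Kumar", "1975-07-30"),
    ("PAN-C", "O'Brien Sean", "1990-01-05"),
    ("PAN-D", "O Brien Sean", "1990-01-05"),      # second PAN, same person key
    ("PAN-E", "Anita Rao", "1988-11-01"),         # date of birth differs
]

def normalize(name):
    """Fold case, strip accents, and drop everything except letters and digits."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed.casefold() if ch.isalnum())

def link(uid_rows, pan_rows):
    """Return {uid: (status, [pan, ...])}.

    status is one of: exact, normalized, ambiguous, unmatched.
    Only exact and normalized rows are safe to link without human review.
    """
    index = defaultdict(list)
    for pan, name, dob in pan_rows:
        index[(normalize(name), dob)].append((pan, name))
    # Two UID rows sharing one key are as suspicious as two PAN rows sharing one.
    key_uses = Counter((normalize(name), dob) for _, name, dob in uid_rows)
    result = {}
    for uid, name, dob in uid_rows:
        key = (normalize(name), dob)
        candidates = index.get(key, [])
        if not candidates:
            result[uid] = ("unmatched", [])
        elif len(candidates) > 1 or key_uses[key] > 1:
            result[uid] = ("ambiguous", sorted(pan for pan, _ in candidates))
        elif candidates[0][1] == name:
            result[uid] = ("exact", [candidates[0][0]])
        else:
            result[uid] = ("normalized", [candidates[0][0]])
    return result

if __name__ == "__main__":
    for uid, (status, pans) in link(UID_ROWS, PAN_ROWS).items():
        print(uid, status, pans)
```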