Dispelling the haze (of Aadhaar)
AADHAAR PROJECTUSHA RAMANATHAN
Dispelling the haze
That the lawmakers of the country have found themselves in a haze of incomprehension about the UID project, which is being promoted as a “game changer”, is deeply unsettling. VIJAY VERMA/PTI
United Progressive Alliance chairperson Sonia Gandhi presents an Aadhaar ATM card to a beneficiary at the launch of the Delhi Annashree Yojna in New Delhi on December 15, 2012. Chief Minister Sheila Dikshit (left) and UIDAI Chairperson Nandan Nilekani are also seen.
MANY Union Cabinet Ministers are confused about the government’s Unique Identity (UID), or Aadhaar, project. At a Cabinet meeting held on January 31, there was confusion regarding this issue, with some of them reportedly wanting to know whether the UID was a card or a number. This is an attempt to clarify some basic issues about the UID project.
Is the UID a card or a number?
The UID is a 12-digit number. It is not a card. What is sometimes mistaken for a “card” is only the intimation that the issuing authority, the Unique Identity Authority of India (UIDAI), sends to a person who has been allotted a number.
The enrolling agency collects a person’s demographic information —name, address, gender, age, and for children, details of parents/guardian—and captures the biometric information—prints of all 10 fingers, scans of both irises and the photograph of the face.
The UIDAI then has the data “de-duplicated” by cross-verifying them against its database to check whether the person is already enrolled and has been issued a number. Since a person could enrol multiple times with a changed name or address, the accuracy and usefulness of the system depend on biometrics.
The UID is, therefore, a number that is linked to a person’s fingerprints and iris scans on a database.
Do we know for sure that fingerprints and iris are unique and reliable metrics?
The truth is we do not. And this is an area of concern, especially as the UID project seeks to make these the key metrics of a person’s identity.
In February 2010, the UIDAI issued a “notice inviting applications for hiring a biometric consultant”, which contained this candid admission: “While NIST [National Institute of Standards and Technology, the United States agency that studies biometrics technology in the context of its application to public policy] documents the fact that the accuracy of biometric matching is extremely dependent on demographics and environmental conditions, there is a lack of a sound study that documents the accuracy achievable on Indian demographics (i.e., larger percentage of rural population) and in Indian environmental conditions (i.e., extremely hot and humid climates and facilities without air-conditioning). In fact we do not find any credible study assessing the achievable accuracy in any of the developing countries” 1(emphasis added throughout).
Then, between March and June 2010, the UIDAI did a proof of concept (PoC) study of biometric enrolment. The report, uploaded in February 2011, concluded that it had “validated one hypothesis regarding biometric enrolment”—that iris enrolment was “not particularly difficult” and “dramatically improved” accuracy levels and the “accuracy levels necessary for the de-duplication of all residents of India are achievable”. But what sticks out is a paragraph in the report: “The goal of the PoC was to collect data representative of India and not necessarily to find difficult-to-use biometrics. Therefore, extremely remote rural areas, often with populations specialising in certain types of work (tea plantation workers, areca nut growers, etc.) were not chosen. This ensured that degradation of biometrics characteristics of such narrow groups was not over-represented in the sample data collected.” 2
In July 2010, it was reported that a 2005 paper by researchers at the Rajendra Prasad Ophthalmic Institute in Delhi estimated that there were six to eight million people in India with corneal blindness. It further identified the issue of cataract, which resulted from nutritional deficiencies and prolonged exposure to sunlight and ultraviolet rays, and corneal scars caused by injury or infection of the cornea.3These are clearly problems essentially pertaining to the labouring masses, the aged and the disabled.
In March 2012, the UIDAI readied its report, “Role of Biometric Technology in Aadhaar Authentication”. Authentication is the process by which a person’s biometric detail is used to establish or verify his or her identity.
The report dislodges the common assumption that the print of the thumb and the index finger can be used to identify a person. It appears that for 55 per cent of those tested, these fingers did not work as their “best finger”. The report recommends a “Best Finger Detection” process. “The best finger to be used for authentication depends on the intrinsic qualities of the finger (for example, ridge formation, how worn out they are, cracked, etc.) as well as the quality of images captured during enrolment process and the authentication transaction,” it says. The fingers are, therefore, to be labelled green, yellow or red, depending on their suitability for single-finger authentication. In addition, some residents could be determined to be “not suitable for reliable fingerprint authentication”. Those younger than 15 and, more especially, persons above 60 years of age had the highest rates of rejection. This is the shaky foundation on which authentication rests.
The report does not tell us how “biometric exemptions”—that is, people who do not have reliable fingerprints or irises that can be used in enrolment—will be treated. Nor does it spell out an alternative to help secure their identity. Nor, indeed, does it speak of spoofing.
On September 30, 2011, J.T. D’Souza, managing director of SPARC Systems Limited, who works with biometrics equipment and has been following the UID project closely and critically, demonstrated to officials in the Planning Commission how, using some Fevicol and candle wax, he could spoof a fingerprint and use it to authenticate someone else. Officials of the UIDAI said they would look into it, but there is no information on what steps they have taken. 4
What about authentication using iris as a biometric? The “Iris Authentication Accuracy Report” was published in September 2012. It starts with the assumption that “the iris does not get worn out with age, or with use. In addition, iris authentication is not impacted by change in the weather.” The report attributes these assumptions to “iris technology literature”. The part of the claim that requires validation is that there is a part of the human body that neither ages nor withers nor wears out. The fact is that this is a new field of inquiry and there is very little literature on the subject.
Perhaps, the first longitudinal study of the ageing iris as a biometric is found in a Notre Dame University study conducted by two professors, Samuel Fenker and Kevin Bowyer. They state: “Using a large data set of iris images acquired over a three-year period, we have analysed cohorts of irises with images acquired over one, two and three years. We find clear and conclusive evidence that template ageing does occur in iris biometric matching. Specifically, the experimental evidence indicates that the false non-match rate increases with increasing time between acquisition of enrolment image and the image to be recognised. In our results, the false non-match rate increases by greater than 50 per cent with two years of time lapse.” The remedy, they suggest, is to have regular “re-enrolment”. At the time of writing, the implications of re-enrolment are not known.
In the process of the UID project roll-out, it has been reported from Jharkhand that authentication failed in four out of every 10 persons. This is the evidence emerging from the field.
Is UID voluntary?
While marketing the idea, the UID was projected as voluntary and was sold as providing an identity to those who have no other. Since, unlike the ration card or the voter ID, the UID does not have any intrinsic value or purpose, there was little enthusiasm for enrolling for it. This led to a change in tactics. Persons without UID are now facing the threat of denial of services. The UIDAI has been involved in the process of making UID mandatory. There is a push to make UID essential for getting rations, accessing banking services and getting gas connections and refills; for school admissions in the economically weaker section (EWS) category, registration of marriages and property transactions; and for getting caste certificates. And, if the Chief Secretary of Maharashtra were to have his way, even making an application under the Right to Information (RTI) Act would need the UID. This aggressive push seems to be based not on the usefulness of the UID to the system, but rather to drive the enrolment process.
The fact that the UID has such a low penetration even in the districts that have been selected for the roll-out of UID-linked cash transfers (in lieu of direct subsidies) must be understood in this context.
Is there a law that governs the UID project?
No. However, there is an executive order for the establishment of the UIDAI within the Planning Commission. On December 3, 2010, over two months after the project had begun to collect and process personal data, the National Identification Authority of India Bill, 2010, was introduced in Parliament and referred to the Standing Committee on Finance (SCF). The SCF gave its report in December 2011. SCF members, cutting across party lines, found the Bill severely inadequate and recommended that the UID project be taken back to the drawing board.
The SCF found it “unethical and violative of Parliament’s privileges” to proceed with the project when lawmaking was still under way. It commented adversely on the conflation of the “resident” and the “citizen”. The UID scheme, it said, had “been conceptualised with no clarity of purpose… leaving many things to be sorted out during the course of its implementation” and “is being implemented in a directionless way with a lot of confusion”. The “collection of biometric information and its linkage with personal information of individuals” without amending the Citizenship Act and Rules “appears beyond the scope of subordinate legislation, which needs to be examined in detail by Parliament”.
It was scathing about the project, which “continues to be implemented in an overbearing manner without regard to legalities and other social consequences”. On voluntariness, it said: “Although the scheme claims that obtaining Aadhaar number is voluntary, an apprehension is found to have developed in the minds of people that in future, services/benefits, including food entitlements, would be denied in case they do not have Aadhaar number.”
It cited the United Kingdom’s experience with the National ID project regarding the huge cost; the complexity; the untested, unreliable and unsafe technology; and the possibilities of risk to the safety and security of citizens.
The SCF recognised that the UID project “facilitates the UIDAI and the registrars to create database of information of people of the country. Considering the huge database size and possibility of misuse of information”, it said, “…and in the absence of data protection legislation, it would be difficult to deal with the issues like access and misuse of personal information, surveillance, profiling, linking and matching of databases and securing confidentiality of information, etc”.
On September 28, 2010, seventeen eminent persons, including Justice V.R. Krishna Iyer, Romila Thapar, Justice A.P. Shah, S.R. Sankaran, Aruna Roy, K.G. Kannabiran and Bezwada Wilson, issued a statement in which they said that before the UIDAI went any further, it was imperative to do a feasibility study and a cost benefit analysis, engage experts to study its constitutionality, put a law of privacy in place, and have an informed public debate before any major changes are introduced. In the meantime, they said, the project should be halted. The SCF echoed these concerns.
The SCF found the UID project to be “full of uncertainty in technology as the complex scheme is built upon untested, unreliable technology and several assumptions. Further, despite adverse observations by the UIDAI Biometrics Standards Committee on error rates of biometrics, the UIDAI is collecting the biometric information.”
Relying on registrars to ensure that only genuine residents are enrolled, the SCF said, “may have far-reaching consequences for national security”.
There is still no law, and the UIDAI continues to function in a legal vacuum.
What is the link between the National Population Register (NPR) and the UID?
The NPR is under the Citizenship Act and is a prelude to creating a National Citizen’s Register. The Registrar General of India is responsible for carrying out this task. It is an attempt to establish who is a citizen and who is not and to control infiltration and the entry of illegal immigrants.
The 2003 Rules authorise the collection of only 15 fields of data, and fingerprinting and scanning of irises are not among them. This means that what has been done so far in the NPR process is in violation of the law. The NPR has not itself studied biometrics but has merely gone along with the UID.
The notification that set up the UIDAI within the Planning Commission gave it the mandate to “generate and assign UID” to “residents”, to maintain the database and to work on ways in which user/implementing agencies may use the UID, for instance, for the delivery of various services. It was also to “take necessary steps to ensure collation of NPR with UID (as per approved strategy)”. The expansion of its mandate happened at a meeting of the Cabinet Committee on the UID, which was constituted after Nandan Nilekani, former chief executive officer of Infosys, was appointed the UIDAI Chairperson. Nilekani was extended permission initially to enrol 10 crore people, which was later increased to 20 crore. It was increased further to 50 per cent of the population after the Home Ministry in January 2012 agreed on an information-sharing agreement with the UIDAI.
The duplication in what the NPR and the UIDAI are doing is one of the unresolved areas.
UID and outsourcing.
The UID project relies on a large number of enrollers who, in turn, are dependent on “introducers” and “verifiers” to help enrol those without IDs. And these have proved to be severely compromised. The issuance of a UID number to “Kothimeer [coriander], s/o Palav, Gongura tota, Mamidikaya vuru [raw mango village, in Telugu]” with the photograph of a mobile phone was only an extreme manifestation of the deficiencies that have shown up. 5
One criticism has been that every time a problem crops up with the technology, or despite it, it is sought to be overlaid with another layer of technology, adding to the costs and introducing one more experiment to the project. So, for instance, when fingerprints seemed an inadequate metric, iris scan was added as an additional metric; a Global Positioning System (GPS) was attached to enrolment equipment after an episode in Hyderabad revealed large-scale enrolment of non-existent people. The investigations in the case are still on.
Scanning for Biometric Information for the Aadhaar project in progress at the Christ Nagar Senior Secondary School in Thiruvallam, Kerala, on February 16, 2012.
The NPR uses the method followed by the Census, where the enumerators have a responsibility to locate and reach persons to be enrolled.
The potential for exclusion is inherent in both processes.
Who holds the data collected?
The 2009 notification says that the UIDAI “shall own and operate UID database”. The standing committee cited the National Information Centre’s (NIC) concern that the “issues relating to privacy and security of UID data could be better handled by storing [them] in a government data centre”, indicating that it is not currently with the government but “owned” by the UIDAI.
In its Strategic Overview document (2010), the UIDAI had set out a revenue model by which it could become self-sufficient and begin to earn a reasonable profit through selling its authentication services, after which it would not be dependent on government resources. The report of the Technology Advisory Group on Unique Projects (TAG-UP, July 2011), chaired by Nilekani, promotes the idea of National Information Utilities (NIU). These will be “private companies” acting in the “public interest” and will be “profit-making” but not “profit maximising”. Data held by the government is to be handed over to these private companies, which will then use them for profit-making. The 2012-13 Budget adopted the NIU model of data management in relation to the Goods and Services Tax (GST). The UIDAI, too, seems to be moving in that direction, where it will acquire the character of an NIU.
This is deeply disturbing, for it will mean that our data will become the property of a company, which may then do data mining and use data as an asset to make money.
Why have there been concerns about the companies involved in the project?
Since the early days of the project, alarm bells have been rung about the involvement of companies such as L-1 Identity Solutions and Accenture. These companies have a close relationship with the intelligence establishment in the United States. L-1 Identity Solutions has been doing a lot of work for the Central Intelligence Agency (CIA). It has even had George Tenet, an ex-CIA chief, on its board. Accenture has been partnering the Department of Homeland Security in the U.S. in its Smart Borders Project. L-1 Identity Solutions has recently been bought by Safran, a French company in which the French government is a large shareholder.
In reply to an RTI query about these companies, the UIDAI said: “There are no means to verify whether the said companies/organisations are of U.S. origin or not. As per our contractual terms and conditions, only the companies/organisations who are registered can bid” (reproduced in an appendix to Mathew Thomas (ed.), UID is not yours, 2012).
These leave unanswered disturbing questions about the security and confidentiality of a population-wide database.
Has any other country got a project such as this?
No. In fact, the UIDAI prides itself that nowhere in the world is there such a project, on such a scale and on the basis of a biometric database. This, alongside the experimental stage in which biometric enrolment, de-duplication and authentication are at this point, has given rise to concerns that this is a massive experiment on the population of India.
None of the countries in the developed world has accepted biometric identity even as developing countries are encouraged to adopt it.
The George W. Bush administration considered a biometric database when it enacted the Real ID Act in 2005. But it realised the impracticalities of the project, especially in depending upon biometric stability and accuracy across the swathe of population, and across time, and so shelved it.
In Australia, an Access Card for health and welfare benefits was abandoned in 2007, two years after it was started, after protests that raised concerns about privacy, identity theft and disclosure of information.
In the U.K., when the David Cameron government jettisoned the biometric ID project, the Home Secretary explained that this was done because the government was the servant of the people and not their master, and that the project would constitute “intrusive bullying”.
What are the costs of the project?
The direct costs are expected to reach Rs.15,000 crore in this phase of the project. This does not include the cost to the enrollers, the registrars, the time and resources spent by non-governmental organisations (NGOs), administrators and the people enrolling, or the costs of authentication equipment. There is also the cost that is generated in shifting to the UID system, and the cost of failure, both to the individual and to the system. The savings are hypothetical and so far unsubstantiated.
Vijay Unni, former Registrar General of India, has asked why, when the complete Census exercise is carried out at a cost of about Rs.2,000 crore, the UID project cost, at many times that amount, is being borne without question.
Will the UID help in reducing leakage and reduce subsidies?
If de-duplication works, perhaps it will help eliminate duplicates and ghost entries in various databases. If there is a linking of databases and profiling of persons, those not entitled to subsidy may get identified.
But, as academics and activists advocating right to food have argued, given the rates of hunger and child malnourishment in India the country needs to worry about under-inclusion.
The only attempt at calculating the savings that the UID may effect can be found in a document produced for the Planning Commission by the National Institute of Public Finance and Policy (NIPFP). 6 The study, funded by the UIDAI, relies on patchy data since “the present state of knowledge does not permit precise quantification of the gains”. And “many of the gains from Aadhaar are difficult to quantify as they are intangible”.
In effect, we do not know the effect UID will have on subsidies and leakages.
What are the other anxieties that dog this project?
The convergence of databases and profiling of individuals is a serious concern, and the “seeding” of the UID number in various databases accentuates the problem.
A recent report says that Apollo Hospitals is spearheading an initiative to link the health records of patients with the Aadhaar identification system, raising questions about confidentiality of health data. Linking up the Socio-Economic and Caste Census and the voter ID to the UID will breach the protection that anonymity provides.
The rush into UID-linked cash transfer has given rise to the belief that this is only to help the UID quicken its pace of enrolment which, the UID website reveals, had slumped. And, the cost of failure has not even been considered.
That the lawmakers of the country have found themselves in a haze of incomprehension about a project that is being promoted as a “game changer” is deeply unsettling.
Usha Ramanathan works on the jurisprudence of law, poverty and rights.
4 D’Souza’s demonstration at the Press Club Mumbai can be viewed at:https://www.youtube.com/watch?v=0a96L_SphR4--
Peace Is Doable