The Evolution of Aadhaar in India

ASA Research Note

THE EVOLUTION OF AADHAAR IN INDIA

AUTHOR: Ashritha Dsouza PUBLISHED: February 2020 WRITTEN: May 2019

KEYWORDS: Biometrics; Personal Identifiable Information ABSTRACT: The Aadhaar program was envisaged as a biometric-based unique identity number that could improve the delivery of welfare benefits and limit the scope of fraudulent activities. But as the project progressed, it faced challenges from various stakeholders such as government bodies from different levels and citizens This paper analyzes and identifies the gaps in processes and external events of the Aadhaar project and suggests ways to address those gaps.

Over the last several decades, the world has slowly transitioned from traditional paper- based identification systems to digital identification systems. In India, an inability to prove one’s identity was the biggest challenge preventing the marginalized sections in accessing benefits and subsidies given by the government. “Prior to 2010, the landscape of identification in India was fragmented.”1 The previous system of multiple identity documents issued by various Indian government agencies caused complications in the distribution of funds and subsidies, duplication of efforts and extreme inconvenience to individuals. To tackle and address these problems, the Indian government launched the Aadhaar project in 2009. Aadhaar was envisaged as a biometric-based unique identity number that could facilitate citizens’ access to welfare. Since it was thought to be a more reliable identity proof, “the union and state governments made Aadhaar compulsory to avail a series of essential services including opening and accessing bank accounts, passports, cell phone services”2. According to the Unique Identification Authority of India UIDAI, as of 2018, “a total of 121 crore Aadhaar cards have been issued.”3 Since its inception, the rising significance of Aadhaar has been accompanied by a lot of challenges and risks. Initially, the Aadhaar project was supposed to revolutionize the identification mechanism. But as the project progressed, it faced challenges from various stakeholders such as government bodies from different levels, technical partners, citizens and equipment suppliers. Using the traditional operational risk framework, my paper analyzes and identifies the gaps in processes and external events of the Aadhaar project and suggests ways to address those gaps.

External Events: This category identifies the “external issues that could affect the performance”4 of the Aadhaar project. “Aadhaar’s design is based on a centralized database called the Central Identities Data Repository that stores every individual’s demographic and biometric information.”5 Centralized identity databases, however, have been controversial, because of the inherent security risks and policy concerns. There have been multiple reports suggesting bogus and fake entries in the Aadhaar database. Moreover, there is a huge concern over the accuracy of biometrics, since the thumb impression and iris of those who are involved in manual labor could get changed or damaged. Failing the biometric identification test has led to the exclusion from welfare programs of the poor and the homeless. The 2018 UIDAI statistics, which revealed that the Aadhaar project suffered a 12 percent failure rate,6 supports the above point. This indicates that many people equivalent to the population of many countries were denied welfare benefits that they were actually entitled to. The combination of making Aadhaar mandatory and not providing alternatives for establishing identity excluded those it had actually set out to make better off. Furthermore, The Aadhaar Act of 2010 stated that no external entity could request confidential demographic information such as name, address, phone number, etc.7. However, as the ecosystem developed, many companies like Paytm used Aadhaar data to verify customer information. Since there are no specified controls on storage and retention of the data, data collected by such companies through Aadhaar can be accessed by them in the future. Processes: When Aadhaar was being developed and launched, several complex legal questions emerged concerning fundamental and constitutionally guaranteed rights, along with mass surveillance. Due to the outdated legal framework, the privacy and rights of the people, who have enrolled in the system cannot be guaranteed. Individuals may be tracked or put under surveillance without proper authorization using the authentication and identification records in the Aadhaar database. Such records will typically also contain information on the precise location, time, and context of the authentication or identification and the services availed. Additionally, a proper communication channel to report issues in the Aadhaar portal or data breaches has not been communicated to the people. This further leads to non-reporting of vulnerabilities and increases the mistrust of people in Aadhaar. For instance: according to The Aadhaar Act of 2016, only UIDAI authorized officers could file a criminal complaint about violations under the Act. This means that any law-abiding citizen cannot initiate action to report fraudulent activities and would have to completely depend on the UIDAI for any action against fraudulent actors. Another prominent deviation was that photocopies of the Aadhaar card were accepted by security personnel as a proof of identity at railway stations and airports, without

authenticating the data from the UIDAI system. Due to non-implementation of this provision of The Aadhaar Act of 2016, any fraudster with a genuine citizen’s name and Aadhaar number can take such a copy and enter high-security areas. Based on the challenges discussed above, it is clear that the Aadhaar project is not doing well in many dimensions. The below mitigation process uses certain “elements of the Operational Risk Resilience Model”8 to address the gaps in the processes and external events. Awareness and Risk Assessment: This process improves the effectiveness of risk control systems, which helps UIDAI to monitor and minimize ongoing risks. For instance, valid identification mechanisms should be identified in case the Aadhaar authentication fails. There is no hard-and-fast rule for technology to improve its functioning. UIDAI must “develop strategic IT infrastructure which can enable the entire populace to benefit equitably.”9 While the transition phase is being realized, public services should not be affected. Additionally, the Indian government must set up an effective communication channel and address the concerns of its citizens satisfactorily Treatment through Prevention and Detection: The Indian law has always been considered traditionalist in its approach. As the technology infrastructure improves, there is also a greater need to add provisions in the existing laws and create an enabling legal framework for data protection. One of the main components where Aadhaar could have performed significantly better was if the implementation of a Data Protection Act was achieved on time. This could have helped in setting effective data measures and standards and also in maintaining the faith of the citizens of India in the project. Response and Recovery: The response and recovery mechanisms are aimed at containing an event immediately when it occurs. One of the biggest risks, which was identified, was the security of the system. To fortify the security of the system and prevent future data leaks, UIDAI could proactively seek incident reports about flaws or vulnerabilities from consumers. Such reports could help UIDAI address issues in the system, which were not looked at earlier. Also, the data leak through the Aadhaar project highlights the importance of training people to appropriately handle biometric data. This would involve developing a strong compliance framework and ensuring that the officials are knowledgeable about the framework. Aadhaar has added tremendous value to the lives of many Indians, yet in many cases, it has failed to assuage the fear of citizens. The Indian government offers key lessons for governments across the world to incorporate the “best practices” to establish an effective digital identification system.

SOURCES

1 Drumm, C., Pandey, N., Young, C., Wong, J., Koswin, K., & Sardesai, S. “Case study: Aadhar-providing proof of identity to one billion”. Toronto: Munk School of Global Affairs. 2017. 2 HK, V. “SC’s Aadhar Verdict | Privacy vs Identity”. Deccan Herald. 20 Sep 2018. Accessed May 2019 www.deccanherald.com 3 “Around 10 lakh people enrol, update Aadhaar every day: UIDAI”. ET Online. 11 Jul 2018. Accessed May 2019 www.economictimes.indiatimes.com 4 Gordon Proctor & Associates; The Starlsis Corporation; Jeff Roorda and Associates, Inc. “Managing Risk across the Enterprise: Final Quick Guide for State Departments of Transportation.” Transportation Research Board. p-16. 21 May 2015. 5 Bhardwaj, K. “Explainer: Aadhaar is vulnerable to identity theft because of its design and the way it is used”. Scroll.in. 2 Apr 2017. Accessed May 2019 www.scroll.in 6 Sachdev, V. “Aadhaar Authentication for Govt Services Fails 12% of Time: UIDAI”. The Quint. 27 Mar 2018. Accessed May 2019 www.thequint.com 7 Suhag, R., & Chaturvedi, A.. “Comparison of the 2010 and the 2016 Aadhaar Bills” . PRS Legislative Research. 2016. Accessed May 2019 www.prsindia.org 8 Green, P. E.. “Enterprise Risk Management: A Common Framework for the Entire Organization”. Elsevier. p-67.2016. 9 Kumar, A. P.. “Lessons from the World’s Largest e-Identity Program – India’s Aadhaar”. Procivis. 13 Feb 2018. Accessed May 2019 www.procivis.ch