An unworkable leaky disaster | Business Standard Column–31.03.2018

In a recent deposition to the Supreme Court in the Aadhaar case, Unique Identification Authority of India (UIDAI) Chief Executive Officer Ajay Bhushan Pandey submitted his Aadhaar records. Rather embarrassingly, he has suffered a 19 per cent failure rate in the past six months. His own system refuses to verify his identity roughly one out of five times.

Pandey has made 26 authentication attempts since November last year. One was with a telecom company, eight with two banks, and the remaining 17 attempts on internal UIDAI servers related to UIDAI EKYC, internal monitoring, and services. Five of these attempts resulted in failure. Four of those attempts used the OTP (one-time password) sent to his registered mobile number, while the fifth failure came from his only attempt to use biometrics.

Multiply a 19 per cent failure rate by a population of 1.2 billion. The number will be mind-bogglingly large. If every Aadhaar user is forced to make a verification attempt once a year, there will be roughly 228 million failures per annum.

Double-digit failure rates are not at all uncommon. One of the petitions in the case refers to failures of authentication under Section 7 of the Aadhaar Act (“Targeted Deliveries of Financial and Other Subsidies Benefits and Services”). There is a failure rate of about 12 per cent under Section 7, amounting to 144.8 million failures so far.

Every false negative or failure in Section 7 authentication makes it likely that somebody has been denied some benefit or subsidy to which she or he is entitled. Every false positive (and we don’t know how many there are) opens the system up to some sort of fraud.

Locking biometrics so as to prevent them from being used for authentication is supposedly safer. But the locking/unlocking of biometrics can only be done via an OTP sent to a registered mobile number. If the biometrics are locked, the only remaining form of authentication is the OTP.

If a handset is stolen or mislaid, or the SIM of the mobile number is cloned, the Aadhaar-holder is open to other forms of cyber-impersonation. Every mobile telecom service provider has a database of hundreds of millions of Aadhaar users, with their Aadhaar numbers linked to registered mobile numbers.

It is not difficult to obtain the details of the individual’s Aadhaar and registered phone number. The entire list of sign-ups was being sold for just Rs 500 a short while ago. It is also not difficult to clone a SIM to generate a registered mobile number. On an average day, 120-odd phones are reported as stolen or lost to the Delhi police. The number across India would be many multiples. SIM-cloning frauds have already occurred.

At the same time, there appears to be a leak per day. The latest exposes a government database that processes applications made for PAN cards using Aadhaar as the ID document. Again, this sort of thing enables even more in the way of cyber-impersonation and fraud.

So let’s recap. The Aadhaar CEO suffers an authentication failure rate of 19 per cent or enjoys a success rate of 81 per cent, if you want a positive spin. Section 7 authentications to disburse benefits and subsidies have a failure rate of 12 per cent — that is why people have starved to death. If you unlock your biometrics, you are open to fraud via moulded plastic fingerprints (yes, these have occurred). If you lock biometrics, you are vulnerable to your phone being lost or stolen, or a cloned SIM authentication attack.

So why is this system still being touted as the best thing since sliced bread? Part of it is the sunk cost. The Bharat Sarkar has pushed a lot of resources into this great experiment and, like any government, is unwilling to admit that it’s become an unworkable leaky disaster.

The second possible reason was explained way back in 2009 by a retired chief of the Intelligence Bureau. In an interview, the former IB chief said Aadhaar was “actually designed to flush out aliens and unauthorised people. With this system, people can be located anywhere because all databases will be connected”. That gentleman is now National Security Adviser.


Twitter: @devangshudatta

via An unworkable leaky disaster | Business Standard Column
