The Comptroller & Auditor General's (CAG's) recent report on the management of Aadhaar highlights worrying deficits on the part of the Unique Identification Authority of India (UIDAI) in securing the data of the world's largest biometric identification system. The report notes that the UIDAI was "neither able to derive required assurance" that the information systems of the entities involved in the authentication ecosystem, the requesting entities (REs) and the authentication service agencies (ASAs), were in compliance with its prescribed standards, "nor did it ensure" auditing by the bodies authorised for this. The UIDAI has thus been negligent in a fundamental function entrusted to it: Regulation 12 of the Aadhaar (Authentication) Regulations vests in the identification authority the responsibility to verify the information furnished by REs and ASAs.
While the share of REs audited out of the overall pool went up from 36% in 2016-17 to close to 56% in 2018-19, the share of ASAs audited remained below 50%. As of March 21, an overwhelming proportion of REs were private parties. So, unless there has been substantial improvement over the 2018-19 audit levels, UIDAI's management of data security should raise many red flags. This is not to say that the data security question concerns only private entities; the identification authority should be ensuring that both private and government entities submit to the annual audit process. Even if the UIDAI has discretionary powers to grant exemptions, every use of such power needs to be made public proactively and be based on well-defined benchmarks, as the CAG has noted in its report.
The UIDAI was unable to give assurances on the security of "REs and ASAs accessing and storing" Aadhaar users' personal information through non-registered biometric devices (used prior to April 2018). Similarly, even though the UIDAI mandated, in 2017, dedicated vault storage of all Aadhaar numbers and connected data collected by enlisted entities, with penalties for non-compliance, it could not assure the CAG that the entities involved were adhering to the prescribed procedures. The CAG was of the opinion that the UIDAI had "not established any measures/systems to confirm that the entities involved adhered to procedures and was largely dependent on reports submitted" by the latter. In other words, compliance was self-reported rather than verified. These are egregious examples of the identification authority failing in its responsibility to ensure data security. The CAG report has also flagged the lack of a system to verify an Aadhaar applicant's compliance with the residency requirement under the Aadhaar Act. The large number of cancellations of "duplicate" Aadhaar numbers belies the uniqueness of identity that is at the core of the Aadhaar system, and the large number of voluntary updates of biometric data is evidence of poor quality of enrolment.
There is no denying Aadhaar has been a game-changer for India, manifest in the JAM (Jan Dhan-Aadhaar-Mobile) mechanism helping plug subsidy leakages and better targeting of government benefits. The Aadhaar-enabled Payment System (AePS) has led to greater financial inclusion. The unique ID has even expedited passport services. But there is a need to engender greater public trust. The UIDAI, as the CAG has pointed out, has dropped the ball on several counts, each of which weakens such trust. Apart from course correction, the UIDAI must proactively build trust with greater transparency on its oversight of the ecosystem. The government can play a facilitative role, should it choose to, as Section 50 of the Aadhaar Act enables it to give the UIDAI directions on questions of policy that the authority must comply with. Given that the UIDAI has also sought exemption from the remit of the personal data protection law once it is enacted, it is in the interest of continued public faith in the Aadhaar system that UID-holders are assured of a robust and secure ecosystem.