With factors including inaccountability, lack of data, and laxity towards process compliance, The CAG Audit highlights gaping holes in the UIDAI’s functioning
The UIDAI had “not put in place a system for fulfilling the fundamental requirement of identifying residents.
By Usha Ramanathan
In its 13 years of existence, the Unique Identification Authority of India (UIDAI) has been asked to answer just twice—once to the Parliamentary Standing Committee (PSC) in 2010-11, which considered and rejected the project, and then to the Supreme Court, which allowed a power point presentation to substitute for a deep dive into the project. The recent report of the Comptroller and Auditor General of India (CAG) on the UIDAI is somewhat of a landmark. Unlike the PSC which invited inputs from the UIDAI, the government and the public, the CAG worked with information made available to them by the UIDAI, and a missive from MeitY about which all the audit could record, in 20 places, was this: “MeitY agreed (June 2021) with replies of UIDAI to audit observations.” The report is a scathing indictment of the way the project is run, and it confirms the apprehensions that were taken to court. The project claimed that, unlike all other IDs and registers, the UID database would be short on error and high on accuracy. That, the CAG report reveals, has not happened. The documents supporting the information in the database were unreliable, “causing doubts about the correctness and completeness of residents’ data collected and stored by the UIDAI prior to 2016.” By 2016, close to a billion numbers had been generated, “impact(ing) the reliability of the Aadhaar database.” It is not possible to ensure if all those on the UID database are even ‘residents’. A ‘resident’ has to have been in the country for at least 182 days in the 12 months preceding enrolment. The UIDAI had “not put in place a system for fulfilling the fundamental requirement of identifying residents.”
The biggest selling point of the project was ‘de-duplication’. The majority judgment in the UID case opens with an innocent excitement of this promise: “‘Unique makes you the only one’ is the central message of Aadhaar” the judges said. That now seems a highly questionable claim. No less than 145 UID numbers “generated in a day during the period of 9 years since 2010 were duplicate requiring cancellation.” UIDAI could not provide Regional Office-wise data because, they said, “such data was not available to them.” Instances of “issue of Aadhaars with the same biometric data to different residents” were reported. Further, “information like the date of issue of first aadhaar, the date of issue of subsequent aadhaar and the time taken to identify and cancel them were also not provided to audit limiting our scope for further scrutiny of the issue.” The undetected and unreported cases remain unknown.
The much-vaunted use of biometrics was examined. Quoting from the report: “UIDAI … confirmed that biometric mismatch could happen due to reasons such as poor quality of biometric capture at the time of enrolment, improper placement of finger at the time of authentication, entering of incorrect Aadhaar number and device quality issues. UIDAI also stated that as per the approved procedure for enrolment, operators could complete the enrolment even with poor quality biometrics through “forced capture” after four unsuccessful attempts to capture biometric data. It was reported that this procedure was adopted to improve inclusiveness of residents under the Aadhaar programme.” The audit “observed that the UIDAI takes no responsibility for deficient biometric capture and the onus of updating biometric is passed on to the Aadhaar number holders.” And concluded “acceptance of poor-quality biometrics on the plea of expanding the enrolment under the programme and then passing the burden of the updation of biometrics cost to Aadhaar holders did not seem appropriate.” Biometric updates have been growing at an exponential rate—from 594,000 in 2015-16 to 30.4 million in 2020-21. A little over a quarter of these were ‘mandatory updates’, of children who were required to update their biometrics on turning 5, and then 15 years. For the rest, 22.3 million were by those already enrolled but where “events like accidents or diseases” led to biometrics not working, or biometric updating had to be done because of “authentication failures.”
When the challenge to the UID project was still in court, disturbing reports of deaths due to hunger had begun to emerge. Some of them were attributable to biometric problems. A question was asked of the UIDAI chief, who had presented the project in a power point, “What are the figures for authentication failures, both at the national and state level?” The UIDAI chief said, in his written reply, “UIDAI cannot provide authentication failure rates at the state level since it does not track location of the authentication transactions.” At the national level, the ‘failed rate’ was 8.5% for authentication using iris, and 6% using fingerprints. The UIDAI, however, took the burden off their shoulders, passing it on to “requesting entities (who) are obliged under the law to provide for exception handling mechanisms”. Economists and activists have been reporting exclusion from food, work, pension and wages, in good measure because of the problem with biometrics. The audit report is consistent with these reports, and explains why the UID has produced exclusion of those most needing state support.
There have been many questions raised about the Biometric Service Providers (BSP). Why were biometrics being given to foreign agencies to hold, manage, expand, and use? Why the government was not concerned that the source code was with the BSPs? The audit raised another issue when it found that “breaches in the performance benchmarks for biometric services were never penalised.” Children below 5 years are not enrolled with their biometrics which, in the project, is an essential attribute. Why are they being enrolled at all? And money being wasted on it? Why does the UIDAI not have its own personnel? Why does it continuously rely on outsourced people “at the cost of building their own expertise and competence”? What had happened to all the data that had been collected till 2018 on non-registered biometric devices? In just 2017-18 nearly 38.5 billion e-KYC transactions had been undertaken by the UIDAI. Who had retained and otherwise dealt with this data? What was the security of the data with user and services agencies including authentication partners? What about grievance redressal? Was this, and this is a question many have been asking over the years, an experiment on the whole population?
The author is South Asia editor, LEAD Journal; Views are personal