AI News, India’s Big Bet on Identity

India’s Big Bet on Identity

Construction, such as the concrete supports of the new metro rail line that looms overhead, causes detours everywhere, and in spots the entire road abruptly disintegrates into gravel.

This is the road to Electronic City, an oasis of glass and steel high-rises overlooking pristine black asphalt paths that snake through the perfectly manicured lawns of tech companies like Wipro, IBM, and Infosys Technologies.

By the most conservative estimates, at least a third of the country’s 1.2 billion citizens live below the poverty line and outside the formal economy.

The UIDAI is expected to connect those hundreds of millions of people to government programs, save public money, reduce fraud and corruption, and foster new business opportunities—all by creating an unprecedented biometric system.

This project marries these two worlds.” UIDAI plans to use fingerprints and iris scans to assign every person in the country a unique 12-digit ID number that can be verified online.

In India the project is called Aadhaar, which means “foundation” or “support,” because it’s meant to be a fundamental technology platform that will enable dozens of new public and private services to be created.

It’s easy to list major challenges: How exactly do you collect biometrics from every single person in the world’s second most populous country, especially those living at the margins?

Earlier this year, the whole scheme seemed in imminent danger of collapse, when a parliamentary committee killed the bill that would have given the program statutory authority, and a political turf war erupted between the UIDAI and the National Population Register, another government project collecting biometrics for the national census.

But by late January the two sides had reached an agreement to share biometric data collection, and Aadhaar is once again moving full steam ahead with a new mandate and an estimated budget this year of 15 billion rupees [PDF] (about US $300 million).

India spends about 2 percent of its gross domestic product on social programs like the Public Distribution System, which provides subsidized rice, wheat, and other staples, and a rural employment scheme that guarantees 100 days of work.

But all such programs suffer from severe ­“leakage”: According to the World Bank, corrupt officials and middlemen siphon away 59 percent of the money before it reaches the intended recipients.

One Friday after midnight, I watch dozens of families wait patiently in a municipal building where only half the lights are on and there’s always a baby crying.

Now his 7-year-old daughter dozes on his wife’s shoulder as the whole family waits another half an hour for the enrollment agent to return from a break.

The UIDAI outsources enrollment to “registrars”—often state governments or banks—which in turn hire accredited agencies to actually set up and staff the centers.

UIDAI says that an average station (see photos, “Necessary Gear”) can process each enrollment in under 10 minutes, but in the days I spent observing, it wasn’t uncommon for the process to take twice as long.

In addition to a simple quality check, the software looks for self-consistency—for instance, verifying that each fingerprint isn’t coming from the operator or another recently enrolled resident and that all 10 fingerprints and two irises are distinct from each other.

If something goes wrong in a biometric capture, the software tells the operator how to correct it—for instance, it can distinguish between a facial photo that’s too dark and one in which the person was photographed at the wrong angle.

For example, when the UIDAI began enrolling people in the Punjab region of North India, where many men wear long beards and large turbans, enrollment agents had a hard time taking a photo that the software considered acceptable: The turban would be interpreted as an unacceptable background, or the automatic cropping feature would crop around the turban instead of the face.

At the end of each day, all the encrypted enrollment data are stored on USB flash drives, and the drives are transported to a place with Internet access so the data can be uploaded to UIDAI’s servers.

In order to issue 1 million Aadhaar numbers in a single day, the current maximum rate, the data center must conduct 100 trillion person matches.

Rather than hiring a single firm for the job, it awarded the project to three contractors, each responsible for processing a portion of the enrollments, with the overlapping records used to compare performance between the systems.

This arrangement lets the UIDAI know if a system isn’t working correctly and also gives the companies a financial incentive to improve their software—they’ll get to process more records, and get paid more, if their products perform better.

There are two primary factors that determine the accuracy of a biometric system: the false-positive rate, which in this case is how often a newly registered person is incorrectly judged to be already enrolled, and the false-negative rate, which is how often true duplicates are not recognized as such.

To measure the false-positive rate, the UIDAI tested 4 million unique records against a subset of the enrollment database containing 84 million records: Of the unique records, 2309 were falsely rejected, for a false-­positive rate of 0.057 percent.

Several full-time employees manually review the roughly 0.2 percent of cases that the software can’t handle, resolving errors and looking for evidence of fraud.

Now that the UIDAI has shown it can collect biometric and demographic data and eliminate duplicate enrollments, much of the attention will shift to the authentication system, where people can prove their identity with just the swipe of a finger.

Here’s how such a futuristic system might work: Walking up to a wirelessly connected terminal at a local shop, a person will type in his name and Aadhaar number, and then he’ll scan his fingerprints.

Take India’s vaunted mobile-phone culture: Phone companies are currently required to collect and retain significant documentation for every person they sell a SIM card to, as I found out in the two days I spent collecting the photos and local references I needed to get one myself.

“If you look at any service provider, they’re not going to offer the mobile-phone service unless they verify who you are,” says Bala Parthasarathy, an entrepreneur who worked in Silicon Valley but came back to India to volunteer on the project for a year.

But the downside of being so inclusive is that as the project matures, it may be difficult to keep all the interested parties happy, and there’s bound to be disappointment if the project fails to achieve all its lofty ambitions.

India’s biometric programme is putting the identities of a billion people at risk

When Infosys co-founder Nandan Nilekani shepherded the Aadhaar programme into existence at the turn of the decade, the motivation was to ensure better delivery of subsidies and government schemes, and avoid duplicates from cashing in.

Over time, telecom companies, banks, insurers, and other corporates also began using Aadhaar to verify identities, supposedly to prevent fraud.

Under the Narendra Modi government’s watch, the platform has expanded from an authentication tool into a master database of sorts that is now being used to check the veracity of other databases.

And as its implementation has widened in recent months, Aadhaar has now almost become something of a coercive instrument, with service providers compelling citizens to link their biometric information, while concerns persist over the vulnerability of data on the platform.

On Jan. 03, Rachna Khaira, a journalist with The Tribune newspaper, published a report detailing how she paid just Rs500 ($7.84) to buy Aadhaar data from an anonymous seller over WhatsApp—something the UIDAI denied was a result of failed security.

Two days after the article was published, the UIDAI filed a first investigation report (FIR) not just against the people selling the data but also against Khaira herself.

To prevent future breaches, the UIDAI, on Jan. 09, revoked access for around 5,000 designated officials—both government and private operators—who were involved as intermediaries in the ecosystem.

In March 2017, a police complaint was filed against Sameer Kochhar, head of Gurgaon-based think-tank Skoch Development Foundation, for sharing a video demonstrating how unauthorised transactions were taking place via the replay of stored biometrics.

In the same month, an FIR was filed against a CNN-News 18 journalist who conducted a sting operation to obtain two separate Aadhaar enrollment numbers with the same set of biometrics.

“More personal information available in the public domain including phone numbers, addresses and date of birth…every additional piece makes it easier to engage in identity fraud,”

The Modi government is aggressively pushing for the introduction of Aadhaar into as many of services and systems as possible, finding legal covers “to ensure mandatory compliance of what started off as a voluntary programme,”

Further, the government made it mandatory to link mobile numbers to Aadhaar, based on NGO Lokniti Foundation’s findings that unverified SIM cards were being misused and posed a major threat to national security.

But in light of a slew of cases pending in the supreme court challenging this mandatory linking, the government extended the deadline to March 31, 2018.

A five-judge constitution bench of the supreme court, led by chief justice Dipak Misra, will conduct the final hearings on the validity of the Aadhaar scheme, challenged in 24 separate petitions, beginning on Jan. 17.

The World's Largest Biometric ID System Keeps Getting Hacked

Critics of India’s Aadhaar—the world’s largest biometric identification system—have been vocal about its infrastructural flaws for years.

Aadhaar data includes fingerprints, retina scans, names, addresses, and phone numbers through which SIM cards can be purchased, and important government services and bank accounts can be accessed.

“These are small little bumps which have been over magnified.” Ultimately, Aadhaar’s supporters champion the program as a way for the poor to easily obtain government subsidies, pensions, and food rations by using their fingerprints as ID.

In August, the country’s Finance Minister Arun Jaitley described the linking of bank accounts to Aadhaar and mobile phone accounts as “nothing short of a social revolution.” Modi, of Lucideus, agrees: “Let’s not forget this touches a billion people and there is no parallel program like this anywhere on the planet,” he said.

But in the meantime, Aadhaar is essentially becoming de facto compulsory, with more and more people linking it to services like bank and mobile phone accounts out of a fear of getting cut off from those accounts.

“Basically [the government, phone companies and banks are] completely dependent on the confusion,” Meghnad said, adding that, because people think the program is compulsory, they sign up for it and associate many of their accounts with it: “People panic and they’re like, ‘Oh my god, we have to link it now, it’s mandatory.’” In response to the ongoing pressure to jump on the Aadhaar train, Meghnad and Jonnalagadda launched speakforme.in, through which citizens can email Members of Parliament, banks and telephone companies about their concerns.

Still, the UIDAI’s decision over the weekend to file a police report against The Tribune and the reporter who broke the story, has been seen by many as “an attack on freedom of the press.” Jonnalagadda agrees and says this isn’t the first time the UIDAI has filed a police report against a journalist for exposing weaknesses in Aadhaar’s infrastructure.

Enrolment Update Ecosystem

Appointment of multiple registrars, multiple enrolment agencies, and multiple technology providers has created an environment of healthy competition within.

Since the authentication service is provided online and in real-time, the UIDAI has also established two data centres where authentication and other online services such as e-KYC are deployed in active-active mode to ensure high availability.

Banks and payment network operators have embedded Aadhaar authentication into micro-ATMs in order to provide branch-less banking anywhere in the country in a real-time, scalable and interoperable manner.

Aadhaar

The data is collected by the Unique Identification Authority of India (UIDAI), a statutory authority established in January 2009 by the Government of India, under the jurisdiction of the Ministry of Electronics and Information Technology, following the provisions of the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016.[1] Aadhaar is the world's largest biometric ID system, with over 1.19 billion enrolled members as of 30 November 2017,[3] representing over 99% of Indians.[4] World Bank Chief Economist Paul Romer described Aadhaar as 'the most sophisticated ID programme in the world'.[5] Considered a proof of residence and not a proof of citizenship, Aadhaar does not itself grant any rights to domicile in India.[6] In June 2017 the Home Ministry clarified that Aadhaar is not a valid identification document for Indians travelling to Nepal and Bhutan.[7] Aadhaar has been compared to the Social Security number of the United States, although Aadhaar has more uses and fewer safeguards.[8] Prior to the enactment of the Act, the UIDAI functioned, since 28 January 2009, as an attached office of the Planning Commission (now NITI Aayog).

On 23 September 2013 the Supreme Court issued an interim order saying that 'no person should suffer for not getting Aadhaar',[12] adding that the government cannot deny a service to a resident who does not possess Aadhaar, as it is voluntary and not mandatory.[13] The court also limited the scope of the program and reaffirmed the voluntary nature of the identity number in other rulings.[14][15][16][16][17] On 24 August 2017 the Indian Supreme Court delivered a landmark verdict affirming the right to privacy as a fundamental right, overruling previous judgments on the issue.[18] As of November 2017 a five-judge constitutional bench of the Supreme Court is yet to hear various cases relating to the validity of Aadhaar[19] on various grounds including privacy, surveillance, and exclusion from welfare benefits.

The court said that the final hearing for the extension of Aadhaar Linking Deadlines will start on 17 January 2018.[20] Some civil liberty groups such as the Citizens Forum for Civil Liberties and the Indian Social Action Forum (INSAF) have also opposed the project over privacy concerns.[21][22][23] Despite the validity of Aadhaar being challenged in the court, the central government has pushed citizens to link their Aadhaar numbers with a host of services, including mobile sim cards, bank accounts, the Employee Provident Fund, and a large number of welfare schemes including but not limited to the Mahatma Gandhi National Rural Employment Guarantee Act, the Public Distribution System, and old age pensions.[24] Recent reports suggest that HIV patients have been forced to discontinue treatment for fear of identity breach as access to the treatment has become contingent on producing Aadhaar.[25]

framing policies and procedures for updating mechanism and defining usage and applicability of UIDs for delivery of various services, among others.[26] The number is linked to the resident's basic demographic and biometric information such as a photograph, ten fingerprints and two iris scans, which are stored in a centralised database.[27] The UIDAI was initially set up by the Government of India in January 2009, as an attached office under the aegis of the Planning Commission via a notification in the Gazette of India.[26] According to the notification, the UIDAI was given the responsibility to lay down plans and policies to implement the UID scheme, to own and operate the UID database, and to be responsible for its updating and maintenance on an ongoing basis.

The UIDAI data centre is located at Industrial Model Township (IMT), Manesar[28], which was inaugurated by the then Chief Minister of Haryana Mr. Bhupendra Singh Hooda on 7 January 2013.[29] Starting with issuing of first UID in September 2010, the UIDAI has been aiming to issue an Aadhaar number to all the residents ensuring that it is robust enough to eliminate duplicate and fake identities, and that the number can be verified and authenticated in an easy and cost-effective way online anywhere, anytime.[30] In a notification dated 16 December 2010 the Government of India indicated that it would recognise a letter issued by the UIDAI containing details of name, address, and Aadhaar number, as an official, valid document.[31] Aadhaar is not intended to replace any existing identity cards, nor does it constitute proof of citizenship.[32] Aadhaar neither confers citizenship nor guarantees rights, benefits, or entitlements.[33] Aadhaar is a random number that never starts with a 0 or 1, and is not loaded with profiling or intelligence that would make it insusceptible to fraud or theft, and thus provides a measure of privacy in this regard.

It was a substantial increase from the previous year's allotment of ₹15.50 billion (US$240 million).[73] Also in July, it was reported that UIDAI would hire an advertising agency and spend about ₹300 million (US$4.7 million) on an advertising campaign.[74] On 10 September 2014 the Cabinet Committee on Economic Affairs gave approval to Phase V of the UIDAI project, starting the enrolment process in Uttar Pradesh, Bihar, Chhattisgarh, and Uttarakhand.[75] The Union Cabinet allocated ₹12 billion (US$190 million) to the project in order to reach the target of 1 billion enrolments by the end of 2015.[76] On 5 July 2015 finding the experience with DBT scheme in LPG 'very encouraging', with a reported savings of ₹127 billion (US$2.0 billion) to the public exchequer this year, Jaitley said, 'If we can realize the government's JAM—Jan Dhan, Aadhaar, Mobile—vision we can ensure that money goes directly and more quickly into the pockets of the poor and from the savings we achieve, we can put even more money for the poor.

The savings to the government were to the tune of ₹127 billion (US$2.0 billion) in 2014–2015.[92] The success of the modified scheme helped fuel marketing companies save almost ₹80 billion (US$1.2 billion) from November 2014 to June 2015, said oil company officials.[90] The DBT for the public distribution system (PDS) will be rolled out in September 2015.[92] The government's own data, however, suggest that the cost of implementing the DBT for LPG was over a million dollars, a figure quite at odds with the savings figures that the government cites.[93] Prime Minister Modi has asked for integration of all land records with Aadhaar at the earliest, emphasising at his monthly PRAGATI (Pro-Active Governance And Timely Implementation) meeting on 23 March 2016 that this was extremely important to enable monitoring of the successful implementation of the Pradhan Mantri Fasal Bima Yojana or crop insurance scheme.[94] In July 2014 Aadhaar-enabled biometric attendance systems were introduced in government offices.

The public could see the daily in and out of employees on the website attendance.gov.in.[95][96][97] In October 2014 the website was closed to the public but as of 24 March 2016 is again active and open to public access.[98] The employees use the last four digits (last eight digits for government employee registering as of August 2016) of their Aadhaar number and their fingerprints, for authentication.[99] Technological glitches with the system have, however, meant that employees have to often spend In November 2014 it was reported that the Ministry for External Affairs was considering making Aadhaar a mandatory requirement for passport holders.[100] In February 2015 it was reported that people with an Aadhaar number would get their passports issued within 10 days, as it sped up the verification process by making it easier to check if an applicant had any criminal records in the National Crime Records Bureau database.[101] In May 2015 it was announced that the Ministry of External Affairs was testing the linking of passports to the Aadhaar database.[102] In October 2014 the Department of Electronics and Information Technology said that they were considering linking Aadhaar to SIM cards.[103] In November 2014 the Department of Telecom asked all telecom operators to collect Aadhaar from all new applicants of SIM cards.[104] On 4 March 2015 a pilot project was launched allowing Aadhaar-linked SIM cards to be sold in some cities.

The Digital India project aims to provide all government services to citizens electronically and is expected to be completed by 2018.[105][106] In July 2014 the Employees' Provident Fund Organisation of India (EPFO) began linking provident fund accounts with Aadhaar numbers.[35] In November 2014 the EPFO became a UIDAI registrar and began issuing Aadhaar number to provident fund subscribers.[107] In December 2014 Labour Minister Bandaru Dattatreya clarified that an Aadhaar number was not necessary for any provident fund transaction.[108] In August 2014 Prime Minister Modi directed the Planning Commission of India to enrol all prisoners in India under the UIDAI.[109] In December 2014 it was proposed by the Minister for Women and Child Development, Maneka Gandhi, that Aadhaar should be made mandatory for men to create a profile on matrimonial websites, to prevent fake profiles.[110] In July 2015 the Department of Electronics and Information Technology (DeitY) called a meeting of various matrimonial sites and other stakeholders discuss the use of Aadhaar to prevent fake profiles and protect women from exploitation.[111] On 3 March 2015 the National Electoral Roll Purification and Authentication Programme (NERPAP) of the Election Commission was started.

It had an estimated ₹9 billion (US$140 million) value but had been allotted to the UIDAI at a very cheap rate.[136] The issue of constructing the UIDAI HQs and UIDAI Regional Office building in Delhi was resolved with Department of Telecom (DoT), following which the Ministry of Urban Development issued a notification on 21 May 2015 clearing the titles of the land in favour of the UIDAI, including projected land use.[137] In an August 2009 interview with the Tehelka, former chief of the Intelligence Bureau (IB), Ajit Doval, said that Aadhaar was originally intended to flush out illegal immigrants, but social security benefits were later added to avoid privacy concerns.[138] In December 2011 the Parliamentary Standing Committee on Finance, led by Yashwant Sinha, rejected the National Identification Authority of India Bill, 2010, and suggested modifications.

In theory, this means that is possible to create a false Aadhaar card using the number of a genuine holder from the same postal code with the same gender, with the card subject to a number of cases of counterfeiting.[149] The digital document itself is self-signed by a non-internationally recognised certificate authority (n)Code Solutions, a division of Gujarat Narmada Valley Fertilizers Company Ltd (GNFC)[150] and needs to be manually installed on the PC.[151] This is despite Entrust assisting in the development of the solution.[152] While the service is free for citizens, some agents have been charging fees.[153] Despite the modern processes, there are cases where enrolments are lost in the system without explanation.[154] mAadhaar is an official mobile application developed by the UIDAI to provide an interface to Aadhaar number holders to carry their demographic information including name, date of birth, gender, and address along with photograph as linked with their Aadhaar number in smartphones.[155] In one case, every resident in a village in Haridwar was assigned a birthday of 1 January.[156] Documentary proof may be difficult to obtain, with the system requiring documents such as bank accounts, insurance policies, and driving licences that themselves increasingly require an Aadhaar card or similar documentary evidence to originate.[157] This may lead to a significant minority underclass of undocumented citizens who will find it harder to obtain necessary services.[158] Introducers and Heads of family may also assist in documentation;

Wikileaks tweeted on 25 August 2017 that the same American supplier of fingerprint and Iris scanning equipment that collaborated with the CIA to identify Osama Bin Laden was also supplying equipment to India.[171] The complex structure of ownership is detailed in an article in Fountainink.in[172] Concerns were raised as early as 2011 in the Sunday Guardian regarding not following due process and handing over contracts to entities with links to the FBI and having a past history of leaking data across countries.[173] How the CIA can hack and access the Aadhaar database using a secret Expresslane project is documented in a report on the GGInews website[174] and saved in an archive lest it be removed.[175] Further communications have also identified the clauses under which data may have freely flowed to foreign agencies due to the nature and wordings in the Aadhaar contracts[176] and archived here.[177]