Several media reports have been discussing Aadhaar and its misuse of late. People may have differing views, but it is important that the facts about Aadhaar are clearly understood. I am writing an article that explains some of the basic concepts about Aadhaar while addressing some common concerns observed.
Aadhaar as an identity is familiar, and yet a little different. This leads many people to believe that they understand it completely, when they may still harbor some misconceptions. The UIDAI is in the business of providing only a unique ID to resident of India along with an online verification service. UIDAI is not involved in any service delivery linked with Aadhaar.
The inherent difficulty in understanding Aadhaar (a relatively new concept, only 7 years in the life of utility is young) are two fold:
An easier way to understand Aadhaar:
1. Aadhaar is a pure ID utility, unlike most programmes where the ID is part of some other entitlement (eg Passport, PAN, Election Card) and thus shortcomings in service delivery process are assumed to be shortcoming of the ID system.
The ID system works with its reality and limitations, and the service delivery organisation (be it Bank, PDS, etc) have to recognise this reality and leverage it to the best possible while creating fail-safe mechanism. A easier way to understand Aadhaar is to think of it like a new type of utility like electricity. Just the way electricity can be down (and you keep candles), similarly Aadhaar services will not work in certain situations and the service delivery needs to factor this reality in its service delivery obligation.
Now there can be two approaches - you can choose not to use electricity, or understand how it works and help make life better. Similarly, a service provider must make a decision about how to best use this Aadhaar utility, and manage failures, so that they do not get in the way of service delivery.
A simple example, Aadhaar as part of its inclusive mandate provides identity to people who do not have any fingers & Iris (no biometrics). These people are enrolled through a biometric exception process and are issued Aadhaar numbers with additional checks to prevent fraud and misuse of facility.
Such a person will never be able to do a biometric authentication, may do an OTP authentication, but lets say he/she does not have a mobile phone (since mobile is not mandatory as part of Aadhaar enrolment). This reality exists, it is the responsibility of the service provider (for instance PDS) to build in exception handling, and to be sensitive and inclusive to such scenarios. The exception handling can be done in different ways - service like pre-aadhaar days, use a photo ID verification etc. The critical point will be to monitor the exception handling usage for any misuse with smart auditing.
2. Another major challenge in understanding Aadhaar type ID utility is that there is no comparable utility today in the developed world. The ID system of any country fundamentally begins with its Birth Registry System. In most developing countries including India the birth registry does not have universal coverage. The World Bank in 2008 estimated that only 52.8% of births in India were attended by skilled staff. Recording the unique time and place of birth is the source of uniqueness of a person in a country ID system. In the developed world, where 99% of births are in hospitals, the birth registry system gives those countries their unique ID system without the need for taking any biometrics.
In developing countries like India, not having a robust universal birth registry, there is a need for a national id to find a robust source of uniqueness. The UIDAI selected biometrics for this purpose. The various service agencies in the country can leverage this ID. If the service delivery agency needs to ensure uniqueness in its customer database, they can integrate Aadhaar and remove all duplicates, and ghosts that found their way into the system.
Some of the other common concerns observed are:
A. Exclusion of service due to authentication failure: It is interesting to observe, how in some media reports, every authentication failure is treated as a denial of service. Did someone check if the next authentication transaction success was for the same person and did they get served? Also if someone puts your Aadhaar number and his fingerprint do you want the system to reject or accept. Thus jumping on Aadhaar failure as denial of service is not pragmatic, the context of failure rates, and backup mechanisms needs to be understood.
A person sincerely wanting to understand the reality of "exclusion of service" needs to understand the process of service delivery (Bank, PDS etc) and the data generated by the service provider when providing the service. Aadhaar is may be just one of the authentication protocols used and failure of Aadhaar (False Reject) triggers exception handling protocols with no denial of service.
Many service providers have put in exception handling protocols to deal with scenarios where biometric authentication may not work. For instance, the PDS systems in AP, and in Telangana, make all attempts to bring down biometric errors. When all fail, an official adjudicates to ensure that no one loses out on their food entitlements.
Improving (Reducing) the False Reject Rate
It is important to understand that biometric authentication is not a exact match science. The UIDAI relies on the STQC to certify devices. In the certification process, these devices are tested in the field, with real people (in addition to laboratory testing). Only those devices that provide biometric matches above a certain threshold are considered for certification. Thus each certified fingerprint sensor is able to achieve a true accept rate of over 98% in the field - using 2 finger authentication, with three attempts. Iris sensors have even better results. Service providers should be able to accomplish this, (or close to it).
While the raw authentication failure rates depend on the person, the operator, the quality of capture during enrolment, and many other factors, they can be improved by process.
For fingerprints alone:
|Use of 2 fingers instead of 1 finger for authentication. This alone improves the accept rate significantly, and is simple to implement.|
|Multiple attempts: The acceptance rate also goes up significantly with this method. This is natural field behaviour. If the authentication fails, the person tries again and probability of success improves with every additional attempt. This process is similar to retyping a password to overcome a typing error.|
|Best Finger Detection (BFD): The UIDAI has a process to allow the user to help discover the best fingers to be used for authentication. This also reduces the error rate.|
Allow for an alternate biometric, such as Iris, which has better success rates.
Ensure adoption of a well documented and monitored exception handling process. It could be a physical id card, or an empowered ombudsman. Monitoring the usage of the exception handling protocol is essential to prevent it from becoming a source of fraud.
If the original enrollment data was of poor quality, then the Best Finger Detection (BFD) process can diagnose the problem and recommend a biometric update.
While the UIDAI can, should, and does issue guidance in this regard, it is the responsibility of the implementing agency (service provider) to work towards understanding and decrease the failure rates incorporating efforts described above.
B. Costs versus Benefits, Savings etc: Various numbers are floating on the cost savings, benefits or otherwise. There is no point in my justifying why the number I like is more correct and the number you like is more wrong. Aadhaar was designed to bring efficiency to government service delivery. Apportioning credit from efficiencies is a tough job! However, adoption is growing (because it is seen to work). Aadhaar empowers individuals with a verifiable identity and brings in accountability into every retail transaction with the government. Opposition will come from some of those who benefit from the current system, or from proponents of other potential alternate systems (such as smart cards, which have been leapfrogged).
C. Most of the country already had an Identity: The most common identity before Aadhaar was the electoral ID card (EPIC). However, the EPIC has no guarantee of being unique, is not available to people below voting age, and nor to other residents (many services are available to residents, and not citizens). There is also the issue of duplicates (people move, and get a new EPIC, but do not surrender the old one).
The second most common identity was the ration card. This contains details of the head of the household, and a list of family members, with their ages (not date of birth) at the time of issue! In some states, this includes a photograph of the head of family. This identity document is not recognised beyond the state of issue, and nor is it useful to identify the rest of the family. This system has a gender bias - resulting in a disproportionate number of women without a usable identity. There is also the issue of ghosts, and fakes in this system.
With Aadhaar, the individual members of the family now have their independent identity. Having a portable, online electronically-verifiable Id and one that is accepted across the country's geography creates the necessary value-add to the people.
D. Control of data: You cannot control the data that some of the companies collect about you. Your phone number is in Truecaller (associated with your name), because you are in someone else's phone book. The same is true of many other systems, and none of them is accountable to you. Also, any data that they hold about you is accessible, under various processes, to law enforcement. And as shown by Edward Snowden, it is sometimes accessible without process.
In the case of Aadhaar, the law protects your data. The Aadhaar Act does not allow organisations to use or share your Aadhaar information for any purpose other than its original application. We can demand more such protections and may be best practices of privacy protection from across the globe could be a constructive criticism for Aadhaar.
The recent debates are indeed a result of the system having reached a certain mass, and applications developing rapidly. It would be more useful to have constructive conversations about how we move ahead from where we are now, in ways that protect privacy and personal data.
A colonial hangover means some Indians naturally have a high distrust for their government. Given that Aadhaar is bringing about a large-scale reduction in retail corruption, it is easy to understand that there are many lobbies at play that are maligning the project and feeding the distrust with misinformation to confuse people.
I, like the naysayers, am also a person of this country. I also do not want exclusion, nor do I want big- brother systems. I fully support demands for overarching privacy laws from our representatives and enhanced measures for protecting the privacy of all. If the debate moves in the direction of potential ideas to improve the Aadhaar ID system for stricter privacy, enhanced security, efficient performance, wider inclusion, etc., it'll lead to a constructive effort in the right direction.
(Shrikant Karwa worked on the UIDAI project in its early design and implementation stage. The views expressed here are personal)