Audit Finds India’s UIDAI “Deficient” in Data Management Practices; Aadhaar Cards Have Gone Unassigned / Missing in the Mail for a Decade

A recent government audit of India’s Unique Identification Authority of India (UIDAI) concluded that the agency’s data management practices have been “deficient” for a long period of time.

Responsible for distributing and maintaining the country’s Aadhaar national ID cards, required for accessing a variety of government services, UIDAI is now being taken to task for failure to have a data archiving system and an alarming rate of Aadhaar cards returned in the mail as undeliverable (among other systemic failings).

UIDAI found to have systemic issues with Aadhaar card distribution and record keeping

Conducted by the Comptroller and Auditor General (CAG), the sweeping audit found a variety of ongoing issues at UIDAI. One of the primary problems is with its biometric database, which is one of the world’s largest. The Aadhaar photo identification cards incorporate fingerprints and iris scans as a security measure, and are mandatory for accessing a broad variety of government services. A national law prevents private companies from asking customers or clients to produce an Aadhaar card, but the audit found that the UIDAI had been using the system to provide authentication services to banks and mobile carriers (among other types of businesses) free of charge through March 2019. Some types of businesses are legally entitled to make use of the UIDAI’s identification system in this way, but the government is supposed to be compensated and the process disclosed to the public.

Another serious data management issue centered on the agency’s complete lack of an archiving policy. Aadhaar has been dogged by authentication issues since it was introduced a little over a decade ago, with citizens sometimes blocked from government services despite having a valid card and identification number. CAG found that ongoing failures to trace and understand these authentication errors could be in no small part attributed to this lack of a data archiving policy along with other inconsistencies in data management.

CAG also took UIDAI to task for repeat failures to simply get people into the system and get cards to those holding valid numbers. At present, some 90% of the country (about 1.2 billion people) is in the Aadhaar system. Some of those who are not in the system are not attempting to opt out; they have applied but have not yet been matched with an Aadhaar number. In some cases data has been collected but has not been matched to a card for as long as 10 years. And a “large number” of Aadhaar cards that have been mailed out have ended up being returned to UIDAI, apparently due to inadequate arrangements with the postal service.

UIDAI also apparently does not have adequate security in place to ensure that the agency’s devices and applications cannot store the personal information of residents in ways that they are not supposed to, creating openings for unauthorized access of the data by employees. This very thing became a major security issue in early 2018 as a rogue government employee appeared online offering to sell the Aadhaar personal information of anyone in the database to any buyer who could produce as little as £6 per record.

The data management issues also apparently extend to verification of residency. Despite being citizens, Non-Resident Indians (NRIs) are required to be in the country for at least 182 days in the prior 12 months to qualify for Aadhaar. However, the audit found that there is no “specific proof, document, or process” in place to ensure that this requirement is met.

Other issues noted in the sprawling 108-page report (which took four years to complete) include Aadhaar cards generated with poor quality biometric components and incomplete information, UIDAI itself failing to engage in mandatory audits, and the creation of multiple cards for the same person due to improper data management. The report found that about 145 duplicate IDs were being generated each day from 2010 to 2019, which then had to be tracked down and canceled after the fact.

UIDAI looking at likely data management reforms

UIDAI’s handling of Aadhaar is likely to face substantial reforms, not just due to the findings of this data management report but also due to ongoing controversy over the constitutionality of making participation mandatory for all citizens.

A September 2018 decision from the country’s highest court upheld the constitutionality of the program, but one of the five judges dissented and opined that it was unconstitutional. This has led to a series of petitions for review of the judgment in the following years. One of the central points of concern is the increasing use of Aadhaar for digital verification purposes, and whether all the associated agencies and private companies processing this information are securing it properly.