Aadhaar is falling behind on technology, missing out on confidentiality, and has gaps in its data archiving policy and in preserving confidentiality in the delivery of the cards to people, says a report by the Comptroller and Auditor General of India (CAG).
The performance report, ‘Functioning Of Unique Identification Authority Of India’, tabled in Parliament on the last day of the budget session, notes that assigning a unique identity to all resident Indians was supposed to be the key feature of Aadhaar. But “There were instances of issue of Aadhaar with the same biometric data to different residents indicating flaws in the de-duplication process and issue of Aadhaar on faulty biometrics and documents”. It says close to half a million such records had to be cancelled by the Unique Identification Authority of India (UIDAI) up to 2016.
Standards have improved since then. “Though UIDAI has taken action to improve the quality of the biometrics and has also introduced iris based authentication features for enrolment for Aadhaar, the database continued to have faulty Aadhaars which were already issued”.
The national auditor has advised UIDAI to “improve its technology” and improve the way the numbers are generated to “minimise multiple/duplicate Aadhaar numbers generated”.
For years, advocates for and against Aadhaar have argued over the plan to offer a unique identity to all Indians. Those against have pointed to the possible violation of privacy and the possibility of data theft as the two major arguments for their demand to roll back Aadhaar.
The CAG has not made any comments on the issue of privacy. It has instead noted that the Aadhaar database has since reached 1.29 billion by March 2021 and “is considered as one of the largest biometric based identification systems in the world. Aadhaar is now established as an important identity document for residents”.
The CAG has shown up various weaknesses in the technology and delivery platforms of Aadhaar and suggested drastic improvements in their functioning to ensure that the second possibility, that of data theft, is minimised.
For instance, it has pointed out that “All Aadhaar numbers were not paired with the documents relating to personal information of their holders and even after nearly ten years the UIDAI could not identify the exact extent of mismatch”.
It has put this lacuna down to the use of agencies to generate Aadhaar, since the UIDAI has a small budget. Even though the quality has improved with the introduction of inline scanning (iris, etc.), this has imposed costs on the people. In FY19, more than 73 per cent of the total 3.04 crore biometric updates were “voluntary updates done by residents for faulty biometrics after payment of charges”. On the technology shortcomings, the report tellingly notes, “UIDAI did not have a system to analyze the factors leading to authentication errors”.
The rap on UIDAI is unusual considering the central government has set a huge value on the use of this data bank to achieve plenty of socio-economic goals. The government, for instance, has mandated Aadhaar-PAN linkages across the country with effect from April 1 this year. Even otherwise, Aadhaar-driven identity is used to generate beneficiaries across the country for a wide range of welfare programmes.
“The shortcomings pointed out by the CAG point to the need for improvement in the delivery of Aadhaar. Those lacunae have been highlighted”, said a top government official.
The UIDAI, on its part, has accepted the shortcomings as pointed out in the CAG report. The period of review by the CAG covers the years FY15 to FY19, though the auditor notes the commentaries have been updated to track the developments up to March 2021.
The shortcomings mainly refer to the early phase of UIDAI, like this one: “Huge volume of voluntary updates indicated that the quality of data captured to issue initial Aadhaar was not good enough to establish uniqueness of identity”.
The audit report is particularly critical about the plans to issue identity numbers to children below five years of age. It “goes against the basic tenet of the Aadhaar Act”. The auditor argues that since the Supreme Court has held that no child will be denied any government benefit because she does not have an Aadhaar number, UIDAI has to “find alternate ways to establish their unique identity”.
In the process, the organisation has made an unavoidable expenditure of almost Rs 600 crore on the exercise till March 2021.
The auditor is also critical of the data archiving practices of UIDAI and the way the Aadhaar reaches people through the post offices. Both are faulty systems, it notes. “With a sound data archival policy, an organization like UIDAI can not only have access to all classes of data whenever the need arises but also reduce the size of storage by disposing of redundant data regularly. It is therefore vital that UIDAI frames a Data Archival Policy and implements it strictly”.
On the use of post offices to deliver the cards across the country, it notes there are more than 250 welfare schemes of the centre and the states that require identification through Aadhaar. Also, as per the Aadhaar Act of 2016, UIDAI is responsible for the security of the identity information of the Aadhaar holder.
But the department of posts has often not been able to reach the right address. While UIDAI has claimed that 1.22 billion such cards have reached the right persons, test audits have also thrown up large errors. UIDAI received back 5 million Aadhaar letters “at its Bengaluru Centre till March 2019 due to non-delivery to residents”, it remarked.