Part 1.
Threat of exclusion, and of surveillance
The aadhaar project has become the bane of average Indians, threatening their access to all manner of services. basic questions have sometimes been asked and almost never been answered, says Usha Ramanathan, in the first of a multi-part series.
The Unique Identity (UID) project has been around for over four years. The Unique Identification Authority of India (UIDAI) was set up by an executive notification dated 28 January 2009 and came into its own after Mr Nandan Nilekani was appointed as chairperson in July 2009. Now it has, as some observers say, become an experiment being conducted on the entire country.
In its early stages, it was marketed, simply, as giving the poor and the undocumented an identity. It was to be voluntary, and an entitlement. But, it is evident even from the Strategy Overview document of the UIDAI that it was never intended to be an entitlement that people may choose to adopt or ignore. That document said that "enrolment will not be mandated", but went on to add: "This will not, however, preclude governments or registrars from mandating enrolment". So, the potential for compulsion was built into the architecture of the project. Starting in 2012, voluntariness began to be eroded, and threats of exclusion from services and entitlements began to be bandied about. By January 2013, a virtual panic was set off when it was announced that various services and entitlements would not be accessible to persons who did not have a UID number.
Mr Nilekani has said time and again that half the population is expected to be enrolled by the end of 2014; yet, there have been warnings that people without a UID number may find themselves unable to access benefits and subsidies if they did not have it, if a bank account had not been opened, and if the UID number were not embedded in the bank account. So, subsidy for cooking gas, kerosene, and scholarships, for instance, became dependent on having a bank account seeded with the UID, or aadhaar, number. In case anyone wonders what the UIDAI has to do with these decisions, it is the chairperson of the UIDAI, Mr Nilekani, who chaired the committees that recommended these changes. The reports are in the public domain.
From its inception, the UID project has been about creating the ’database resident’. The website of the Department of Information Technology, which has been renamed as Department of Electronics and Information Technology, modestly carrying the acronym DeitY, has said all along that "Project UID, a Planning Commission initiative, proposes to create a central database of residents, initially of those above the age of 18 years". Except, that the UIDAI got more ambitious and wanted everyone, from the newborn to the oldest resident, on its database. And it was always intended to converge various databases to construct a profile of the individual, and to this effect the website of DeitY says that "the project envisages provision of linking of existing databases, as well as providing for future additions, by the user agencies". The MoUs between the UIDAI and various registrars that include the state governments, oil companies, banks and the Registrar-General of India, who is in charge of census and the National Population Register and socio-economic and caste census, not only provide for various additional fields of data being collected during enrolment, but also for having the UID number appended to each such database.
As for biometrics, documents reveal that when the decision was made to use fingerprints and iris for enrolment, there was no knowledge about whether these biometrics would work in India, given the demographic and environmental conditions. In fact, it has since been found that with age the fingerprint fades, that manual labour makes the fingerprint difficult to read, that malnourishment-induced cataract blights an estimated 8-10 million people, and so on. In fact, as recently as 23 April 2013, Mr Nilekani said in his speech at the Centre for Global Development in Washington: "We came to the conclusion that if we take sufficient data, biometric data of an individual, then that person’s biometric will be unique across a billion people. Now we have to find that out. We haven’t done it yet. So we’ll discover it as we go along." First, the conclusion. Then they will wait to find out! That is why some observers of the project have been saying that it is an experiment being conducted on the entire population. The consequences of failure have not been discussed, although, in a talk at the World Bank in Washington on 24 April 2013, Mr Nilekani said in response to a question about what he thought was the greatest downside risk to the UID: "To answer the question about what is the biggest risk," he said "in some sense, you run the risk of creating a single point of failure also."
There is more to cause concern, and much to be answered about UID.
LEGALITY
The UID project is proceeding without the cover of law. There is only the notification of January 2009 which says the UIDAI "owns" the database, but which says nothing about how it may be used, or what will happen if it fails or if there is identity fraud, or some outside agency gains access to the database. A Bill was introduced in Parliament in December 2010, after the project had been launched and data collection had begun. The Bill collapsed in December 2011 when the Parliamentary Standing Committee found it severely defective, and after it found that the Bill and the project needed to be sent back to the drawing board. There is no sign yet of a Bill, and any protection that the law may offer is non-existent. There is no law to protect privacy either.
Convergence and snooping
The UIDAI, and Mr Nilekani, have refused to address the probability of surveillance, convergence, tracking, profiling, tagging and intrusions into privacy that is likely to result from the creation of the database of residents and the intended convergence. The link between technology, databases, governmental power and corporate involvement in creating, maintaining, managing and using databases has produced various scenarios of surveillance that we ignore at our peril. PRISM is such a stark demonstration of the ambitions that can fuel a state that the UIDAI can no longer just say `no comment’ when asked about the surveillance potential being created.
In the same period, the state has already set up agencies such as the Natgrid, NCTC, NTRO, CCTNS, MAC which will use the potential for convergence of databases that the UID makes possible. In April 2011, the government made rules under the IT Act 2000, by which it would be able to access any data held by any "body corporate". More recently, we have been hearing about the CMS, or the Central Monitoring System, speaking to a surveillance and control approach that will have the state snooping on us with no oversight, no prior permission, no answerability at any time to anyone.
The companies engaged by the UIDAI to manage the database include L1 Identity Solutions and Accenture. The UIDAI, in response to an RTI request, has claimed that they have no means of knowing that these are foreign companies, given the process of their selection! Yet, a search on the internet reveals the closeness between the L1 Identity Solutions and the CIA, and that after a recent transaction, it is part-owned by the French government; while Accenture is in a Smart Borders Project with the US Department of Homeland Security. Data security, personal security, national security and global surveillance are all drawn into a ring of concern, but remain unaddressed.
(The writer is an academic activist. She has researched the UID and its ramifications since 2009.)
o o o
Part 2
A virtual monster in the cloud
UID is an acronym for unique identification. But first, this is not an identity scheme; it is a system that leverages emerging technologies to help various governmental and commercial agencies identify and database persons. That is why concerns about the UID project include the hugely increased potential for convergence of data, tracking, profiling, tagging and the violation of norms of privacy.
Then, as we have been told many times over, UID is not a card, but a number. Some have mistaken the paper which is used to communicate the number to the resident to be an ID card. Mr Nandan Nilekani — Chairman of the Unique Identification Authority of India (UIDAI) — explained, during a talk to the World Bank on 24 April 2013: "First of all, this is not an ID card project. There is no card. There is a number. It’s a virtual number on the cloud, and we don’t give a physical card. We do send you a physical letter with your number, which you keep in your pocket, but the real value of this is the number on the cloud."
The identification is to be done by matching the number to biometrics that are collected and kept on a Central Identities Data Registry.
The uniqueness of the number depends on the biometric system being failsafe; but biometrics is still at an experimental stage. All we have for the moment are some proof-of-concept studies, and the "faith", "belief" and "conviction" of the project proponents that peppers every document and speech.
Third, while the driving licence, voter ID and PAN card may be used as
identity cards, the UID number is different. The UID is synonymous with another acronym KYC, or Know Your Customer. The UID proposes to partner with Authorised User Agencies (AUA), which may be any agency including banks, mobile companies, LPG service providers, insurance companies, departments with the state and central governments, hospitals and so on. When the AUAs decide to use the UID, they will have to deploy fingerprint and iris scanners, which will be used to "authenticate", that is, verify if the person is who she says she is.
This is a business model, where the UIDAI proposes to make its profits on authentication — the Strategy Overview document calculates that once the project reaches a "steady" state, it should be able to make Rs 288.15 crore. Four, the UID is supposed to be voluntary, but that was a deliberate untruth put out as part of the marketing exercise for the project, and because the UIDAI has no power to force anyone to enrol. After all, their legal status is highly suspect.
In the first two years of enrolment, it was evident that there was little enthusiasm to get on to the database. After all, it was not even clear what the point of the UID number was. Fact is it is still not clear.At the World Bank talk in April 2013, Mr Nilekani said, in answer to a question: "Obviously people don’t know what benefits will come from this — even I don’t know what benefits will come from this...But broadly, they know that this is some kind of a gateway to the future. There will be benefits. What these benefits are, they don’t know..."
Declaring that the UID was mandatory changed things for people. How the idea of making the UID mandatory was sold to the various governments is not widely known. We do know that the UIDAI had banked on the UID being made mandatory by different agencies even when it put together its Strategy Overview. The strategy was for the UIDAI to continue pretending that it was voluntary. This deceit is a part of the way that the UID project has been rolled out.
Five, the words `universal’ and `ubiquitous’ are used to describe the ambitions of the project. By getting everyone on the database, there is to be "universal" coverage. And by getting every possible agency to subscribe to the UID as a KYC, it is to be "ubiquitous". Mr Nilekani, of course, explains that the UID is an "identity platform". It is "open architecture" on which many "apps" may be built. Unlike the driving licence, ration card, voter ID, the UID has no purpose of its own. It is just an "ID verification system" and all manner of "apps" can be built on it. Direct Benefit Transfer is such an "app". And in explanation of what it will do, he says: "You can use the ID and create a credit history...or you could build an electronic health system." Since it is on a cloud, your health record will be portable and "you can take it with you wherever you go". Of course, this also "gives you complete traceability", of persons and their transactions. "Obviously," he admits, "it doesn’t solve the problem of eligibility. You have to build some other systems for that."
The casual disregard of the law, the authoritarian demands to hand over personal and intimate information, creating databases that put people at risk, and passing off half truths and outright lies as facts are some among the disturbing features of the UID.
The writer is an academic activist. She has researched the UID and its ramifications since 2009.
CASH TRANSFERS
"The real beneficiary (of mandatorily linking the UID to bank accounts to be eligible for cash transfers) is neither the finance ministry nor the nodal ministries or citizens but the Unique Identification Authority of India (UIDAI), which has struggled to meet its target of covering large sections of the population. Compared with the average monthly enrolment of 7.4 million people in the last seven months, it needs to add 25 million a month to meet its target of 600 million by 2014. In the absence of parliamentary approval, forcing eligible citizens to take Aadhaar cards to avail the existing benefits, will, perhaps, be the most pernicious legacy of this plan, which is nothing more than an effort to rescue UIDAI."
Himanshu, an economist at Delhi’s Jawaharlal Nehru University who has been studying the UID, in the context of cash transfers.
o o o
Part 3
Inclusion project that excludes the poor
There are claims, and ambitions, that surround the UID project. The claims first.
The UID, it is claimed, will be an identity that will bring down the barriers that prevent the poor from accessing benefits and subsidies. Unfortunately for the UIDAI, this claim is already being severely eroded. What was projected as a project of inclusion is already turning into a threat of exclusion. So, the poor have been told that if they do not enrol for a UID, if they do not have bank accounts, if those bank accounts are not embedded with the UID number, then they will become ineligible for the subsidies that they have been getting so far. That is the first obstacle that has been set up by the project.
Then, a person needs to produce a pre-existing document to be able to enrol; a voter ID, a PAN card a driving licence or one of the many cards that are listed. Those who do not have a document to establish their identity or those whose documents are not accepted by the enrolment agency - and this is invariably the poor and the less privileged - will need an "introducer" to help them get enrolled. The introducer, as was explained by the Demographic Data Standards Committee that reported to the UIDAI in December 2009, would be akin to a bank introducer - with one significant difference: while a bank introducer would be expected to know the person he or she is introducing, it is different with UID enrolment.
The state government or other agency acting as Registrar would have to appoint an "approved introducer" to do the task. That is, introducers must be known to the Registrar, but do not need to know the persons they are introducing! The accuracy of the data can be imagined. No wonder, then, that in January 2012 the Home Ministry protested that they could not accept UID data because it was insecure and unreliable.
A second stated ambition is that of reducing leakage in the system. Mr Nilekani refers to himself as a plumber, plugging the leaks. The savings will be huge, it is said. No one would deny the pervasive corruption that has blighted many systems of distribution. The RTI, "transparency walls", public hearings, the use of technology to computerise, communicate and monitor the movement of goods and grain, the opening of post office and bank accounts for payment of NREGA wages, the use of mobile phones to let people know when their rations are to reach so that they may watch and collect their entitlements, the use of GPS to track the movement of vehicles carrying grain to the shops - these have already greatly improved systems.
The UIDAI, however, suggests that salvation lies elsewhere - in a centralised system of identification.
That, it believes, would do away with duplicates and ghost beneficiaries. There is, of course, no evidence about the extent of the leakage, and what the saving would therefore be. In fact, the first paper attempting to explain that the UID would reduce leakage appeared only a few months ago, done by the National Institute of Public Finance and Policy.
The paper is littered with assumptions for, as they admit, there isn’t any data in some areas and, in others, the data is outdated.
In addition, contrary to Mr Nilekani’s assertion at the talk in April 2013 that this was an `independent study’, scholars at the NIPFP have admitted to "the group’s research affiliations with the UIDAI (which) should preferably have been made (clear) in the study itself".
How many us know of the One Time Passwords which are to be used to "manual(ly) override" when the biometric identification fails? When fingerprints or iris fail in recognising the person, for whatever reason, a request can be sent to the UIDAI to send a One Time Password to any mobile phone that is on hand.
That OTP can then be used in place of the biometric.
The potential for `leakage’ and identity fraud and corruption in this, and the problem this poses for the `last mile’ is undeniable, although it is not being acknowledged.
No wonder everyone including the UIDAI is shrinking from taking on liability where there is "false accept", or "false reject", or where identity fraud occurs is a telling circumstance.
The risk, till things change dramatically, rests heavily on the individual, while the system carries on experimenting.
Is this too harsh a way to read the UID? Fact is, the UID project has been attempting to derive its legitimacy from the failures and corruption and non-performance of the system as it now is.
Yet, since it is the excitement of technology, and not an intimate understanding of the poor and marginalised, that informs the project, the gap between its claims and how it is playing out on the ground is huge.
And how much the bureaucracy and the political establishment have understood is moot; they have spoken too little for us to tell.
With the claims not quite holding up, what ambitions are these that drive the project?
(The writer is an academic activist. She has been researching the UID and its ramifications since 2009.)
STRAIN ON BANKS
In the early stages of the project, UID was held out as the answer to the problems in the PDS and NREGA; but the credibility of these claims was severely challenged by researchers and activists. The focus was then shifted to "financial inclusion". UID is to be the KYC for opening bank accounts, more particularly "no-frills" accounts. The problem with this claim is that KYC in banking was brought in in the context of money laundering, and terrorist funding. No-frills accounts have had no KYC requirement; the amounts are too small to matter. Now, with the UID, KYC is being introduced for no-frills accounts! That so many people are unbanked has a great deal to do with banks not being interested in low value customers, not having branches where it is needed, and with the banking correspondent (BC) system not working for reasons some of which were set out in an RBI report in 2009. The banking system is totally unprepared for these changes. All it does is help the UIDAI get more enrolments from people panicked by the threat of exclusion.
BIOMETRICS
Then again, the biometrics on which this whole system hinges is still in an experimental stage. For the poor, manual workers and the old, authentication of who they are is more than likely to be a problem. This is what the DG and Mission Director of the UIDAI said in November 2011: "The other challenge we face is the quality of fingerprints. Capturing fingerprints, especially of manual labourers, is a challenge. The quality of fingerprints is bad because of the rough exterior of fingers caused by hard work, and this poses a challenge for later authentication.... Issuing a unique identity will not be a major problem. But authentication will be, because fingerprint is the basic mode of authentication." So, it seems, the idea is to expand to iris authentication - increasing cost through the introduction of a mode in which pilots are yet being run.
o o o
Part 4
Ambition sans innocence
There is a range of ambitions riding on the UID project, and too many of them seem to lack the innocence that could keep us unworried. ‘Cash transfer’ is the most visible of these ambitions. This is contested terrain, peppered with debates around the wisdom or otherwise of the state withdrawing from taking responsibility for providing food or fuel or education or health; and the unwisdom or otherwise of bringing in the market while displacing the state where whole communities of people live lives rendered precarious by poverty and its concomitants.
Whichever side of the debate one is on, there is no denying that the minimum that is needed for cash transfer is a system in place which can deliver the cash. The acknowledged fact is that there are hardly any banking services available to the poor.
In illustration, this is what Dr Deepali Pant Joshi, Executive Director, RBI said in a talk delivered on 4 May 2013: “Under the roadmap for providing banking outlets in villages with population above 2000, banking outlets have been opened in hitherto 74199 unbanked villages comprising 2493 branches, 69374 Business Correspondents (BCs) and 2332 through other modes like ATMs, mobile van, etc.†And: “As per the roadmap drawn about 4,84,000 villages with population less than 2,000 have been allotted to various banks.
Provision of banking services are to be made in the next three years.â€
And, again: “Business Correspondent model is still in the experimental stages and there are various challenges associated with the model. The viability of BC model has remained a critical issue. Surveys have revealed that branch officials do not visit BCs or customers and do not take any effort in introducing BCs to villagers. One primary reason cited by branch officials are the scarcity of staff provided to them for carrying out such visits to villages.
Further, most of the accounts opened by BCs have remained non-operational.â€
These are just snippets from the speech indicating a remarkable state of unreadiness.
Yet, the Central government has pushed ahead with Direct Benefit Transfer (DBT) depending on banks, banking correspondents, the UID number and authentication each of which is either severely deficient or deeply defective and with no responsibility when any of this does not work.
But, then, in times when minimum wages, and the poverty line, are being reconstituted so that the poor can begin to disappear even as a statistic, these are words that need to be treated with some seriousness.
The interests of national security, and the terror threat, are presented as reasons why the state should have access to data about its people; and the more that is available to it, the better. That the state would want to track and tag individuals is hardly surprising. By now, the US and the UK have trained us to understand how secretively curious states are not just about people in their territory, but far beyond! This ambition, to know the individual intimately, when achieved, will leave him or her at the mercy of the state.
The false sense of security when the state says it wants the power to put people on watch so that they can be kept safe from terrorism, and crime, and immorality, and illegality is a way for the state to keep its hold on the polity.
The complete collapse of the criminal justice system, the waywardness of unsupervised intelligence agencies, and treating every person as a subject of surveillance to keep the country safe, is all part of the same universe.
(The writer is an academic activist. She has researched the UID and its ramifications since 2009.)
Global system?
At Mr Nandan Nilekani’s Washington meetings in April this year at the CGD and the World Bank, discussions threw up what some may consider an outrageous idea. Addressing Mr Nilekani, the chair of the meeting said: "I wonder what you think of the possibility of a global system, and whether or not you think by the year 2050 there could be a global system. Frankly, I think it would be a real influence in knocking down the nation state..."
And then he asked, "Is this the thin edge of the wedge for the end of sovereignty?" The question recurred at the World Bank. Mr Nilekani’s answer was simple: "There is nothing technologically limiting for having the whole population of the world on the system."
And: "If you can do a billion, you can do 7 billion." The President of the World Bank couldn’t stop exclaiming; all projects brought to him, he said, in Africa, and everywhere else, will now have to integrate the UID system, or else he will want to know why. "... can you have a single system that would work with everybody throughout the world?", he paraphrased the question that had been asked.
"So, what are the implications if you were to withdraw money ... all ATMs may say, we don’t want just your card and pin number, we want your biometrics everywhere ... you literally would know where somebody is every minute... or every time he did that transaction. Would you do one system?" he asked.
"So, should we, say, if we start a system in Africa, we should coordinate with you, so that the Africans have different numbers than the Indian have."
"Well," Mr Nandan Nilekani responded, "this is a question of how much you want to centralise...."
o o o
Part 5
Biometrics - the story so far
by Usha Ramanathan
Face, fingerprint, iris the UIDAI is collecting all of these. The uniqueness of the UID number is to be ensured by using the biometrics collected for “de-duplicating†the 1.2 billion plus population resident in India. That sounds such an improbable task that it cannot do without some investigation of why the UIDAI thought they could pull it off. What did the UIDAI know about biometrics which gave it the confidence to roll out the project on a nationwide scale? The answer is, very little.
When the project got off the ground, and Mr Nandan Nilekani took charge, among the early decisions taken seems to have been the introduction of biometrics. On 29 September 2009, the UIDAI set up a committee to review the state of biometrics in the country, and suggest how they may be modified, extended or enhanced to "serve the specific requirements of UIDAI relating to de-duplication and authentication†. Interestingly, among its other tasks, the committee was asked to “obtain consensus (for) widespread propagation of biometrics in governmental and private sectors.†Significantly, no other means of achieving uniqueness and de-duplication was suggested then, nor at any time since then; biometrics was the only tool.
The December 2009 report of the committee on biometrics was cautious. The state of knowledge on biometrics was too meagre. In its sample of 25,000 people, 2-5 per cent did not have biometric records. Globally, de-duplication accuracy of 99 per cent had been reported from western populations, where there was good fingerprint quality and where the database was up to 50 million. To scale up the results from 50 million to a billion plus was fraught with uncertainty. And, importantly, there had been no study of fingerprint quality in the Indian context. Indian conditions, the report read, “are unique in two ways: larger percentage of population is employed in manual labour, which normally produces poorer biometric samples. Biometric capture process in rural and mobile environment is less controllable compared to the environmental conditions in which western data is collected.†It also found that if the way biometrics is captured is deficient, the “false acceptance rate†could be over 10%. The committee “strongly recommended that carefully designed experiments and proper statistical analysis under pilot should be carried out, to formally predict the accuracy of biometric systems for Indian rural and urban environments†.
As for iris, it is technology of recent vintage, and, “compared to fingerprinting, iris capture is less studied and less standardised†. So, they tentatively suggested combining multiple biometric modalities, in this case that would be fingerprint and iris. That was about all the committee was able to say.
Pursuant to this report, in February 2010, the UIDAI issued a “notice inviting applications for hiring of biometrics consultant†to assist in “proof of concept of biometric solutions for UIDAI project†. This document is a startling statement of the state of ignorance in which the UIDAI was, although they had already decided that they would adopt biometric de-duplication and authentication. The consultant would have to “assess the biometric de-duplication accuracy that can be achieved in the Indian context†. The National Institute of Science and Technology (NIST) in the USA “has spent considerable efforts over the past 10-15 years in benchmarking the state-of-the-art extractor and matching technology for fingerprint, face and iris biometrics on the western population,†the invitation document read. “While NIST documents the fact that the accuracy of biometric matching is extremely dependent on demographics and environmental conditions, there is a lack of a sound study that documents the accuracy achievable on Indian demographics (i.e., larger percentage of rural population) and in Indian environmental conditions (i.e., extremely hot and humid climates and facilities without air-conditioning). In fact, it went on, “we could not find any credible study assessing the achievable accuracy in any of the developing countries. UIDAI has performed some preliminary assessment of quality of fingerprint data from Indian rural demographics and environments and the results are encouraging. The “quality†assessment of fingerprint data is not sufficient to fully understand the achievable de-duplication accuracy.†And so on. And the consultant was given six months to lead the UIDAI from this state of ignorance to profound knowledge about biometrics. At that stage, the focus was on enrolment. What would happen when people would have to be identified by their biometric markers was deferred to a later date.
The study was done between March and June 2010. On 17 July, 2010, the Economic Times reported that “missing biometrics†was confronting the UID project. The millions working in agriculture, construction workers, manual workers would have their fingerprints worn down. Corneal scars, corneal blindness, cataract resulting from nutritional deficiencies and prolonged exposure to sunlight and ultraviolet rays were likely to jeopardise iris data. The Director General of the UIDAI reportedly admitted that they had no estimate of how many people this would affect - they expected it to be a “small number.†“We are dealing with a large country and complex issues. We have to work within these limitations,†he is reported to have said.
They moved on regardless, to collecting biometrics and making claims of uniqueness.
The `UID enrolment proof-of-concept (PoC) report’ was finally uploaded on the UIDAI website in February 2011, about five months after UID enrolment had begun to be rolled out. In a report that is gloriously vague and hazy, there is one statement that puts a question mark on the whole exercise: “The goal of the PoC was to collect data representative of India and not necessarily to find difficult-to-use biometrics. Therefore, extremely remote rural areas, often with populations specialising in certain types of work (tea plantation workers, areca nut growers, etc.) were not chosen. This ensured that degradation of biometrics characteristic of such narrow groups was not over-represented in the sample data collected.†The number of people in the sample studies to see if de-duplication worked was 40,000, and this did not include those who were not seen as representative of India! And the report maintains a deafening silence about what will be done for `biometric exceptions’ - people for whom neither fingerprints nor iris work.
The UIDAI would be hard put to term this a scientific study. There is no authorship, the complexity of the population is ironed out by excluding them from the sample, the evidence is sketchy and conclusions general. Two years later, Mr Nilekani was to say, in his talk at the World Bank in April 2013, that “nobody has done this before, so we are going to find out soon whether it will work or not†.
In sum, this is an experiment. Even if it fails, biometric companies would have made their money, systems would have been re-engineered and the numbers seeded, and databases would have been created.
Every time I have spoken to a politician, bureaucrat, senior members of research organisations, I have asked them if they have seen any of the UIDAI’s own reports, and the answer is always ‘no’.
When biometrics fail ..... well, there are no consequences for project proponents, not as things stand anyway. The authentication story is mirthful, and deserves its own narrative.
(The writer is an academic activist. She has researched the UID and its ramifications since 2009)
o o o
Part 6
Best finger first, but let’s now scan the eye
by Usha Ramanathan
In December 2011, when the Standing Committee on Finance (SCF) readied its report on the National Identification Authority of India Bill 2010 to be placed before Parliament, there were as yet no reports on authentication - viz., on how the biometrics collected during enrolment would be used in identifying a person.
Among a few pieces of the puzzle that was presented to the SCF was a statement from the Planning Commission, in which the UIDAI is located, that read: "It is well acknowledged that there will be failures in authentication for various reasons. After proof of concept studies (PoC) on authentication, appropriate policies and processes will be developed to take care of situations where failure occurs for various reasons .. The choice of using the authentication services is left to the third party service provider ... Concerned agencies will have to develop policies and procedure to handle such exceptional situations .."
That is, there would be problems in authentication, no one could anticipate the extent of the problem because it was still untested, and responsibility would be diffused among service providers if authentication did not work.
This was a strange position to be adopted by an agency that had launched a nationwide project to biometrically de-duplicate and identify the entire population.
The Standing Committee had also seen an interview with the Mission Director and DG of the UIDAI, Mr R S Sharma, in Frontline in November 2011, where he had said: "Capturing fingerprints, especially of manual labourers, is a challenge. The quality of fingerprints is bad because of the rough exterior of fingers caused by hard work, and this poses a challenge for later authentication. ... Issuing a unique identity will not be a major problem. But authentication will be, because fingerprint is the basic mode of authentication."
In January 2012, a document was put out by the UIDAI which was incensed by a statistic that the Standing Committee had referred to which estimated that the "failure to enrol" would be as high as 15 per cent.
The UIDAI tried explaining that these were "misconceptions", that they could "state with confidence" to the contrary, and that "it is now safe to conclude" that biometrics will work over the entire population.
Except - they were relying on their Proof of Concept on enrolment which, as their own report reveals, (see earlier report dated 6 July 2013) does not convince that the system can deal with the complexity of the population.
More damning still, Prof Ramakumar, the expert who had provided the statistic was drawing on an estimation made by a company, 4G Identity Solutions, which is partnering with the UIDAI! He quotes them as saying: "It is estimated that approximately five per cent of any population has unreadable fingerprints, either due to scars or aging or illegible prints. In the Indian environment, experience has shown that the failure to enrol is as high as 15 per cent due to the prevalence of a huge population dependent on manual labour." And, the DG and Mission Director’s interview stands unrebutted.
The first report on "authentication accuracy" was released in March 2012. This would indicate whether persons can be identified by their fingerprint. The PoC involved about 50,000 UID number holders.
It was carried out "in a controlled manner using different authentication devices.
The collected data was sent to the UIDAI Technology Centre. Further statistical analysis was performed at the Centre." This was a UIDAI exercise, and a statistic emerged from it: "accuracy of 96.5 per cent can be achieved using one best finger and 99.3 per cent can be achieved using two fingers" up to three attempts. "Accuracy," the report went on to say, "could be further improved by using the additional factors such as one-time-password (OTP), demographical data or second modality such as iris." A separate study was recommended to check that out.
What do these statistics mean? What is the `best finger’? What are two fingers in three attempts? What else does the report say? The "best finger" first.
Though all 10 digits are captured during enrolment, not all fingers work equally well when they have to be used to authenticate a person.
So, when enrolment is done, the report said, a person would have to go through a "best finger detection" (BFD) process, because: "The best finger to be used for authentication depends on the intrinsic qualities of the finger (ex. ridge formation, how worn out they are, cracked, etc.) as well as the quality of images captured during enrolment process and the authentication transaction."
Someone in the team that prepared the report clearly had a sense of humour: this description is accompanied by the sketch of a wrist and fingers, with the index finger pointing skywards with a bow tied to it as a sign of how special it is!
The fingerprints are sorted on the basis of "match scores" by comparing them with what has been enrolled and stored. This helps to rank the fingers: rank 1- best finger, rank 2- second best finger. "Further," the report reads, "the fingers are labelled Green, Yellow, or Red - depending on their suitability for single finger authentication." In addition, it continues, "some residents could be determined to be not suitable for reliable fingerprint authentication".
About the devices, there is the profound statement: "The best set of devices did much better than the good set of devices, which did much better than the rest of the devices." "In online authentication system, providing multiple attempts of the same finger was seen to improve resident’s chances of successful authentication." And the inference that was drawn was that "the resident learns to place fingers appropriately over multiple attempts". And, "residents in the 15-60 years group showed best authentication accuracy". The young and the old are somewhat troublesome. In sum, for those whose fingerprints work, if they have a best finger, or two yellow fingers, and more fingers are used, and if labelled matching works, and best devices are used, and when there are high quality fingerprint images, and immediate feedback, then .... fingerprint authentication may work 99.13 per cent of the time. That is the value of the statistic.
Then, multimodal authentication with both fingerprint and iris, OTP, buffered authentication, multiple attempts and with different fingers - these are recommended, "to not only improve accuracy but also to ensure inclusion."
The recommendations harbour the underlying unease about the capacity of fingerprints to identify the entire complex of people in this country.
That explains why, even as the report starts out, it says "although currently only fingerprint biometric is being offered ... it is likely that in the near future iris biometric authentication will also be supported." And, in conclusion: "Low cost iris capture devices are becoming available in the market. A combination of fingerprint and iris is expected to improve accuracy by a factor of 10 to 100, while reducing failure to enrol (red fingers) rate by a factor of 10. A detailed study such as this should be done on iris authentication."
In the meantime, this report lends context to Mr Nilekani’s statement at the Centre for Global Development in Washington in April this year about having "created huge opportunity for fingerprint scanners, iris readers".
(The author is an academic activist. She has researched the UID and its ramifications since 2009)
o o o
Part 7
But do the eyes really have it?
by Usha Ramanathan
In September 2012, two years after enrolment had begun, the UIDAI produced a report on iris authentication. As in the proof of concept (PoC) on fingerprint authentication, the iris report too was about field-testing the technology, and not a scientific study. This allowed for cleansing the data "of exceptions and anomalies", checking out vendors and their devices, encountering the people who came in their infinite variety - those with squints, those who had undergone eye surgery, those who had eye deformities and those without sight. The PoC was done in a semi-urban taluka in Mysore over two months in 2012 with 5747 residents. As with the fingerprint report, here too the percentages that the UIDAI records are intended to reassure, but the devil is in the detail.
The older population, those who have undergone surgeries, those unable to open their eyes wide, those with eye deformities and, especially those who had undergone cataract surgery using older techniques were expected to have trouble authenticating. But, it was said, while iris authentication is significantly improved by using the dual eye camera, those with a squint would be better off with a single eye camera. What effect there would be on the error rate as the database grows larger and larger is not reckoned with.
Yet, these concerns lose their urgency when viewed against the first presumption on which the PoC is based. "The iris does not get worn out with age, or with use," it says. "In addition, iris authentication is not impacted by changes in the weather." This seems an improbable claim, for it is difficult to imagine a part of the human body which withers with neither age nor clime. Still, the improbable is not necessarily the impossible.
This, the report claims, is a presumption drawn from iris technology literature. But, in a paper presented at the IEEE Computer Society Biometrics workshop on 17 June 2012, two professors from the Department of Computer Science and Engineering at the University of Notre Dame found something quite different. Samuel E Fenker and Kevin W Bowyer did a study of iris images acquired between 2008 and 2011 using state-of-the-art technology, with 322 subjects ranging from 20 to 64 years, 177 male and 145 female, of different races. In introducing their study, they explained that the prevailing view that iris is "essentially immutable over a person’s life" had been repeated in several research papers, even though "we know that no studies with experimental results that support the conclusion that template ageing does not occur for iris biometrics" exist. This includes Daugman’s 1994 iris biometrics patent which asserted that "the iris of every human eye has a unique texture of high complexity, which proves to be essentially immutable over a person’s life." Fenker and Bowyer’s paper was "the most extensive experimental investigation to date on template ageing for iris biometrics."
In brief, their study found "clear and conclusive evidence that template ageing does occur in iris biometric matching. Specifically, the experimental evidence indicates that the false non-match rate increases with increasing time between acquisition of the enrolment image and the image to be recognised." That is, as time elapses, the image alters from how it was when it was enrolled. "In our results," they said, "the false non-match rate increases by greater than 50 per cent with two years of time lapse." The 50 per cent indicates the rejection rate when it was sought to be authenticated, and it is disturbingly large.
Fenker and Bowyer are not biometric skeptics, and they offer ways to proceed once it is acknowledged that template ageing does occur for iris biometrics. One possible route is "that the user may simply need to be re-enrolled in the system after some determined period of time." Given that the drop in confidence in the biometrics occurs within just two years, re-enrolment is not even an option amidst the Indian population. And, they suggest, "once the fact that template ageing for iris biometrics is acknowledged, research effort may be focused on reducing the magnitude of the effect."
This is the state of knowledge in biometrics.
The iris authentication report recognises this when it says: "Few global initiatives have empirically published results on iris based online authentication in a context similar to aadhaar." It is this use of untested technology that has had critics of the project say that it is an experiment where India is the laboratory, and Indian residents are mere specimens.
Spoofing and fraud
It is not only the experimental stage of the technology that raises questions. It is also questions of spoofing and fraud.
On 30 September 2011 a meeting was held at the Planning Commission to discuss the issue of privacy. The UID project, and the Human DNA Profiling Bill which has in circulation since 2007 and which resurfaced more recently, prompted the meeting. Representatives from the UIDAI, Natgrid, the Department of Personnel and Training were present among others that included professionals and activists. J T D’Souza, a biometrics expert who is in the trade, was present, and he demonstrated fingerprint authentication done with a faked fingerprint made out of Fevicol and wax. It was his wife’s fingerprint. It authenticated perfectly when he blew on the spoofed fingerprint to add moisture to its surface, so that the fingerprint reader could be made to believe that it was a live finger that was being applied to it. It is easy to spoof a fingerprint, he said. When it is cooperative, as it had been in his case where his wife gave her fingerprints willingly, he had used a plastic battery case into which he melted wax. When it had not quite set, the finger was pressed into the wax leaving an impression into which he poured Fevicol. When the Fevicol set, he had peeled it off and, hey presto, it was ready for use. When it is "non-cooperative", it may be an impression taken, say, from a glass or anything that is touched, the process would be a tad more tedious, involving using standard techniques from forensic sciences, making a positive, using a standard printed circuit board etching technique which is well known to any second-year electronic student or electronic hobbyist and use that as a template with Fevicol.
The danger is, too, that once the fingerprint has been compromised it cannot be changed, unlike a password or a pin number. In controlled spaces, biometrics may work because there are other controls along with the biometric. But a centralised database and long-distance authentication, D’Souza cautioned, is a prescription for fraud. D’Souza’s demonstration of the use of the spoofed fingerprint to the students of a Bombay college is on youtube; there has been no reaction to it so far. At the Planning Committee meeting, the representatives of the UIDAI said they would look into it. Six months later when the report was released, there was no mention of this issue.
The problem is not only that it is an experiment, and just may fail. It is that what is being attempted is what Mr Nilakeni calls "doing government process re-engineering" with this experimental technology as its foundation.
(The author is an academic activist. She has researched the UID and its ramifications since 2009)
o o o
Part 8
What we (don’t) know about the companies
by Usha Ramanathan
In July 2010, UIDAI announced names of the companies that had been selected to implement the core biometric identification system. These companies would design, supply, install, commission, maintain and support the "multi-modal Automatic Biometric Identification System and multimodal Software Development Kit for client enrolment station, verification server, manual adjudication and monitoring function of the UID application". These would create the ability to de-duplicate on the basis of biometric information collected during enrolment.
The companies were: Mahindra Satyam (as it then was) partnering with Morpho, HP with L-1 Identity Solutions and a recently set up Indian company 4G Identity, and Accenture with MindTree and Daon. L-1 Identity Solutions was also present and participating in the PoC on enrolment.
These are companies with interesting profiles. A promotional document found on the web around the time that L-1 Identity Solutions was selected to partner with the UIDAI speaks of a close connection between the company and the security and intelligence establishment of the US government. "L-1 provides highly specialised government consulting services that address the most important challenges facing US defence and global security", it announces. "More than 1000 specialists, most holding top security clearances", it advertises, giving a more specific figure of "93 per cent holding high-level government security clearances".
In 2007, Tim Shorrock, an investigative journalist based in Washington, took a close look at the connection between L-1 and the CIA in an article he did on the former CIA chief, George Tenet, titled Cashing in on Iraq. Shorrock wrote: "Tenet sits on the board of L-1 Identity Solutions, a major supplier of biometric identification software used by the US to monitor terrorists and insurgents in Iraq and Afghanistan… The company with the closest ties with the CIA - and the biggest potential financial payoff for Tenet - is L-1 Identity Solutions, the nation’s biggest player in biometric identification. L-1’s software which can store millions of ID records based on fingerprints and eye and facial characteristics, helps the Pentagon and US intelligence in the fight against terrorism by providing technology for insurgent registration (and) combatant identification, the company says. L-1 technology is also employed by the State Department and the Department of Homeland Security…" When L-1 acquired Spec Tal, it got 300 employees with security clearances getting them several agencies with whom Spec Tal had contracts, "including the CIA, the NSA and the Defence Intelligence Agency." "We’re in the security business, right? So he’s a tremendous asset," Shorrock quotes an executive vice president of L-1 as saying about George Tenet.
Sagem Morpho which is among the participating companies is the Indian subsidiary of Morpho; which is part of the Safran group. Safran is a French defence company in which the French government holds 30.5 per cent shares.
In August 2011, Safran completed its acquisition of L-1 Identity Solutions. It was a $ 1 billion acquisition. With this, L-1 joins Safran’s security business which was until then operating as Morpho, and which together with L-1 was renamed Morpho Trust.
Morpho and L-1 have, with this acquisition, merged. So, when Mr. Nilakeni says that UIDAI has created a competitive environment, that is not quite accurate.
This deal was held back for about a year between September 2010 and August 2011 till the Committee on Foreign Investment in the US approved the acquisition. Since US contracts make up about 80 per cent of L-1’s business, and to protect US national interests, Safran was to establish "a three-person proxy board" to handle sensitive US contracts - a common feature when security companies are acquired by foreign companies. It was contemporaneously reported that the proxy board was expected to include Barbara McNamara, deputy director of the National Security Agency and William Schneider Jr. former Under Secretary of state under Ronald Reagan.
Accenture is known widely as a consultancy corporation. What is less known is its place in the world of surveillance technologies. Katherine Albrecht and Liz McIntyre, writing about Radio Frequency Identification (RFID) in their book, ’Spychips: How major corporations and governments plan to track your every purchase and watch your every move’ (2006), introduced us to the patents and practices of Accenture in the RFID arena. It is interesting that Accenture describes itself as a "US based business…the global management consulting, technology services and outsourcing company"; no word on surveillance. Yet, in 2004, Accenture was selected by US Department of Homeland Security to design and implement the Smart Borders Project which would be deployed at the land, sea and air ports of entry. In November 2012, Accenture was awarded a bio-surveillance contract by the Department of Homeland Security.
This proximity and interdependence between foreign governments, including their intelligence agencies, and corporate ventures in surveillance technology is no secret. Yet, the UIDAI claims that it is unaware of the countries from where these companies originate.
A question that has been raised time and again in various fora relates to the security of the data. What effect does handing over data to companies that are close to foreign intelligence agencies, or allowing them to handle it, have on security of the person, and on national security? Laws such as the PATRIOT Act in the US, especially provisions such as section 215, bring all agencies in the country within the control of agencies such as the FBI and the Department of Homeland Security. As for Morpho and L-1, the French government is part-owner of these entities. Despite the concerns this should have raised in the UIDAI and within government, there has been a silence which provides no answers. The UIDAI’s response to an RTI query is more disturbing still.
In March 2011, Mr Veeresh Malik filed a request with the UIDAI for information, specifically asking for the "full name, address, websites of the foreign companies which are of US and non-US origin or control". In an appellate order of 21 July 2011, the Deputy Director at the UIDAI who is the Appellate Authority for purposes of the RTI, gave the names of three Biometric Service Providers to the UIDAI. These were, (i) Satyam Computer Services/ Sagem Morpho (ii) L-1 Identity Solutions (iii) Accenture Services. In a startling statement, the authority explained that "there are no means to verify whether the said companies/organisations are of US origin or not. As per our contractual terms and conditions, only the companies/organisations … who are registered in India can bid. Any further information in this regard can be obtained from the UIDAI public domain…" There is nothing more to be got from the UIDAI website.
Col. Mathew Thomas’ RTI query asking for copies of the contracts entered into with the companies was refused by the UIDAI citing section 8(1)(d) of the RTI Act 2005 which speaks of information including "commercial confidence, trade secrets or intellectual property" disclosing which would "harm the competitive position of a third party" to the request. The exception to this provision is if the "larger public interest warrants the disclosure of such information". At a hearing on 24 June 2013, the Central Information Commissioner has said she will hear and decide this matter. Snowden, and PRISM, have blown the lid, yet again, on surveillance by the USA.
Creating a database and handing the data over to companies, and with no discernible protection, should worry a government concerned about the safety of the people and national security, it would seem.
(The writer is an academic activist. She has researched the UID and its ramifications since 2009)
o o o
Part 9
Aadhaar Unmasked When Parliament spoke on the UID
Parliament’s Standing Committee on Finance dismissed with scathing comments an attempt by the Manmohan Singh government to give the UIDAI project the sanction of law. No effort has been made to remedy this serious shortcoming in the huge exercise launched by Nandan Nilekani with the blessings of Montek Singh Ahluwalia’s Planning Commission. In effect, there is no law that makes it mandatory for a citizen to possess the Aadhaar number (or card) and yet we are being railroaded by some states - notably Delhi - to accept its inevitability. Usha Ramanathan
There is currently no law that covers the UID project.
On 28 January 2009, an executive notification set up the UIDAI. It was to be the responsibility of the UIDAI to lay down plans and policies to implement the UID scheme, which would include giving UID numbers to residents, interlinking UID with partner databases on a continuous basis, to keep the database updated, and "take necessary steps to ensure collation of National Population Register (NPR) with UID (as per approved strategy)". It was also to "identify new partner/user agencies"; to "issue necessary instructions to agencies that undertake creation of databases… (to) enable collation and correlation with UID and its partner databases". The Planning Commission would be the nodal agency and the UIDAI “shall own and operate the database".
Since at least September 2009, concern about the consequences of enrolling and databasing people began to be voiced. At a meeting on 23 November 2009, Mr. Nandan Nilekani said that state governments, who were being approached to act as Registrars, that is those who would collect the data and pass it on to the UIDAI, were asking how they were to respond if queried about the authority under which they would hand over enrolment data to the UIDAI. Then there was the vacuum in law on privacy which no one denied was going to be impacted by a project such as this.
It was at a meeting called by the Planning Commission on 6 May 2010, that Mr. Nilekani conceded that a law would be drafted to govern the project. On 30 June 2010, a draft Bill was uploaded on the UIDAI website, and kept there for 14 days for comments. On 3 December 2010, the National Identification Authority of India Bill 2010 was introduced in the Rajya Sabha with scarcely any changes from the UIDAI’s June 30 draft. The finance minister had apparently objected to a clause that would exempt the UIDAI from all taxes and duties, and that was deleted; and the definition of ’resident’ was reworked with the Registrar General of India. By this time, enrolment, the issuing of numbers and databasing had already begun, from 29 September 2010.
The NIAI Bill was referred to the Parliamentary Standing Committee on Finance (SCF) which, after yearlong consideration of the Bill, and necessarily of the project, rejected both- the proposed law and the project itself. ’The Committee’, the SCF concluded, "would, thus, urge the Government to reconsider and review the UID scheme as also the proposals contained in the Bill in all its ramifications and bring forth a fresh legislation before Parliament."
In July 2011, when some of us deposed before the SCF, its members were only talking about tweaking the law and seeing how they could help it reach a legally acceptable form. By December 2011, after they had had time to study the project and hear both proponents and detractors, the SCF had had a total reversal of opinion. What was it about the project, and the Bill, that led the SCF to this rejection?
For a start, the SCF was scathing about the UIDAI proceeding with the project when the law was still in the process of being devised; this is "unethical and violative of Parliament’s prerogatives", the SCF said.
Then, they were concerned that the UID is for all residents, not only citizens.
The UID scheme, the SCF said, "is riddled with serious lacunae and concern areas". The UID scheme "has been conceptualised with no clarity of purpose …. it is being implemented in a directionless way with a lot of confusion… [It has] failed to take concrete decisions on important issues such as identifying the focused purpose of the resident identity database; methodology of collection of data; … conferring statutory authority to the UIDAI since its inception …" Without a law, how would the UIDAI address key issues of security and confidentiality of information, the SCF asked, and how would it initiate proceedings and penalise breaches?
Overlapping of various initiatives, duplication of efforts and lack of coordination raised concerns about cost, and that it was being done in an "overbearing manner without regard to legalities and other social consequences". The committee was also "unhappy", they said, "to observe that the UID scheme lacks clarity on many issues such as even the basic purpose of issuing `aadhaar’ number." And, "although the scheme claims that obtaining aadhaar number is voluntary, an apprehension (has) developed .. that, in future, services/benefits including food entitlements would be denied in case they do not have aadhaar number."
The United Kingdom had disbanded its ID cards project for reasons including the huge costs, the complexity, because it is "untested, unreliable and unsafe technology", and the possible risk to the safety and security of citizens. The SCF was impatient about the unwillingness to draw lessons from this, and related, global experience.
Reflecting the concerns that had been brought before the SCF, they were categorical that "considering the huge database size and possibility of misuse of information, the committee are of the view that enactment of national data protection law … is a prerequisite for any law that deals with large scale collection of information from individuals and its linkages across separate databases. In the absence of data protection legislation, it would be difficult to deal with issues like access and misuse of personal information, surveillance, profiling, linking and matching of databases and securing confidentiality of information, etc."
On 28 September 2010, 17 eminent citizens including Justice VR Krishna Iyer, Prof Romila Thapar, SR Sankaran, Aruna Roy, Justice AP Shah, KG Kannabiran, Bezwada Wilson and Prof Upendra Baxi had released a statement of concern in which they had spoken of the no-law status of the project, and of the disconcerting fact that no feasibility study had been done before launching the project. The SCF iterated these concerns.
Further, "despite adverse observations by the UIDAI’s Biometrics Standards Committee," the SCF said, "the UIDAI is collecting the biometric information …. Considering the possible limitation in applications of technology available now or in the near future, the committee would believe that it is unlikely that the proposed objectives of the UID scheme would be achieved."
This severe report on the proposed law and the project provoked no response from the government. Except for a document from the UIDAI defiantly claiming that all was well with biometrics, there has only been silence. On 31 January 2013, confusion was manifest when ministers in the Union cabinet said that they were unclear about the project, whether it is a number or a card, and what its link was with the National Population Register. This was four years after the project had been set off, and a year and two months after the SCF report.
(The author is an academic activist. She has researched the UID and its ramifications since 2009)
o o o
Part 10.
The Statesman, 19 July 2013
Aadhaar Unmasked Making a business out of government data (18th July 2013)
by Usha Ramanathan
Nandan Nilekani was appointed as Chairperson of the UIDAI on 2 July 2009. In an extraordinary gesture, he was simultaneously, and in addition, given the rank of Cabinet Minister. This gave him the status, protocol and privileges of a minister, without having to meet the constitutional requirement that a minister has to be a Member of Parliament: "A Minister who for any period of six consecutive months is not a Member of either House of Parliament shall at the expiration of that period cease to be a Minister," it says in Article 75(5) of the Constitution. In any event, since the Chairperson of the UIDAI is an office of profit, Nandan Nilekani could not have been both the Chairperson and a minister. This device, by which he was given the rank of Cabinet Minister without the constraints of the position, was used to facilitate lateral introduction of corporate leadership into the government.
Then, having been given the dual status of Chairperson and a person with the rank of Cabinet Minister, he was appointed the head of several committees in which capacity he would be able to steer state policy towards the adoption of the UID, while pushing the Prime Minister’s agenda of cash transfer and the phasing out of subsidies along with advancing corporate business agenda. The committees included the Task Force on direct transfer of subsidies which produced an interim report in June 2011 on kerosene, LPG and fertilizer, and a final report in October 2011 by which time the Task Force was reporting on an "IT strategy for PDS and an implementable solution for the direct transfer of subsidy for food and kerosene". This was quickly followed up, in February 2012, with the report of a Task Force on "an aadhaar-enabled unified payment infrastructure" for the direct transfer of subsidies on kerosene, LPG and fertiliser, of which Mr Nilekani was the Chair, pushing the agenda of UID ubiquity and revamping the subsidy structure.
Then there was the Technology Advisory Group of Unique Projects (TAG-UP) which turned in its report in January 2011; and the IT Strategy for Goods and Services Tax Network which, it seems, has resulted in a company being set up to take control over governmental data and to make a business out of it along the lines of the TAG-UP report. There have been other reports, too, such as the report of the Apex Committee for Electronic Toll Collection Implementation in which RFID and the "unique identification" of vehicles are part of the recommendations, but this does not directly impact the UID or subsidies, even if it could have a bearing on tracking, for instance.
In January 2009, when the UIDAI was set up by executive notification, it was described as "an attached office under the aegis of the Planning Commission." The "initial core team" was to comprise 115 officials and staff, with the officials drawn from Central and State bureaucracies. The Director General and Mission Director, for instance, was to be from the level of the Additional Secretary, Government of India. Nandan Nilekani’s appointment in July 2009, and the overlap of project head, cabinet ministerial rank and chair of multiple committees changed the nature, and ambitions, of the enterprise. Yet, even in January 2009, the notification said that the UIDAI "shall own and operate UID database…" This signalled a shift from when the state held data in a fiduciary capacity, and limited to the purposes for which the data was being collected. This was an open claim that data was emerging as the new property.
The National Identification Authority of India Bill 2010 in its draft form, and as introduced in Parliament in December 2010, gave the first indications of the structure intended for the UIDAI. It bears a remarkable resemblance to what was the being worked into the TAG-UP report. After its rejection by the Parliamentary Standing Committee on Finance in December 2011, however, the NIAI Bill went into deep freeze.
There had been no enthusiasm for a statutory framework anyway, and once the Standing Committee sent the Bill back to the drawing board, it just vanished from the agenda.
In the meantime, in January 2011, the TAG-UP Committee chaired by Nandan Nilekani gave its report. It described a framework for the handing over of data that is with the government to private companies set up for that purpose. This is no longer a hypothetical model. In the 2012 budget, Mr Pranab Mukherjee announced that the "GSTN (Goods and Sales Tax Network) will be set up as a National Information Utility", and it seems it has already been established in March this year, with no public discussion or disclosure, and with private banks and insurance companies as shareholders.
The entities to be created are called `National Information Utilities’ (NIU). NIUs will be a "class of institutions" that will be "private companies with a public purpose: profit-making, but not profit maximizing."
Part 11.
What is the cost? And who benefits?
by Usha Ramanathan
There was no feasibility study and no cost-benefit analysis that preceded the launch of the UID project.
In August 2010, a year and a half after the project was set up, there was a question in the Lok Sabha: "whether any pre-feasibility study or cost benefit analysis was done before the notification for creation of UIDAI was issued on 28-01-2009; if so, the details thereof." Mr Narayanaswamy, in his capacity as Minister of Planning, responded, on 18 August 2010: "An Empowered Group of Ministers which was constituted in December 2006 .... decided that a Unique Identification Authority of India be constituted under the Planning Commission and be made responsible for implementing the project which would aim at better targeting of welfare services, improving efficiency of the services and better governance.
The benefits accruing out of the project should far outweigh the cost of the project."
That was it.
In September 2010, a "statement of concern" signed by Justice VR Krishna Iyer, Romila Thapar, Justice AP Shah, SR Sankaran, Aruna Roy and 12 others expressed reservations about the project proceeding without either a feasibility study or a cost-benefit analysis. "Before it (the project) goes any further," they said, "we consider it imperative that the following be done - Do a feasibility study:
There are claims made in relation to the project, about what it can do for PDS and NREGA, for instance, which does not reflect any understanding of the situation on the ground. The project documents do not say what other effects the project may have, including its potential to be intrusive and violative of privacy, who may handle the data (there will be multiple persons involved in entering, maintaining and using the data), who may be able to have access to the data and similar other questions." And: "Do a cost-benefit analysis:..."
In an interview in April 2010, Mr Nandan Nilekani was saying: "I think the savings will be fairly substantial. I can’t put a number around it but it will be substantial." In later interviews, when the challenge to the project was more audible, he was saying: "Now every year India spends 3000 crores on entitlements and subsidies (which) will keep going up in future. And if you can bring in using aadhaar numbers, you make sure that you eliminate ghosts and duplicate numbers among beneficiaries."
These were aspirational and hypothetical. No formal figure emerged from any deliberations. Perceptions of inefficiencies in governmental functioning, leakages in service delivery, and endemic corruption offered a credible basis for assertions that the UID would clean up the system; but these were untested and unqualified assertions. As for surveillance, Mr Nilekani would only say, "no comment".
When the Standing Committee on Finance, in its report rejecting the National Identification Authority of India Bill, commented adversely on there not having been a cost-benefit analysis of the project, that became difficult to ignore.
It was November 2012 when a paper emerged from the National Institute of Public Finance and Policy on "A cost-benefit analysis of aadhaar". The paper did an "estimate of benefits" in PDS, NREGA, education, fertiliser subsidy, LPG subsidy, Indira Awas Yojana, scholarships, pensions and Janani Suraksha Yojana, ASHA and ICDS. The paper, which was characterised as a `study’, was then `presented’ to the Deputy Chairperson of the Planning Commission. It was hosted on the Planning Commission website. It was widely reported, as the PIB release said, that "after taking into account all the costs, and making modest assumptions about leakages, the study finds that the aadhaar project would yield an internal rate of return of 52.85 percent to the government." A remarkable figure, that. Except...
In February 2013, Reetika Khera, an economist who works on the PDS and NREGA and who has been challenging the claims of the UIDAI on what its project will achieve in cleaning up the system, published a critique of the NIPFP paper in the Economic and Political Weekly (EPW). In March, the EPW carried a response from the authors of the paper, who had remained unnamed so far, and Reetika Khera’s counter.
The problem with the `study’ is that it is based on no, or outdated, data. It falls back on assumptions.
The NIPFP authors do not deny this, claiming that they have been "elaborately careful in pointing out its limitations", which includes not having adequate data. It also does not consider alternative technologies that "could achieve same or similar savings, possibly at lower cost", to quote Khera. But, the authors protest, "the primary objective of the study: its central question was to ask whether the expected benefits of aadhaar outweighed its total expected costs", so they did not concern themselves with considering alternative means of problem solving, even the ones that are already in place in states such as Chhatisgarh and Tamil Nadu!
In addition, of course, the biometrics reports were out by then, and the implications of biometrics that may not authenticate, one-time passwords, re-enrolment of biometrics and the range of problems in the last mile are not anywhere in the paper.
And, since this is about cost and benefit, it does not take within its ambit matters relating to surveillance, tracking, convergence, tagging, violations of privacy and matters of personal safety and of identity fraud.
There is a further charge that is placed at the door of the authors of this paper - conflict of interest, and non-disclosure of the relationship of the group of authors with the UIDAI. There is a "NIPFP-UIDAI programme on financial inclusion", revealing collaborative activity between the two institutions.
Non-disclosure of this relationship is explained away by the authors as something that "should preferably have been made in the study itself. "At the same time," they say, "the group’s affiliations are public knowledge on its website."
What may these affiliations be, apart from the UIDAI- Macro/finance group working together? The Chairperson of the NIPFP is Dr C.Rangarajan, who is the Chair of the Prime Minister’s Economic Advisory Council. The Governing Body has a representative of the Planning Commission, and a representative of the NCAER and that is officially termed a `collaborative institution’. The UIDAI is located in the Planning Commission, and the Prime Minister and the Deputy Chairperson of the Planning Commission are its strongest proponents. The Chairperson of NCAER is Mr Nandan Nilekani.
The NIPFP paper is being projected as an authoritative study, and the press has been given the figure of over 50 per cent savings as if it were a fact. One of its authors, writing in a national daily, even said, in December 2012:
"When these estimates are put together into a formal cost-benefit analysis, they demonstrate that the internal rate of return on building UIDAI is around 50 per cent in real terms," a position of certainty from which the authors quickly backtracked when challenged. Mr Nilekani, in his talk at the Centre for Global Development in Washington in April this year, told his audience:
"There’s a study, by the way, by NIPFP, which is an independent study on what is the return on this investment." This may, mildly stated, be called a misrepresentation. There is still no study on the implications of the project for the citizen/resident, nor any cost benefit analysis.
(The author is an academic activist. She has researched the UID and its ramifications since 2009)
Part 12.
Card or number? Crow or cuckoo?
by Usha Ramanathan
Four years into the UID project, on 31 January 2013, Ministers in the Central Cabinet were asking, what is the UID? A card? A number? Or both?
There has been much perplexed questioning in these four years. Is the UID project about identity or identification? Is it about control and tracking or transparency? Is it about information or data? Is it a unique identity (UID) or a “Know Your Customer†(KYC)? Is the UID voluntary or mandatory? Is the information collected kept on a government database or with private companies? Is the UIDAI part of the state, or an entity that transits through the Planning Commission to become a private company when it reaches “steady state†? Is the UIDAI a back office for the National Population Register (NPR), or is it a competitor in the race to enrol? Is the UID part of a surveillance apparatus, or is it only to deliver entitlements? Is biometrics unimpeachable or this an experiment? Is it a game changer or an app? Is it a crow or a cuckoo?
Despite the opacity of the project, its encounter with Parliament being disastrous, and many questions being raised about it, the project has surged ahead. How did that happen?
Mr Nandan Nilekani answered that in his April talk at the Centre for Global Development in Washington. “Our view was that there was bound to be opposition,†he said. “That is a given. So, how do we address that? One was, do it quickly... Second was, do it quietly ... Third was, we said in any case there is going to be a coalition of opponents. So is there a way to create a positive coalition of people who have a stake in its success? So, one of the big things here is that there is a huge coalition of, you know, organisations, governments, banks, companies, others who have a stake now in its future. So, create a positive coalition that has the power to overpower or deal with anyone who opposes it.â€
Quickly. It was announced very early in the project that the numbers would begin to roll out between August 2010 and February 2011. Enrolment actually began on 29 September 2010, well within target. This was a demonstration of efficiency which was to show up the difference between the UID project and any other such task undertaken by the government. The problem, of course, was that this haste left no time for field testing, or to verify the feasibility of the project or its details. Details such as, biometrics as unique identifiers across the swathe of population and across time; introducers who do not know the persons they are introducing to the system but who are “approved introducers†because they are known to the Registrar; “biometric exceptions†, that is persons for whom neither fingerprints nor iris work to enrol or to authenticate; the errors that rampant outsourcing was introducing into the system; the leakage that One Time Passwords has made likely, and the faked and spoofed fingerprint and the ease of identity fraud.
These were still in the realm of the little known or unknown, but decisions to adopt biometrics had been made even before the experiment was to begin. Haste has meant that an untested system has been imposed on an entire population, and whether it will work or not will be known after a passage of time. The problem is compounded by the fervour with which the UIDAI, and Mr Nilekani, have been working to have the number seeded in all databases, and to have systems re-engineered to accommodate the UID.
Quietly. There has, in fact, been no public debate on the project. The government has not spoken except to make the UID mandatory. Mr Nilekani and his team have been hard selling the UID to individuals and institutions, so that their adoption of the UID number would push up enrolment. The quiet on the consequences of the project is especially deafening, and no amount of questioning has produced more than a sullen silence. That explains why Aruna Roy has been speaking out against the project as being disrespectful of the poor and imposing on them a project about which they have been told nothing, the implications of which are unknown to them, and where they have been informed - after being initially told that this is an inclusive project - that they will lose their entitlements if they do not enrol and get themselves a number.
The silence has been used effectively in the non-provision of information. When information was requested on the “full name, address and websites of the foreign companies which are of US and non-US origin or control†, there was something brazen about the response that “there are no means to verify whether the said companies/organisations are of US origin or not†. These companies were Sagem Morpho, L1 Identity Solutions and Accenture Services - with close ties with foreign intelligence agencies such as the CIA and Homeland Security! RTI activist Rakesh Dubbudu asked for the Detailed Project Report which Ernst and Young produced for the UIDAI, but it was denied to him, citing breach of privilege of Parliament as the reason - presumably because the UIDAI had made it part of its submissions to the Standing Committee of Finance. When the contracts with companies that are holding our data were asked to be disclosed, commercial and competitive interest was cited while refusing to give information.
Creating a positive
coalition to overwhelm opposition: state governments, central ministries and departments, banks, oil companies, the medical establishment, schools ... the list continues to grow of those who are being encouraged to demand the UID as a prerequisite to services. On 29 June, Mr Nilekani reportedly said in a speech at the IIM Bangalore that they were in preliminary discussions with embassies to use the UID number to “simplify visa application procedures†. The passport, it would seem, is not sovereign document enough! Is anyone in government listening?
In May 2010, a team of corporate heads including the leadership from Chlorophyl, Pidilite, Future Brands, and Procter and Gamble with a few others put together a document for the UIDAI titled “Aadhaar: Communicating to a Billion†. The UID was a product to be branded and sold, and the group’s prescription was to “create a simple uncomplicated construct that is not open to multiple interpretations†. The message of basic data + biometrics producing an identity was indeed simple. When it did not generate the enthusiasm that the UIDAI had perhaps hoped it would, mandatory enrolment did the trick. Alongside, by dwelling on the corruption and leakages that are commonly perceived problems in service delivery, and the `last mile’ being somewhat intractable, the UID has been promoted as the wand that will wish all this away. At the Centre for Global Development, in April, Mr Nilekani fed the audience a wild fantasy: “Today, we have reached a point where large intractable social problems - not all problems but many of them - can be solved using what we have.†May be it was hyperbole; just may be.
Mr Nilekani says to “think of this (the UID) as an app that answers the question ‘who am I?’ and then you can build all kinds of applications on it.â€
This is how the business model is being currently marketed.
(The author is an academic activist. She has researched the UID and its ramifications since 2009)
Part 13.
In the name of the poor
by Usha Ramanathan
In the beginning, and for some time thereafter, the UID project based its claims of legitimacy on the ’inclusion’ of the poor. In marketing the project, phrases such as giving identity to those without an identity, being "recognised in the eyes of the government", the "lack of identity" as "especially detrimental (to) the poor and the underprivileged", and the people who live in India’s "social, political and economic periphery" have been used liberally.
The movement away from the promise of inclusion to the threat of exclusion if a person is not enrolled for a UID came later, beginning tentatively in 2011 but becoming aggressive and vocal in 2012. It was January 2013 before the poor were led into panic when UID-linked bank accounts were made mandatory for receiving entitlements by cash transfer into banks. Many of them had IDs that recognised their entitlements, for instance ration cards, NREGA job cards, voter ID, post office accounts - but they were now being told that they could not reach their entitlements if they did not have a UID number.
Enrolling the undefined class of the unidentified poor is a complicated exercise. The N.Vittal headed Demographic Standards Committee recognised this, and suggested an approach where "approved introducers" could introduce a person to the system and "vouch for the validity of residents’ information." This idea was borrowed from the account opening procedure in banks; with a significant departure. An introducer must have a UID number; must be easily accessible to the resident; must be above the age of 18 and must not have a criminal record. NGOs were encouraged to act as introducers. But, while an introducer needs to be "approved" by the Registrar, there is no requirement that the introducer must know the person to be enrolled. This might have seemed a pragmatic resolution of the issue of enrolment of the poor and those without identity, but it was bound to raise its own set of problems.
A case in point is the well-documented instance of the homeless in Delhi. In January 2011, I visited the Pul Mithai enrolment centre to understand how the poor were being enrolled. Under the Delhi Government’s ’Mission Convergence’ in which the government and NGOs share a platform for policy-making and implementation, a survey of the homeless had been carried out using the benignant though inexperienced services of an informal roster of young persons. At that point in the exercise, which had covered about 80,000 people, a "provisional ID card under Homeless Survey" carried the name, gender, age and a photograph along with an ID number which ran like this: 10HP 58/1G. 3042397. ’HP’ stood for ’homeless people’ and 1G for the place where they had been surveyed as sited on the Eicher map. 1G was Mori gate, 1B was Yamuna Bazaar and so on. On the reverse were a series of caveats and explanations, including this: "This ID card has been issued on the basis of self-reported information by the cardholder." The UID enrolment was done on the basis of this card.
The actual enrolment was a parody. The names were not complicated, but there were some discrepancies; for instance, where a card recorded a woman as Pooja Devi, she insisted that she was just Pooja. Gender was the easy part. Age was less certain. It often went by approximations and in some cases, the age recorded in the survey was plainly in error - a lady whose daughter had married recently couldn’t be 26! We did a ’panchayat’ to help her arrive at her age.
The columns for the name of the father, and of the mother were left blank. The young lads doing the enrolment explained: "Yeh log NGO ke hain" or these people belong to the NGO, a new version of mai-baap. Where fingerprints did not work, and iris did, the system ’accepted’ the fingerprints after the fourth try - in what is called ’forced capture’. Those enrolled had no idea of the consequences.
The address posed a problem. What is the address of a homeless person? The street where they are when surveyed? A pavement they occupy until a ’clean-up drive’ chases them away?
On the UID form, another option was used. The homeless were given the address of an NGO that out of benevolence was willing to lend its name. Except the NGOs are in places in South Delhi while Pul Mithai is near Old Delhi railway station and the address for delivering the UID letter, and for the UID linked bank account, would be that of the NGO. The two "introducers" at the enrolment centre were young and motivated but had no idea where those they were helping to enrol could be reached.
So, many UID letters stayed undelivered - where the name and photograph did not help locate persons; or where, as in Geeta Colony, there was a ’clean up’ drive between the enrolment and the UID letter reaching the NGO; or in Nizamuddin, where labourers engaged on works for the Commonwealth Games had moved to another site and could not be traced. Later, the Homeless Resources Centre became the address. But the problems are generic and won’t vanish; and the HRCs are linked to projects with a limited shelf life after which they may cease to exist, or may morph into an altered entity.
This may have "enrolled" the homeless, but not in ways that gets them into an identity system that will help them.
Those in poverty live in a twilight zone of (il)legality. To them, an identity document is an especially valued possession. That is one reason that the voter ID was so sought after although not having a voter ID was no disqualification for voting; one among a plethora of ID documents would serve for the purposes of voting. The casualness with which the identity of the poor is being trifled with by the UID, and piggybacking on the poor in carrying on an experiment is, to use a euphemism, less than fair.
NILEKANI’S ELLIS ISLAND
The dependence on an introducer who doesn’t know the person being enrolled holds the potential to actually distort identity. At his World Bank talk in April 2013, Mr. Nandan Nilekani gave a description that has the virtue of simplicity but not quite of accuracy. An introducer, he said, "will say ’I know this person, he’s Ram Singh approximately born in 1977, so, we give a date of birth. He has a home, he has a home; otherwise, if he is a homeless person, we’ll give him an address c/o Homeless Shelter or whatever. Basically, then, the introducer stands as some sort of guarantee in some sense for that person. Then that person’s data is entered, and he gets an ID. So, that’s how these people get into the system… Remember, fundamentally you get only one ID in the system. So the ID that you give at the time of your enrolment is your name in this system for the rest of your life…which is why I refer to this as a 21st-century Ellis Island…what happened at Ellis Island, let’s say in the 19th century or Nova Scotia in Canada in the 19th century?
“You had all the boatloads of people coming from Europe, Eastern Europe, Croatia, Poland, wherever, Ireland, Italy, all that. And they would land at Ellis Island and they would have very complicated names. And the immigration officer would say, ah, no, I think from now on you be Sam David. And, from that day onwards, in the New World, he would be Sam David, no matter what his name was in the Old World. So, we do the same thing, you know. This person was out of the system, except physically he is in the same place, but virtually he is outside. He comes in and gets a name and that’s his name in our system for the rest of his life. So think of it as a 21st-century version of the Ellis Island."
(The author is an academic activist. She has been researching the UID and its ramifications since 2009.)