CAG Report confirms criticism of Aadhaar: Time to end project?
On April 6th, 2022, the Comptroller & Auditor General released a Report on the functioning of the UIDAI which confirmed what scholars and activists have been warning about Aadhaar: it is a badly designed system, with immense surveillance risks, which places an unacceptable burden on people and violates fundamental rights.
The UID was promised as a robust identification card that would “solve” the problem of duplicates and corruption, becoming the only trusted ID card any citizen needs. However, the CAG audit report shows that the UID is not a trustworthy ID, that enormous flaws persist, and that the imposition of the UID creates difficulties.
The report is an assessment of the Enrolment and Update Ecosystems as well as the Authentication Ecosystems of the UIDAI for the period from 2014-15 to 2018-19. It begins by stating that, “Various Ministries/Departments of the Government as well as other entities such as banks, mobile operators, rely upon Aadhaar for the identity of the applicant.” However, we note that it fails to mention the function creep of Aadhaar and how it continues to be made mandatory for a host of services, outside the limited uses which were permitted by the Supreme Court in its 2018 Aadhaar judgement.
While highlighting the various issues that plague the UID system, Chapter 6 of the report titled ‘Redressal of Customers Grievances’ begins: “UIDAI caters to the entire population of India and hence Customer Relationship Management (CRM) is an important aspect of its functioning.” Although confirming the criticism raised by civil society over the last decade, this fails to recognise that UIDAI was thrust onto citizens who were forced to enrol in an evidently poorly designed and executed database project. We are not customers, we are citizens for whom some of the most basic of rights have become contingent on having an Aadhaar card and successfully “authenticating” our biometrics.
The government and UIDAI must recognise that a functional and accountable grievance redress system must be at the heart of this project upon which access to basic rights has become contingent, and that began as a coercive experiment. The recommendation for a centralised grievance redressal system will not address the issues of lack of sufficient capacity, transparency and accountability for issues within Aadhaar. As this piece from last year explains, existing grievance redress mechanisms were incapable of answering a simple question of how a person was to retrieve a misplaced Aadhaar number. “The combined might of all Aadhaar assistance facilities in Bihar proved unable to help Reena Devi, a poor widow who had lost her Aadhaar card in the process of applying for a change of address after marriage. It took special access to a sympathetic official at the regional office of the Unique Identification Authority of India (UIDAI) in Ranchi – 400 kilometres away from Reena’s residence – to retrieve her lost number.”
Key findings of the CAG Report:
I. Poor Data Quality
“Aadhaar numbers with poor quality biometrics induces authentication errors. UIDAI takes no responsibility for it and transfers the onus of updating the biometrics to the resident and also charges fees for it. Issue of Bal Aadhar to minor children below five years was largely focused towards expanding the Aadhaar footprint, without establishing uniqueness of identity of the children. Costs to the Government for issue of these Bal Aadhar numbers were at best avoidable”.
There is no assurance that Aadhaar enrollment was limited to those actually resident in India.
The database continues to have duplicates, despite attempts to clean up the system. UIDAI had to cancel more than 4.75 lakh Aadhaars (November 2019) for being duplicate.
Issuing Aadhaar to minors (below the age of 5) without confirming the uniqueness of their biometrics goes against the intention of the Aadhaar Act.
Aadhaar numbers were not paired with the documents relating to personal information of their holders.
Over nearly ten years, the UIDAI could not identify the exact extent of mismatch.
II. The UIDAI continues to be plagued by systemic issues and lack of accountability
"UIDAI is maintaining one of the largest biometric databases in the world; but did not have a data archiving policy."
UIDAI, which is responsible for ensuring that licensed requesting entities comply with regulations and with the annual information system audit of their operations, failed to take any action on the more than 50% of entities which have never submitted their annual compliance reports.
“Moreover, UIDAI had not ensured that the client applications used by its authentication ecosystem partners were not capable of storing the personal information of the residents, which put the privacy of residents at risk. The Authority had not ensured security and safety of data in Aadhaar vaults. They had not independently conducted any verification of compliance to the process involved.”
“There were flaws in the management of various contracts entered into by UIDAI. The decision to waive off penalties for biometric solution providers was not in the interest of the Authority giving undue advantage to the solution providers, sending out an incorrect message of acceptance of poor quality of biometrics captured by them.”
UIDAI does not have a system to analyse the factors leading to authentication errors.
III. Placed the burden of ensuring correctness on residents
Troublingly, the onus of ensuring records were accurate was placed on people themselves. “During 2018-19 more than 73 per cent of the total 3.04 Crore biometric updates were voluntary updates done by residents for faulty biometrics after payment of charges.”
The huge volume of voluntary updates indicated that the quality of data captured to issue initial Aadhaar was not good enough to establish uniqueness of identity.
IV. Grievance Redress
“The grievance redressal system at the UIDAI Hqrs and Regional Offices was ineffective and was plagued with delays in redressal of grievances.”
V. Accuracy of biometrics
The CAG report recommends that “UIDAI may levy penalties on Biometric Service Providers for deficiencies in their performance in respect of biometric de-duplication (FPIR/ FNIR) and biometric authentication (FMR/ FNMR). Agreements in this regard should be modified, if required (Paragraph 4.4.1)”
While this is perhaps an attempt to introduce some accountability for biometric failures, the fact that the CAG recommends the levy of penalties on providers of this technology for failures makes it evident that biometric authentication does not work. Biometrics are, as we have been saying, a probabilistic technology. When UIDAI started collecting biometrics in 2010, it was an untested technology at this scale.
While the CAG report highlights the poor quality of the UID database and related issues, it is important to remind ourselves of the human cost of this faulty and coercive program including denial of school admissions, denial of pension for the elderly, denial of food under the PDS, which are just a few instances in a much larger and longer list. We reiterate our concerns with the UID project. We call upon the government to end mandatory Aadhaar linking, and to re-evaluate the viability of the project itself.