Updates

Newsletter: Rethink Aadhaar and OneVote

Dear all, 

We are pleased to announce our partnership with the good folks at One Vote to bring you more news, updates and thoughts about Aadhaar, and how we can reimagine our digital futures.This update focuses on two things we’re worried about: the proposed Aadhaar Voter-ID linkage, and the recent announcement on Aadhaar-linked UPI payments.

But first - the Comptroller and Auditor General’s Report on the UIDAI

CAG Report confirms criticism of Aadhaar

Time to end project?

On April 6th, 2022, the Comptroller & Auditor General released a Report on the functioning of the UIDAI which confirmed what scholars, activists have been warning about Aadhaar: it is a badly designed system, with security risks, and places an unacceptable burden on people, without accountability systems or grievance redress.

The UID was promised as a robust identification card that would “solve” the problem of duplicates and corruption, becoming the only trusted ID card any citizen needs. However, the CAG audit report shows that the UID is not a trustworthy ID, and that enormous flaws persist because of the imposition of the UID.

The report is an assessment of the Enrolment and Update Ecosystems as well as the Authentication Ecosystems of the UIDAI for the period from 2014-15 to 2018-19. It begins by stating that, “Various Ministries/Departments of the Government as well as other entities such as banks, mobile operators, rely upon Aadhaar for the identity of the applicant.” However, we note that it fails to mention thefunction creep of Aadhaar and how it continues to be made mandatory for a host of services, outside the limited uses which were permitted by the Supreme Court in its 2018 Aadhaar judgement.

It did, however, note the problems created by UIDAI's (lack of) governance, and its negligent oversight of the private parties contracted by it. Some excerpts:  

"UIDAI is maintaining one of the largest biometric databases in the world; but did not have a data archiving policy."

“...UIDAI had not ensured that the client applications used by its authentication ecosystem partners were not capable of storing the personal information of the residents, which put the privacy of residents at risk. The Authority had not ensured security and safety of data in Aadhaar vaults. They had not independently conducted any verification of compliance to the process involved.”

“There were flaws in the management of various contracts entered into by UIDAI. The decision to waive off penalties for biometric solution providers was not in the interest of the Authority giving undue advantage to the solution providers, sending out an incorrect message of acceptance of poor quality of biometrics captured by them.”

The CAG report also notes the huge volume of biometric failures. Biometrics are, as we have been saying, a probabilistic technology. When UIDAI started collecting biometrics in 2010, it was untested at this scale. The report noted high numbers of poor quality biometrics in the Aadhaar database:

“Aadhaar numbers with poor quality biometrics induces authentication errors. UIDAI takes no responsibility for it and transfers the onus of updating the biometrics to the resident and also charges fees for it. Issue of Bal Aadhar to minor children below five years was largely focused towards expanding the Aadhaar footprint, without establishing uniqueness of identity of the children. Costs to the Government for issue of these Bal Aadhar numbers were at best avoidable”...

The CAG found that the huge volume of"voluntary" updates indicated that the quality of data captured to issue Aadhaar numbers was not good enough to establish unique identities. The burden of this poor quality data (and the UIDAI's biometric experiment on India) was borne by people, who were faced with denial of services because their biometrics did not match, and who were made to ensure their records were accurate.

Troublingly, the onus of ensuring records were accurate was placed on people themselves. “During 2018-19 more than 73 per cent of the total 3.04 Crore biometric updates were voluntary updates done by residents for faulty biometrics after payment of charges.” 


The CAG report recommends that “UIDAI may levy penalties on Biometric Service Providers for deficiencies in their performance in respect of biometric de-duplication (FPIR/ FNIR) and biometric authentication (FMR/ FNMR). Agreements in this regard should be modified, if required (Paragraph 4.4.1) This is perhaps an attempt to introduce some accountability for biometric failures, the fact that CAG recommends the levy of penalties on providers of this technology for failures, makes it evident that biometric authentication does not work.

The report also excoriated the UIDAI for poor grievance redress mechanisms, finding:

“The grievance redressal system at the UIDAI Hqrs and Regional Offices was ineffective and was plagued with delays in redressal of grievances.”

While highlighting thevarious issues that plague the UID system, Chapter 6 of the report titled ‘Redressal of Customers Grievances’ finds that, “UIDAI caters to the entire population of India and hence Customer Relationship Management (CRM) is an important aspect of its functioning.” This confirms the criticism raised by civil society over the last decade, although it fails to recognise that UIDAI was thrust onto citizens who were forced to enrol in an evidently poorly designed and executed database project. We are not customers, we are citizens for whom some of the most basic rights have become contingent on having an Aadhaar card and successfully “authenticating” our biometrics.

The government and UIDAI must recognise that a functional and accountable grievance redress system - and system for accountability and transparency - must be at the heart of this project upon which access to basic rights has become contingent, and that began as a coercive experiment. Its recommendation for a centralised grievance redressal system will not address the problem of lack of sufficient capacity, transparency and accountability for issues within Aadhaar. As this piece from last year explains, existing grievance redress mechanisms were incapable of answering a simple question of how a person was to retrieve a misplaced Aadhaar number. ( https://indianexpress.com/article/opinion/columns/flaw-in-aadhaar-architecture-uidai-card-enrolment-7389133/ )

While the CAG report highlights the poor quality of the UID database and related issues, it is important to remind ourselves of the human cost of this faulty and coercive program including denial of school admissions, denial of pension for the elderly, denial of food under the PDS, which are just a few instances in a much larger and longer list. We reiterate our concerns with the UID project. We call upon the government to end mandatory Aadhaar linking, and to re-evaluate the viability of the project itself. 

We encourage you to read the report yourselves. You can read our statement here. Please see also two articles explaining it, one by Usha Ramanathan here and one by Reetika Khera and Ria Singh Sawhney, here.
 

____________________________

Linking Aadhaar and Voter ID for voter verification

"On Aadhaar, nobody knows you're a dog"

In December 2021, the Indian Parliament passed The Election Laws (Amendment) Bill, 2021 with provision for “voluntary” Voter ID-Aadhaar linkage, despite all the evidence of Aadhaar contributing to marginalisation of already vulnerable communities. What new vulnerabilities will be created by linking proof of citizenship to Aadhaar? This runs counter to experts’ recommendation and is a step towards greater technological intervention in elections.

The linkage was proposed and passed under the guise of deduplication of electoral rolls. However, no research has been conducted to demonstrate how this can be done. Maansi Verma’s excellent article highlights the stakes of this operation. Rethink Aadhaar firmly opposes the linking of Aadhaar and voter ID. Our statement on the same is available here. For more background, read this comprehensive article by The Wire, and this piece written by Ajit Ranade

In related news, it was recently reported that the 2021 Bihar Panchayat Elections conducted Aadhaar biometric verification for voting. The exercise was mandatory. And since Aadhaar data is inherently insecure, voters were subject to mass bank fraud. State Election Commissions are increasingly enthusiastic about premature technological interventions, at the cost of voters’ privacy, safety, and franchise. This MediaNama article has the details. 

 ____________________________

Aadhaar - UPI Linkage  

In what appears to be a loss of all common sense, the National Payments Corporation of India (NPCI) is seeking to enable a feature which will allow users to set up a UPI account using their Aadhaar-based OTP authentication number, instead of a debit card issued to their bank accounts.

In addition to existing social engineering / screen sharing based UPI frauds, this feature when enabled might give anyone having a brief physical / remote access to setup UPI PIN without the knowledge of the user leading to massive risk to those who have linked Aadhaar and mobile number to their bank account. 

____________________________

What we’re watching, reading, thinking about

 (Yes, PAN-Aadhaar linking "deadline" has been extended yet again to 2023)

 ____________________________

Connect with us!

 Ask friends and family to subscribe to Rethink Aadhaar. Please email us to sign up to Rethink Aadhaar's mailing list. 

Please also follow One Vote on Twitter for regular updates and to amplify our message! You can also subscribe to our project page

Rethink Aadhaar Campaignhttps://rethinkaadhaar.in

For signing up for Rethink Aadhaar mailing list, please click: https://lists.riseup.net/www/subscribe/rethink-aadhaar
Twitter: @No2UID
Facebook: https://www.facebook.com/no2uid/Write to us at: contact@rethinkaadhaar.in