CAG flags privacy gaps, duplication in Aadhaar
The findings are part of the first performance review by the country’s independent auditor of UIDAI, which was carried out over a four-year period between FY2015 and FY2019 .
The Unique Identification Authority of India (UIDAI) generated Aadhaar numbers with incomplete documents, did not ensure that partners who carry out verification would not be able to store personal information, and put the onus and cost on citizens to correct biometrics records when its own contractors responsible for enrolment performed poorly, the Comptroller and Auditor General (CAG) has found.
The findings are part of the first performance review by the country’s independent auditor of UIDAI, which was carried out over a four-year period between FY2015 and FY2019 . After being launched in 2010, the Aadhaar database reached 1.29 billion records by March 2021 “and is considered as one of the largest biometric based identification systems in the world”, the report noted.
The report, tabled in the Lok Sabha on Tuesday and the Rajya Sabha on Wednesday, went on to list a series of what it described as deficiencies, including some that it said carried privacy risks for residents.
“UIDAI had not ensured that the client applications used by its authentication ecosystem partners were not capable of storing the personal information of the residents, which put the privacy of residents at risk. The Authority had not ensured security and safety of data in Aadhaar vaults. They had not independently conducted any verification of compliance to the process involved,” it said in its conclusion.
The Aadhaar authentication ecosystem refers to agencies — these could be banks or telecommunication companies — that often use the 12-digit ID number for applicant verification, who query the UIDAI database for identity verification, including via the use of biometrics such as fingerprints.
The audit found that UIDAI generated Aadhaar numbers “with incomplete documents”, did not establish whether applicants were residing in the country with proper documents, and accepted poor quality biometrics. This “resulted in multiple/ duplicate Aadhaar numbers”, it added.
Saurabh Garg, the chief executive officer of UIDAI, did not comment on the findings, saying: “I have not seen the CAG report yet. I will be able to comment only after I see it”. The report said that UIDAI, in an exit conference held on October 14, 2020, largely agreed to the audit recommendations. The agency, however, gave explanations for the several of the ostensible deficiencies pointed out by the CAG report — including on the faulty biometrics and security audits.
A person involved in the performance audit said among the key findings was that when UIDAI rules specify a person has to have been in the country for 182 days before applying, the agency has no way of verifying this. “UIDAI takes the self-confirmation of individuals through casual self-declaration. We have expressed our concerns, whereby the correctness of residential status of individual should be checked,” the person added, asking not to be named.
Another important issue was with duplicate entries. “All duplicate Aadhaar cards are still in the database because of unpaired biometric data,” the person said.
A fourth problem was that UIDAI appeared to have charged people for biometric updates when poor quality data was fed in during enrolment. “73% of biometric updates were voluntary updates. UIDAI charged residents a fee for no fault of theirs,” the person said.
In the report, CAG elaborated on this by saying that UIDAI did not take responsibility for poor quality biometrics and put the onus on the resident and charged fees for it
The audit was critical of UIDAI’s move to issue Aadhaar cards to children and newborns without biometrics under an initiative known as Bal Aadhaar. “This needs to be reviewed. Because anyway after 5 years, a child has to apply for new regular Aadhar. The unique identity is not matched anyway because it is issued on the basis of documents of parents,” the person quoted above added.
“Apart from being violative of the statutory provisions, UIDAI has also incurred avoidable expenditure of ₹310 crore on issue of Bal Aadhaars till 31 March 2019,” the report said, adding that “costs to the government for issue of these Bal Aadhar numbers were at best avoidable”.
CAG noted that UIDAI “was successful in issuing a large majority of residents with an identity document, based on unique identity established through biometrics” that “undoubtedly helped government as well as private agencies in establishing identity of the residents before delivery of services”.
But, it added, the agency was too reliant on contractors. “… UIDAI would do well to proactively accept its role and responsibility bestowed upon them by the government by various statutory enactments and reduce its continued dependence on outsourced agencies and instead partner with state governments for the enrolment process”.
CAG also said UIDAI belatedly levied fees for authentication services used widely. “UIDAI’s compliance to its own regulations were found wanting due to belated levy of fees for authentication services, which deprived the government of its due revenues up to March 2019, though the Aadhaar database was used extensively by banks and mobile operators for authentication of identity of the applicants. The fees chargeable were determined thereafter.”
The audit held that there “were flaws in the management of various contracts”. Among these was its “decision to waive off penalties for biometric solution providers”, which was “not in the interest of the authority” and gave “undue advantage to the solution providers, sending out an incorrect message of acceptance of poor quality of biometrics captured by them.”
“What the report indicates is that there are systemic problems in the design and the role of UIDAI, where it is operating the system and is also in the role of overseeing itself and the entities to which it gives contracts. These problems have been pointed out to the government and UIDAI for years by grassroots activists, MPs and lawyers and they have not been heeded,” Raman Jit Singh Chima, Asia Pacific policy director at Access Now, a digital rights organisation.
“The lack of accountability is an inherent feature of the Aadhaar system. The findings of the CAG audit confirm the ground level studies of junk enrolments, faulty and low-quality demographic and biometric data,” said Apar Gupta, executive director of the Internet Freedom Foundation.
The CAG report said on the flawed documentation that UIDAI agreed in an October 2020 exit meeting with the audit recommendation and assured it will explore the possibility to fill gaps in without causing avoidable inconvenience to Aadhaar holders.
On the issue of flawed biometrics, the report said the agency “explained that most authentication was based on fingerprints which do change in adults with time based on their job profiles”, and said it was requesting their ecosystem partners to deploy iris authentication devices.
On the audit report of authentication partners, UIDAI said during the October 2020 meeting that there had been a steady increase in submission of information security audit reports by the partners “from about 35% in 2016-17 and 2017-18 to 52% in 2018-19”.
Get Current Updates on India News, PM Narendra Modi Live Updates along with Latest News and Top Headlines from India and around the world