Faulty Biometrics, Duplication, Errors: What CAG Audit Report Says About Aadhaar Regime

In its first-ever performance audit of the Aadhaar body, the national auditor touches upon five major issues that have dominated debates surrounding the unique identification programme.

Aadhaar, privacy, EC, Election Commission, 2019 elections

New Delhi: The Comptroller and Auditor General (CAG) has pulled up the government body behind the issuing of Aadhaar numbers over a range of issues that have dominated the mainstream debate around India’s unique identification programme.

In its first ever performance audit of the Unique Identification Authority of India (UIDAI), the CAG has flagged problems with its de-duplication process and how flaws in the biometric capture process led to hundreds of thousands of people paying a fee to update their biometrics.

The audit report – which examined the UIDAI’s functioning between 2014-15 to 2018-19 – also red-flags the issuance of Aadhaar numbers to minor children below the age of five based on details given by their parents, calling it a step that goes against the “basic tenet of the Aadhaar Act”.

Here are the national auditor’s major findings:

1) No documents for proof of residency?

In India, Aadhaar numbers are only issued to individuals who have resided for a period of 182 days or more in the 12 months before the date of application. The problem with this, the CAG has pointed out, is that the UIDAI only requires a “casual self-declaration” to prove this.

“…UIDAI has not prescribed any specific proof/document or process for confirming whether an applicant has resided in India for the specified period, and takes confirmation of the residential status through a casual self-declaration from the applicant. There was no system in place to check the affirmations of the applicant. As such, there is no assurance that all the Aadhaar holders in the country are ‘Residents’ as defined in the Aadhaar Act,” the CAG report notes.

Also read: Four Reasons You Should Worry About Aadhaar’s Use of Biometrics

“UIDAI may prescribe a procedure and required documentation other than self-declaration, in order to confirm and authenticate the residence status of applicants, in line with the provisions of the Aadhaar Act,” it added.

2) De-duplication problem

The purpose of the Aadhaar system is that it is unique – that is, no individual can obtain two Aadhaar numbers, and that a specific person’s biometrics cannot be used to obtain Aadhaar numbers for different people.

This is established through the UIDAI’s de-duplication process. Over the years, there have been many questions about the effectiveness of this process.

While this criticism is not new, the CAG report throws up an interesting statistic: the UIDAI had to cancel more than 4,75,000 Aadhaars (as of November 2019) for “being duplicate”. This data indicates that on average no less than 145 Aadhaars generated in a day during the period of nine years since 2010 were duplicate numbers requiring cancellation.

Representative image. Photo: Reuters

“There were instances of issue of Aadhaars with the same biometric data to different residents indicating flaws in the de-duplication process and issue of Aadhaars on faulty biometrics and documents. Though UIDAI has taken action to improve the quality of the biometrics and has also introduced iris-based authentication features for enrolment for Aadhaar, the database continued to have faulty Aadhaars which were already issued,” the audit report notes.

UIDAI response

In its reply to CAG, the UIDAI noted that the biometric de-deduplication process ensures uniqueness with an accuracy of 99.9%, but “in cases where residents with poor biometrics enrol, their accuracy could be slightly poor which could lead to generation of multiple Aadhaars”.

In the report, the CAG however replies sharply: “No details on the frequency of the deployment of the self-cleaning system, the number of duplicates detected through the process, etc., were provided to audit as of July 2020. The fact that residents reported 860 cases of multiple Aadhaars in Bengaluru RO alone during 2018-19 suggested that the self-cleaning system employed by UIDAI was not effective enough in detecting the leakages and plugging them.”

3) Shelling out for a faulty enrolment process?

The Aadhaar system allows its users to ‘update’ their fingerprint and iris scans for a range of reasons. Some of these updates are ‘mandatory’ (for instance, children aged between 5 and 15 years at the time of enrolment are required to update their biometrics after they turn 15).

But people can also update their biometrics voluntarily. Why would they do this? A few reasons, but it appears that the most common one is that their biometrics were not properly captured during the enrolment process, leading to authentication failure.

While mandatory updates are free for the residents, voluntary updates are chargeable for the residents at rates prescribed by UIDAI.

During 2018-19, more than 73% of the total 3.04 crore biometric updates were “voluntary updates done by residents for faulty biometrics after payment of charges”.

Photo: Reuters. Illustration: The Wire.

“Huge volume of voluntary updates indicated that the quality of data captured to issue initial Aadhaar was not good enough to establish the uniqueness of identity. UIDAI may review charging of fees for voluntary update of residents’ biometrics since they (UIDAI) were not in a position to identify reasons for biometric failures and residents were not at fault for the capture of poor quality of biometrics,” the audit report notes.

Also read: Aadhaar Link Threatens Sanctity of Electoral Rolls

On top of this, the CAG also notes that UIDAI did not penalise “the Managed Service Provider for failure to achieve the expected service levels in the performance of biometric solutions”.

4) Matching Aadhaar numbers to their actual documents 

According to the CAG, all the Aadhaar numbers stored in the UIDAI database were not supported with documents on the demographic information of the resident, “causing doubts about the correctness and completeness of resident’s data collected and stored by UIDAI prior to 2016”.

“Though with the introduction of inline scanning (July 2016) the personal information documents were stored in CIDR, the existence of unpaired biometric data of earlier period indicated deficient data management. UIDAI may take proactive steps to identify and fill the missing documents in their database at the earliest, in order to avoid any legal complications or inconvenience to holders of Aadhaar issued prior to 2016.”

5) Children below the age of five

In India, Aadhaar numbers are issued to minor children below the age of five based on details given by their parents.

However, the national auditor believes that this goes against the basic tenet of the Aadhaar Act, which is to confirm the uniqueness of biometric identity (which cannot usually be done at such a young age).

“Apart from being violative of the statutory provisions, the UIDAI has also incurred avoidable expenditure of Rs 310 crore on the issue of Bal Aadhaars till March 31, 2019. In Phase- II of ICT assistance a further sum of Rs 288.11 crore was released up to the year 2020-21 to states/schools primarily for the issuance of Aadhaars to minor children,” the report notes.

“The UIDAI needs to review the issue of Aadhaar to minor children below five years and find alternate ways to establish their unique identity, especially since the Supreme Court has stated that no benefit will be denied to any child for want of Aadhaar document. UIDAI may explore alternate ways to capture the uniqueness of biometric identity for minor children below five years since uniqueness of identity is the most distinctive feature of Aadhaar established through biometrics of the individual.”

mm

Author: Anuj Srivas

Anuj Srivas is Business Editor at The Wire, where he writes and analyses issues at the intersection of technology and business. He can be reached at anuj@cms.thewire.in and on Twitter at @AnujSrivas.