Nearly 12 years after the Unique Identification Authority of India (UIDAI) launched its
de-facto numbering ID, Aadhaar, the comptroller and auditor general (CAG) has pointed out several issues like faulty biometrics and unpaired documents in the UIDAI database. Plus, the success rate of Aadhaar fingerprint authentication transactions remained a cause of dissatisfaction among the users due to biometric authentication failures. CAG has recommended that UIDAI should review its charges for a voluntary update of residents' biometrics since it was not in a position to identify reasons for biometric failures and residents were not at fault for the capture of poor quality of biometrics. Several activists and
Moneylife have been in vain highlighting these issues since 2010, as all successive governments have ignored them. In fact, despite the Supreme Court verdict, the Union government continues to make the 'voluntary' Aadhaar mandatory for everything.
In its performance audit report, the CAG says, "All Aadhaar numbers were not paired with the documents relating to personal information of their holders, and even after nearly ten years, the UIDAI could not identify the exact extent of mismatch. Though with the introduction of inline scanning in July 2016, the personal information documents were stored in the central identities data repository (CIDR), the existence of unpaired biometric data of earlier period indicated deficient data management."
"During 2018-19, more than 73% of the total 3.04 crore biometric updates were voluntary updates done by residents for faulty biometrics after payment of charges. The huge volume of voluntary updates indicated that the quality of data captured to issue initial Aadhaar was not good enough to establish the uniqueness of identity," it says.
Interestingly, UIDAI and the Union government have been promoting Aadhaar as a unique ID all these years. However, the CAG report discards this as, during the performance audit, it found flaws in the de-duplication process and issue of Aadhaars on faulty biometrics and documents.
Highlighting the generation of multiple Aadhaar numbers, the CAG says, UIDAI's de-duplication process remained vulnerable to generating multiple Aadhaar numbers and manual interventions had to be done to resolve the problem.
As per information provided by the UIDAI tech centre, nearly 475,000 duplicate Aadhaar numbers were cancelled as of November 2019. "This data indicated that on an average, no less than 145 Aadhaars generated in a day during the period of nine years since 2010 were duplicate numbers requiring cancellation."
"Uniqueness of identity of the applicant, established through a de-duplication process, is the most important feature of Aadhaar. It was seen that UIDAI had to cancel more than 4.75 lakh Aadhaars till November 2019 for being duplicates. There were instances of issue of Aadhaars with the same biometric data to different residents indicating flaws in the de-duplication process and issues of Aadhaars on faulty biometrics and documents. Though UIDAI has taken action to improve the quality of the biometrics and has also introduced iris-based authentication features for enrolment for Aadhaar, the database continued to have faulty Aadhaars, which were already issued," CAG says.
Besides this, verification of records at the UIDAI regional office (RO) at Bengaluru showed that residents reported 5,388 cases of issue of multiple Aadhaars during the period 2015-16 to 2019-20, forcing UIDAI to cancel the second Aadhaar issued, based on complaints received.
CAG says, "We could not ascertain the number of multiple Aadhaars reported at other ROs as access to the related documents was not given to us. UIDAI headquarter (HQ) also could not provide RO wise data on the number of multiple Aadhaars and stated in September 2019 that such data was not available with them. Apart from the issue of multiple Aadhaars to the same resident, instances of issue of Aadhaars with the same biometric data to different residents were also seen reported in RO Bengaluru."
"Further, information like the date of issue of first Aadhaar, the date of issue of subsequent Aadhaars and the time taken to identify and cancel them was also not provided to audit, limiting our scope for further scrutiny on the issue," the auditor points out.
According to the report, in September 2019, UIDAI stated that the biometric de-duplication ensures uniqueness with an accuracy of 99.9%, but in cases where residents with poor biometrics enrol, their accuracy could be slightly poor which could lead to the generation of multiple Aadhaars.
In October 2020, UIDAI further explained to CAG that fingerprint authentication might fail in the first attempt due to various reasons, but subsequent attempts may succeed. It claimed that there had been an improvement in transaction wise fingerprint authentication success rate to 74%-76% in 2019-20 from 70%-72% in 2016-17.
UIDAI informed CAG that it had deployed a self-cleaning system, an automated process, to identify duplicate Aadhaars and take corrective actions.
However, CAG says, "No details on the frequency of the deployment of the self-cleaning system, and the number of duplicates detected through the process were provided to audit as of July 2020. The fact that residents reported 860 cases of multiple Aadhaars in Bengaluru RO alone during 2018-19 suggested that the self-cleaning system employed by UIDAI was not effective enough in detecting the leakages and plugging them, though the number of cases reported could be termed as minuscule when compared with the total number of Aadhaars generated."
The auditor-general also expressed doubt about the collection of documents from residents and their management. It says, "All the Aadhaar numbers stored in the UIDAI database were not supported with documents on the demographic information of the resident, causing doubts about the correctness and completeness of resident's data collected and stored by UIDAI prior to 2016."
Despite being aware of the fact that not all Aadhaar numbers were paired with the personal information of their holders, CAG says UIDAI has yet to identify the exact extent of a mismatch though nearly ten years have elapsed since the issue of the first Aadhaar. "Non-pairing of biometric data in the system with demographic information was not in consonance with the instructions issued by UIDAI and non-availability of personally identifiable information (PII) documents with the Authority, for those already collected from the residents, impacts the reliability of the Aadhaar database."
"Further, any quality check of demographic data by UIDAI post issue of Aadhaar will lead to deactivation of these Aadhaar numbers as stipulated by the regulations. As a matter of fact, till 1 November 2019, about 37,551 Aadhaar numbers were deactivated due to disputed PII documents," the report says.
Here are the 17 issues highlighted in the performance audit by the CAG about UIDAI and Aadhaar:
1. The Aadhaar Act stipulates that an individual should reside in India for a period of 182 days or more in the twelve months immediately preceding the date of application for being eligible to obtain an Aadhaar. In September 2019, this condition was relaxed for non-resident Indians holding a valid Indian passport. However, UIDAI has not prescribed any specific proof/ document or process for confirming whether an applicant has resided in India for the specified period and takes confirmation of the residential status through a casual self-declaration from the applicant. There was no system in place to check the affirmations of the applicant. As such, there is no assurance that all the Aadhaar holders in the country are 'Residents' as defined in the Aadhaar Act.
CAG Recommendation: UIDAI may prescribe a procedure and required documentation other than self-declaration, in order to confirm and authenticate the residence status of applicants, in line with the provisions of the Aadhaar Act.
2. Uniqueness of identity of the Applicant, established through a de-duplication process is the most important feature of Aadhaar. It was seen that UIDAI had to cancel more than 4.75 lakh Aadhaars (November 2019) for being duplicates. There were instances of issue of Aadhaars with the same biometric data to different residents indicating flaws in the de-duplication process and issue of Aadhaars on faulty biometrics and documents. Though UIDAI has taken action to improve the quality of the biometrics and has also introduced iris-based authentication features for enrolment for Aadhaar, the database continued to have faulty Aadhaars which were already issued.
CAG Recommendation: UIDAI may tighten the SLA parameters of biometric service providers (BSPs), devise foolproof mechanisms for capturing unique biometric data and improve upon their monitoring systems to proactively identify and take action to minimise, multiple/ duplicate Aadhaar numbers generated. UIDAI may also review a regular updation of technology. UIDAI also needs to strengthen the automated biometric identification system (ABIS) so that generation of multiple/ duplicate Aadhaars can be curbed at the initial stage itself.
3. Issue of Aadhaar numbers to minor children below the age of five, based on the biometrics of their parents, without confirming the uniqueness of biometric identity goes against the basic tenet of the Aadhaar Act. Apart from being violative of the statutory provisions, the UIDAI has also incurred an avoidable expenditure of Rs310 crore on issue of Bal Aadhaars till 31 March 2019. In Phase- II of ICT assistance a further sum of Rs288.11 crore was released up to the year 2020-21 to states/ schools primarily for issue of Aadhaars to minor children. The UIDAI needs to review the issue of Aadhaar to minor children below five years and find alternate ways to establish their unique identity, especially since the Supreme Court has stated that no benefit will be denied to any child for want of Aadhaar document.
CAG Recommendation: UIDAI may explore alternate ways to capture uniqueness of biometric identity for minor children below five years since uniqueness of identity is the most distinctive feature of Aadhaar established through biometrics of the individual.
4. All Aadhaar numbers were not paired with the documents relating to personal information of their holders and even after nearly ten years the UIDAI could not identify the exact extent of mismatch. Though with the introduction of inline scanning (July 2016) the personal information documents were stored in CIDR, existence of unpaired biometric data of earlier period indicated deficient data management.
CAG Recommendation: UIDAI may take proactive steps to identify and fill the missing documents in their database at the earliest, in order to avoid any legal complications or inconvenience to holders of Aadhaar issued prior to 2016.
5. During 2018-19 more than 73% of the total 3.04 crore biometric updates were voluntary updates done by residents for faulty biometrics after payment of charges. Huge volume of voluntary updates indicated that the quality of data captured to issue initial Aadhaar was not good enough to establish the uniqueness of identity.
CAG Recommendation: UIDAI may review charging of fees for a voluntary update of residents' biometrics since they (UIDAI) were not in a position to identify reasons for biometric failures and residents were not at fault for the capture of poor quality of biometrics.
6. UIDAI did not have a system to analyse the factors leading to authentication errors.
CAG Recommendation: UIDAI may make efforts to improve the success rate of authentication transactions by analysing failure cases.
7. UIDAI did not carry out verification of the infrastructure and technical support of requesting entities and authentication service agencies before their appointment in the authentication ecosystem, despite stipulations in Aadhaar (Authentication) Regulations.
CAG Recommendation: UIDAI may conduct thorough verification of the documents, infrastructure, and technological support claimed to be available, before on-boarding the entities (requesting entities and authentication service agencies) in the Aadhaar ecosystem.
8. UIDAI maintains one of the largest biometric databases globally; but did not have a data archiving policy, which is considered a vital storage management best practice.
CAG Recommendation: UIDAI may frame a suitable data archival policy to mitigate the risk of vulnerability of data protection and reduce saturation of valuable data space due to redundant and unwanted data, by continuous weeding out of unwanted data.
9. UIDAI's arrangements with the department of posts (DoP) were not adequate to guarantee delivery of Aadhaar letters to the right addressee, as seen from the large number of Aadhaar letters being returned as undelivered.
CAG Recommendation: UIDAI may address the delivery problems with their logistic partner namely DoP, by designing a customised delivery model, which will ensure delivery of Aadhaar letters to the correct addressee.
10. UIDAI provided Authentication services to banks, mobile operators and other agencies free of charge till March 2019, contrary to the provisions of their own regulations, depriving revenue to the government.
CAG Recommendation: UIDAI needs to be alert and cautious in matters concerning charges for delivery of services and ensure that decisions for non-levy of charges are taken with due process and approvals, which are properly documented and available for verification by any stake holder.
11. UIDAI did not penalise the managed service provider for failure to achieve the expected service levels in the performance of biometric solutions.
CAG Recommendation: UIDAI may levy penalties on biometric service providers for deficiencies in their performance in respect of biometric de-duplication (FPIR/ FNIR) and biometric authentication (FMR/ FNMR). Agreements in this regard should be modified, if required.
12. The support services to states by way of a state resource personnel to be provided by the National Institute of Smart Governance (NISG) through the ICT assistance given to them, was duly approved by the cabinet committee for one year only, but the same continued for years together as approved by UIDAI.
CAG Recommendation: UIDAI have to accept their own responsibility for issue of Aadhaar and limit/reduce their continued reliance on other agencies for support. They may partner with state governments to increase the enrolment functions for issue of Aadhaar.
13. There was a deficiency in the assessment of the requirements for field service engineers (FSE), resources to be hired from NISG and monitoring of the payments made to them.
CAG Recommendation: UIDAI should strictly follow the standards of financial propriety while procuring services and ensure that advances are not paid for in excess of requirements.
14. UIDAI could not avail rebate on franking values worth Rs30.19 crore offered by the department of posts due to deficiency in their agreements with print service providers.
CAG Recommendation: UIDAI may incorporate suitable clauses in their Agreements with all agencies mentioning clearly that the benefits accruing due to UIDAI's resources need to be passed on to them and vendors to indemnify UIDAI towards the loss/ cost arising due to their actions.
15. UIDAI had not effectively monitored funds released to states as grants-in-aid towards ICT assistance for creating infrastructure.
CAG Recommendation: UIDAI may improve upon its financial management of grants given to state authorities by proper monitoring and ensuring regular and timely receipt of utilisation certificates from them. It may also discontinue monetary assistance given to states/schools and other agencies for enrolment of minor children below five for issue of Aadhaar numbers.
16. Monitoring of the information system operations of authentication ecosystem partners was deficient to the extent that UIDAI could not confirm compliance with its own regulations.
CAG Recommendation: UIDAI may ensure that each of the existing REs and ASAs are audited by them or by the auditor appointed by it within a cycle of three years so as to provide adequate assurance about compliance with the regulations.
UIDAI may consider suspension of the services of REs and ASAs if they fail to conduct annual audit in time as prescribed by the Regulations 2016.
UIDAI may ensure the implementation of Aadhaar Data Vault process and institute/carry out periodic audits independently, to enhance the security of Aadhaar number storage data by user organisations. UIDAI may deal the cases of non-compliance of directions as per the Act and as per conditions in the agreement with AUAs/KUAs (authentication user agencies and e-KYC user agencies).
17. The process of capturing of grievances/complaints has not been streamlined and does not display a clear picture for analysis. Also the complaints lodged at the RO level did not get the attention of UIDAI HQ, compromising the effectiveness of the grievance redressal mechanism, besides the delays in settlement of grievances.
CAG Recommendation: UIDAI may explore the possibility of introducing a single centralised system where grievances/complaints lodged even at ROs are also captured so as to enhance the quality of customer servicing.