The Comptroller and Auditor General of India (CAG) has released a detailed report on the functioning of the Unique Identification Authority of India (UIDAI), highlighting a list of flaws in the Aadhaar infrastructure. The report also highlights the pitfalls in the process of generating unique identification numbers for Indian residents through the system, which was introduced in 2009 and received separate legal support in 2016. In addition to highlighting the issues, the report names HCL Infosystems and HP as two of the private entities behind some of the major IT problems in the Aadhaar infrastructure.
The 108-page report, which has been prepared for submission to the President, lists a number of flaws that affect the Aadhaar infrastructure. It includes the evaluation of the unique identification system put in place by the UIDAI, which took place between 2014-15 and 2018-19.
One of the biggest issues that the CAG report highlights in the Aadhaar system is duplicate listings, in which HCL Infosystems is indicated to have a primary role. The IT company was appointed as a managed service provider to manage UIDAI’s end-to-end infrastructure in August 2012. It works with private vendors who provide automatic biometric identification systems to help identify duplicates in data.
UIDAI has a two-step process to identify duplicate enrollments, where the first step matches demographics and the second step searches for fingerprint and iris biometric matches.
The report states that the Aadhaar nodal body relies on self-declaration to verify the “resident” status of applicants at the time of registration. This makes it possible for Aadhaar cards to be issued to “non-authentic residents”, according to the audit carried out by CAG.
The report also says that UIDAI's deduplication process is vulnerable to generating multiple Aadhaar numbers. CAG suggested that the authority could solve this problem through manual interventions.
The report pointed out that the UIDAI was unable to provide data on the number of multiple Aadhaar numbers at the regional office level, as it was not available from the authority. However, the UIDAI regional office in Bengaluru showed 5,38,815 cases of multiple Aadhaar numbers between 2015-16 and 2019-2020. Cases of unique identification numbers with the same biometrics for different residents have also been reported to the regional office in Bengaluru, according to the report.
CAG also noted that until July 2016, the UIDAI entrusted HP with the responsibility of storing the physical sets of records provided by individuals at the time of registration. The audit revealed that not all Aadhaar numbers stored in the UIDAI database were accompanied by documents.
The constitutional authority said that despite being aware that not all Aadhaar numbers are associated with their holders’ personal details, UIDAI “has not yet identified the exact extent of the mismatch although almost ten years have passed since the issuance of the first Aadhaar” in January 2009.
It was also found that a large number of voluntary biometric updates have taken place over the past few years, suggesting an inability to capture accurate biometric data during registrations.
The report also pointed out that the UIDAI was unable to verify the infrastructure and technology support claimed by third parties offering the submission of identity information for Aadhaar verification.
Since its launch, Aadhaar has been used as a source of identification to avail social assistance schemes offered by the government. Telecom operators and banks also require Aadhaar numbers to facilitate customer registration for their services. All this has led to a massive growth in the number of Aadhaar cardholders in the country, which now stands at more than a billion.
However, the report notes that the UIDAI has yet to develop a data archiving policy through which it could effectively move data that is no longer actively in use.
Entities using Aadhaar verification are also not required to store residents’ personal data in a separate vault.
The UIDAI mandated the Aadhaar vault requirement for all authentication user agencies and e-KYC user agencies in July 2017. However, the CAG audit suggested that the authority “had not established measures/systems to confirm that the entities involved adhered to the procedures” to establish vaults to store resident data.
The audit report also highlights shortcomings in restricting authentication agencies to only use secure devices to store biometric data and signatures of Aadhaar cardholders. Furthermore, it suggests that the UIDAI chose not to penalize any of the private entities it works with and instead restructured the contracts.
“There were flaws in the management of various contracts entered into by the UIDAI. The decision to waive penalties for biometric solution providers was not in the interest of the Authority by giving an unfair advantage to the providers of biometric solutions, by sending an erroneous message of low-quality acceptance of the biometric data captured by them,” the report states.
Gadgets 360 contacted UIDAI, HCL Infosystems and HP for their comments on the report. This article will be updated as the entities respond.
Security issues, privacy issues, and infrastructure flaws with Aadhaar have been fairly well reported in the past. However, UIDAI has yet to make any major updates to its system.