The Comptroller and Auditor General of India (CAG) has released a detailed report on the functioning of the Unique Identification Authority of India (UIDAI) where it lists a number of flaws in the Aadhaar infrastructure. The report also highlights the flaws in the process of creating unique identification numbers for Indian residents through the system launched in 2009 and received a separate legal support for the Aadhaar system in 2016. In addition to pointing out problems, the report names HCL Infosystems and HP as the two private companies behind some of the major IT problems in the Aadhaar infrastructure.
The 108-page report that was prepared for submission to the President contained several flaws that affected the Aadhaar infrastructure. This includes the evaluation of the unique ID system implemented by UIDAI between 2014-15 and 2018-19.
One of the biggest problems underlined in the CAG report on the Aadhaar system is the duplicate listing where HCL Infosystems has been shown to have a primary role. The IT company was hired in August 2012 to manage UIDAI’s end-to-end infrastructure. It works with individual vendors who provide automated biometric identification systems to help detect duplicate data.
UIDAI has a two-step process for identifying duplicate entries where the first step is to match the demographic information and the second step is to look for fingerprints and biometric matching of the iris.
The report states that the nodal body of Aadhaar relies on self-declaration to verify the ‘residential’ status of the applications at the time of their enrollment. This, in turn, makes it possible to allow the issuance of Aadhaar cards to “unauthorized residents” as per the audit conducted by CAG.
It has also been noted that the duplication process by UIDAI is risky for creating multiple Aadhaar numbers. The CAG suggested that the authorities could resolve the issue through manual intervention.
The report highlighted that UIDAI was unable to provide any regional office-based information on multiple Aadhaar numbers as it was not available to the authorities. However, the UIDAI Regional Office in Bangalore showed 5,38,815 cases of multiple Aadhaar numbers between 2015-16 and 2019-20. Examples of unique ID numbers with the same biometric data of different residents have also been reported at the Bangalore regional office, the report said.
The CAG also noted that as of July 2016, UIDAI HP was responsible for preserving the original set of documents provided by individuals at the time of enrollment. Audits have shown that not all Aadhaar numbers stored in the UIDAI database are supported with documents.
Constitutional authorities say that despite being aware of the fact that not all Aadhaar numbers are associated with the personal information of their holders, UIDAI “has not been able to identify the exact amount of discrepancies even though almost ten years have passed since the first Aadhaar issue”. In January 2009.
It has also been found that there have been a number of voluntary biometric updates over the past few years, suggesting an inability to capture accurate biometric data at the time of enrollment.
The report further states that UIDAI has not been able to verify the infrastructure and technical support claimed by third parties by proposing to submit identity information for Aadhaar verification.
Since its inception, Aadhaar has been used as an identification source to obtain welfare projects provided by the government. Telecom operators and banks also need Aadhaar numbers to facilitate customer registration for their services. All this has led to a massive growth of Aadhaar cardholders in the country. At the moment the number exceeds one billion.
However, the report noted that UIDAI has not yet developed a data storage policy that allows it to effectively transfer data that is no longer actively used.
It has also been found that Aadhaar verification companies are not obliged to store the personal data of the residents in a separate vault.
UIDAI in July 2017 made Aadhaar Vault requirement mandatory for all authentication user agencies and e-KYC user organizations. However, the CAG’s audit suggested that the authorities “did not establish any measures / systems to ensure that companies complied with the procedures”. Save residents information.
The audit report also outlines errors in restricting authentication agencies to use only protected devices to protect Aadhaar cardholders’ biometrics and signatures. Furthermore, it recommends that UIDAI choose not to penalize any of the private companies it operates with and to renegotiate contracts instead.
“The various agreements entered into by UIDAI were flawed. The decision to waive fines for biometric solution providers was not in the interest of the authorities to provide undue benefits to the solution providers, sending a false message of acceptance to the poor. The quality of biometrics captured by them,” the report said. .
Gadgets 360 contacted UIDAI, HCL Infosystems and HP for their comments on the report. This article will be updated if companies respond.
Security issues, privacy concerns, and structural flaws with Aadhaar have been reported quite well in the past. However, UIDAI has not yet made any major updates to its system.