Thursday 15 March 2012
1. UIDAI is lying to a billion Indians. And the plain truth is that people running the show at UIDAI are aware of the humongous scale of social catastrophe, which a project like UID could unleash in India. Behind the mask of a cool and confident exterior, some UIDAI officials seems to be constantly grappling with feelings of immense insecurity and uncertainty. We can get a sense of their feelings by closely reading the draft National Identification Authority of India Bill 2010.
In the coming years India will see hundreds of thousands of cases related to its citizens impersonating other citizens of the country to get a portion of ten trillion rupees direct-cash-transfer subsidy scheme. Cases of Indian citizens intentionally appropriating identities of persons dead or alive, real or imaginary could become common just as during license quota-permit raj it was common to forge a license, produce a company out of thin air. Just as during every election tens of thousands of Indian citizens discover to their utter dismay either they do not exist on the voter list or someone impersonating them has cast their votes. On any given day tens of hundreds of unauthorized people could possibly be roaming around India knocking on doors of unsuspecting citizens collecting personal biometric information on behalf of UIDAI. After all in a vast country like India how can a citizen prove whether a person who claims to work for UIDAI is actually working for that organization? Remember UIDAI has subcontracted its entire enrolment process to private companies unlike other data gathering exercises like the census, which usually works with a government or government-affiliated workforce. By the year three of its data collection exercise UIDAI wants to hire fifteen thousand enrollment stations all across India. So how can one ascertain the identity of a group of persons if five men donning some grave uniform, carrying some official looking documents start banging the doors of a plush housing society at Malabar Hill claiming that a UID updating camp is on in the area and you need to submit all your personal and private details once again.
Hundreds of private agents acting as enrollers, data-collectors, data-transporters will have a potential to make a quick buck by selling UID data to market players. These enrollers could intentionally disclose, transmit, copy or disseminate private biometric data in electronic form very easily. The ease of translation of digital data is a fantastic gift of our modern age. The Central Identities Data Repository (CIDF) the main memory of UIDAI is going to be the site for much contestation between operators belonging to private players. CIDF does not even exist now but plans are underway to create its infrastructure. Ernst and Young, the global accounting firm that has been cautioned in many countries around the world for fudging confidential data is currently giving advice to UIDAI to procure the best available technology for the cheapest price. CIDF operators will have a mix of highly dedicated private and public sector employees, but who can prevent these people to access or secure an access or download, copy or extract data and store it in any device before releasing it in the market. Current information about biometric details, bank account numbers, telephone number of potential customers has a huge market demand. Registrars working at enrollment stations are supposed to courier data loaded on memory sticks to CIDF from all across India. UIDAI will give 50 rupees per enrollment but who can insure that data will not be lost or downloaded, copied or destroyed during the transfer process? There is of course no provision to account for loss of data during transfer via memory sticks.
The culture of sub-contracted work introduced by UIDAI will unleash breakneck competition in the market and empanelled firms will use any trick in the book to downplay each other for lucrative UID contracts. We already saw the evidence of fierce corporate battles in the run up to initial disbursement of contracts. After all UIDAI will certainly reward those firms with more responsibility who have done efficient work. Firms, which do not perform will be eased out. But how can UIDAI prevent an anonymous sub-contracted employee of a firm to introduce a virus in a system, which features database collected by a rival firm, to create more value for its original employer. In such a situation sub-contracted workers could possibly damage data, disrupt or cause disruption of the access or deny access or provide some assistance in accessing data stored at CIDF or could potentially destroy or delete or alter some crucial, sensitive, biometric information related of a group of citizens belonging to a certain place. The potential to creatively contaminate digital data will increase stupendously. Furthermore citizens of India could have to deal with new forms of postmodern anxieties as one day some of them may realize that they do not exist in UIDAI database. All or some of biometric details of Indians could be modified. A UID operator will certainly not trust anybody else except the data, which he sees on his screen. The dataset appearing on the screen of UID operators all across India will introduce a new frame of interpreting reality. The UIDAI on its part cannot punish anybody but can only take those people who have been caught to a court of law. That legal system in India is inefficient needs not to be told. It could possibly take years before the guilty could be punished. Additionally during the process of getting an Aadhar number through the much-touted Know Your Resident process how can UIDAI know that an introducer is not collaborating with someone, who is not a genuine citizen for an inducement of some money by giving biometric information that does not belong to that person. In case a company is found liable of offences UIDAI proposes to severely punish those found guilty. This is certainly laudable. But Indian law treats company as a legal person ( I still cannot understand this absurd fundamental legal fiction how can anyone treat a firm as a legal person). But for the sake of argument how can UIDAI prevent a legal person to change its identity, in other words, say for instance, a company x is found guilty of improper practices and is debarred from carrying business with UIDAI, what prompts individuals who run that company to dissolve that firm legally therefore dissolving the legal identity of that firm and create a new firm, a new legal identity in the name of their close family members and apply for empanelment for UIDAI. The UIDAI has provisions to punish the director, manager, secretary or any officers of a company if such a company violates any provision of the law. However, there’s a small but significant rider here, the punishment will only take place if and only if, it could be proved in a court of law that the offence committed by an employee of the company is in consent or connivance of the top management. In other words under the NIDAI law if the state can prove the members of a firm conspires to cheat UIDAI they can be punished. By the time the guilty are brought to book the private confidential biometric information belonging to millions of Indian could be circulating in the market. The NIDAI bill has no provision for punishing, apprehending, or debarring those people who buy, sell, trade, barter, exchange biometric information. Even if there were such provisions I wonder what effect could have in India. The Indian state does not allow over the counter purchase of arms and armaments. On paper at least one needs to be a license holder to trade in arms but does it prevent anyone to deal in arms or to use arms for killing or coercion purposes. Of course none of the scenarios, which I have listed above exist. Therefore these are at best figments of my paranoid imagination. And of course my version of what could happen in India is an extrapolation of clauses of punishments and offences listed under the proposed National Identification Bill of India 2010. But I wonder why would the legal team of UIDAI put such provisions had they not anticipated the ways in which private confidential biometric data of Indian citizens could be tampered with. And if they do not anticipate any such crime to take place, why would they put provisions of severe punishment ranging up to three years of imprisonment. Why do Indians want to appear stupid by not having any debate on consequences of a project like UID in India. The parliamentary committee on finance, on grounds that it was contradictory and ambiguous, summarily rejected the NIDAI bill. Now perhaps the UIDAI legal team is working hard to prepare an even more thorough bill.
The lack of a legal cover however does not prevent the UIDAI to pursue its illegal agenda. Currently an illegal exercise of biometric data collection is on in India.
But not everyone is taking part in it. A friend recently told me a anecdote about what happened when one day some UIDAI officials went to the house of a retired Supreme Court judge of India in Delhi. I record below my impressions of the anecdote.
(Retd) Supreme Court judge: Who are you?
UIDAI official: Sir I have come from UIDAI.
(Retd) Supreme Court judge: What do you want?
UIDAI official: Sir I want your biometric data.
(Retd) Supreme Court judge: Why?
UIDAI official: Sir we are collecting data to give UID numbers.
(Retd) Supreme Court judge: Okay. What do you want me to do?
UIDAI official: Sir we want your fingerprints for this exercise.
(Retd) Supreme Court judge: WHAT!!! (he is furious) What utter nonsense!! Fingerprints are for under-trails and convicts.
UIDAI official: But Sir! UIDAI is a Government of India exercise. It is as per rules.
(Retd) Supreme Court judge: What rules! Show me the damned rules.
UIDAI official: Sir you might not remember but ever since you retired they have appended the Citizenship act. Now all of us have to give our fingerprints.
(Retd) Supreme Court judge: Really!! Show me the rules and take my fingerprints.
UIDAI official: Okay sir.
(The UIDAI official goes to get the rule book but never returns because no such rule exists in constitution of India which says that one has to give ones fingerprint to a UIDAI official)
2. If the draft NIDAI bill partially represents the collective fears UIDAI handlers, the UIDAI’s Communication and Awareness report represents their hopeless dreams. In February 2010 the UIDAI got together a team of corporate propaganda managers, also known as ‘communications experts’ in trade jargon to sell the idea of UIDAI to India. Kiran Khalap the Infosys brand development consultant was given the responsibility to head an eight member team to ‘recommend the awareness and communication strategy for achieving the UIDAI purpose and communication goals most effectively’.
Almost three years before collaborating on the UID communication report Kiran Khalap collaborated with his team at Chlorophyll, a branding agency, on a report about brand identity. This report titled, ‘Ideantity, a unique perspective on brands and brand identities’ provide a range views on what Chlorophyll understands by branding. So according to Chlorophyll, a brand is an unchanging idea and branding is a process of aligning all aspects of a business to that unchanging idea. I think it is important for us to get a glimpse at the way in which propaganda managers like Kiran Khalap understands reality, because it gives us an idea about how they intend to alter or change it. Chlorophyll believes that a key to a successful marketing lies in communicating an idea to its target audience in a most comprehensive manner. The notion of ‘target audience’ entered branding language via the cold war. The propaganda machinery of the empire started to use the term ‘target audience’ to refer to anyone who was seen as under the influence of communism for instance population of eastern bloc countries and former USSR. The brief of imperial propaganda managers was to change the mindsets of target audience. People like Kiran Khalap believe branding is a process, which helps a firm in changing the mindsets of target audience. Chlorophyll’s trademarked word, ideantity is a summation of a brand line, a visual and a name.
The name denotes an unchanging idea, the brand line is a textual reference and the visual provides a pictorial reference to that unchanging idea. In May 2010 kiran Khalap presented his report to UIDAI. Around that time officials of UIDAI started calling their number (UID number) by a new name- Aadhar, which means a root or base or a foundation, a sub-structure or an understructure. In other words the plan was to make an arbitrary random 12 digit number the foundation of one’s identity and of all state to citizen interface in India. It is a pity that enrollment for this number is voluntary. And a greater pity that UIDAI seeks to cover only just over a half of Indian population. None of this is of course any fault of Kiran Khalap. Kiran Khalap and his able team suggested ways and means to develop the personality of Aadhar. A section in UIDAI’s communication strategy gives pointers to deconstruct the personality of Aadhar. Brand managers believe in magical transformations. In the eyes of a brand manager if toothpaste magically transforms into a human being by smiling and talking to a customer again and again, the customer will start to feel about that toothpaste. The key question is how to make a customer feel about an object.
Kiran Khalap’s strategy is to project Aadhar in human terms. A citizen is meant to experience Aadhar. Aadhar is a friend who has been with her since an early age. Indians families will not only just know Aadhar but like him as they like a friend. Aadhar like all superheroes will have great strength and integrity in character. Aadhar is comfortable with technology yet it is not geeky (see, Aadhar- Communicating to a Billion, An Awareness and Communication report, 2010, p-18, 19) In Chlorophyll’s handbook about branding, there is a guideline about set of questions that one should never ask about a branding strategy. The first question is- Does it work?
3. ‘In 1984 Indira Gandhi the then Prime Minister of India was shot dead by two Sikh bodyguards in Delhi. Leaders of Congress (I), the political party to which Indira Gandhi belonged, decided to take ‘revenge’ of her assassination by killing Sikhs. In the days that followed hundreds of Sikhs were killed in many cities of India. Delhi, however, remained the site where largest pre-meditated acts of murder took place. A human rights group investigating the consequences of anti-sikh riots recorded the testimony of a survivor as thus:
“On 1st November 1984 at about 1:00 pm, many trucks and tractors with trolleys full of stones came to Nangloi from the direction of Bahadurgarh. This happened at a time when the Delhi-Haryana border was said to have been sealed. The drivers and passengers let loose a rein of terror in the area. They first stoned the houses, then broke open and looted them, and finally dragged out the men and killed them.”
But how did rioters know who is a Sikh and where does he lives? Before rioters could stone a house, drag a Sikh man to kill or set his body on fire, before a Sikh woman could be raped, a house or a person had to be targeted correctly. Rioters used a variety of ways to garner information about Sikh people. Someone would do an impromptu survey of a place by marking all houses belonging Sikh community with an –X- sign. Few local people acting as native informants would help rioters by giving them information about a shop or a house owned by a Sikh family. But the most common method to identify a Sikh person was to use data available in voter registration and ration lists.
Voter registration and ration lists answer a crucial question of targeting while planning a riot - who lives where. State does not consider this data as confidential. These records are therefore public. Information available in electoral rolls can be used for spatial targeting. For instance, during the Gujarat genocide of 2002 many eyewitnesses gave accounts of rioters carrying printouts of electoral rolls of a place before carrying out an planned operation.
Last year Aruna Roy, a social activist, looking at the UID enrollment process around India, observed, “The UID is a dangerous thing. I’m shocked minorities and other communities are not boycotting it.” Why are minorities of India not boycotting or at least critically thinking about UID? Why are the rest of Indians not questioning legality of UID just like the supreme-court judge. Why no one seems to mind the immense potential of people working for UIDAI to help in illegally providing biometric data in the public domain, which could be used to organize and aid communal violence.
4. Mandate for Unique Identification Authority of India (UIDAI) came from the state. UIDAI was formed in February 2009. According to Government of India, the foundational reason for UIDAI was that it did not know whom to target for subsidies. UIDAI’s role was to identify a person as that person. Verify his or her entitlement for citizenship. And give a number as an acknowledgement receipt. Afterwards various departments of Indian state can interact with him or her through their number. UIDAI commissioned number task forces, studies, and committees to examine various aspects of state-to-citizen interface. The role of these groups was to review state-to-citizen interface, find out challenges, which the state faces, and suggest corrective measures. Between February and November of 2009 UIDAI assigned men (yes these were mostly men) overseeing these groups to do a survey of challenges, which the state was facing in public health, education, public distribution system and national rural employee guarantee scheme.
One by one these groups started presenting their reports. Proper targeting of citizens emerged as a big challenge in all reports. The report on public health highlighted that a major hurdle for the state to disburse medical services is, ‘lack of detailed denominator (ie target population to be covered) focussed services delivery by the government’s rural and urban healthcare systems at district and sub-district levels. A workgroup’s view on PDS was not different either, ‘targeting is not serving its real purpose, as the beneficiaries do not get food grains in accordance with their entitlements.’ A group thought that ‘The present strategy of targeting such children at source can be used simultaneously with strategy of targeting them at destination also. Provision of UIDs at birth will also help the planners of elementary education system in terms of planning for the schools, teachers and other logistics.’
While looking at NREGS scheme, a task force observed that, ‘The ability of UID to positively establish and authenticate the identity of every individual can overcome many of the challenges faced by targeted benefit programs.’
By December 2009 the focus of UIDAI shifted to planning biometric information architecture. The report on Biometrics Design Standards for UID application was the first guideline in this direction. Director General of National Informatics Center Dr. BK Gairola chaired the committee on Biometric Design standards. On the question-how to identify a person as that person, the committee relied heavily on views of American National Standard for Information Systems (NIST)— Data Format for the Interchange of Fingerprint, Facial, & Other Biometric Information reports of 2004, 2005, 2006, 2007 and 2008. The 2004 NIST report was written in the context of evaluation of verification and identification of a new technology using two index fingers. Two critical issues in biometric identification are image quality and correctness of identified matches. 2004 NIST report for instance, was presented as a result of testing samples of new technology developed by Cogent Inc in co-operation with Lockheed Martin, a defense equipment manufacturer.
Cogent Inc had developed a proprietary method for calculating image quality called Image Quality Measure (IQM). IQM ranks an image based on scales 1 to 8. Where scale 1 stands for the best while scale 8 representing the worst image quality of fingerprints. NIST evaluators found out that Cogent image quality is a good rank statistic for all the algorithms tested for all available proprietary databases. But 2004 NIST report also mentions how NIST has developed an open (non-proprietary) algorithm for fingerprint matching. This algorithm is called NIST Fingerprint Image Quality (NFIQ). According to the 2004 report, NIFQ discriminates image quality much more significantly between its five quality levels than does Cogent IQM across its eight levels. The NIST data was for two fingers. Citing NIST report, the fingerprint sub-committee concluded that if UIDAI were to take just two fingers into account, the False Acceptance Rate would come at 14%. False Acceptance Rate is a probability that a system will falsely accept an image of a fingerprint pattern to a non-matching template in its database. The False Rejection Rate of NIST database was at 4%. The False Rejection Rate is a probability that a system will reject a fingerprint pattern as false even though it is true. The database, which NIST used to study was derived from three sources i.e. the US department of state (DoS) Mexican Border Crossing data and US-VISIT data from Ohio and Atlanta. The total data size of these tests was around 6 million. The population of India is 1.2 billion or 200 times the size of the sample data. The NIST report clearly states, ‘The false accept rate (FAR) using index finger pairs is linearly increasing with database size.’
The fingerprint Sub-committee, chaired by Prof. Phalguni Gupta who works at IIT Kanpur, found that ‘A single finger will be sufficient to provide the minimum standard of accuracy requirements.’ (see: Biometric Design Standards for UID Application, Version 1.0, Dec 2009, p-38) It is not clear however, what does UIDAI mean by ‘minimum standard’. The NIST data was for two fingerprints but I think after looking at the high false acceptance rate UIDAI people must have come to a conclusion that all ten fingerprints will necessarily result in a robust fingerprint match. No empirical exists anywhere to suggest that ten fingerprints are good for a biometric match. UIDAI’s fuzzy logic seems to rest on an assumption that ‘one can ballpark a 1,000 improvement in FAR between two-finger matching and ten-finger matching (all other things being equal)’ (see: Biometric Design Standards for UID Application, Version 1.0, Dec 2009, p-45). The UIDAI report relies on a hypothetical scenario, which is achieved by scaling the tiny NIST data to a huge Indian population. Furthermore the UIDAI reports states ‘NIST data indicates de-duplication accuracy (TAR) greater than 95% is achievable for ten-finger matching against a database size of one billion.’ (see: Biometric Design Standards for UID Application, Version 1.0, Dec 2009, p-45). NIST data, INDICATES, what does the word INDICATES means, is it an expression or does it convey a sense of reality. NIST data is clearly untested and surely no empirical evidence exists anywhere to assure that a technology is out there, which could clearly identify a person as he claims to be, by running his biometric information to a database of a billion plus entries. Nowhere in NIST report is it mentioned that the results of their tests could be applicable to capture and verify images of a database of 1.2 billion entries. On the other hand NIST report suggests more testing and more verification before Cogent’s IQM technology could be introduced in the US. The target audience of the UIDAI report was ‘Any person or organization involved in designing, testing or implementing UID or UID compatible systems for the central government, state government or commercial organization’.
When the time came to choosing vendors for fingerprint capturing devices the UIDAI appointed Cogent Inc as its official vendor (By 2010, 3M, a US conglomerate, took over Cogent Inc). The vendors for Facial and Iris technology too use proprietary algorithms. The UIDAI biometric sub-committee clearly mis-interprets NIST data in a certain way to suggest that Cogent Incorporated’s technology could be used for capturing fingerprints. Cogent’s IQM technology was based on NIST’s standardization; the UIDAI on the other hand relies on ISO standardization. Does Cogent’s technology work equally well with ISO, why is UIDAI pushing for purchasing proprietary software when non-proprietary software exists, why UIDAI was eager to purchase Cogent’s under-developed application-these questions remain unanswered.
5. Within five months after a hodge-podge presentation of the biometric sub-committee report in December 2009, the UIDAI rushed to advertise for Empanelment of enrolling agencies. By May 2010 the UIDAI was preparing targets for enrollees and enrollments. The UIDAI wants to cover 60% of Indian population by 2014.
After Nandan Nilekani was appointed as the chairman of UIDAI in 2009 he went around India boasting how by 2014 UIDAI will issue UID numbers to 600 million Indians. I often wonder who are those unlucky 400 million people that are going to be ignored by UIDAI. Why UIDAI wants to enroll only 600 million people.
Nandan Nilekani’s dream of capturing biometric details of 600 million Indians was based on an idea that a web of enrollment agencies will cover India, collecting, verifying, capturing biometric data in a time bound manner. Each agency will take care of a place by establishing an enrollment centre. Each enrollment station will have multiple enrollment stations comprising of enrollment booths or enclosures inside these centers. Enrollment stations could be mobile or stationary. According to UIDAI’s calculations it needed a total of 1,321 enrollment centers with 6,604 stations stationed across India to record data in year one of its operations (see: Request For Empanelment, Empanelment for Enrolling Agencies for undertaking demographic and biometric data collection for UID enrolment, May 2010, p-74). In the subsequent years the number of centers and stations were slated to increase dramatically. As of 14th January 2012, according to The Economist magazine, UIDAI had issued just one third of projected 600 million numbers.
As UIDAI was inviting private firms to apply for empanelment in May 2010, Sanjay Nadhamuni, the head of Technology at UIDAI was busy writing a document explaining how UIDAI wants to work out the idea of financial exclusion. Central to Sanjay Nadhamuni’s belief is an idea that once UIDAI has a person’s unique identity number, his phone number and his bank account, state’s money, reserved for direct cash transfer subsidy can be immediately transferred to his account through ID Mapper. The ID Mapper is an algorithm that links various identities of a person into one dataset. According to Sanjay, ‘Now it is easy to target payments to a UID since the ID Mapper can resolve a UID to a specific Bank Account and infact a SMS can be sent to the person’s mobile number which is also available in the ID Mapper.’ A UID number, in Sanjay’s view, is going to last for centuries. Of course there are minor issues in managing a database which is this big in scale, for instance, one does not know what will happen to a number if a person dies because most deaths in India are either unreported or under reported. People will only report a death of a kin if they have something to gain. Why would a person close to a direct-cash-transfer subsidy beneficiary be interested in reporting her death to UIDAI so long as he could continue to get monetary benefits? Close to a million people die in India every year. These figures relate to reported deaths. Sanjay Nadhamuni had a unique solution for this problem. Ques: So how would UID know if a person has died? Answer: if the account is not used for ten years, it means that person has died and his or her account will be deactivated. Sanjay provides some more solution to foreseen problems such as death or disappearance of a person. In order to authenticate a person’s identity, UID, it appears, is not aiming for a complete match of all biometric markers. The idea is to match the biometric up to certain threshold. Who will decide this threshold, how would this threshold work out, Sanjay Nadhamuni’s document does not answer these questions. However by not choosing to go for a complete match of a person’s claim for an identity, the UIDAI, it seems, is allowing a culture of technological arbitrariness to set in, an arbitrariness, which could result in greater false acceptance rate. Moreover if you lose your UID number, you will be at fault and UIDAI will charge money from you to find your number.
UIDAi intends to distribute direct-benefit-transfer scheme in the name of financial inclusion by providing mobile ATM’s and asking local Kirana stores to act as Business Correspondents. This arbitrary assigning of Kirana (Grocery shops, which are mostly run by members of Vaishya or merchant caste) stores located in over 6,00,000 villages of India as Business Correspondents could create social problems. The citizens of India, which in UIDAI’s documents are often referred to as “customers”, belonging to remote areas will withdraw money and make deposits using UID numbers at a local Kirana store. I wonder why is it that, in a classic state plus corporate managerial model of governance, which UIDAI embodies, any potential of a Bania manning a kirana store and using additional powers of a Business Correspondent acting on behalf of UIDAI, to reinforce rigid local caste hierarchies is not taken into account.
6. The Indian state’s view is that it wants financial inclusion for all. Yet it wants to enroll only 600 million Indians, possibly leaving out 400 million because they are ones with weakest trail of documentary history. The state does not know who are the poor people of India therefore it has created UIDAI to ensure that everyone especially the poor are correctly identified. The fact of the matter is that no technology exists in the world, which can correctly identify a person as he claims to be and work at the scale of a large population. It is true small populations could be identified correctly, for instance patients of a hospital, or a small prison population. But currently no state has a technology to correctly identify all its citizens. In most countries citizenship itself is highly contested socio-legal category. The system, which UIDAI is currently putting in place, is beset with faulty technology. Such a system, as UIDAI documents show, has a potential to either falsely accept a fake claimant as genuine or genuinely reject an original claimant as false. The percentages, it is true, for such a thing to happen are small. But when we translate even a small percentage figure like 4 to Indian population, it means 40 million people could face unwanted problems related to UIDAI on a daily basis. If this is going to be an everyday scenario the percentages cease to be small. Forty million people getting affected from systemic faults on a daily basis is not a small problem in any state, anywhere in the world. The second and highly disturbing aspect of giving a UID number to 600 million Indians is the process itself. The current process stupidly allows itself to become vulnerable to injuries caused by the ease with biometric data traveling in memory sticks could be copied, downloaded, tampered with and destroyed. And finally the floating liquid biometric data can potentially act as a huge asset for communal forces in India in planning, profiling, detailing and executing pogroms and genocides or minor communal conflicts for immediate electoral, political or economic gain. The deafening silence of the far right, which is usually extremely critical of federal programs, about UIDAI scheme is perhaps a good pointer to start thinking about consequences of ignoring UIDAI in India.