'peeling the onion' on Aadhaar for coriander
Friends,
One of the considerations early in the design phase of Aadhaar (when I was volunteering for the UIDAI) was how to enrol people without usable fingerprints or intact irises, consistent with the UIDAI's mission of inclusion -- e.g. construction workers, severely handicapped, hospitalized, the old and immobile, and the visually impaired (BTW, many visually impaired people do have intact irises.)
Consequently, the UIDAI instituted an exception handling process that would allow enrolment agencies to enrol people who do not have usable biometrics: They would take in the rest of their personal data and make an exception note, after recording a picture of missing fingers or hands or eyes. My guess is that such an exception process was misused to allow ‘coriander’ to be enroled without any biometrics! (I’m assuming for the moment that the Deccan Herald story is true as reported.)
Clearly, an operator either out to prove a point on his/her own, or as part of a larger attempt to frustrate the project and to create public doubts, seems to have misused a process designed exclusively to help the differently-abled! Ideally, there should be zero tolerance for such pranks in a system of this kind; however, unlike frauds in other systems, the UIDAI is capable of quickly tracing the prank to the specific enrollment station and to the specific operator, to a specific date and time, as his/her biometric signature would have been essential for the system to accept the ‘coriander’ data. I hope the UIDAI will do so quickly and explain the exact circumstances in which the prank succeeded, and what corrective actions they plan to take to prevent such incidents:
For instance, they could add programmatic checks to look for pointers to fraud before issuing an Aadhaar number – e.g. make sure that the photograph posted is that of a real human face, not that of some other object. Or, for every biometric exception, they can manually verify the person has missing limbs or eyes and reject all enrolments without clearly visible face and clear evidence of missing limbs or eyes. Aless desirable alternative would be to redirect everyone with biometric exceptions to a special enrolment centre, where better trained operators would enrol them. But then, you can imagine the righteous indignation that such 'discriminatory treatment' would kick up among our human rights defenders!
Be that as it may, it is important that people do not run away with harsh judgements about the reliability of the UID system based on such one-off incidents, out of 17 crore Aadhaars issued so far! We must distinguish between pranks with their nuisance and publicity value vs. more serious fraud scenarios that would call into question the reliability of the system.
Here are some thoughts in that direction:
1. Unfortunately, people who commit fraud do not seem to consider that their actions always seem to affect the less powerful, whether intended or not -- in this case, the ability of the differently-abled to get their Aadhaar numbers without a hassle. Now, there is a chance that the UIDAI may react with more stringent rules that may slow down and make the enrolment process more unpleasant for such people as well as for all the others!
(Just a few months back, another major effort at inclusion of people without ID documents, through the idea of ‘Introducers’ took a hit from the Home Ministry, which seemed more concerned about ‘security’ than the urgent need to get millions of poor ID-less into our welfare systems. Again, it was the Aam Aadmi who did the damage by getting fraudulent introduction letters from MLAs and such. Fortunately, the Introducer system has survived, but I doubt if it will be implemented as energetically as originally intended. I continue to push the UIDAI for more proactive efforts to enrol the ID-less, as you may have seen from some of my earlier posts here.)
2. At the end of the day, there is no way that any system/process can totally prevent people from trying to beat it. For all we know, there may already be a ‘parsley’ or an ‘onion’ in the system, waiting to make headlines that the opponents of UID would love. But the real question is whether ‘coriander’ or its creator can use the newly acquired Aadhaar number to open a bank account, or draw MGNREGS wages, or receive LPG cylinders at ‘his’ doorstep. I think not!
Also, supposing someone had lent his/her biometrics to enrol ‘corainder,’ then that person would have to live as ‘coriander’ for the rest of his/her life, and would be unable to get his/her own Aadhaar number and the attached benefits...unless he/she were to confess first to the original fraud and pay the consequences.
3. The real test of Aadhaar biometrics is not whether someone can attempt fraud at one of the thousands of enrollment centres, manned by tens of thousands of enrollment clerks, but:
a. Whether people can commit the kind of frauds that we are used to seeing in other systems, by enrolling multiple times and successfully getting multiple Aadhaar numbers;
b. Whether the system is capable of tracing fraud to its origin and implementing a self-cleaning system, such as in the credit card business – I think it can; and
c. Whether Aadhaar biometrics are unique enough for a country as large as ours -- the UDIAI-published statistics from 10 crore enrolments clearly demonstrate that it is (99.86% accuracy in de-duplicating!)
4. Concerns about potential breach of privacy can’t be dismissed, as some have pointed out, even though the UIDAI stores only four fields of data and has elaborate data security protocols. But privacy concerns are even more real and immediate with the ubiquitous mobile telephone usage, with lot more personal data; public posting of personal information such as MGNREGS muster rolls and voter’s lists; and a host of other systems already in existence. The only real solution, in my view, is an omnibus national data privacy law that can balance the needs of RTI vs. privacy, and which also considers the unique circumstances of our country -- as recently noted by judge A.P. Shah, who is heading up the Planning Commission’s panel on privacy law (see Live Mint April 12. 2012).
Anyway folks, please go through the website ThinkUID.org where we discuss all of these issues in considerable detail. In the interest of informed discourse, let us understand the facts; and please let us not indulge in knee-jerk condemnation of a project merely because it has become fashionable to do so.
Best Regards,
Raju Rajagopal