The Statesman
06 Jul 2013
Usha Ramanathan
Face, fingerprint, iris ~ the UIDAI is collecting all of these. The uniqueness of the UID number is to be ensured by using the biometrics collected for “de-duplicating” the 1.2 billion plus population resident in India. That sounds such an improbable task that it cannot do without some investigation of why the UIDAI thought they could pull it off. What did the UIDAI know about biometrics which gave it the confidence to roll out the project on a nationwide scale? The answer is, very little.
When the project got off the ground, and Mr Nandan Nilekani took charge, among the early decisions taken seems to have been the introduction of biometrics. On 29 September 2009, the UIDAI set up a committee to review the state of biometrics in the country, and suggest how they may be modified, extended or enhanced to "serve the specific requirements of UIDAI relating to de-duplication and authentication”. Interestingly, among its other tasks, the committee was asked to “obtain consensus (for) widespread propagation of biometrics in governmental and private sectors.” Significantly, no other means of achieving uniqueness and de-duplication was suggested then, nor at any time since then; biometrics was the only tool.
The December 2009 report of the committee on biometrics was cautious. The state of knowledge on biometrics was too meagre. In its sample of 25,000 people, 2-5 per cent did not have biometric records. Globally, de-duplication accuracy of 99 per cent had been reported from western populations, where there was good fingerprint quality and where the database was up to 50 million. To scale up the results from 50 million to a billion plus was fraught with uncertainty. And, importantly, there had been no study of fingerprint quality in the Indian context. Indian conditions, the report read, “are unique in two ways: larger percentage of population is employed in manual labour, which normally produces poorer biometric samples. Biometric capture process in rural and mobile environment is less controllable compared to the environmental conditions in which western data is collected.” It also found that if the way biometrics is captured is deficient, the “false acceptance rate” could be over 10%. The committee “strongly recommended that carefully designed experiments and proper statistical analysis under pilot should be carried out, to formally predict the accuracy of biometric systems for Indian rural and urban environments”.
As for iris, it is technology of recent vintage, and, “compared to fingerprinting, iris capture is less studied and less standardised”. So, they tentatively suggested combining multiple biometric modalities, in this case that would be fingerprint and iris. That was about all the committee was able to say.
Pursuant to this report, in February 2010, the UIDAI issued a “notice inviting applications for hiring of biometrics consultant” to assist in “proof of concept of biometric solutions for UIDAI project”. This document is a startling statement of the state of ignorance in which the UIDAI was, although they had already decided that they would adopt biometric de-duplication and authentication. The consultant would have to “assess the biometric de-duplication accuracy that can be achieved in the Indian context”. The National Institute of Science and Technology (NIST) in the USA “has spent considerable efforts over the past 10-15 years in benchmarking the state-of-the-art extractor and matching technology for fingerprint, face and iris biometrics on the western population,” the invitation document read. “While NIST documents the fact that the accuracy of biometric matching is extremely dependent on demographics and environmental conditions, there is a lack of a sound study that documents the accuracy achievable on Indian demographics (i.e., larger percentage of rural population) and in Indian environmental conditions (i.e., extremely hot and humid climates and facilities without air-conditioning). In fact, it went on, “we could not find any credible study assessing the achievable accuracy in any of the developing countries. UIDAI has performed some preliminary assessment of quality of fingerprint data from Indian rural demographics and environments and the results are encouraging. The “quality” assessment of fingerprint data is not sufficient to fully understand the achievable de-duplication accuracy.” And so on. And the consultant was given six months to lead the UIDAI from this state of ignorance to profound knowledge about biometrics. At that stage, the focus was on enrolment. What would happen when people would have to be identified by their biometric markers was deferred to a later date.
The study was done between March and June 2010. On 17 July, 2010, the Economic Times reported that “missing biometrics” was confronting the UID project. The millions working in agriculture, construction workers, manual workers would have their fingerprints worn down. Corneal scars, corneal blindness, cataract resulting from nutritional deficiencies and prolonged exposure to sunlight and ultraviolet rays were likely to jeopardise iris data. The Director General of the UIDAI reportedly admitted that they had no estimate of how many people this would affect - they expected it to be a “small number.” “We are dealing with a large country and complex issues. We have to work within these limitations,” he is reported to have said.
They moved on regardless, to collecting biometrics and making claims of uniqueness.
The `UID enrolment proof-of-concept (PoC) report' was finally uploaded on the UIDAI website in February 2011, about five months after UID enrolment had begun to be rolled out. In a report that is gloriously vague and hazy, there is one statement that puts a question mark on the whole exercise: “The goal of the PoC was to collect data representative of India and not necessarily to find difficult-to-use biometrics. Therefore, extremely remote rural areas, often with populations specialising in certain types of work (tea plantation workers, areca nut growers, etc.) were not chosen. This ensured that degradation of biometrics characteristic of such narrow groups was not over-represented in the sample data collected.” The number of people in the sample studies to see if de-duplication worked was 40,000, and this did not include those who were not seen as representative of India! And the report maintains a deafening silence about what will be done for `biometric exceptions' - people for whom neither fingerprints nor iris work.
The UIDAI would be hard put to term this a scientific study. There is no authorship, the complexity of the population is ironed out by excluding them from the sample, the evidence is sketchy and conclusions general. Two years later, Mr Nilekani was to say, in his talk at the World Bank in April 2013, that “nobody has done this before, so we are going to find out soon whether it will work or not”.
In sum, this is an experiment. Even if it fails, biometric companies would have made their money, systems would have been re-engineered and the numbers seeded, and databases would have been created.
Every time I have spoken to a politician, bureaucrat, senior members of research organisations, I have asked them if they have seen any of the UIDAI's own reports, and the answer is always ‘no’.
When biometrics fail ..... well, there are no consequences for project proponents, not as things stand anyway. The authentication story is mirthful, and deserves its own narrative.
(The writer is an academic activist. She has researched the UID and its ramifications since 2009)
