The Statesman
10 Jul 2013
In December 2011, when the Standing Committee on Finance (SCF) readied its report on the National Identification Authority of India Bill 2010 to be placed before Parliament, there were as yet no reports on authentication - viz., on how the biometrics collected during enrolment would be used in identifying a person.
Among a few pieces of the puzzle that was presented to the SCF was a statement from the Planning Commission, in which the UIDAI is located, that read: "It is well acknowledged that there will be failures in authentication for various reasons. After proof of concept studies (PoC) on authentication, appropriate policies and processes will be developed to take care of situations where failure occurs for various reasons .. The choice of using the authentication services is left to the third party service provider ... Concerned agencies will have to develop policies and procedure to handle such exceptional situations .."
That is, there would be problems in authentication, no one could anticipate the extent of the problem because it was still untested, and responsibility would be diffused among service providers if authentication did not work.
This was a strange position to be adopted by an agency that had launched a nationwide project to biometrically de-duplicate and identify the entire population.
The Standing Committee had also seen an interview with the Mission Director and DG of the UIDAI, Mr R S Sharma, in Frontline in November 2011, where he had said: "Capturing fingerprints, especially of manual labourers, is a challenge. The quality of fingerprints is bad because of the rough exterior of fingers caused by hard work, and this poses a challenge for later authentication. ... Issuing a unique identity will not be a major problem. But authentication will be, because fingerprint is the basic mode of authentication."
In January 2012, a document was put out by the UIDAI which was incensed by a statistic that the Standing Committee had referred to which estimated that the "failure to enrol" would be as high as 15 per cent.
The UIDAI tried explaining that these were "misconceptions", that they could "state with confidence" to the contrary, and that "it is now safe to conclude" that biometrics will work over the entire population.
Except - they were relying on their Proof of Concept on enrolment which, as their own report reveals, (see earlier report dated 6 July 2013) does not convince that the system can deal with the complexity of the population.
More damning still, Prof Ramakumar, the expert who had provided the statistic was drawing on an estimation made by a company, 4G Identity Solutions, which is partnering with the UIDAI! He quotes them as saying: "It is estimated that approximately five per cent of any population has unreadable fingerprints, either due to scars or aging or illegible prints. In the Indian environment, experience has shown that the failure to enrol is as high as 15 per cent due to the prevalence of a huge population dependent on manual labour." And, the DG and Mission Director's interview stands unrebutted.
The first report on "authentication accuracy" was released in March 2012. This would indicate whether persons can be identified by their fingerprint. The PoC involved about 50,000 UID number holders.
It was carried out "in a controlled manner using different authentication devices.
The collected data was sent to the UIDAI Technology Centre. Further statistical analysis was performed at the Centre." This was a UIDAI exercise, and a statistic emerged from it: "accuracy of 96.5 per cent can be achieved using one best finger and 99.3 per cent can be achieved using two fingers" up to three attempts. "Accuracy," the report went on to say, "could be further improved by using the additional factors such as one-time-password (OTP), demographical data or second modality such as iris." A separate study was recommended to check that out.
What do these statistics mean? What is the `best finger'? What are two fingers in three attempts? What else does the report say? The "best finger" first.
Though all 10 digits are captured during enrolment, not all fingers work equally well when they have to be used to authenticate a person.
So, when enrolment is done, the report said, a person would have to go through a "best finger detection" (BFD) process, because: "The best finger to be used for authentication depends on the intrinsic qualities of the finger (ex. ridge formation, how worn out they are, cracked, etc.) as well as the quality of images captured during enrolment process and the authentication transaction."
Someone in the team that prepared the report clearly had a sense of humour: this description is accompanied by the sketch of a wrist and fingers, with the index finger pointing skywards with a bow tied to it as a sign of how special it is!
The fingerprints are sorted on the basis of "match scores" by comparing them with what has been enrolled and stored. This helps to rank the fingers: rank 1- best finger, rank 2- second best finger. "Further," the report reads, "the fingers are labelled Green, Yellow, or Red - depending on their suitability for single finger authentication." In addition, it continues, "some residents could be determined to be not suitable for reliable fingerprint authentication".
About the devices, there is the profound statement: "The best set of devices did much better than the good set of devices, which did much better than the rest of the devices." "In online authentication system, providing multiple attempts of the same finger was seen to improve resident's chances of successful authentication." And the inference that was drawn was that "the resident learns to place fingers appropriately over multiple attempts". And, "residents in the 15-60 years group showed best authentication accuracy". The young and the old are somewhat troublesome. In sum, for those whose fingerprints work, if they have a best finger, or two yellow fingers, and more fingers are used, and if labelled matching works, and best devices are used, and when there are high quality fingerprint images, and immediate feedback, then .... fingerprint authentication may work 99.13 per cent of the time. That is the value of the statistic.
Then, multimodal authentication with both fingerprint and iris, OTP, buffered authentication, multiple attempts and with different fingers - these are recommended, "to not only improve accuracy but also to ensure inclusion."
The recommendations harbour the underlying unease about the capacity of fingerprints to identify the entire complex of people in this country.
That explains why, even as the report starts out, it says "although currently only fingerprint biometric is being offered ... it is likely that in the near future iris biometric authentication will also be supported." And, in conclusion: "Low cost iris capture devices are becoming available in the market. A combination of fingerprint and iris is expected to improve accuracy by a factor of 10 to 100, while reducing failure to enrol (red fingers) rate by a factor of 10. A detailed study such as this should be done on iris authentication."
In the meantime, this report lends context to Mr Nilekani's statement at the Centre for Global Development in Washington in April this year about having "created huge opportunity for fingerprint scanners, iris readers".
(The author is an academic activist. She has researched the UID and its ramifications since 2009)