Whose Purpose does Aadhaar Serve?

Whose purpose does a non-unique ID that doesn’t certify anything, or does not know how it was created, that was never audited and never identifies anyone serve? wonders Anupam Saraph

Whose purpose does a non-unique ID that doesn’t certify anything, or does not know how it was created, that was never audited and never identifies anyone serve?

Your Aadhaar isn’t unique

It may not be entirely obvious, but if your biometric could pull up unique records, you wouldn’t need a number. You would simply use your biometric to access your demographic information. In practice you need your number to pull up your record.

Not only does this mean that your biometric is not unique, it also means that it cannot be used to identify you. I decided to ask the UIDAI to confirm. Finally, the UIDAI, in an RTI reply, admitted that they cannot retrieve a unique record using biometrics.

This also means that biometrics cannot de-duplicate the Aadhaar database. It is meaningless to assert that Aadhaar helps to remove ghosts from any database; it can’t remove ghosts from the Aadhaar database itself. Without de-duplication, any claim of using Aadhaar for plugging leakages through ghosts and duplicates is completely hollow.

Your Aadhaar doesn’t identify you

The Aadhaar number merely pulls up a record from the Aadhaar database. It doesn’t identify anyone. Biometric or demographic data submitted in the query can be compared with the biometric or demographic data that is associated with the record pulled up by an Aadhaar number. UIDAI calls this comparison authentication. It also uses this word synonymously with identification.
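
The difference between a number-keyed comparison and a search by sample alone can be shown with a toy model. This is an added illustration, not part of the original article and not UIDAI's code; the ID numbers, 16-bit templates and 0.85 threshold are constructed assumptions, and real biometric matchers work differently.

```python
# Toy model (constructed data): 1:1 comparison keyed by a number versus a
# 1:N search that uses the sample alone. Templates are 16-bit strings.

RECORDS = {  # hypothetical ID number -> enrolled template
    "1001": "1011001110001101",
    "1002": "1011001110001001",  # differs from 1001 in a single bit
    "1003": "0100110001110010",
}

def similarity(a: str, b: str) -> float:
    """Fraction of bit positions on which two equal-length templates agree."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(x == y for x, y in zip(a, b)) / len(a)

def authenticate(number: str, sample: str, threshold: float = 0.85) -> bool:
    """1:1 check: the number selects one record; the sample is compared to it only."""
    template = RECORDS.get(number)
    if template is None:
        return False  # unknown number: nothing to compare against
    return similarity(template, sample) >= threshold

def search(sample: str, threshold: float = 0.85) -> list[str]:
    """1:N search: every record whose template clears the threshold."""
    return sorted(n for n, t in RECORDS.items()
                  if similarity(t, sample) >= threshold)

SAMPLE = "1011001110001111"  # constructed noisy capture

if __name__ == "__main__":
    for number in ("1001", "1002", "1003", "9999"):
        print(number, authenticate(number, SAMPLE))
    print("1:N candidates:", search(SAMPLE))
```

In this constructed data the same sample passes the 1:1 check against two different numbers, and the 1:N search returns both, so the sample alone does not select a single record.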

Authentication is like checking for access to the key. Anyone with the correct key to a lock can get authenticated by the lock to gain access. Identification, on the other hand, ensures that someone responsible makes sure that an identified person is not denied access. In authentication no one takes responsibility for failure of a key to grant access to one who should get access or to prevent an unauthorised person from getting entry.

So using authentication where you need identification would be absurd, wouldn’t it?

Use of authentication where identification is necessary creates information asymmetry, as the authenticated cannot identify the authenticator either. Fraud, corruption and crime result from asymmetry of information and from the removal of responsibility from responsible parties. Replacing identification with authentication creates that asymmetry and takes the responsibility for making access to services work away from those who are responsible for it.

The Targeted Delivery of Financial and Other Subsidies, Benefits and Services Act does not define identification. It defines authentication. But the UIDAI is not the Authentication Authority of India, it is the identification authority. Responding to a question under the RTI, the UIDAI confirms that it does not define identification.

If the UIDAI doesn’t identify anyone, can Aadhaar be used in any process that requires identification – like on-boarding customers, identifying customers, or delivering a benefit?

Several tens of thousands of people have been denied pensions, crores of persons their rations, thousands have been denied admissions to schools, prevented from sitting for exams, several have been denied salaries or even jobs, excluded from health facilities, prevented from filing tax returns, or even from having a dignified cremation due to the misunderstanding that Aadhaar identifies persons. The creation and use of Aadhaar payments instead of NEFT because of the same replacement of identification by authentication has resulted in frauds of siphoning subsidies and laundering money using Aadhaar payments and Aadhaar accounts.

Without the ability to identify anyone, Aadhaar is merely a tool for exclusion.

Your Aadhaar is not certified, verified or audited

Given that the UIDAI wants it to be used as a proof of identity document, the information associated with Aadhaar would need to be certified. The UIDAI would need to certify the name, age, address, resident status, and even the existence associated with the number. Again, the UIDAI’s reply to an RTI question settles that it does not certify anything. This of course makes Aadhaar completely useless wherever the law and reason require a copy of a certified document.

Has each record been verified and audited by the CAG, or any auditor? The UIDAI confirms, in response to an RTI question, that its data was never verified or audited.

The UIDAI data indicates that just 20 registrars – 8 state governments and 12 government organisations – appointed enrolment agencies who hired enrolment operators whose enrolment packets were assigned 1 billion Aadhaar numbers. Read it again and digest this carefully. The Government of Maharashtra, for example, appointed as a Registrar, is not going to have enrolments in Karnataka or UP. The non-state government agencies are limited in presence to a few metros. So the enrolment operators must be from each of the 707 districts with about 600,000 villages and 5,000 towns and cities. Should this information be available with the UIDAI and be public? Citing privacy of the operators, the UIDAI refuses to share which enrolment operator enrolled in which village/town/district for which agency of which registrar.

Try to figure out the miracle of how just 20 registrars could reach out to 84% of the population across the vast sub-continent – a feat that the government or even private companies have not been able to do over 70 years of independent India.

Without certification, verification or audit, Aadhaar cannot serve any legal process.

The ghosts of Aadhaar

The use of Aadhaar infects good databases with the ghosts of Aadhaar. Minister R.S. Prasad has indicated that 49,000 operators were suspended for generating ghosts. The UIDAI data indicates about 230 enrolments were done by each operator per day. If we assume these operators could operate for about 365 days before they were suspended, even if we consider that each operator enrolled only 100 persons a day and 50% of them were ghosts, it is more than 45% of the database that would be ghosts.

The use of this database is like infecting every existing database with AIDS – or destroying their ability to tell a genuine from a ghost. It replaces a customer or beneficiary onboarded by a sound legal procedure of identification with one that does not identify anyone, certify anything, and with one where no one takes the responsibility for identification, consent, authorisation and the resulting consequences of errors or frauds. The use of Aadhaar is the best way to facilitate third parties, those that have no role in the transactions that generate the databases, to colonise, corrupt and destroy your databases.

With its ability to generate undetectable ghosts, Aadhaar is a disease to destroy good databases.

Is there any doubt that the Aadhaar database doesn’t offer anything better than the existing databases with government departments, banks, telecom companies and other businesses?

Whose purpose does Aadhaar serve?

The UIDAI doesn’t identify anyone. It doesn’t certify anything. It doesn’t give anyone a unique identity. It has no information about the documents used to issue a UID number. It doesn’t know identification; it authenticates biometrics associated with the number. Its database has never been verified or audited. It cannot de-duplicate any database. Is it meaningful to mandate it for governance, commercial, or financial transactions? In fact, isn’t it delusional to use this number for anything?

Whose purpose does it serve to use it for governance, commerce or financial transactions?

[Dr. Anupam Saraph is a Future Designer, Professor of Systems and Decision Sciences and a renowned expert in governance of complex systems. He can be reached @anupamsaraph.]