The latest report on the administration of Aadhaar by the Comptroller and Auditor General (CAG) exposes concerning deficits on the part of the Unique Identification Authority of India (UIDAI) in securing the data of the world’s largest biometric identification system.
The UIDAI was “neither able to derive required assurance” that the information systems of the entities involved in the authentication ecosystem—the requesting entities (REs) and the authentication service agencies (ASAs)—were in compliance with its prescribed standards, according to the report, and “neither did it ensure” auditing by the bodies authorised for this.
UIDAI has thus failed to perform a basic job with which it has been entrusted—Regulation 12 of the Aadhaar (Authentication) Regulation delegates to the identification authority the responsibility of verifying the information provided by REs and ASAs.
While the proportion of REs audited out of the whole pool rose from 36% in 2016-17 to nearly 56% in 2018-19, the proportion of ASAs audited remained below 50%. As of March 21, the vast majority of REs were private parties. So, if audit coverage has not improved beyond the 2018-19 levels, that should raise serious red flags about UIDAI's data security management. This is not to argue that the data security problem is confined to private companies; the identification authority should ensure that both private and public entities are covered by the annual audit process.
Even if the UIDAI has discretionary power to grant exemptions, each such exemption should be made public in advance and should rest on well-defined criteria, as the CAG states in its report.
The UIDAI was unable to provide assurance on the security of "REs and ASAs accessing and storing" Aadhaar users' personal information through unregistered biometric devices (those in use before April 2018). Similarly, although the UIDAI in 2017 mandated that all Aadhaar numbers and related data collected by the entities it had onboarded be kept in a dedicated data vault, with penalties for noncompliance, it could not satisfy the CAG that those entities were actually following the prescribed procedure. According to the CAG, the UIDAI "did not develop any measures/systems to validate that the entities involved complied with protocols and was entirely reliant on reports submitted" by those very entities.
These are serious instances of the identification authority failing to fulfil its obligation to ensure data security. The CAG audit also pointed to the absence of any system for checking an Aadhaar applicant's compliance with the Aadhaar Act's residence requirement. The enormous number of "duplicate" Aadhaar numbers that had to be cancelled undermines the system's basic goal of establishing uniqueness of identity, and the large number of voluntary biometric updates is evidence of poor enrolment quality.