Comptroller and Auditor General of India (CAG) has published a detailed report on the functioning of Unique Identification Authority of India (UIDAI) in which it has pointed out a list of flaws that exist in the Aadhaar infrastructure. The report also underlines pitfalls in the process of generating unique identification numbers for Indian residents through the system that was introduced back in 2009 and received a separate legal backing to the Aadhaar system in 2016. Alongside pointing out the issues, the report names HCL Infosystems and HP as two of the private entities behind some of the major IT problems in the Aadhaar infrastructure.
The 108-page report that was prepared for submission to the President includes a number of flaws that impact the Aadhaar infrastructure. It included the assessment of the unique ID system implemented by the UIDAI that took place between 2014–15 and 2018–19.
One of the biggest problems that the CAG report underlined in the Aadhaar system is duplicate enrolments where HCL Infosystems has been indicated to have a primary role. The IT company was appointed as the Managed Service Provider for handling the end-to-end infrastructure of UIDAI in August 2012. It works with private vendors that provide Automatic Biometric Identification Systems to help identify duplication in the data.
UIDAI has a two-step process to identify duplicate enrolments where the first stage matches demographic data and the second stage looks for biometric matching of fingerprint and iris.
The report said that the nodal body of Aadhaar relies on self-declaration to verify 'Resident' status of applications at the time of their enrolments. It, thus, makes it possible to allow issuance of Aadhaar cards to "non-bona fide residents", as per the audit conducted by CAG.
It has also been brought into notice that the deduplication process by UIDAI is vulnerable for generating multiple Aadhaar numbers. CAG suggested that the authority could resolve this problem by manual interventions.
The report highlighted that UIDAI was not able to furnish any Regional Office-wise data on the number of multiple Aadhaar as it was not available with the authority. However, the UIDAI Regional Office in Bengaluru showed 5,38,815 cases of multiple Aadhaar numbers between 2015–16 and 2019–20. Instances of unique ID numbers with the same biometric data to different residents were also reported in the Bengaluru Regional Office, according to the report.
CAG also noted that up to July 2016, UIDAI had HP responsible for storing the physical sets of records provided by individuals at the time of enrolment. It was found through the audit that all Aadhaar numbers stored in the UIDAI database were not supported with documents.
The constitutional authority said that despite being aware of the fact that not all Aadhaar numbers were paired with the personal information of their holders, UIDAI "was yet to identify the exact extent of mismatch though nearly ten years have elapsed since the issue of first Aadhaar" in January 2009.
It was also found that a large number of voluntary biometric updates took place for the last several years, suggesting incapability in capturing accurate biometric data during enrolments.
The report also pointed out that UIDAI was not able to verify the infrastructure and technological support claimed by third-parties offering submission of identity information for Aadhaar verification.
Since its launch, Aadhaar has been used as an identification source to avail welfare schemes offered by the government. Telecom operators and banks also require Aadhaar numbers to ease customer enrolments for their services. All this led to a massive growth of Aadhaar cardholders in the country. The number mounts to over a billion at this moment.
However, the report noted that UIDAI has not yet developed a data archiving policy through which it could effectively move data that is no longer actively in use.
Entities using Aadhaar verification are also found to be not bound to store residents' personal data in a separate vault.
UIDAI mandated Aadhaar vault requirement for all Authentication User Agencies and e-KYC User Agencies in July 2017. However, CAG's audit suggested that the authority "had not established any measures/ systems to confirm that the entities involved adhered to procedures" for establishing vaults to store data of residents.
The audit report also underlines loopholes in restricting authentication agencies to use only secured devices to store biometric and signatures of Aadhaar cardholders. Further, it suggests that UIDAI chose to not penalise any of the private entities it is working with and instead restructured contracts.
"There were flaws in the management of various contracts entered into by UIDAI. The decision to waive off penalties for biometric solution providers was not in the interest of the Authority giving undue advantage to the solution providers, sending out an incorrect message of acceptance of poor quality of biometrics captured by them," the report said.
Gadgets 360 has reached out to UIDAI, HCL Infosystems, and HP for their comments on the report. This article will be updated when the entities respond.
Security issues, privacy concerns, and infrastructural flaws with Aadhaar were quite well reported in the past. However, UIDAI has not yet brought any major updates to its system.
Affiliate links may be automatically generated - see our ethics statement for details.