Aadhaar Notes – Part I: Some Quick Fixes

The Aadhaar (TARGETED DELIVERY OF FINANCIAL AND OTHER SUBSIDIES, BENEFITS AND SERVICES) Act 2016 aims to provide for, as a good governance, efficient, transparent, and targeted delivery of subsidies, benefits and services. While the objectives for the Act are noble, the manner of implementation has been shoddy and it often accomplishes the opposite of what the Act attempts to do.

Much of the debate around Aadhaar and UIDAI often finds the participants occupying extreme ends of the spectrum, calling either for its dismantling it or a flat out refusal to discuss its flaws. This post is an attempt to find a middle ground and discuss concrete steps that can potentially weed out some of the flaws and work towards a more citizen-friendly version.

The Rationale

Systems can be used (independent of the design or intent) in ways that includes or excludes the participants. The primary objective of a welfare program is to ensure that the deserving must get their benefits and, secondarily, it should eliminate, fraud and wastage. A truly inclusive program will not deny the deserving, while working in parallel to eliminate the non-deserving. A program that excludes as a default will result in a lot of the deserving being excluded from the benefit in the pursuit of efficiency over fairness.

As it stands now, the social contract that Aadhaar sets up between the government and the citizens is one where the state considers the citizen an adversary looking to unfairly benefit off it, till proven otherwise, solely on the basis of the existence of an Aadhaar number. This stems from approach that Aadhaar is the solution to a multitude of problems.

Solving problems of identity, authentication, efficiency and transparency require multiple tools and not a single tool. Some of these problems are completely unrelated to the issue of identity. It is more than possible to have a population tick all the boxes to certify efficiency, identity and transparency and still have a lot of the problems remain unfixed even with 100% Aadhaar coverage.

The Crucial Design Flaw

The UIDAI projects the zero-knowledge nature of the core Aadhaar services as a key facet that allows it to guarantee a high level of privacy. This is absolutely correct if you look at it solely from the perspective of the services that UIDAI provides. The flaw is that a service that only authenticates identity cannot guarantee things like efficiency, good governance etc.

Aadhaar alone does nothing to enable this; it depends on the larger ecosystem to provide this, which may or may not be possible using Aadhaar. Thus, claim that Aadhaar in its current avatar will enable it all is incorrect.

Let us take an example of how this works in real life:

Sita is a bank account holder with Example Bank. Bank wants to authenticate if Sita is who she claims to be. They collect and send Sita’s Aadhaar number and verifies it with biometric or SMS OTP to validate that it is indeed Sita who the bank is interacting with.

This is all what Aadhaar provides within the realm of identifying someone. It does not tell the bank if Sita is a great person. It does not tell if Sita can be trusted to pay back her loans etc..

What happens after this between the Sita and Example Bank is of no concern to UIDAI. This design allows UIDAI to not have to deal with what happens further in the loop. They call it the “zero knowledge” interaction. But, at the same time, UIDAI claims that just by its existence the Aadhaar number makes things more efficient and transparent without having any interest or say in how that is being done.

This flaw is glaringly obvious when things do go wrong, as it has happened in the recent spate of data disclosures by service providers across the country. UIDAI washes their hands off these problems as not theirs to solve. The resulting scenario is one where there is a distinct lack of ownership of the data that is collected by service providers.

The service providers only know they need to collect the Aadhaar number of their users. UIDAI will have nothing to do with how the data is collected, how it is used and how it is disseminated. The beneficiaries are left in a situation where, should a problem arise with the seeding where it is mandatory, they risk losing access to services that they were previously legitimately entitled to with no clearly mentioned redressal mechanisms.

Another problem in taking this “Aadhaar will fix everything” approach is that it cannot fix everything.

Let us go back to Sita to see how this can play out.

Assuming Example Bank has already seeded Sita’s Aadhaar number, without any further authentication, they can still provide services in Sita’s name and it will look perfectly legitimate if the service requires only Aadhaar as the key identifier. This is precisely kind of fraud that is most prevalent in India and it is one that Aadhaar, with its zero knowledge model, cannot solve.

On the other hand, it is very much possible that during an audit where Sita’s use of the services are crosschecked with another data source and found to be fraudulent. Based on this alone Sita can be denied services for no fault of hers and there will be little recourse available for her to prove that this is not true.

Lastly, not having an Aadhaar number can result in the denial of a service that Sita is legitimately deserving of otherwise and probably has the documentation to support too. This fails all of the stated goals of Aadhaar and also fails the fairness principle. In effect, you suddenly denying people who are perfectly legitimate and should receive the benefit.

As it stands, the entire process of seeding and how that data is further used is flawed and a growing mess. It needs to be rethought and re-calibrated to address the crucial flaws. Some of the ways in which this can be done:

1. Halt the seeding until a framework is established to ensure all stakeholders are properly educated about how to handle Aadhaar data. Currently, very few people know the entire picture. Even fewer people know what is the correct picture.

The way in which it is being done right now carries the risk of putting the service provider DBs in a state from where it will be difficult to get a clear picture of the linkage between the internal ID and the Aadhaar number. This is a hard problem to solve and needs to be done in a measured manner; unlike the breakneck speed at which it is being attempted.

2. Stop denying services on the basis of no Aadhaar if there are other documents that provide identity. Even the Aadhaar Act itself stresses on the this aspect where people should not be denied access to services if they can prove who they are with other documents.

3. Appoint an external auditor for auditing both UIDAI and the service providers. The idea originally was proposed in this excellent technical paper on Aadhaar: http://www.cse.iitm.ac.in/~shwetaag/papers/aadhaar.pdf

4.  For the current service providers who have seeded with Aadhaar data, audit them to ensure compliance. A good place to start from would be to enforce the AUA checklist for service providers: https://authportal.uidai.gov.in/static/AUA%20Compliance%20Checklist.pdf

5. Set up comprehensive processes and documentation for service providers to ensure that seeding is handled properly. Make it mandatory for seeders to explain in clear terms what is being collected, what happens in the backend and how the data will be used.

6. Publish granular stats in a voluntary manner about state/district/taluk level about Aadhaar(enrolment, auth attempts, auth failures). If the government truly believes in data, then embrace it and use it to better services. Take the ambiguity out of understanding how well is it working. The data is already there: need to make this searchable easily visusalized.

This is a good start, but it needs a lot more of work: https://data.uidai.gov.in/uiddatacatalog/dataCatalogHome.do

7. Have a single location that lists information about valid service providers and the reasons why they are performing Aadhaar seeding. Provide a simple mechanism (email/SMS/toll free number) by which people can verify the details regarding a service provider who is performing the seeding.

8. Initializing seeding should be a clearly defined process. This should be done with a circular from the service provider first, followed by a verification message from the UIDAI that a particular entity has been cleared as a valid seeding partner.

9. Provide a simple means by which an Aadhaar registration center/AUA/ASA can be looked up and validated.

10. Establish guidelines for making Aadhaar mandatory for something. You should not be able to randomly point at something and say, make Aadhaar mandatory for it. Establish SLAs for a region or a service before it can be brought under consideration as a mandatory thing.

11. Introduce penalties for SLAs not being met in Aadhaar-mandatory environments. Make it non-mandatory till the SLAs are not met again.

12. Ensure that service providers are given service specific tokens than just yes/no. Make it illegal to store Aadhaar numbers in any manner outside the CIDR. Ensure they are periodically audited for compliance in storage and dissemination.

13. Educate the customer how enrollment is done, de-duplication is done, auth is done.

14. Educate the customer about their rights. How to ask questions, what to ask questions about. They are completely in the dark right now. So much so that the likelihood that anyone asking for Aadhaar right now will get it easily from the people because they are used to giving it out for everything.

15. Educate the user about consent: at enrollment, authentication.

16. Make the user part of the de-duplication process. There is no visibility the user has in this at the moment.

17. Make the Aadhaar documentation better. There are numerous formats/versions floating around. There is no consistent way of versioning docs, naming them or having a clear location from where you search them, access them or find versions properly.

18. Don’t lose control of domains (uidai.net that used to host services is no longer with UIDAI).

19. Have a comprehensive redressal framework in place.

Edit: Added one crucial point from @kshashi:

20.  Be more open to criticism and researchers studying the underlying technical and policy framework. There are a good bunch of people who work on the right side of the law researching these things. Have them on your side working with you.