The UIDAI Responds to Questionnaires Submitted by Petitioners

The UIDAI responded to the questionnaire submitted by the Aadhaar petitioners on March 3, day 23 of the Aadhaar hearings. The questionnaire pertained to the slideshow presented by UIDAI CEO, Dr Ajay Bhushan Pandey regarding the architecture of the UIDAI and Aadhaar. The questions, submitted by Nachiket Udupa and another, were regarding the rejection rate and the measures taken in this regard. Whereas, the questions, submitted by S. G. Vombatkere and another, pertained to the storage of information.

The UIDAI has categorically stated in their reply to both the sets of questions that they do not track the location of authentication transactions. In response to the former’s questions, the UIDAI stated that the failure, which is rare for iris scans, stands at 8.54% and for fingerprint scans, at 6%. On whether there were any special exceptions made in case biometrics failed, the UIDAI mentioned that other methods of authentication would also be permissible such as an OTP, or scanning the QR code on the back of the Aadhaar card. This is strange since, at its stage of inception, Aadhaar’s main feature was the biometric component being the conclusive proof of identity. Responding to a question posed by the latter, the UIDAI said that they did not have any data to show that the rates of failure are higher for those below the age of 15 and above 60. However, they did mention that fingerprint authentication failures occur more for persons above the age of 70.

On the issue of consent in the case of a minor, the UIDAI said that where a school acts as an introducer, the consent of the parent must be taken since children cannot sign for themselves. However, the issue of consent still arises in situations where the parents themselves are illiterate. The UIDAI further said that there is no possibility of opting out of Aadhaar once a child reaches the age of 18. However, they did mention that the biometrics could be locked. Locking biometrics is another kettle of fish since the biometric component is the main security feature of Aadhaar.

The UIDAI mentioned that they conduct physical quality checks on the enrolment applications received. If an enrolment agency were to violate the guidelines, then the application is itself rejected. Once an enrolment agency is blacklisted, then the agency can no longer process applications. However, though the petitioners had requested the UIDAI to mention how many enrolments of the 49,000 blacklisted agencies had been done by them, the UIDAI did not even mention how many applications were attempted by these enrolment agencies. The second petitioner posed a similar question on the reasons the enrolment agencies were blacklisted. The UIDAI stated that agencies can be blacklisted when they illegally charge for registration, submit poor quality demographic data, provide for invalid biometric exceptions, and other process malpractices. They did mention when these instances cross a particular threshold, the agency is blacklisted, but did not elaborate on what the ‘threshold’ is.

In the case of biometric de-duplication rejections the UIDAI mentioned that as of March 21, 2018, 6.91 crore applications had been rejected. They, however, clarified that these rejections were mostly due to applicants being unaware of the process or enrolling themselves several times because they did not receive their Aadhaar due to postal delays. The UIDAI also stated that since no person has lodged a complaint or filed a suit for being denied an Aadhaar card, the de-duplication is successful. This is a fallacious statement since the level of legal literacy among the general public is not particularly inspiring. Further, low-income people are not particularly keen to go to court. The UIDAI however, mentioned that all applications, irrespective of status, are stored in the Central Identities Data Repository (CIDR). It should be mentioned at this point that the application also consists of scans of other government-issued IDs such as voter cards and driving licenses.

The UIDAI stated that as of March 26, 2018, there have been 18 crore rejections of enrolment packets. Though the petitioners sought clarification on whether any field verification had been conducted to ensure that the verification was justified, the UIDAI only said that the applicants can re-apply. This lack of physical oversight is a major shortcoming since most people in India are aware of how quickly such procedures progress. The pain of applying for any document from any government agency increases, the further away one lives from an urban area. A daily wage earner, for example, would have to forego a day’s wages twice if they had to reapply for an Aadhaar.

From the UIDAI’s responses to the other petitioner’s questions – which somewhat resembled a cross-examination – one can see that the UIDAI plays no role in the veracity of the documents submitted with the application. The veracity of the documents would have to be determined by the Registrar or persons appointed by the Registrar. The UIDAI stated that if the applicant is found to be an illegal immigrant then the Aadhaar is deactivated or omitted. Only persons who have resided in India for 182 days or more in the preceding 12 months are eligible to apply. This provision applies to foreign nationals as well. However, when a person ceases to be a resident, their Aadhaar will be deactivated.

On the issue of information being stored, the UIDAI stated that the biometric readers for verifying Aadhaar can only be registered devices and that the Aadhaar Act does not allow the readers to store biometric information. However, a crime can only be punished once it is found out. Similarly, a biometric reader could be tampered with, either through a software, or a skimming device applied to capture the information. The UIDAI also mentioned that they neither store information such as IP address, GPS location or authentication purpose, nor do they request authentication agencies to do so. However, they did mention that Authentication User Agencies (AUAs) such as banks and telecom companies could store the information to prevent fraud and for their own security requirements. If this is being done the UIDAI is empowered to audit their logs. However, Authentication Service Agencies (ASAs) are not permitted to store the information. They further clarified that the traceability feature of the authentication process from the UIDAI’s perspective pertains only to which device has requested authentication.