Aadhaar is a 12-digit unique identification number issued by the Indian government to every individual resident of India. The Unique Identification Authority of India (UDAI), which functions under the Planning Commission of India, is responsible for managing Aadhaar numbers and Aadhaar identification cards.
The Aadhaar project was initiated as an attempt towards having a single, unique identification document or number that would capture all the details, including demographic and biometric information, of every resident Indian individual. Currently there are a plethora of identity documents in India including passports, permanent account numbers (PANs), driving licenses and ration cards. The Aadhaar card / UID will not replace these identification documents but can be used as the sole identification proof when applying for other things. It will also serve as the basis for Know Your Customer (KYC) norms used by banks, financial institutions, telecom firms and other businesses that maintain customer profiles. Aadhaar numbers will eventually serve as the basis for a database with which disadvantaged Indian residents can access services that have been denied to them due to lack of identification documents.
A resident Indian can apply for the Aadhaar number and card by submitting the existing proof of identity (passport, PAN card, driving license, etc.) and proof of address (phone/ power bill, bank statements, etc.) and by undergoing biometric profiling (fingerprints and iris scan) at any Aadhaar center.
Aadhaar project, also known as UID (unique identification), is an initiative rolled out by Government of India under which a unique number is provided to every Indian citizen for identification. The number can help citizens to avail several benefits and services. So far, more than one crore cards have been issued. This Manager’s Guide will touch upon the project objectives and explain the role of IT in Aadhaar’s implementation.
1. Aadhaar project: Scope and benefits
The need for Aadhaar project arose after the discovery of fake and duplicate records and non-existent beneficiaries in government’s welfare schemes for the underprivileged. This was mainly due to poor attempts at verification of demographic and biometric information. The Aadhaar project will address these issues. Unique Identification Authority of India’s (UIDAI) overarching goal is to ensure that a significant number of underprivileged citizens are brought under the UID system.
Aadhaar project will furnish each Indian citizen with a unique, 16-digit identification (UID) number representing 12 identity parameters corresponding to the demographic information. This also includes an individual’s fingerprints and iris scan that form a biometric record mapping to the Aadhaar number. All data would then be collected and stored in a central database known as CIDR (Central ID Repository). CIDR will be used by security agencies for proactive threat monitoring and investigations as well as by service providers for providing prompt services especially to the underprivileged class.
2. Software applications used
Aadhaar database a.k.a. CIDR (Central ID repository) is hosted on a central system powered by data centers. This data is used to serve Aadhaar project’s core objectives such as:
(1) Enrolment application is used for receiving new client enrolment requests and capturing new data. After verifying the uniqueness of the request, the Registrars enroll the data that is received in magnetic media from various logistic providers. This data is then uploaded to Aadhaar database post-validation. The Registrars include (but are not restricted to) ministries and departments of state and central governments, banks and other financial institutions, telephone companies, etc. Once this is done, the Aadhaar number is generated for the request.
(2) Authentication application will conduct online authentication of identity (demographic and biometric information) done by querying the Aadhaar database that responds to such queries in the form of Valid/Invalid type of response. Also, de-duplication of biometric data is done by assigning a scaled data fusion score to each duplicate record. This score is in the range of 0 to 100, with ‘0’ indicating the least level of similarity and ‘100’ as the highest level of similarity.
(3) Fraud detection application detects identity fraud by catching fraud scenarios. Few examples: registration for non-existent applicants, misrepresentation of information, multiple registration attempts by same applicant, user impersonation, etc.
In addition, a number of support applications have been developed to ensure effective functioning of the Aadhaar project. Some of them are:
(4) Administrative application provides user management, role-based access control, automation and status reporting.
(5) Analytics and reporting application provides enrolment and authentication statistics for both public and partners.
(6) Information portal provides administrative access for internal users, partners, and general information/reports/ grievance requests details to public.
(7) Contact center interface application provides query and status update functionality.
(8) Logistics interface application interfaces with the logistics provider for letter printing and delivery management.
3. Information security risks involved
(1) UIDAI plans to transfer operations related to Aadhaar project to an external service providersome time down the line. Given that Aadhaar database holds sensitive data of Indian citizens, it is critical that the chosen provider is trustworthy.
(2) Unauthorized access to Aadhaar project database could have disastrous effects.
(3) Ownership of PKI (Public Key Infrastructure) implementation lies with the Registrars (refer to section ‘Software applications used for Aadhaar‘). As a result, there is a risk of use of broken encryption algorithms by registrars at the time of receiving updates from CIDR thereby compromising data confidentiality.
(4) Inadequate measures for securing local copy of enrolment data held by Registrars (refer to ‘Software applications used for Aadhaar‘) at their end.
4. Criticism and challenges
The Aadhaar project has also received criticism.
(1) Possibility of burdening the existing system of photo-identification instead of creating a new Aadhaar project from scratch.
(2) Given the sensitivity of data being held, contracts should have been awarded only to Indian vendors but that doesn’t seem to be the case.
(3) Backup mechanism and recovery time objectives of Aadhaar project database in case of natural/technical failure may prove a challenge considering the scale of the project.
(4) UIDAI may also face operational challenges. For instance, updating of the current demographic information, change of residence or marital status, by existing Aadhaar holders, promptly and securely may be challenging.