Aadhaar in question? CAG raises red flags against UIDAI’s data security

UIDAI was unable to provide assurances on the security of "REs and ASAs accessing and storing" Aadhaar users' personal information via unregistered biometric equipment (used prior to April 2018). 

  • UIDAI was "neither able to derive required assurance" that the information systems of the entities involved in the authentication ecosystem were in compliance with its prescribed standards.
  • UIDAI has discretionary rights to issue exemptions.
  • These are severe cases of the identification authority failing to fulfill its obligation to ensure data security.

New Delhi: The latest report on the administration of Aadhaar by the Comptroller and Auditor General (CAG) exposes concerning deficits on the part of the Unique Identification Authority of India (UIDAI) in securing the data of the world's largest biometric identification system. 

The UIDAI was "neither able to derive required assurance" that the information systems of the entities involved in the authentication ecosystem—the requesting entities (REs) and the authentication service agencies (ASAs)—were in compliance with its prescribed standards, according to the report, and "neither did it ensure" auditing by the bodies authorised for this. 

UIDAI has thus failed to perform a basic job with which it has been entrusted—Regulation 12 of the Aadhaar (Authentication) Regulation delegates to the identification authority the responsibility of verifying the information provided by REs and ASAs.

While the proportion of REs audited out of the whole pool increased from 36% in 2016-17 to nearly 56% in 2018-19, the proportion of ASAs audited remained below 50%. As of March 21, the vast majority of REs were private parties. So, if there has been no progress since the 2018-19 audit levels, there is ample cause for concern about UIDAI's data security management. This is not to argue that the data security issue is limited to private companies; the identifying authority should ensure that both private and public entities participate in the annual audit process. 

Even if the UIDAI has discretionary rights to issue exemptions, cases of such use must be made public in advance and must be based on well-defined benchmarks, as the CAG stated in its report.

The UIDAI was unable to provide assurances on the security of "REs and ASAs accessing and storing" Aadhaar users' personal information via unregistered biometric equipment (used prior to April 2018). Similarly, despite the fact that the UIDAI enforced dedicated vault storage of all Aadhaar numbers and related data gathered by enlisted companies in 2017—with consequences for noncompliance—it failed to satisfy the CAG that the entities involved were following the proper procedure. According to the CAG, the UIDAI "did not develop any measures/systems to validate that the entities involved complied with protocols and was entirely reliant on reports submitted" by the latter.

These are severe cases of the identification authority failing to fulfill its obligation to ensure data security. The CAG audit also highlighted the lack of a system to check an Aadhaar applicant's compliance with the Aadhaar Act's residence requirements. The enormous number of cancellations of "duplicate" Aadhaar defies the Aadhaar system's basic goal of establishing uniqueness of identity, and the large number of voluntary revisions of biometric data is evidence of low registration quality.

There is no arguing that Aadhaar has been a game changer for India, as seen by the JAM system, which has helped plug subsidy leakages and improved targeting for government benefits. Greater financial inclusion has resulted from the Aadhaar-enabled Payments System. The one-of-a-kind ID has even sped up passport processes. However, there is a need to increase public trust.

As the CAG has pointed out, the UIDAI has fallen short on multiple points, all of which will erode such trust. Apart from course correction, UIDAI must proactively develop trust through increased transparency in ecosystem oversight. The government can take a facilitative role if it so desires, as Section 50 of the Aadhaar Act allows it to offer the UIDAI policy guidelines that the authority must follow. Given that the UIDAI has also sought exemption from the scope of the personal data privacy law if it is adopted, it may be in the interest of maintaining public trust in the Aadhaar system that UID holders are assured of a robust and safe ecosystem.