Aadhaar: Unique Number, Fingerprints, Iris Scan, and Now Facial Recognition: UIDAI Experiments Continue
Each time doubts are raised about the authenticity of Aadhaar, the Unique Identification Authority of India (UIDAI) comes out with some new gimmick. For example, when there were issues with its 'unique number' claim, UIDAI quickly added fingerprints to it. This was followed by iris scan. The latest in this 'search for uniqueness' is facial recognition of Aadhaar number-holders. Unfortunately, like its earlier experiments with fingerprints, and iris scans, the failure of facial recognition through ‘live face photo capture’ too is most likely to give way to something new, perhaps DNA profiling. This also means that UIDAI will continue to splurge taxpayers’ money on its experiments in search of really unique identification (UID).
While there is no official notification or circular by UIDAI, it published a news report from Asian Age
on its website, which says “Face recognition feature to be rolled out Sept. 15: UIDAI
”. In the report, UIDAI has been quoted as saying, “…‘live face photo’ capture and its verification with the photo obtained in e-know-your-customer (eKYC) will be essential in those cases where Aadhaar is used for issuance of mobile SIMs.” According to the report, unmindful of the directions from the Supreme Court, UIDAI has “finally announced a phased rollout of face recognition feature as an additional mode of authentication, starting with telecom service providers from 15th September.”
Earlier, on 13 March 2018, the apex court had extended the deadline to link Aadhaar to various services, including bank accounts and mobile numbers, until the disposal of the matter by the Court. Chief Justice, Dipak Misra, also clarified that the deadline had been extended covering all the fields, including telecom. The extension of deadline, however, does not apply to the benefits, subsidies and services under Section 7 of the Aadhaar Act. In other words, what UIDAI is trying to achieve through its ‘facial recognition’ feature is to cover up the lacunae in its ‘authentication’ system, if any.
Earlier, talking about success rates of biometric authentication, Ajay Bhushan Pandey, chief executive officer (CEO) of UIDAI had told the Supreme Court that, for government systems, the success rate was 88%; for banks it was 95%; and for telecom it was 97%. "It is lower for government because vested interests are spreading misinformation and the media is helping them," he had alleged.
The documents submitted by Mr Pandey, however, showed a different picture about Aadhaar authentication. Without disclosing the sample size, the UIDAI CEO informed the five-judge Constitutional Bench that the UIDAI had conducted a ‘proof of concept’ where they visited senior citizens in their homes and found 83% success rates for finger prints and 90% for iris scans. Mr Pandey also said that the UIDAI has now developed face recognition technology, which is even more accurate and will be rolled out soon. It is another matter whether even 90% success rate is enough in time-critical situations like admission to hospitals or boarding an airline!
Replying to other query from Justice DY Chandrachud, on whether UIDAI knew if denial of service was happening or only it was limited only to authentication failure, Mr Pandey, had said, “No. But, UIDAI constantly advise (sic) ministries that on the ground there will be exclusion if they solely depend on Aadhaar authentication. Which is why in law, they made exceptions and that any official not obeying and denying services would be taken a strong view of."
The biometric information being collected by UIDAI comprises facial photographs of the individual, all 10 fingerprints and a scan of both irises. UIDAI has been creating a vast data bank containing this personal information. However, it is not just UIDAI that has created such huge database on residents on India. Everyone, who is either a registrar or an agency associated with UIDAI, has created their own set of Aadhaar database. This includes government ministries and departments which, over the years, are coming out as being too careless as they have been publishing Aadhaar-holders’ data on the Internet.
As pointed out by senior advocate Shyam Divan in his article, “The Prime Minister’s Fingerprints: Aadhaar and the Garrotting of Civil Liberties
”, the procedure adopted by UIDAI is so casual that it borders on irresponsible. “Briefly, the entire process at the field level is in the hands of private enterprises known as enrollers who operate freely without any government supervision. The threshold qualifications for an enrolment agency are so low that not one of them is a recognisable name. They comprise an assortment of trusts, societies, proprietary concerns, partnerships and what have you. The biometric information of each enrolee – that set of valuable parameters that we ought to most fiercely guard—is spirited out by filling out a form.
The biometrics are initially stored and collected in private hands before it is (sic) transmitted to the UIDAI Central ID Repository (CIDR) via memory stick or courier or by direct uploading. The UIDAI has no privity (sic) with the enrolling agencies. The loose framework of relationships linking UIDAI to the collection of biometric data is through MoUs with state governments or departments known as registrars. It is these registrars who engage private sector enrolment agencies," Mr Divan had said.
Yet, UIDAI continued to collect biometric data on residents. It also continues with its experiments for its so-called verification and authentication. However, as pointed out by Dr Anupam Saraph, an expert in governance of complex systems, and confirmed through information obtained under Right to Information (RTI) Act, UIDAI does not acknowledge, certify or take responsibility for the identification of any person. In an article published in Sunday Guardian
, he says, “They (UIDAI) cannot. They know that a match of the biometric or photograph associated with an Aadhaar number to one being submitted for authentication does not identify anyone. Just as your username and password to your email account does not identify you. Just as the key that opens the lock to a door does not identify you.
“Identification is a responsible process. It requires someone to take responsibility of identification. To take responsibility it requires the person identifying another to be co-present. Co-presence confirms that the identified person is real and not mere photographic, video-graphic or biometric data. It confirms the identified person is there in their own free will. It causes the person undertaking the responsibility for identification to confirm satisfactory identification for the transaction for which the identification was undertaken. In order to identify a person using an official document (like the passport, driver’s licence or election ID), the official document has to acknowledge or certify that the data captured on the official document is genuine and belongs to the person who it claims to belong. The UIDAI does not take any responsibility of identification. It is not co-present with the person being identified. It does not and cannot confirm whether a real person was present and not their photographic, video-graphic or biometric data,” Dr Saraph added.
Since many experts have already pointed out how biometrics, like fingerprints, and iris scan failures, I will not talk about it here. However, let us look at the latest 'tech salvo', the facial recognition offered by UIDAI.
At present, UIDAI has an image of the Aadhaar-holder captured by a camera (mostly webcams) linked to the PC (personal computer) or laptop at the registrant's desk. These cameras capture image of the Aadhaar-holder, which are not of a high resolution. Plus, there are other factors like poor light on face, which will hamper the quality of the photograph or the captured image. And this is where the main problem lies.
Facial recognition is now becoming popular, mainly due to introduction of FaceID by Apple for its iPhone 8 and iPhone X. But then Apple uses an extremely sophisticated technology, both in terms of camera and the processing chip in the mobile.
For FaceID, Apple uses TrueDepth camera for facial mapping. The FaceID projects and analyses more than 30,000 invisible dots to create a precise depth map or 3-D image of the user’s face. Apple used every trick in the book to train its A11 bionic chips to prevent any misuse. This includes using masks and make-ups, or high-quality photos and videos that were created by professionals. There is one more technology, evil twins, where there is always a one in 50,000 chance of matching a stranger’s fingerprint with the user’s to unlock the device. However, this matching ratio drops to 1 in 1 million with FaceID. That means, even with evil twin, there may be only two identical face maps in every 1 million faces. (Read: Apple FaceID
Now try comparing Apple's FaceID technology (including TrueDepth camera and chip) and UIDAI's facial recognition through the image captured at the time of registration or updating.
“The trust quotient with Aadhaar is falling,” says an editorial from the Times of India,
adding, "Earlier, we were told fingerprints are almost foolproof but then iris scanners were introduced. Goalposts keep changing all the time. Or is it Aadhaar that is floundering?"
In rural India, the villagers say when you give a hammer to a blacksmith, he or she will only think in terms of nailing something. The only difference is that here it is the human body, which is being nailed. If you only have a hammer, you tend to see every problem as a nail. If biometric technologies are at hand, UIDAI, under the influence of technology, continues to see every problem only as an identification problem.
A paper from UIDAI titled “Role of Biometric Technology in Aadhaar Authentication” had stated, “Of the three modes, fingerprint biometric happens to be the most mature biometric technology in terms of usage, extraction/ matching algorithms, standardisation as well as availability of various types of fingerprint capture devices. Iris authentication is a fast-emerging technology which can further improve Aadhaar authentication accuracy and be more inclusive.”
This paper explains, “Authentication answers the question ‘are you who you say you are'..” This is done using different factors like, what you know—user ID/password, PIN, and mother’s maiden name, what you have—a card, a device such as a dongle, and mobile phone and what you are—a person’s biometric markers such as fingerprint, iris and voice. The ‘what you are’ biometric modes captured during Aadhaar enrolment are fingerprint, iris and face. It is noteworthy that this paper refers to biometric markers like ‘fingerprint, iris, and voice, etc’ revealing that after fingerprint and iris, ‘voice’ print is also on the radar and its reference to ‘etc’ includes DNA prints as well.
Such absolute faith in biometric technology is based on a misplaced assumption that there are parts of human body that do not age, wither and decay with the passage of time. Basic research on whether or not unique biological characteristics of human beings are reliable under all circumstances of life is largely conspicuous by their absence in India and even elsewhere.
However, UIDAI seems to have taken the facial recognition route instead of directly going to DNA. While, for a common user, this is one more ‘gimmick’, for UIDAI and its partners, including registrars, this is one more opportunity to make money. Remember, even for updating your mobile number or address, you are required to pay a certain amount of money. In short, Aadhaar-holders need to cough up more money now for this new gimmick of ‘facial recognition’.
You may also want to read...