Government pursuing UID discreetly without answering Parliament or doubts of citizens is leading to the fear that apart from sacrificing the interests of citizens, this humungous scandal when exposed and revealed will have dangerous consequences and unrest amongst people. The plight of those who have given their biometrics and iris to unknown persons will be haunting them forever. This is the second part of a nine-part series on the unique identification number scheme.
It all started as a Unique Identity (UID) for 'residents' of this country in 2009 and later it metamorphosed into a huge scandal in the name of "aam aadmi".
Initially we only had doubts that had to be clarified but later when delicate queries were hedged is when we all got suspicious and started following the trail.
The entire 'Scheme' (pun intended) is full of contradictions, hidden facts, hedging, disinformation, impracticality, arbitrariness, and what's more, fraught with threat to national security. In the beginning we were wary of making such a charge or allegation and therefore worded our statements suitably. But when we saw the reply to Right to Information (RTI) queries that were rather irresponsible and blatant, we were convinced that something is fishy and that the government and the Unique Identification Authority of India (UIDAI) were hiding important information from the citizens. We then started to ask more questions and each time we got a different response for the same question! We became more curious and our research reveals that the government and the UIDAI have deliberately misled the people of this country.
We started to probe and also simultaneously engage in networking with all those who felt that the government should come upfront and explain. We got tremendous support and that too from various quarters that included almost all independent civil society members of the NAC (National Advisory Council) chaired by Sonia Gandhi.
The issues are several and that too of serious implications involving the security of the nation when data is being shared with a foreign country that too doing the same business with National Database and Registration Authority (NADRA) of Pakistan! Breach of individual privacy, siphoning of huge amount of money from the public exchequer (our taxes) for something we are not quite sure or results not proven. On the contrary, the experience in UK and Australia after pushing it through has been to withdraw and the damage is huge. So can't we learn from others' mistakes? We rely purely on statistics, ground realities and experience to counter all the claims. We have absolutely no hesitation to correct our opinion provided they are convincing and furnished to us straight forward not vaguely as "We should always consider the positives rather than harp on only the negative". Then it becomes a debate.
When we started to approach the authorities we got vague evasive responses sometimes dilatory and also irresponsible.
We went public and held several workshops, symposiums, seminars and also demonstrations that included faking of IDs by people, that too in front of none other than MN Vidyashankar, the principal secretary to Government of Karnataka, who played a key role in this enterprise. This was in an open house where some distinguished guests were also invited. He ducked for cover and promised many things only to go smug and silent later on. Even emails continuously sent to him were diverted to others and no proper clarification was available to any of our questions till date. It's a different matter that he was transferred from this post to another sometime ago.
We had a strange and vivid experience. Initially the Karnataka government authorities were proactive and also participated in interactive sessions. But later they became totally reticent and refused to come to meetings in which we participated. They didn't express this in so many words but gave flimsy reasons of being busy and tied up.
Some Kannada news channels also told us that they had contacted several top officials and they refused to participate in any debate. So this led to more doubts and we wondered why the UIDAI, which boasted of transparency and probity, went into hiding. They couldn't answer tough questions, that too with evidence given to them. It became obvious that they were trying to hide many things from the glare of public.
UID was touted as a 'unique' number (not card as many think it to be) and that there would be no other identity needed once this comes into place. But then, when protests started, there was a rider that this is only 'optional' and not mandatory?
We were told that only basic information is collected. But later the truth started to unfold. Banks started collecting all information under Know Your Customer (KYC) norm that intruded virtually into citizen's privacy. The information sought for had nothing to do with regular banking that too of account holders who were comfortable with their operations for decades. There was no legal sanctity to collect these information but the banks still insisted that they were directed by the Reserve Bank of India (RBI) and that itself is sufficient to collect the information. Some of the banks even threatened to freeze the operative accounts if the details were not furnished. In each of these applications there was a provision for the Aadhaar number. This meant that at some stage by deceit the government will have access to our bank accounts and all transactions if they so wanted. That too without the knowledge or permission of the account holder; obviously the KYC doesn't have a disclaimer to the contrary.
We understand that the UID is linked to 24 databases by various service providers. This is the double speak and contrary to their claim.
When the 'uniqueness' was contested, the UIDAI introduced the biometrics and started with the thumb impression. When this was also contested, UIDAI stated that they would collect the impression of all the 10 fingers and also introduced the iris scan as a defence mechanism. When this was also shown as not foolproof and feasible, they scampered and commenced a "proof of concept" (PoC) study.
It is customary to conduct the proof of concept before the launch of any programme not in between or later. Further such proof of concept study is done end-to-end that is with all key parameters that need to be fulfilled or viability of the project itself. Secondly such survey should be done with proper scientific sampling viz: In the rural and labour intensive part like in this case to really get the correct result but it was not so: the entire fiasco was shrouded with mystery and hopelessly done; obviously the results also were skewed. Ultimately it was an "eye wash" and meant only as routine exercise.
UIDAI's identification results are based on 20,000 people chosen from the 60,000 who attended two biometric enrolment sessions. What do the results for all 60,000 look like? Why were the full results not published? How were the 20,000 chosen? What was wrong with the other 40,000? Why don't UIDAI report the de-duplication statistics for the one million people now enrolled on the CIDR, instead of a paltry 20,000 of them?
How many unique pairs of biometrics can be chosen from 40,000? Answer: 40,000 × 39,999 / 2 = 799,980,000. If UIDAI are right 40,000 is a number of the order of 10⁴, whereas the number of comparisons which have to be made to prove uniqueness is of the order of 10⁸. The population of India is of course not 40,000. More like 1.2 billion or 1.2×10⁹. So that the number of comparisons between pairs of biometrics that would need to be made to prove uniqueness is 7.2×10¹⁷. It would take a very long time but, in a perfect world, those 7.2×10¹⁷ comparisons could be performed by computer and it could be proved automatically that there are no duplicates, i.e. each electronic identity is unique.
In the real world, problems arise. UIDAI says quite rightly that they must expect the odd false positive. In other words, on occasion, it will look as though two people have the same biometrics. There may be hundreds of reasons for that. Here are just four of them:
1. The equipment used may not be entirely reliable.
2. An over-worked UIDAI agent may by mistake register Mr Narayana's biometrics against Mr Chandrashekar's name.
3. Mr Narayana may have naughtily enrolled twice, once in his real name and once in Mr Chandrashekar's name.
4. Mr Narayana and Mr Chandrashekar may genuinely be two different people who happen to have similarly poor biometric quality of their fingerprints and / or iris or the scanner unable to distinguish between the two.
When a false positive arises, it has to be investigated by a team of human beings. It can't be resolved by computer. How many false positives should India expect? In the results section of their report the UIDAI defines the false positive identification rate (FPIR) and they say "we will look at the point where the FPIR (i.e. the possibility that a person is mistaken to be a different person) is 0.0025%". At that point, UIDAI would get two and a half false positives on average for every 100,000 comparisons.
Given that the UIDAI have to make 7.2×10¹⁷ comparisons, how many false positives should they expect? Answer: (7.2×10¹⁷) × (2.5×10⁻⁵) = 1.8×10¹³. That's 18,000,000,000,000 false positives for people to investigate and resolve.
Is this acceptable and will it ever happen? To prove uniqueness, every single Indian would have to investigate and to resolve 15,000 false positives. Long before they had finished, many of them would be dead, many more Indians would have been born, and the task would remain incomplete. Using UIDAI's own figures, India can be confident that the proof of uniqueness is not achievable. Not in the real world.
How many more staff would UIDAI need? How much more would UIDAI have to spend on top quality biometrics equipment to make that improvement? If that is feasible, why didn't the UIDAI Biometrics Centre of Competence (UBCC) say so? Why did UBCC "look at the point where the FPIR. 0.0025 %" and not at the point where it's 1.4×10⁻¹², which is what it would have to be to reduce the number of false positives to one million?
If the sea-of-false-positives argument above is correct, then biometrics do not provide the foundation needed for UID, the false conclusions drawn by UBCC in the proof of concept trial report impugn everyone's trust in UIDAI and no-one can be confident that the benefits of UID will ever be achieved.
Presumably the proof of concept trial report is the work of UBCC. They have to say why the sea-of-false-positives argument is wrong, if they can. And here are more questions which could do with a response from them:
a) Over the years, the suppliers of biometric technology have been caught out repeatedly making exaggerated claims for the reliability of their wares. Their marketing material is now a little less gung-ho. UIDAI's suppliers, L-1 Identity Solutions Inc and Morpho among others; do not claim on their websites to be able to deliver unique identification in the case of large population registers. Given the sea of false positives, how could they? So why does the UIDAI claim to be able to deliver unique identification? It's easy to see why the suppliers don't object to being boosted in this way. But why does the UIDAI provide this unsolicited testimonial to the historically flaky products of the mass consumer biometrics industry? Is a field trial of 20,000 big enough to tell India what to expect when it comes to 1.2 billion people?
b) Graduate Management Admission Council (GMAC), the body representing 1,800 business schools in 110 countries, dropped fingerprinting as a way of verifying identity after a two-year trial. If the business schools don't recommend the technology, why does UIDAI recommend it?
c) Why don't Visa and MasterCard rely on biometrically verified payments anywhere in Europe and the US? If they're not good enough for Europe and the US, why should they be acceptable in India?
As it happens, the UK made the same mistake. For years, between 2002 and 2010, the Home Office was in the undignified position of being quite unable to answer probing questions, whether posed by critics or supporters, about their UK ID card scheme. The facts simply don't support the claims the Home Office was making (see for example their document 'Safeguarding identity') about being able to 'lock' people to a single identity and their fatuous promise that ID cards would "make life easier".
Public money was wasted on a pipe dream. There were many problems with the UK scheme. Not just biometrics. But biometrics is the easiest problem to understand and to discuss objectively and on which to reach an agreed decision, it's quantifiable, there are no difficult value judgments to make, it's just technology. And not a very good technology: whenever there is a large-scale field trial, as opposed to the mere computer modelling exercises favoured by NIST, mass consumer biometrics prove to be too unreliable for the ID card schemes that depend on them. By the time the stillborn scheme was finally cancelled, the Home Office had lost all credibility, it was totally demoralised and it is now excluded from discussions of the UK's new, and still unspecified, Digital Delivery Identity Assurance project.
Further the UIDAI collected 15 Identities that already exist viz: Passport, EPIC and Ration Cards. Therefore they couldn't claim it to be Unique. Whereas all these identities were provided only after eligibility criteria was fulfilled and with verification in each case to genuine citizens as per the provisions of the Citizenship Act.
Thus the claim of it being 'unique' slowly gave way to the National Identity and became just another number, not card, which many confuse it to be. That is why it is the NIA Bill 2010 (National Identification Authority of India Bill, 2010).
In order to hasten the enrolment process, incentives were given to even private enrolling agencies to mobilize applications. The floodgates were open.
MOUs (memorandums of understanding) were entered with several government departments and banks as well as private agencies such as travel agents, stock brokers and even dubious institutions. Nearly 209 such operators were allowed and when we analysed the selection of such agents it gave rise to more doubts and suspicion. Some didn't even have the domain knowledge or experience to collect such vital information from people.
It was astounding to know that such a valuable and precious data of citizens was handled in a haphazard way. Our doubts came true. Several bloomers and goof-ups surfaced.
Some TV channels also went on an overdrive and exposed the unscrupulous methods and also corruption. A person languishing in Bengaluru prison, Ali, got his UID number from Mysore without even visiting the place!
We sent the media clipping to MN Vidyashankar for his comments; he immediately responded saying the culprits were arrested and an FIR had been filed. "This was just an aberration," he said. Without doubting his statement, we only asked some more questions which he didn't anticipate. He gave excuses and later after persuasive mails he passed it on to his subordinates to respond. Ultimately we never got any convincing fact or particulars that we sought from him. True, an FIR was filed. Is that all? What about internal departmental investigations to find out the lacunae in the system and processes in order to prevent such fake IDs? No information was forthcoming on such questions.
We have vivid stories from our media friends who took up the issue and started to support us. Their experience was no better than ours. Media seems to have been strangely silenced.
The Parliamentary Standing Committee examined all these aspects and also summoned the authorities for various clarifications. In a near unanimous decision they came to the conclusion that it is directionless and ill conceived. (Relevant to mention that there were only a couple of dissenting notes and these were not on the merits of the case, but extraneous political affiliations and compulsions and posturing) The report was submitted to Parliament for further deliberations. It is also very pertinent to note that the report deals with invasion of privacy and declares that unless there is a law that protects privacy, this can't be introduced.
But the temerity and audacity with which the authorities are bypassing this report and still continuing to perpetuate the fraud is beyond anybody's imagination. Definitely it leads to the belief that there are some other extraneous considerations and also "hidden hand" that is continuing to perpetuate this programme for their own ulterior motives. Hence it has to be resisted tooth and nail.
Unfortunately we are still not a developed country that can afford this extravaganza and write off huge wasteful expenditure that has no guarantee of success on any basis.
Government pursuing this discreetly without answering Parliament or doubts of citizens is leading to the fear that apart from sacrificing the interests of citizens, this humungous scandal when exposed and revealed will have dangerous consequences and unrest amongst people. The plight of those who have given their biometrics and iris to unknown persons will be haunting them forever.
They have to live in the shadow of the "ghost that is hidden" and may strike in any form and from anywhere will linger in their minds forever!
(VK Somasekhar is active in civil society movements having distinguished in fighting for causes on environment, consumer movement and also civic issues. He is a triple graduate with post-graduation in Law as well as Diploma in Journalism, Diploma in Foreign Trade Management. He was also the president (vertical head) of a media entertainment company. He is also the managing trustee of Grahak Shakti, a voluntary Consumer Organisation of standing for over three decades now. A prolific freelance writer with accreditation by the state government and also appears on current issues on various news channels regularly both in vernacular and English media.)