• Associate Sponsor

Targeted delivery: Grievance system, robust cybersecurity critical to Aadhaar’s success

Even as the govt is making efforts to make Aadhaar mandatory for schemes and services, experts say that it is necessary put in place safeguards such as secure data security system for a successful unique identity programme.

Written by Pranav Mukul | New Delhi | Updated: October 17, 2017 2:38 am
aadhaar, aadhaar card, aadhaar card data, aadhaar card privacy, uidai, aadhaar card data hack, cyber security, cyber security india, cyber attack, cyber security for aadhaar card, cyber warfare, cyber attackers, cyber risk mitigation, Indian express A five-judge Constitution Bench of the Supreme Court is set to hear a batch of petitions on Aadhaar related matters in November (Illustration: C R Sasikumar)

Alongside the government’s move to build an ecosystem around Aadhaar that aims to reduce its overall subsidy burden by making targeted delivery of these benefits, legal experts and analysts suggest that it may be necessary to simultaneously put in place a number of safeguards. These include having a robust data security system, a grievance redressal mechanism and ensuring that there is no basis for exclusion of any of the beneficiaries. In the due course, over 135 Central government schemes are slated to leverage Aadhaar as an authentication mechanism.

For many of these schemes and services, while the respective ministries have not used the term “mandatory” in their notifications, they have said that the beneficiaries will be “required to furnish proof of possession of Aadhaar number or undergo Aadhaar authentication”, before a deadline, which has now been extended to December 31, 2017, in most cases. These include schemes such as Mahatma Gandhi National Rural Employment Guarantee Scheme, targeted public distribution system, Employees Pension Scheme and Central scholarships, among various others.

Interestingly, a majority of these notifications that call for people to furnish their Aadhaar details to receive benefits under the schemes start with an identical template: “Whereas, the use of Aadhaar as identity document for delivery of services or benefits or subsidies simplifies the government delivery process, bring in transparency and efficiency, and enables beneficiaries to get their entitlements directly in a convenient and seamless manner and Aadhaar obviates the need for producing multiple documents to prove one’s identity,”. After this, the notifications detail the scheme being run by the respective ministry and then citing Section 7 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, notify the requirement of Aadhaar, or proof of enrolment, to avail the benefits.

Section 7 of the Aadhaar Act states:

“The Central government or, as the case may be, the state government may, for the purpose of establishing identity of an individual as a condition for receipt of a subsidy, benefit or service for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India, require that such individual undergo authentication, or furnish proof of possession of Aadhaar number or in the case of an individual to whom no Aadhaar number has been assigned, such individual makes an application for enrolment”.

Even as most of these schemes use the provisions under Section 7 of the Aadhaar Act to use the biometric identity system as a tool for delivery of services, some of the services for which Aadhaar has been made mandatory do not have visibly evident benefits for the end-consumers. For instance, the order by the Department of Telecommunications (DoT) to make Aadhaar-based verifications mandatory for all the existing mobile subscribers by February 2018.

When contacted, Cellular Operators Association of India’s (COAI) director general Rajan Mathews told The Indian Express that using Aadhaar-based e-KYC verification, mobile operators will be able to conduct the verification in a “much more secure way”. “Previously, it was a very document-oriented process and was subject to all kinds of leakages. We had to verify whether the documents submitted were true or fraudulent, and as a result, the industry was subject to a lot of penalties imposed by the DoT. This will hopefully reduce all that,” Mathews said. “Benefit to the consumer is that someone won’t be able to able to acquire a connection based on his or her fraudulent documents,” he added. Furthermore, according to COAI estimates, the industry will have to bear a cost of nearly Rs 2,500 crore to re-verify all of the existing mobile subscribers in India. Even though Mathews said that Aadhaar-based e-KYC was a much more secure way to conduct verification, legal experts believe that a lot needs to be done to make Aadhaar secure.

“It’s not just about making Aadhaar mandatory, it’s about creation and a continued subsistence of an Aadhaar ecosystem, which is going to be far bigger than Aadhaar. Before making Aadhaar mandatory, as a nation, we need to work on cyber security, which we have not. My personal belief is that with Aadhaar, India is sitting on a volcano, which is about to burst. You have no clue of what kind of potential ramifications Aadhaar breaches will have on people’s privacy, private lives and digital existence in the coming times,” said advocate Pavan Duggal, who specialises in cyber law.

“Aadhaar will constitute, according to me, India’s critical information infrastructure and if that stands compromised, India’s position as a nation will be thoroughly jeopardised. There’s no running away from the fact that Aadhaar is now a reality, so let’s start identifying loopholes and plug them before making it mandatory,” Duggal added.

Concurring with Duggal, another lawyer, who is involved in the Aadhaar case in the Supreme Court, said, on condition of anonymity, that making Aadhaar mandatory would also give rise to problems of exclusion on the basis of inability of a person to link their Aadhaar with a specific service due to any reason. “If a person is unable to link his Aadhaar with bank account or mobile number for any reason, it is as good as them not having Aadhaar. A lot of time Aadhaar linking does not happen for a host of reasons, including biometric failure,” the lawyer said.

A five-judge Constitution Bench of the Supreme Court is set to hear a batch of petitions on Aadhaar-related matters in November.

Schemes/Services for which Aadhaar number, authentication or enrolment is required

Linking of Aadhaar with Mobile Number
Department: Department of Telecommunications
Last date: February 6, 2018

Linking of Aadhaar with PAN card
Department: Ministry of Finance
Last date: December 31, 2017

Central Sector Scholarship Scheme for College and University Students
Department: Ministry of Human Resource Development
Last Date: December 31, 2017

Opening of post office accounts
Department: Ministry of Finance
Last date: December 31, 2017

Opening of National Savings Certificate
Department: Ministry of Finance
Last Date: December 31, 2017

Opening of Public Provident Fund
Department: Ministry of Finance
Last Date: December 31, 2017

Opening of Kisan Vikas Patra
Department: Ministry of Finance
Last Date: December 31, 2017

Pradhan Mantri Ujjwala Yojana
Department: Ministry of Petroleum and Natural Gas
Last Date: December 31, 2017

Employees’ Pension Scheme
Department: Ministry of Labour and Employment
Last Date: December 31, 2017

Availing crop insurance under Pradhan Mantri Fasal Bima Yojana
Department: Ministry of Agriculture and Farmers Welfare
Last Date: December 31, 2017

To receive benefits under Incentive Scheme for providing employment to Persons with Disabilities in the Private Sector
Department: Ministry of Social Justice and Empowerment
Last Date: October 31, 2017

Note: The list is not exhaustive

For all the latest Technology News, download Indian Express App

  1. R
    Reader
    Nov 2, 2017 at 8:59 am
    The biometrics-based Aadhaar program is inherently flawed. Biometrics can be easily lifted by external means, there is no need to hack the system. High-resolution cameras can capture your fingerprints and iris information from a distance. Every eye hospital will have iris images of its patients. So another person can clone your fingerprints and iris images without your knowledge, and the same can be used for authentication. That is why advanced countries like the US, UK, etc. did not implement such a self-destructive biometrics-based system.
    (0)(0)
    Reply
    1. R
      Reader
      Nov 7, 2017 at 7:41 pm
      If the biometric details of a person are COMPROMISED ONCE, then even a new Aadhaar card will not help the person concerned. This is NOT like blocking an ATM card and taking a new one.
      (0)(0)
      Reply
    2. R
      rajan
      Oct 17, 2017 at 6:46 am
      This aadhar scheme is the brainchild of an incompetent failed techie and a unqualified fraud and dramatist.
      (5)(0)
      Reply
      1. R
        Reader
        Oct 17, 2017 at 5:17 am
        A centralized and inter-linked biometric database like Aadhaar will lead to profiling and self-censorship, endangering freedom. Personal data gathered under the Aadhaar program is prone to misuse and surveillance. Aadhaar project has created a vulnerability to identi-ty fraud, even identi-ty theft. Easy harvesting of biometrics traits and publicly-available Aadhaar numbers increase the risk of impersonation, especially online and banking fraud. Centralized databases can be hacked. Biometrics can be cloned, copied and reused. Thus, BIOMETRICS CAN BE FAKED. High-resolution cameras can capture your fingerprints and iris information from a distance. Every eye hospital will have iris images of its patients. So another person can clone your fingerprints and iris images without your knowledge, and the same can be used for authentication. If the Aadhaar scheme is NOT STOPPED by the Supreme Court, the biometric features of Indians will soon be cloned, misused, and even traded.
        (5)(0)
        Reply
        1. R
          Reader
          Oct 17, 2017 at 5:27 am
          UK’s Biometric ID Database was dismantled. Why the United Kingdom's biometrics-linked National Identi-ty Card project to create a centralized register of sensitive information about residents similar to Aadhaar was scrapped in 2010?? The reasons were the massive threat posed to the privacy of people, the possibility of a surveillance state, the dangers of maintaining such a huge centralized repository of personal information, and the purposes it could be used for, and the dangers of such a centralized database being hacked. The other reasons were the unreliability of such a large-scale biometric verification processes, and the ethics of using biometric identification.
          (5)(0)
          Reply
          1. R
            Reader
            Nov 2, 2017 at 9:02 am
            The Aadhaar program was designed in 2009 by mainly considering the 'Identi-ty Cards Act 2006' of UK, but the UK stopped that project in 2010, whereas India continued the biometrics-based program. We must think why the United Kingdom abandoned their project and destroyed the data collected. (Google: 'Identi-ty Cards Act 2006' and 'Identi-ty Documents Act 2010' )
            (0)(0)
          2. R
            Reader
            Oct 17, 2017 at 5:34 am
            The US Social Security Number (SSN) card has NO BIOMETRIC DETAILS, no photograph, no physical description and no birth date. All it does is confirm that a particular number has been issued to a particular name. Instead, a driving license or state ID card is used as an identification for adults. The US government DOES NOT collect the biometric details of its own citizens for the purpose of issuing Social Security Number. The US collects the fingerprints of only those citizens who are involved in any criminal activity (it has nothing to do with SSN), and the citizens of other countries who come to the US.
            (4)(0)
            Reply
          3. P
            Paanchal Thakur
            Oct 17, 2017 at 3:28 am
            A criminal waste of public funds for a misconceived idea!!! In practice, biometric verification of IDs work satisfactorily only for limited groups of people like employess of offices, factories, etc. To make it a mass verification system for IDs of 1.3 billion people is sheer stupidity. The failure rate of 5-10 percent under ideal test conditions is in itself a disqualification. In reality, it is seen to be between 20-40 percent which is disastrous. It only proves that even though Nandan Nilekani is a master s-a-l-e-s-m-a-n, he is an incompetent technocrat. Using smart cards with embedded chips is the best available solution for authentication on a mass scale. If the Modi regime has an iota of wisdom, it will dump biometrics in favour of smart cards. It is better late than never to dismantle unworkable ideas conceived by incompetent people.
            (5)(0)
            Reply
            1. P
              Paanchal Thakur
              Oct 17, 2017 at 3:18 am
              In practice, biometric verification of iden y works satisfactorily only for limited groups of people like employess of offices, factories, etc. To make it a mass den y verification system for 1.3 billion people is sheer stupidity. The failure rate is 5-10 under ideal test conditions is itself a disqualification. In reality, it is seen to be between 20-40 which is disastrous. It only proves that even though Nandan Nilekani is a master sman, he is a incompetent technocrat. Using a smart card with an embedded chip is the best available solution for authentication on a mass scale. If the Modi regime has an iota of wisdom, it will dump biometrics in favour of smart cards. It is better late than never to dismantle unworkable ideas conceived by incompetent people.
              (2)(0)
              Reply
              1. Load More Comments