Lessons from the World’s Largest e-Identity Program – India’s Aadhaar

Since its launch in 2009, India’s e-Identity program, Aadhaar has been the subject of intense debate. Its ardent supporters promote it as a solution to the country’s notoriously wasteful welfare system and its opponents label it a gross violation of privacy. Being Aadhaar-registered myself and having studied the development of the program extensively, the merits on both sides are evident. Given the scale and significance of the Aadhaar program, its evolution over the past nine years offers valuable lessons for the future of eID across the world. It is worth noting however that eID refers not to a single type of identity solution, but to a host of different solutions, varying in scope, objectives and underlying technologies.

Background

The roots of Aadhaar can be traced back to a 2005 report by the Government of India which shed light on the inefficiencies of the Targeted Public Distribution System (TPDS) – the mechanism through which subsidized food, cooking fuel and fertilizers, among other necessities, were delivered to qualifying citizens. At the time of publication of the study, it was found that only 43% of the government expenditure on food subsidies reached the Below Poverty Line (BPL) populations. [1]

These findings led to a process of extensive reflection on the means to streamline the subsidy delivery process, culminating in the formation of the Unique Identification Authority of India (UIDAI) in 2009, which today manages the Aadhaar program. As stated by the UIDAI, “Aadhaar is a strategic policy tool for social and financial inclusion, public sector delivery reforms, managing fiscal budgets, increase convenience and promote hassle-free people-centric governance. Aadhaar can be used as a permanent Financial Address and facilitates financial inclusion of the underprivileged and weaker sections of the society and is therefore a tool of distributive justice and equality”

Aadhaar is a randomly generated 12-digit number, unique to each Aadhaar holder. In order to obtain an Aadhaar number, residents are required to provide a combination of demographic information and biometric information including ten fingerprints, two iris scans and a facial photograph. According to the Aadhaar Act 2016, enrollment in the program is entirely voluntary. However, this hasn’t been entirely true in practice as shall be highlighted in the following sections.

Impact

Since the issuance of the first Aadhaar number in 2010, 1.19 billion unique Aadhaar numbers have been issued to Indian residents, making it by far the most inclusive government identity program in the country. [2] With its open APIs, Aadhaar has served as a foundation upon which an entire ecosystem of services has emerged, including eKYC, digital signatures, instant payment infrastructures, etc.

The launch of eKYC led to a significant fall in the cost of customer onboarding, leading to financial inclusion on an unprecedented scale. The Economist estimates that the cost of KYC is likely to have fallen from 1,500 Indian Rupees (USD 23.43) before Aadhaar to as low as 10 Indian Rupees (USD 0.16) currently. [3] As of October 2017, the annual per capita income in India was estimated to be USD 1,990. [4] As a result, prior to Aadhaar, large sections of Indians were not economically feasible customers for banks. The government reports that 309 million new bank accounts have been opened since August 2014, bringing hundreds of millions of unbanked Indians into the formal economy. [5] This has been supported in part by the introduction of Aadhaar based eKYC.

The Aadhaar eKYC Process

Note: The authentication process varies based on the service provider and the possession of an Aadhaar-linked phone number by the user. The process could also involve multi-factor authentication, combining the authentication mechanisms highlighted above in Step 1.

Linkages of Aadhaar numbers to bank accounts enabled the launch of the Direct Benefit Transfer (DBT) scheme by means of which subsidy benefits are deposited directly into the bank accounts of beneficiaries. DBT has helped plug leakages in subsidy delivery by fighting black marketing and eliminating fake identities, which deprived deserving citizens of their subsidies. The government claims that DBT has saved the exchequer USD 8.9 billion between 2013-14 and 2016-17. [6] The veracity of these claims has come under intense scrutiny by diverse actors, including the country’s own Comptroller and Auditor General. Nonetheless, even critics do admit that the DBT scheme has led to savings despite the inflated figures reported by the government.

Privacy Challenges

While the developmental potential held by Aadhaar has been displayed in the financial inclusion and savings recorded by the government, the future of Aadhaar rests upon the government addressing the privacy challenges associated with it. The usage of biometric data and the storage of this data in a centralized database have raised concerns since the conception of the project. The validity of these concerns was vindicated in 2017 when a YouTube clip displayed a replay attack, i.e. when the biometric capture is stored on a computer and reused for future authentication transactions.

In May 2017, a report by an NGO, The Centre for Internet and Society (CIS), revealed that four government portals had published data which revealed the Aadhaar numbers of 130-135 million residents and the bank account numbers of around 100 million residents. [7] And earlier this year, it was reported that at a price of USD 8, racketeers were selling administrator access to Aadhaar portals through which one could key in any Aadhaar number to find the corresponding name, address, postal code, phone number, email ID and photograph. [8] The UIDAI has dismissed this as a case of misreporting and the validity of this report remains unconfirmed.

To the UIDAI’s credit, there have been developments which bolster security over the past year. In September 2017, the UIDAI enforced the “Aadhaar Registered Devices” technical specifications which limit participation on the Aadhaar authentication network to devices complying with the newly established security standards. In January 2018, the UIDAI announced the launch of Virtual ID, a randomly generated temporary 16-digit number, with the objective of preserving the secrecy of the permanent Aadhaar numbers. Nonetheless, privacy concerns remain, paramount among them being the storage of biometric data on the UIDAI databases.

Challenges to the Constitutional Legitimacy of Aadhaar

In the aftermath of the privacy breaches, the future of Aadhaar currently hangs in the balance. The constitutionality of the Aadhaar Act (2016), which provides legal backing to the project, is the subject of litigation at the country’s Supreme Court. While petitioners have long challenged Aadhaar on grounds of breaching privacy, it is over the past year that the legal battles have gained impetus. The current government is pushing to make Aadhaar mandatory to access subsidies and to link Aadhaar numbers to bank accounts, phone numbers, income tax records and several other vital documents. While by law, enrollment in the program is entirely voluntary, the recent government push to make Aadhaar mandatory to access subsidies and basic services in the economy, is raising the costs of staying out of the system significantly.

In August 2017, in a landmark judgement, the Supreme Court ruled that the Right to Privacy is a fundamental right. In light of this judgement, challenges to the constitutional validity of Aadhaar are expected to revolve around three arguments: collection of biometric data amounts to a violation of bodily integrity, Aadhaar violates the right to informational self-determination and the threat of a surveillance state posed by linking Aadhaar to a host of services in the economy. [10] The Supreme Court of India has begun hearing petitions challenging the constitutional validity of the program.

Lessons Learnt

Citizen approval is necessary and is influenced by a variety of factors: The Aadhaar program with enrollment of 1.19 billion covers over 90% of the country’s population. Despite the widespread voluntary enrollment, existential questions linger over it owing to the privacy concerns plaguing the program. Keeping with the true spirit of democracy, it is vital that a structural reform of this magnitude addresses the concerns of its citizens satisfactorily. Furthermore, owing to the complexity of such programs, its success hinges upon effectively educating citizens about the benefits and the challenges. As evident in the Indian case, public opinion is shaped by diverse information sources including sources spreading disinformation. Thus, in democracies, it is of paramount importance that governments are responsive to public concerns and also effective in communicating their response to these concerns. In the Indian case, questions about privacy concerns have often been met with defiance, which fails to assuage the fears of the citizens. This offers lessons and also raises questions for democracies across the world making the transition from paper-based governance to e-governance.
Access Controls are vital: The biggest leaks associated with Aadhaar to this point have come from insiders. It is thus vital to restrict access to sensitive data on a “Need to Know Only” basis. The sale of Aadhaar portal access as reported by an Indian newspaper was enabled by Village Level Enterprises whose role had been rendered obsolete after the government revoked their licenses to enroll new Aadhaar applicants. This also highlights the need to update access permissions on an ongoing basis in line with the evolution of internal roles of network participants.
Training of concerned officials on compliance and security: The Aadhaar leaks also highlight the importance of training officials on appropriate handling of data. This would involve establishing a robust information security compliance code and ensuring that the concerned individuals are educated on the code.
Learning from attackers: The future of the Aadhaar program depends on the swift response of the UIDAI to the recent breaches, fortifying their defenses to prevent future incidents. Information security is often an arms race which means that it is impossible to design an infallible system. However, it is possible to minimize the risk of breaches by establishing a system for continual monitoring and learning, to protect against an evolving landscape of security threats.
e-Readiness: The final lesson revolves not around security, but around inclusion. In developing country contexts, it is vital that governments are able to develop strategic IT infrastructure which can enable the entire populace to benefit equitably from the introduction of digital service delivery mechanisms. e-Readiness extends beyond just the availability of IT infrastructure to e-literacy which is often necessary to access the entire range of services enabled by eID programs.