Open Letter to the Finance Committee: Operational Design
The objective of the UID project is to provide identity infrastructure that is not susceptible to fraud or error. This note highlights parts of the operational design of the project, which are flawed. We plead that each point be taken into consideration and that the design be suitably revised.
Flawed aspects of the operational design
- During enrolment: false identities
Initial proof of one’s identity is best proved through multiple, standardized documents. The UID lists seventeen acceptable documents.1 Acceptance and verification of only one of these identities is necessary for enrolment. This is a lower standard than existing forms of identity such as the Passport or the PAN card.2
- During transactions: technology will not solve corruption
In every transaction that requires the use of the Aadhaar number, there are four points where corruption is possible and delivery of services will not take place:
- The technology fails, and does not perform authentication;
- The authority fails and delivers a false positive or false negative;
- The local administrator fails to deliver the service after authentication;
- The biometric fails due to biological changes, and thus the individual is denied benefits; and
- Fraudulent use of face biometrics at the transaction level.
- During transactions: high cost of centralization with limited benefits
Verifying unique identity for every transaction will introduce an unnecessary authentication overhead. In the UID Bill, there is provision for standardized authentication fees.3At some point service providers will pass on the authentication cost through a required authentication fee to the residents. This will take place with no entitlement of any service or guarantee against fraud.
- During redressal: no guarantee of quick and adequate remedies
The delivery of services is guaranteed only when there is an optional way for transactions to be completed. If an Aadhaar number holder attempts to complete a transaction, and the UIDAI rejects it, the individual can make a request for re-verification with the registrar.4
If the UIDAI still rejects the request, the individual must file a complaint to the UIDAI contact centre and wait for appropriate remedial action,5 yet the UIDAI is not liable for the loss of service.
- During upgrades of the system: patchwork approach to data protection
It is more secure to have pro-active data protection than re-active data protection. The data protection legislation that is meant to secure data processed in the UID project will be established only after the UID bill becomes law. One can only assume that the UID will respond to every new policy development in a patchwork fashion.