Centre for Internet & Society

The objective of the UID project is to provide identity infrastructure that is not susceptible to fraud or error. This note highlights parts of the operational design of the project, which are flawed. We plead that each point be taken into consideration and that the design be suitably revised.

Flawed aspects of the operational design

  • During enrolment: false identities

Initial proof of one’s identity is best proved through multiple, standardized documents. The UID lists seventeen acceptable documents.1 Acceptance and verification of only one of these identities is necessary for enrolment. This is a lower standard than existing forms of identity such as the Passport or the PAN card.2

  • During transactions: technology will not solve corruption

In every transaction that requires the use of the Aadhaar number, there are four points where corruption is possible and delivery of services will not take place:

  1. The technology fails, and does not perform authentication;
  2. The authority fails and delivers a false positive or false negative;
  3. The local administrator fails to deliver the service after authentication;
  4. The biometric fails due to biological changes, and thus the individual is denied benefits; and
  5. Fraudulent use of face biometrics at the transaction level.
  • During transactions: high cost of centralization with limited benefits

Verifying unique identity for every transaction will introduce an unnecessary authentication overhead. In the UID Bill, there is provision for standardized authentication fees.3

At some point service providers will pass on the authentication cost through a required authentication fee to the residents. This will take place with no entitlement of any service or guarantee against fraud.
  • During redressal: no guarantee of quick and adequate remedies

The delivery of services is guaranteed only when there is an optional way for transactions to be completed. If an Aadhaar number holder attempts to complete a transaction, and the UIDAI rejects it, the individual can make a request for re-verification with the registrar.4

If the UIDAI still rejects the request, the individual must file a complaint to the UIDAI contact centre and wait for appropriate remedial action,5 yet the UIDAI is not liable for the loss of service.

  • During upgrades of the system: patchwork approach to data protection

It is more secure to have pro-active data protection than re-active data protection. The data protection legislation that is meant to secure data processed in the UID project will be established only after the UID bill becomes law. One can only assume that the UID will respond to every new policy development in a patchwork fashion.

1http://uidai.gov.in/index.php?option=com_fsf&view=faq&Itemid=206&catid=24

2 http://passport.nic.in/, http://nrisharejunction.com/pan.aspx

3 Chapter 3, Section 23 (2) (o): The National Identification Authority of India Bill 2010

4 http://uidai.gov.in/UID_PDF/Front_Page_Articles/Documents/Strategy_Overveiw-001.pdf

5 http://uidai.gov.in/images/FrontPageUpdates/aadhaarhandbookver1.2.pdf pg.18

The views and opinions expressed on this page are those of their individual authors. Unless the opposite is explicitly stated, or unless the opposite may be reasonably inferred, CIS does not subscribe to these views and opinions which belong to their individual authors. CIS does not accept any responsibility, legal or otherwise, for the views and opinions of these individual authors. For an official statement from CIS on a particular issue, please contact us directly.