Part of the problem in understanding how inadequate Aadhaar can be lies in the fact that most people cannot distinguish between authentication and identification.

RN Bhaskar

RN Bhaskar

Aadhaar, the world’s largest biometric identity scheme, is actually not capable of identifying anyone. It is merely an authentication scheme, and passports will continue to be needed as a foolproof means of identification.

This is the inescapable conclusion from the shocking response to an RTI query: the Unique Identification Authority of India (UIDAI) has sidestepped the whole issue of whether Aadhaar identifies an individual.

As Anupam Saraph, IT expert who filed the RTI request, says, “We had asked the UIDAI to explain the difference between identification of an individual and authentication of biometric or demographic data. The UIDAI ïn its reply [in a rather confusing manner] has stated that authentication is defined under the Aadhaar (Enrolment and Update) Regulations, 2016 (1 of 2016) as the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it.  This does not define identification.”

“The Unique Identification Authority of India does not identify anyone. “

Part of the problem in understanding how inadequate Aadhaar can be lies in the fact that most people cannot distinguish between authentication and identification.

For instance, as Saraph explains, when you get an email from a person named X, it does not automatically mean that X has written the email.  The user name and password may have been known to X’s secretary.  It is possible that the email has been written by the secretary, and not by X himself.  Similarly, when a hacker manages to get the username and password of X, he can send out messages in the name of X. The recipient may think that the email has come from X, but it has not.  It has been sent by the hacker, who managed to get the email service provider authenticate the username and password, and granted him access to the service in X;s name. That is nothing but authentication.

On the other hand, when a passport is given, this is done after the police identifies the person.  The police visits the homes of neighbours, and asks them if they know the individual concerned.  The names and addresses of the ‘identifiers’ are noted down for purposes of record. Only after such a process has been satisfactorily completed does the police give its go-ahead.  The applicant is then cleared for receiving the passport document.

The same thing happens when – conventionally — a person applies to a bank for opening a new account.  The bank asks the person to provide two witnesses who can identify him.  Only after the witnesses testify that they know the person, does the individual get a bank account.   The names of the witnesses are preserved as records with the bank. The individual has then been identified, not authenticated.

In both cases of identification explained above, the witnesses who have identified the individual will be held responsible for promoting misrepresentation or fraud or worse, if it turns out that the individual is someone else and not the person he claimed to be.

That is the reason why bank accounts are considered reasonable proof of identify.  Passports, in almost any country, are considered to be the highest level of proof.  That is also the reason why the present government’s willingness to remove the address page was problematic for many.  The passport provides proof of the person and his address.

The driving licence does this too, but it is given on the basis of documents.  The person is not identified the way a bank account holder is conventionally identified. Ditto with PAN cards. Election cards, however, are given on the basis of identification, but by the enumerators visiting the homes of the persons concerned.

And that is the reason why when anyone says that the passport will gradually become irrelevant as proof of identity in India and that Aadhaar would be considered as the most important document, such claims are laughable.  They are frighteningly worrisome as well. The passport process (and the election card process) actually identifies people.  The Aadhaar process does not.

So what is the Aadhaar process?  Well, to put it simply, the government of India appointed UIDAI (Unique Identification Authroity of India) without consulting the authorities in charge of the National Population Register (NPR) which is the final arbiter on citizenship.  The UIDAI in turn appointed several agencies who in turn appointed other agencies looking after the Aadhaar enrolment programme. This author, for instance, went to a centre manned by a share registry firm called Karvy.

At each Aadhaar registration centre, there are people appointed only for the purpose of such registration work.  They are usually temporary employees, with a limited job assigned to them. The process of identification, normally, should be done by people who are permanent employees – like bank officials or police personnel.  It is difficult to track down temporary staff when the process of identification needs to be audited.

The Aadhaar centre person collects two of your documents – passport, electricity bill, driving licence, PAN card, ration card – then takes your fingerprints and a retina scan. Anyone who has gone to an Aadhaar centre knows how rudimentary the facilities are.

Unlike the election card, or a passport, where the photograph is quite clearly visible for facial recognition, many Aadhaar cards have the photograph as a dark blob, making visual comparison of the Aadhaar photograph with the face almost impossible.  So one has to reply only on the Aadhaar number. It is this number which is then authenticated by the UIDAI’s central servers as belonging to a particular name.  If the original applicant had submitted forged documents either in collusion with the temporary staff of the Aadhaar registration centre, or without the knowledge of the staff, the person will be “authenticated” not identified.  Even a photograph comparison with the face is not possible. Nor is there the image of a signature that PAN cards have.  The entire process hinges on a number, nothing more.  And this is authenticated, not identified.

That raises the next question:  Have frauds been discovered?  The answer is yes.  According to a statement made by Union minister Ravi Shankar Prasad on 10 April 2017 and widely reported in the media, as many as 34,000 Aadhaar registration agencies had been blacklisted.  There is no indication as yet of how many people these agencies had already registered for their Aadhaar cards.  Experts believe that assuming 50 people at each of these centres for 365 days a year, the numbers registered could easily exceed half a million.

Hence it is ironic that the Aadhaar card is being used for identification. “This revelation comes even as the Supreme Court is hearing over 22 PILs challenging the use of Aadhaar. The Aadhaar is being used widely by government and private parties for identification of individuals. The revelation that the UIDAI does not identify anyone comes as a shocker for processes that rely on the UIDAI for identification,” says Saraph.

“It is evident that the UIDAI distorts the legal meaning of identification and authorisation causing legal sanction to processes that have neither the consent nor the knowledge of authenticated individuals as they were never identified,” he adds.

Can this lead to huge financial frauds? Yes, indeed. But that will be discussed later. But an indication here should suffice.  The government has allowed authentication through an Aadhaar card enough to get a SIM card, transfer property, transfer money and even open bank accounts.  No longer will the bank manager be required to identify the proposed account holder. Suddenly, authentication is sought to become more important than identification.