India – #Aadhaar Linkage and Other Travails

Many of us have been against the biometrics-based identification numbers since inception and even more vocal about the frightening implications of forcing us to link the Aadhaar number to our telephones, banks, investments, education, healthcare and almost every activity of our lives including death. We hope that the Supreme Court of India will hear our concerns and halt the crazy expansion of Aadhaar’s remit to give the government extraordinary control over our lives while compromising our privacy and finances in a poorly-governed country where there is no redress for citizens for their day-to-day problems.

However, the majority of Indians have no such fears. They dutifully enrolled for Aadhaar and even supported the biometric identification. For several of them, including senior citizens, the horrendous implications of biometric linkages began to sink in only when their fingerprints were rejected. Read this comment by Ravinder on Moneylife’s website to understand the panic and helplessness of a person who faces real-life issues. It  drives home the draconian implications of this Frankenstein’s monster.

Ravinder writes: “Myself, at the age of 64, also likely to lose my identity because of botched up implementation of the programme. My mobile phones are not getting linked; my bank account is likely to go inactive beyond 31st December: my pension will be stopped: my entry into airports is likely to be denied (as they are likely to introduce biometrics tools at the entry points): and all for the simple reason that the biometric machines do not recognise my fingerprints even after having them updated at Aadhaar Centre two times. The consequences are far reaching which one cannot imagine right now as more and more agencies start using the same. I have written everywhere, from UIDAI (Unique Identification Authority of India) to department of public grievances and others and also talked to mobile operators many times. Nobody listens. I am desperate and sometimes start thinking of ending of my life. It is getting too much for me to handle. It’s high time the Government and the Supreme Court does something about it.”

Worried at the tone of this comment, I called up Ravinder, hoping to reassure him. The conversation exposed how even a retired Central government officer is helpless in the face of callous officialdom. His banker reluctantly accepted his life certificate this year based on other identification, but warned him that his pension could be withheld the next time the biometrics failed. No solution was offered. His telecom service-provider’s solution was shocking—he asked Ravinder to obtain a phone in his son’s name so that Aadhaar is not a problem. This is a daft and disempowering suggestion to a financially independent senior citizen who needs his own phone for digital transactions. A similar suggestion was made regarding his property.

Do we seriously expect senior citizens to give up control over assets only because the government doesn’t care? Ravinder desperately sought solutions from UIDAI and others, but nothing happened. Every other day, UIDAI announces solutions to mitigate the problems of senior citizens, including not mandating biometric verification for them. That has yet to show results; moreover, we do not know if these biometric exceptions will lead to fraud in an already unverified Aadhaar database. Yes, Aadhaar data has not been independently verified.

Meanwhile, Ravinder and other senior citizens will remain in limbo until the five-member bench of the Supreme Court conducts a full hearing in January 2018 and decides the matter.

Even as conscientious objectors to the biometrics-based Aadhaar number have their eyes peeled on the Supreme Court hearing, it appears that information technology (IT) and cyber-security audit service-providers have been engaged in a quiet, but more serious tussle with the UIDAI. This is about the manner in which UIDAI empanels various service-providers and consultants.

All service-providers contracted by UIDAI are expected to have high competence, integrity and are approved through a fair selection process. But this is not being done. What better example of this than the quiet cancellation of a massive 49,000 Aadhaar enrolment centres on the ground that they were indulging in fraudulent practices? Today, when new Aadhaar linkage rules are being notified almost every other day, a number of enrolment centres where biometrics can be updated, linked or modified, have vanished. People have taken to social media to complain bitterly about the fact that even centres listed on UIDAI’s website do not exist; there are long queues at the few that remain. People are being issued about 20 to 30 tokens a day as part of a queue system to get the work done.

Meanwhile, more serious charges about UIDAI’s internal functioning have started surfacing. These include: nepotism in appointment of friends as consultants and bending rules to favour large consulting/audit firms or friends for Aadhaar enrolment as well as audit work even though they do not qualify, with disastrous results.

The selection of Aadhaar enrolment centres is a good example. India has two depositories connected to the two national stock exchanges that have the custody of sensitive dematerialised data and ought to be prime candidates for safe Aadhaar enrolment centres, since they already have verified data of millions of investors. Yet, the National Securities Depository Ltd is approved while the Central Depository Services Ltd (CDSL) has been rejected, although both these organisations are large and professionally-run and are owned by financial institutions. On the other hand, several registrars & transfer agents, with no prior experience, who are far lower in the pecking order, are approved as centres.

There is a lot of talk about how more sensitive contracts are being handed out too. On 11th December, UIDAI withdrew the appointment of Deloitte Touche Tohmatsu India LLP as an empanelment agency for conducting information security assessment of UIDAI ecosystem partners. This appears to have been the result of a spate of complaints about the appointment. Sources say that UIDAI had floated two similar requests for Empanelment (RFE) in May and November 2017, seeking applications for audits and e-KYC; but these weren’t widely circulated.

Further, the eligibility criteria were made ridiculously stiff, designed to keep out many qualified cyber-security firms. UIDAI imposed a requirement of a turnover of Rs300 crore in three preceding years, for work that offers a fee of just about Rs 1.65 lakh per audit! The Central Vigilance Commission has a set of guidelines to prevent government undertakings from gaming the eligibility criteria to allow their chosen firms to win bids. But this does not seem to bother UIDAI.

Strangely, Deloitte was allegedly chosen, although it did not qualify—at least, that is the case made out by one of the complaints sent to UIDAI that I had the opportunity to review. For instance, UIDAI required applicant companies to be registered in India for five years; have a minimum specified annual turnover in the past three financial years (as mentioned above); employ a specified number of technically qualified personnel; and have completed a minimum number of audit assignments. Deloitte, essentially a foreign company, allegedly, did not meet these criteria (the complainant had provided specific proof of this to UIDAI) but was still empanelled as the sole auditor of IT infrastructure security audit for a period of three years on 29th November.

We understand that several cyber-security firms have written to UIDAI in protest; soon after Deloitte’s appointment was withdrawn without explanation. UIDAI is going to be giving out a lot of contracts for cyber-security audits, given the manner in which Aadhaar linkages have been mandated by the government.  Instead of entering into cosy deals with select consulting firms, UIDAI needs to create a level playing field and distribute its audits to all eligible and qualified cyber-security auditors in a fair and transparent manner. Moneylife had sought UIDAI’s comments on these allegations of favouritism; we had received no reply, at the time of writing.

http://www.moneylife.in/article/aadhaar-linkage-and-other-travails/52480.html