UID: Soldiering on
Having gone past phase one, barring a few hiccups, the UID project looks set to achieve its target of giving half of India a unique identification number by 2014. By Harshal Kallyanpur
UID has by far been one of the most significant technology projects undertaken by the Government of India. Designed to give a unique identification number to every citizen in the country, the project would eliminate the need for every citizen to provide a lot of different proof of identification documents in order to get their work done.
The main purpose of the project was to ensure that each and every citizen, regardless of his socio-economic status, could partake of public services from the government. At the same time, UID will also enable an Indian citizen to provide a single proof of identity while availing of different public and private citizen facing services.
The government initiated the project back in September 2010. During the last two years, the UID project has seen enrollments occur across the country with people in many regions, proactively coming forward to get themselves registered for a unique identification number.
It you are a citizen of Mumbai or Bangalore, it is quite likely that you would have heard of the enrollment process at a nearby government-designated enrollment center, such as the municipal corporation office. Enrollment centers have also included banks and post offices. The first phase saw citizens being enrolled across regions such as Andhra Pradesh, Maharashtra, Karnataka and Delhi.
According to RS Sharma, Director General & Mission Director, Unique Identification Authority of India (UIDAI), having enrolled over 20 crore residents ahead of schedule, the UIDAI has now been given the mandate of enrolling 40 crore additional residents by September 2013.
“The second phase of enrollments have commenced in states such as Punjab, Haryana and Himachal Pradesh and will shortly commence in other states as well,” informed Sharma.
Having completed the first phase and, at the onset of the second phase, as of April 2012, the UID project had seen close to 17 crore ‘Aadhaar’ IDs being generated. In its second phase, the project has already seen 6.5 lakh enrollments in Chandigarh, 5.8 lakh in Haryana, 36.2 lakh in Himachal Pradesh and a strong 96.63 lakh enrollments in Punjab.
Data collection: the key challenge
The success of the UID project lies in the accurate collection of information about citizens. However, this has often proved to be the bane of the UIDAI. While it may have had the back-end processes in place, the actual data collection, at the grassroots level, has been subjected to a lot of scrutiny and criticism due to its seemingly inefficient execution.
In most cases citizens, especially those belonging to the backward sections of society have been largely unaware or uneducated about the process. This has led to errors and malpractices in data collection, or at the registrar level where people are assigned to collect the information.
For instance, there have been reports suggesting that information has been captured incorrectly during enrollment. In other cases, while a citizen has got an Aadhaar card and it displays his personal information correctly, the photograph on the card is someone else’s.
There have also been news reports claiming that local politicians have been caught posing as registrars to issue fake UID cards. This situation is compounded by the fact that there would be many citizens who are unaware of the right approach to getting registered for Aadhaar. There have also been claims that anyone can get registered for a UID number by using fake credentials or documents. Some fear that this can lead to illegal immigrants sneaking into the country and getting enrolled in the UID system, a system that is meant solely for the citizens of India.
Therefore, the greatest challenge for the UIDAI is to ensure that data gets captured accurately. This might require them to take a fresh look at some of the existing processes and redesign the same.
Personal information storage
According to Vijay Mhaskar, Vice President, Information Management Group, Symantec India, the government is aiming to cover at least 600 million citizens by 2014. This essentially translates to 600 million photographs, 1.2 billion iris scans, six billion fingerprints and a colossal 600 million addresses.
The UID project mandates the aggregation of data from thousands of delivery centers, branch offices and partners into a central database. Given the magnitude of the project, it translates into an explosion in the volume of information residing in a central database. Managing data volumes this large while ensuring data privacy and information security, will be the primary challenge for the project.
Biswajeet Mahapatra, Research Director at Gartner was of the view that there were still apprehensions around how data was being stored in a database as large as that required for the UID project and how this data would be used, who would be able to access it etc.
He added that the data would be used for authenticating a person for a variety of applications including financial transactions, land records and other confidential information. Having a single point of access to such sensitive information is definitely a cause of concern.
There is uncertainty about who will shoulder the responsibility in the case of data theft or misuse, hacking or any other form of malicious attack carried out on this database. There is also uncertainty about how the current cyber-crime laws would apply to this system and if they can be beefed up in order to protect this data.
The relatively lower levels of regulation and lack of stringent regulations around personal information in India was held up by Mahapatra as an example of how things could go wrong. He gave the example of random telemarketers calling up people to sell products or services. In many cases, they obtain a person’s complete personal information from a database that, in many cases, could be leaked by someone from a competing organization.
With data confidentiality laws being readily exploited, security around personal information getting captured as a part of the UID project remained a concern, felt Mahapatra. “With the UID project storing information about every Indian citizen, including senior government officials and key personalities, an attack on this data could have repercussions at a national level.”
Mhaskar mirrored this view, “Unlike in the case of other enterprises, the breach of data in government organizations can have direct repercussions on the lives of citizens as opposed to solely affecting the bottomline. This drives home the point that cyber security needs to be heightened in such projects.”
He added that identities were quite valuable and that the potential to misuse them was rather high. It is vital that UIDs are protected and made accessible only to authorized individuals. Even those individuals should not have unfettered access as there has to be accountability at all levels.
Putting the right security measures in place involves first defining policies around who can access confidential information. For instance, data gets collected at various centers throughout the country. To prevent it from falling into the wrong hands or getting leaked, security approaches, such as encrypting data before transporting it, are required.
In this case, all of this information pertains to the sensitive and confidential data of citizens. This entails a need for security measures that ensure that this data is easily recoverable and accessible as and when needed.
Comprehensive retention and archival policies are required, especially since this project involves long-term retention of data for a period of a century. In addition, UIDAI would also need high-availability and disaster recovery capabilities with automatic failover in the event of a disaster.
“As the volume of digital data grows rapidly, it will create a gap between the digital data being created and the amount of available storage. We need to consider how and where to store data, keeping in mind hardware costs, management overheads, etc,” said Mhaskar.
Moreover, the same data (such as residential addresses) is stored under different names by multiple people leading to data duplication. It becomes necessary to have mechanisms that ensure that data is captured and stored after being deduplicated without any loss in the integrity of the data.
Mahapatra was quick to add, “The entire process of data collection itself has overrun its budget. Ensuring such high levels of security for the data centers hosting this data will result in an additional financial burden.”
Improving enrollment efficiencies
The UIDAI has taken steps to optimize the enrollment process. However, it would continue to have multiple registrars as this, according to Sharma, offered the most efficient and effective way of completing Aadhaar enrollments in the shortest possible time. It also offered scalability in enrollment, as well as choice to the residents.
“Registrars have been strongly advised to use only UIDAI empaneled enrollment agencies. A critical condition prescribed by the UIDAI is the prohibition of sub-contracting of enrollment work. This must be adhered to by all enrollment agencies,” he added.
Registrars will now have to ensure the presence of verifiers who, in turn, will verify enrollment forms in accordance with the defined procedure and process. There will also be periodic performance checks to ensure that processes are followed.
Accessibility to enrollment centers could also be an issue. UIDAI will run a special campaign to identify and cover the marginalized poor as well as people with disabilities.
Registrars will also be required to establish long term/permanent enrollment stations, which would also act as centers for information updation in the medium to long term. They would also need to develop location-specific enrollment plans and review the Pin Code database in order to ensure error-free enrollments.
“The focus will be on ensuring a high quality of data. Each demographic error will attract a penalty of Rs 150. Process violations, such as capturing biometrics of the wrong person, will lead to a penalty of Rs 500 for every error,” informed Sharma.
Technology to the rescue
For ensuring accuracy in the second phase, the UIDAI is deploying new client software that will look at addressing issues that came up during the first phase.
Sharma explained that the quality of fingerprints varied considerably for citizens engaged in manual labor. In order to ensure the inclusion of these citizens in Aadhaar-enabled service delivery or Aadhaar-enabled payment delivery, it is important to identify the best finger(s) and take the prints of those thereby improving authentication accuracy.
“An API has been developed to facilitate Best Finger Detection (BFD). The best finger for a resident is the one that, when selected for authentication, provides the highest chance of successful authentication for that resident,” said Sharma.
According to Sharma, UIDAI worked with many software, hardware and services vendors for various aspects of the Aadhaar system. The system is said to be built on the principles of vendor neutrality and works with a heterogeneous collection of best-in-class products that are based upon open standards. UIDAI also works with experts in various areas such as biometrics, security, etc and constantly engages and provide vendors with a platform for sharing technology and strategy inputs with the UIDAI team.
Open learning and knowledge sharing sessions conducted over the last couple of years in the areas of next generation data center technology, biometrics, security, software architecture, etc with experts who had shared their views and experiences with the UIDAI team had further helped them in choosing the right kind of technology partner.
For instance, on the hardware side, BioScan10 from BioEnable Technologies, one of various fingerprint scanners that has been certified and adopted by the UIDAI, has seen wide acceptance across enrollment centers in Maharashtra, Andhra Pradesh, Madhya Pradesh, Rajasthan and Bihar. Its ability to capture fingerprints faster with the user not requiring to exert excessive pressure for fingerprints to be captured, is said to be one of the key reasons for its popularity.
The project is currently largely in the enrollment stage. The UIDAI is working towards making its processes more efficient so that it can quickly reach the desired objective of creating a complete database that identifies every citizen in the country. The government, on the other hand, has been working towards making the Aadhaar number a de facto mechanism for many public facing services. In particular, it has aimed to bring the underprivileged into the net of these services. Vendors too have taken note of this and are working on projects that would leverage UID numbers. SAP, for instance, is working with a few device vendors to create a capability wherein, by leveraging the Aadhaar platform, money transfer can be carried out for individuals who lack a bank account.