Category Archives: Aadhaar

All things Aadhaar…

Aadhaar : A Concept Note

The conceptual framework of Aadhaar

The state has to reach its citizens for various reasons. It needs to provide the citizens with services, and even products at times (in the form grant of physical items). It needs to provide the citizens with information and knowledge to lead a better life. Most democratic states today function as welfare states, and the functions and responsibilities entailing upon the states have seen a large increase over the last two centuries – functions that were considered purely in the private domain are now considered core responsibility of state (vaccination, for instance). In other words, the state and its citizens touch upon each other more frequently than at any other point earlier in time.

The state, therefore, needs to identity its citizens. Uniquely.

How the state identifies citizens and non-citizens

The state needs to identify its citizens to provide services. Certain services are meant even for non-citizens – rule of law, for instance. Many of the services in this latter category are in the nature of Public Goods, and citizens and non-citizens share these services in non-excludable and non-rivalrous ways. The state provides various means to identify these groups, in the form of various identity cards or inclusion in lists that provide certain benefits (BPL cards, for instance, provide access to BPL services). Because the various branches of the state provide different identity systems, most citizens usually have multiple identity documents. A minority of the absolutely disenfranchised do not have any document – citizens, and sometimes, non-citizens.

Thus, the following system existed a while back:

  1. Citizens and non-citizens were separate categories, who could prove their identity through different documents.
  2. Citizens mostly had multiple identity documents to enable them to interact with multiple branches of the state
  3. Some of the citizens could seldom avail services of state (except pure Public Goods), and had no identity documents. For the state, they are invisible (except, maybe, during the Census count).

With multiple documents in existence, there is a problem of duplication in access to services. Same person may avail multiple benefits from different branches of the state, although he may not be entitled. Many of these services are rivalrous – this means that a wrongful grant to someone is a wrongful denial to rightful claimant. Hence, there is a need to connect the various identity documents in such a way that wrongful inclusions are controlled. Or eradicated.

Aadhaar and unique identity

Therefore, the state has to identify its citizens uniquely. This way the state can identify which services the citizen/resident is availing from the various branches of the state. Because the state will now know each individual uniquely, it can discontinue the service wrongly availed earlier by a citizen. To take an example, a person can get two ration cards from different locations under two names (or even same name, as most ration card databases are paper-based and offline, and don’t talk to each other – there was seldom any centralised database, until recently), and take subsidised items meant for two persons when he should take only one. The difficulty in making fake or duplicate identity documents might differ, but almost all of the documents can be issued against duplicate names/identities. There was no criterion that could uniquely bind a citizen to a document in such a way that no two documents can be issued to the same citizen. This is where Aadhaar comes in.

Aadhaar provides that criterion for uniquely identifying a person by harnessing the biometrics of the person concerned. The biometrics – ten fingerprints, two iris scans, along with a headshot of the person – are taken against every person, matched against existing identifying documents provided by the person and verified in a preliminary fashion (Proof of Identity and Proof of Address documents), and then these two sets are combined together for a lifetime and beyond – after verifying that those ten fingerprints, two irises and the headshot have not been used by anyone earlier on that system. This creates a unique binary – each biological person, already identified through his PoI and PoA, is given a number that remains attached with him permanently.

Now that a unique number has been given to the person, his identity/number combination is a unique unit with which the different branches of the state interact. Aadhaar ensures that no person can have more than one number/identity attached to him. This ensures that the services do not go to duplicate identities against the same person.

However, for the benefits of Aadhaar to be reaped properly, all branches of the state must know of the Aadhaar number of the person. In this process, every service of the state in which a person is a beneficiary is attached with his Aadhaar number. This process is called Seeding.

Aadhaar and seeding

Aadhaar only provides a platform or paradigm for identity. It is not an identity card or a separate service. To remove duplicate entries from a service of the state – a process called de-duplication – it must be connected with every such service separately. This whole process is called Seeding. While the Aadhaar project was being fashioned, Seeding was presumed to be a given condition. However, various Supreme Court rulings presently make Seeding a difficult process. In the absence of Seeding, the full benefits of Aadhaar cannot be reaped.

Aadhaar and citizenship

The Aadhaar paradigm does not recognize the status of a person. It is a platform for mere identification of a person – and it does so uniquely for every person. Aadhaar does not separate the citizen from the non-citizen, the rich from the poor, the Dalit from the Brahmin, or the Kashmiri from the Bengali. These attributes are governed by other rules – legal and social. Thus, Aadhaar is not a proof of citizenship, like some other documents are – say, Voter ID or Passport. Aadhaar is given to permanent residents of India – those that have stayed for the last 182 days in India continuously. This would include all legal immigrants from all countries. Needless to add, this would also include illegal immigrants who are able to acquire supporting documents for being legally in India for the concerned period – however, the element of fraud can exist in any system or identification system to an extent. Aadhaar cannot be given to Indian citizens who have been away from India for the last 182 days – like the NRIs. Aadhaar is meant for residents of India, and whole Aadhaar ecosystem uses the term ‘resident’ for its clients/customers.

Thus, Aadhaar and citizenship are separate concepts. However, Aadhaar can be used to create a robust list of citizens. Presently, there is no such list of citizens with the state. Once that list is seeded with Aadhaar, it can be de-duplicated to create a clean list. How one is identified to be a citizen is a separate process, and Aadhaar comes into the picture only after such identification has taken place. Presently, such Aadhaar-based list is being prepared in only the State of Assam in its National Population Register. Rife with political controversies, NPR has not been undertaken in other states. In Assam also, the process is mainly being pushed by the Supreme Court.

The uses of Aadhaar

Aadhaar is seldom the basis of selection of a benefit being given by the state. Once identified to be a beneficiary, Aadhaar conclusively proves such a person, and authenticates him where required. When a beneficiary list is de-duplicated, it ensures that no person takes more than one unit of benefit, unless so permitted. In the present environment, de-duplication is the most major benefit of Aadhaar.

While the issue of seeding is embroiled in legal troubles, the Aadhaar-seeded separated databases cannot be connected. If and when Aadhaar-linked databases are connected, it can provide a lot of data and analyses on the use of the benefits. It can even provide awareness of wrongful drawal of benefits by some. For instance, a car owner cannot be in a BPL list. However, if both the BPL list and the car registration list are seeded with Aadhaar, the system can tell us which car owners are wrongly included in the BPL list – and they can be removed. This level of data-sharing is presently not allowed. However, it is possible to foresee a time in the future when various databases would become connected.

Aadhaar can also be used for Authentication. Aadhaar is a number which is tagged against certain information captured during the enrolment process – the biometrics, PoI and PoA of the resident. Thus, the Aadhaar number and any authenticating biometric (say, a fingerprint scan) may provide the underlying data and prove the identity of the person to the satisfaction of a person providing a service. This reduces the cost and time of verification, and improves the quality of data collection for a service provision (since the data comes verified by a govt. process). Given that this authentication process can also be availed of by private persons, authentication shall be a major application of Aadhaar. For instance, the mobile operator Jio used only Aadhaar based authentication for doing KYC for enrolling subscribers on their mobile platform.

Aadhaar and privacy

The state interacts with its citizens. And Aadhaar as an identity platform helps the state in making fruitful interactions. The frequency and quantum of interaction on the Aadhaar platform will tremendously increase in the future. Although the linking of databases presently faces a legal hurdle, it is realistic to expect that the benefits would outweigh the costs, and may inspire a change in the legal position. This interlinking of databases would enable to the state to know a complete picture of its interaction with a unique individual – compiled from all the branches of the state. This is a possible avenue of the loss of privacy of the individual. However, the scope of this apparent loss of privacy would depend upon a few factors:

  1. What transactions are recorded and for what period.
  2. Whether databases of various branches of the state are linked.
  3. What the state intends to do with the analysis of this data.

While the loss of privacy in a post-Aadhaar world is a valid concern, it must be contextualised with the loss of privacy in a hyper-connected world where each of our action leaves tell-tale digital footprints that is saved for eternity and shared for an auctioned price.

Aadhaar and federal relations

Aadhaar was borne of a Central resolution, and later backed up by a Central Act. It is funded by the Consolidated Fund of India, and partly through user charges and fees from the private entities in the Aadhaar ecosystem. The Aadhaar Act makes the use of Aadhaar mandatory for programs and schemes wherein expenditure is borne by the Centre. Many of the schemes are partly funded by the Centre – there is a legal argument borne by precedent that those partly-funded schemes can also make Aadhaar mandatory for participation. Further, many of the schemes by the State governments are also using Aadhaar, either for ensuring identity or even as a precondition for receipt of benefit. Additionally, even private entities are also harnessing the Aadhaar platform for authentication and related application.

Thus, Aadhaar provides a very interesting case wherein the federal relations between the Centres and the states are tested. The case of federal disharmony is more glaring in those cases where parties of different ideologies are governing in the states. West Bengal, for instance, has frequently raised concerns regarding the implementation of the Aadhaar and schemes harnessing it.

Aadhaar and the future

Aadhaar was born in 2010. From concept to implementation took a very short time, atypical of government projects – it helped that it was initially led by a superstar of private industry Sh. Nandan Nilekani, who inspired a start-up culture in the Aadhaar organisation, called UIDAI. Aadhaar has inspired political opposition in the initial days, but has seen a greater consensus lately and has come to be accepted as an identity platform. Being a powerful tool, it is being used or sought to be used by different branches of the state, with notifications coming out on a daily basis. It is a fast changing field where the possibilities of use and probabilities of abuse are great.

Can I have two Aadhaar numbers?

No.

An Aadhaar number is unique. The uniqueness works two ways, as I explained in So, what is so unique about Aadhaar:

  1. I and only I have that artifact, and no one else – no two person has the same artifact (an artifact can be anything to identify me – a name, number, visual/barcode, etc).
  2. The artifact belongs to me and I have no other artifact – no person has more than one artifact.

One can apply/enroll multiple times – however, since the Aadhaar number is issued against the biometrics of the person (which is unique), only one Aadhaar number would be issued. Ever.

There are various scenarios why a person can apply multiple times:

  1. The person may have forgotten he had applied earlier.
  2. The person may have lost his earlier enrolment details, and goes to enroll again.
  3. No Aadhaar number has been issued against the enrolment as the enrolment got rejected due to:
    1. Enrolment data was not uploaded properly by the operator.
    2. Data quality was not proper. Maybe the biometrics capture quality was not sufficiently good.
    3. The paper documents given may have failed the quality check of the Aadhaar issuing authority (UIDAI).
    4. The enrolment may have been rejected for any unspecified reason by Aadhaar issuing authority.
  4. One may have nefarious motives, and may try to get multiple Aadhaar numbers to create multiple identities.

However, Aadhaar cannot be created like a Driving licence. One person, though, tried to do the same. In this story, a person enrolled twice for Aadhaar, the second time using fake documents. Since the Aadhaar software does not know which is a false document and which is a true document, it merely issues Aadhaar to the first instance that passes through it (and qualifies their internal quality check). By happenstance, Aadhaar got issued against his false documents (because the data of the second enrolment was uploaded and processed before the other enrolment data). So, here is a gentleman who is stuck with a false identity. Since, he has now to compulsorily connect his PAN card, his mobile connection, his bank accounts and everything else with his Aadhaar (and Govt. is pushing hard for it), he won’t be able to connect anything, as the Aadhaar has wrong details.

As soon as this case to the notice of UIDAI (which must have been during the quality check when the second enrolment data was scrutinized against another Aadhaar number that had already been issued), legal action was taken and an FIR was lodged. The man faces upto three years in jail.

The newspaper article claims that the the man is now stuck with his false Aadhaar number for life. That he would have to change his name and restart his life. This is incorrect. Now that UIDAI knows that an Aadhaar number has been issued wrongly, his Aadhaar number would be withdrawn. Upon re-enrolment, he would be issued a fresh Aadhaar number. However, he would have to face the consequences for forgery, and action under Indian Penal Code as well under the Aadhaar Act would be taken against him. For all we know, he would get his valid Aadhaar number in jail! (Aadhaar is available to everyone who are habitually resident in India, even foreigners and convicted prisoners, but not illegal immigrants).

However, children below five years of age can have two or more valid Aadhaar numbers.

How can children get two or more Aadhaar numbers?

If you are reading this, chances are you are an adult. In which case your Aadhaar enrollment process is very different from that of a child below five years of age. Children of this age group (and there is no lower age limit – a baby can be enrolled as soon as it is born) are enrolled through a much shorter process. The following are the salient features of this process:

  1. Enrolment is online, and data is uploaded on real-time basis. Enrolment cannot take place if there is no internet. Adult enrolments happen on offline device.
  2. Enrolment is done with a tab and a fingerprint scanner. Total device cost is below Rs. 10,000. Being small in size and weight, they can be moved about more easily.
  3. During enrolment, only the photo of the child is taken. Fingerprints and iris scans are not taken. There is no detailed application process. Consequently, enrolment time is about 5-7 minutes, as against adult enrolment time of 20-30 minutes.

However, the real difference is the Aadhaar issuing process. In the case of an adult, fingerprint and iris scans are taken, and are tied to the person/number. If he tries to enroll multiple times (like in the case above), the server would check the new biometrics against the old ones (technically called de-duplication), and refuse a new number as one has already been issued. As I said earlier, Aadhaar number is truly unique – and it works both ways.

In the case of children below five years, no biometrics are taken. The child is tagged/mapped against the Aadhaar number of either its mother or father (in other words, the father or mother must have a valid Aadhaar number before a child below five years can be enroled, and he or she must be present during the child’s enrolment). Further, giving a name of the child during the enrolment is also not mandatory (imagine this – a baby of two days can be enrolled on Aadhaar, but he may not have a name yet). Thus, the same child can be enrolled – either by mistake or by mischievous design – more than once. The poor Aadhaar server would merely think that two separate children of the parent has been enroled. Further, if mother goes for enrolment once and the father in the next, Aadhaar server would merely think they are two separate babies (Aadhaar server does not know that the mother and father are related, or that they are wife and husband). In other words, since no biometrics are taken, no de-duplication is done while issuing Aadhaar number to a child below five.

This is so by design. Small children do not have fully formed biometrics, and they can change fast. The logistics of taking the biometrics and then updating them is huge – remember, we are a big country and there are many children here.

So, don’t be alarmed if there are two or more Aadhaar numbers for a child below five years. As soon as the child turns five, he shall have to update his Aadhaar number and give his biometrics. Now, he can have only one number – thus, after five years of age, one of his Aadhaar numbers would become infructuous.

Did you know?

A child below five having an Aadhaar would have to update his Aadhaar biometric details twice – once when he turns five, and again when he turns fifteen. As per present rules, no biometric detail needs updating if an update/enrolment has been done after fifteen years of age.

But don’t bank on this rule for staying put long. I am sure UIDAI is going to come up updation rules in a while…

 

Sakshi Dhoni ko gussa kyon aata hai?

Cricketer Dhoni getting his Aadhaar updated

सवाल है, साक्षी धोनी को गुस्सा क्यों आता है?

If you are the reading type, you would have come across this news: cricketer Mahinder Singh Dhoni goes to a Aadhaar shop to get his Aadhaar updated. The operator clicks a photo to capture his famous moment, and posts it online. He (presumably) clicks a photo of the online application of the update screen and shares with […] and it reaches his company HQ (in this case, a Govt. body called CSC SPV). The company boss, in a gloat-moment, uploads it on Twitter. On the other hand, the photo of Dhoni visiting the update centre is also shared by the IT minister in Govt. of India. The hapless wife of the cricket, Sakshi Dhoni, now expresses her angst: “Is there any privacy left? Information of Adhaar card, including application, is made public property,” she said. When she brings it to the notice of the IT minister regarding the release of the Aadhaar update application screen, he took it seriously and promised swift action: “Thanks for bringing this to my notice. Sharing personal information is illegal. Serious action will be taken against this.”

Action came the next day. The Aadhaar shop (a Common Service Centre under CSC SPV) is banned for 10 years. The poor fellow got punished for his moment with the famous guy.

Question is, is it a privacy leak that the application got leaked? Yes.

Then, is the Aadhaar operator liable for it, or the person who uploaded it on the Official Twitter head of the CSC SPV (which would have happened with management support)? Probably both, but the person who put it on public domain is more liable (do not that WhatsApp is private domain but Twitter is public domain).

Further, is the photo of Dhoni visiting the shop being leaked a privacy concern? Well, no. Mrs. Dhoni accepts as much when she replies to the IT minister that she is more angry about the application form being leaked than the photo her husband in the shop.

The way I see it, it is purely a collateral damage of celebrity status. A celebrity does not have any effective right to privacy. It is true that there is no explicit bargain that a celebrity makes with the society, but it is implicit. I lose my privacy for being famous. Mundane things of famous people are matter of curiosity among general people. It is undoubtedly true that uploading the application form of Dhoni on the public domain is illegal and foolish (it serves no purpose). However, the uploading was done precisely because of the fame quotient of Dhoni – the Aadhaar operator did not upload your or my application.

And therein lies the pitfalls of being famous. Do note, it has got nothing to do with Aadhaar or the security of Aadhaar.

Epilogue:

Lakshman: How secure is Aadhaar if an operator can upload someone’s application?

Rama: How secure is Coca Cola’s secret sauce formula, if the person holding it uploads it on the internet?

Hmm….

 

So, what is so unique about Aadhaar?

When we have less number of people, we can remember people from their names and faces. We still do, like inside our home. We may know the names and faces of a few more, outside our homes. But then humans have a way of increasing their numbers, and we have too many of them now. Today (2017), the estimated population of India is around 134 crores (1340 million).

And how big are the India states? Well, Economist has done a wonderful study, and the results are instructive (click the population tab in the visual below).


Simply put, India is larger than many, many countries put together.

So, how do you provide unique identities to so many people together? Have we not tried to do such things earlier? What do we mean by unique?

What is unique about the Unique ID?

Let’s deal with the unique bit first. Unique means “being the only one of its kind; unlike anything else”. If I have some identity artifact (number, card or anything else), it means two things:

  1. I and only I have that artifact, and no one else – no two person has the same artifact (an artifact can be anything to identify me – a name, number, visual/barcode, etc).
  2. The artifact belongs to me and I have no other artifact – no person has more than one artifact.

In other words, the uniqueness rides both ways. Let’s take real world examples to examine both cases:

  1. Let’s same my name is ‘Arjun Singh’. I can take a Driving License from ‘A’ RTO. So can another person named ‘Arjun Singh’. Thus, just the name does not give uniqueness. It is other pieces of information on the Driving License that provide uniqueness, like the DL number which would be unique to the ‘A’ RTO. In this case, Aadhaar is truly unique. Being a 12 digit number, there are 999,999,999,999 (999 trillion) possible combinations – there is no need to provide one number to two persons to accommodate in the database. In fact, Aadhaar number is issued not just for life, but even beyond life – your Aadhaar number is or will not be re-allotted to anyone else after you die. The number will just lie in some suspended account after your death is registered with UIDAI or some other Aadhaar connected database at some point of time (UIDAI won’t know when someone has died unless it is reported to them. Probably, the Birth and Death Registration System would be compulsorily seeded with Aadhaar soon to make that happen).
  2. Aadhaar ensures that I cannot have two Aadhaar numbers. Since Aadhaar is issued against my biometrics (ten finger prints and two iris prints) that are unique to me, and since only one Aadhaar number will ever be generated against those biometrics (that uniquely identifies me), Aadhaar is built up to be unique. Even if I want, I cannot get two Aadhaar numbers. A case in point is where a man tried to register twice on Aadhaar, the second time with forged documents. Only one Aadhaar was issued, incidentally, against the enrolment with forget documents. While most of the details given in the newspaper report are incorrect, it does point out the scenario where one person tries to get two Aadhaar numbers. However, it is easy to get other identity documents, with or without forged documents. For instance, you can get an identity or other document against real papers where the various databases are not talking to each other. For instance, many people have two or more Driving Licenses (that they use when one is confiscated or cancelled), or two or more Ration Cards (wherein they draw benefits in as many locations as they have cards). Aadhaar makes this impossible. As soon as you marry Aadhaar with these databases (through a process called Aadhaar seeding), those databases can also ensure that no duplicate entries are there (a process called de-duplication).

This is the conceptual framework that provides uniqueness to Aadhaar.

How else is Aadhaar so unique?

There are other levels of uniqueness in the Aadhaar project.

  1. This is conceived as a project that seeks to provide a standard identity document to all residents (as distinguished from citizens – do remember, Aadhaar is a proof of residence, and not citizenship).
  2. All residents is a huge number – about 134 crores (as per 2017) to be precise. This makes it the largest centralised identity system. Further, it is also based on biometrics. Hence, it is also the largest biometrics based identity system.
  3. Without going into the details of it, this is the technologically most sophisticated identity system. But to be fair, since Aadhaar is the latest such notable system, we have been able to leverage the latest technology that would not have been available to earlier systems.

So next time you say Aadhaar is unique, you can really explain why it is really unique.

 

Your biometric hardly matches

I touch you now and then,

Over a cold glass door. Moist,

Now and a little dry when

The cold rushes past, cracks

On my hand.

Then there are the scratches,

As I dig through clods of earth. Moist,

Now and a little dry when

The dry wind rushes, cracks

On my land.

You say, why do you have scratches?

Your biometric hardly matches,

Go now and come back in a week,

Put some Nivea lotion if you want,

Smooth your fingers with some magic trick.

My land is drier now, hands a little moist.

I put on oil and touch the glass door,

And again, it would not open.

I go back, and try no more.

_________________________________

Aadhaar has been a boon for the government. For many on the other side, this technology has been a barrier to a good life. Entitlement rejections is a commonplace instance. In this poetry I wonder how it must feel for a poor farmer to have his entitlement rejected as his ‘biometric hardly matches’.