February 22, 2012
Mr. Nandan Nilekani
Unique Identification Authority of India (UIDAI)
Planning Commission, Government of India
3rd Floor, Tower II, Jeevan Bharati Building
Connaught Circus,
New Delhi - 110001
Re: Input to the UIDAI Process Review
Dear Mr. Nilekani,
We are a group of people who have come together recently under the banner of ThinkUID, with the objective of bridging the information gap on Aadhaar and expanding the public support for it. We understand from media reports that the UIDAI is conducting an internal review to strengthen its processes and to respond to some of the concerns of the Home Ministry and the Parliament. Based on our own experiences and interactions with various stakeholders, including ordinary residents, NGOs, and state governments, we have compiled a list of recommendations for your consideration:
1. Take active steps to accelerate the enrolment of the ID-less so that the original promise of Aadhaar may be realized without undue delay.
2. Streamline the enrolment process to make it a more pleasant and predictable experience for the average resident.
3. Strengthen public confidence in the Aadhaar System by supplementing the recently issued biometrics accuracy reports with additional steps to demonstrate that the system can’t be gamed by fakes and duplicates. Include participation of independent agencies in such exercises to increase their credibility.
4. Issue clear policies/guidelines on how residents can update their own demographic data without having to go through multiple touch points, and on how Registrars can keep their information in sync with the UIDAI’s with the least amount of hassle.
5. Consider certain confidence-building measures to show the UIDAI’s seriousness in safeguarding all personal data linked to Aadhaar numbers against potential misuse.
We elaborate on each of these points in the attachment. We will be happy to further discuss them with the UIDAI officials.
We would like to see the Aadhaar project succeed by achieving its objectives and making a marked difference in the life of Indian residents. Aside from these suggestions, if there is any other manner in which we may be of assistance, please let us know.
ThinkUID Core team
Sastry Tumluri, Raj Mashruwala, Raju Rajagopal, Tushar Vashisht
ThinkUID Recommendations to the UIDAI:
1. Enrolment of the ID-less: The government’s commitment to ‘inclusion’ of the poor and marginalized in the Aadhaar system must be prioritized in the next phase of work.
- Accelerate the enrolment of the ID-less; actualize and broaden the ‘introducer’ system; help Registrars explore other enrolment options, including partnerships with local NGOs who work with the poor.
- Publish targets and actual progress in reaching out to the ID-less.
- Work with other departments to roll out specific benefit programs for the ID-less -- the UIDAI must lead the way in showing how technology can accelerate the inclusion of the neediest.
2. Communications and transparency during the enrolment process: The public sees all Registrars and Enrolment Agencies as agents of the UIDAI; and public opinion today is largely based on personal experiences during enrolment and the speed with which the resident gets his/her Aadhaar number. Distancing the UIDAI from the responsibilities of Enrolment Agencies will not help the public image of the project.
- Advise Registrars and Enrolment Agencies on better managing the activities at enrolment stations and provide them tools to do so; provide special enrolment centres and/or drives for those who need extra help and care, e.g. differently abled, the elderly, the non-ambulatory, etc.
- Publish targets vs. actual experience on the time it should take per enrolment, so residents can compare their own experiences with those benchmarks.
- Set clear expectations on when one can expect to get his/her Aadhaar number once enrolment is complete. Put in place a mechanism that will respond to the fear of residents who have been waiting long that their data may have been lost.
- Once the inordinately high backlog of Aadhaar letter printing and mailing has been addressed, ensure that there are no future logistics bottlenecks.
- Display more informative statistics on the UIDAI website: e.g. No. of people Enrolled, No. Enrolled via NPR, No. De-duplicated, No. of Aadhaar Letters Despatched, No. Enrolled via Introducers; Average waiting time from Enrolment to Receiving Aadhaar Numbers = xx weeks, etc.
- Empower residents to monitor the performance of enrolment agencies and provide facilities for public grievances and suggestions on the spot.
- Revamp the help desk system, enabling it to provide useful information to the callers instead of merely asking them to wait. Create an active alert system to notify the callers when status changes.
3. Accuracy of Biometrics in Enrolment and Authentication: We are glad that the UIDAI has been sharing its proof of concept/pilot studies as well as actual experiences on the ground for public scrutiny. We think the UIDAI can do even more to earn public trust:
- Simulate various fraud scenarios to show that the system can’t be gamed by fake biometrics or by bypassing devices. Involve independent agencies in such studies to further enhance the credibility of the system.
- Explore ways to improve biometric accuracy during authentication with the least number of tries, as this will be far more crucial in gauging the efficacy of Aadhaar on-line authentication.
- Just as one can’t be denied enrolment on account of poor biometrics, ensure that no one is denied services because of biometric failure to authenticate. This requires improving biometric inclusion to those who have difficulty authenticating through fingerprints. It also requires a fool-proof back up procedure for those who can’t be biometrically authenticated.
- Help agencies in using biometric authentication in the correct manner by providing detailed guidelines, training state officials, and publishing various test scenario results.
4. Data Sharing and Data Updates: As the bulk of the welfare benefits flow to the needy through the states, the UIDAI must pro-actively help state governments streamline their processes for benefit delivery, with the recognition that Aadhaar is a necessary but not sufficient condition for actual service delivery. The ultimate test of Aadhaar will be how quickly the states can ‘Aadhaar-enable’ their databases and keep their beneficiary data current on an ongoing basis:
- Define when, where, and how a resident can make changes to their Aadhaar information; Issue a clear policy on how the UIDAI plans to coordinate its work with the NPR.
- Clarify exactly what will be available to the state. Take a proactive part in helping the states build (and operate) their databases (SRDH).
- Integrate KYR+ data capture function into the Aadhaar client, through a plug-in mechanism. This will help collect more KYR+ data by making it an integral part of enrolment.
- To allow SRDHs to collect KYR & KYR+ data from central Registrars: Using the plug-ins, allow the Aadhaar client to create 3 separate data packets (instead of the current 2) for use by central Registrar. The Registrar public keys used for this would be part of the plug-in code signed and controlled by the UIDAI. This would eliminate the need to generate separate binaries of Aadhaar client for each Registrar. The base client would remain the same. Each UIDAI-signed plug-in would have the KYR+ fields and the public key of the particular Registrar. Two plug-ins would be required at each central Registrar enrolment station - one for the central Registrar, one for the state Registrar.
- Take a leadership role in suggesting ways in which the state government can maintain accurate and up to date records, without a resident having to visit multiple touch points to update the same data. Ideally, when a resident approaches the government for a service, allow the SRDH to query the CIDR for up-to-date information on the resident. The request should be digitally signed by the SRDH or sent over authenticated channels such as a two-way SSL connection. In this, biometrics information may be omitted if a clear acceptable strategy is worked out between NIC, State Governments and the UIDAI for offline service delivery scenarios. If not omitted, minutiae formats may be better than sharing raw biometrics. Strict guidelines and monitoring mechanisms should be in place to ensure that this request mechanism originates only from SRDH and not any field device; that it originates only after the resident’s consent; that the response ends only at the SRDH and is not passed on as-is to the field; and that the data is used only for service delivery.
5. Privacy and Data Misuse concerns: Given the prominent role of Aadhaar in bringing about the much needed data convergence among welfare programs, it is not enough for the UIDAI to protect its own CIDR database. The UIDAI must shoulder broader responsibility to ensure that all data linked to Aadhaar are protected as vigorously by the respective data owners.
- Specify the data privacy obligations of the Registrar (as distinct from data protection obligations) in the MOUs, to cover both pre-enrolment and post-enrolment data. Provide for more active audit/monitoring and advisory roles to the UIDAI.
- Define the contents and archival duration of authentication records at the earliest, as many fears of data misuse emanate from lack of clarity on this issue.
- Take a more pro-active lead role in pushing for a national data protection and privacy law. In the meantime, take confidence-building measures where possible: e.g. commit to providing easy access to resident’s own biographic and authentication trail information, for updating and information purposes.
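
Added illustration, not part of the ThinkUID letter and not UIDAI code: a sketch of the repository-side checks that recommendation 4 asks for when an SRDH queries the CIDR (authenticated request, SRDH-only origin, resident consent, service-delivery purpose, no raw biometrics in the response). All field names, identifiers and records are hypothetical, and HMAC-SHA256 stands in for the digital signature so the example needs only the standard library.

```python
import hashlib
import hmac
import json

# Constructed registry: origin id -> (origin type, key). Hypothetical values.
REGISTERED = {
    "srdh-state-01": ("SRDH", b"constructed-demo-key-1"),
    "field-dev-77": ("FIELD_DEVICE", b"constructed-demo-key-2"),
}
# Constructed resident record held by the central repository.
RECORD = {"name": "Sample Resident", "address": "Sample Address",
          "raw_biometrics": "<raw image>", "minutiae": "<template>"}


def sign(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over canonical JSON; stands in for a digital signature."""
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def handle_query(request: dict) -> dict:
    """Apply the letter's request checks before releasing any data."""
    body, tag = request.get("body", {}), str(request.get("sig", ""))
    entry = REGISTERED.get(body.get("origin_id"))
    if entry is None:
        return {"ok": False, "reason": "unknown origin"}
    origin_type, key = entry
    if not hmac.compare_digest(sign(key, body).encode(), tag.encode()):
        return {"ok": False, "reason": "bad signature"}
    if origin_type != "SRDH":  # field devices may not query directly
        return {"ok": False, "reason": "origin is not an SRDH"}
    if body.get("resident_consent") is not True:
        return {"ok": False, "reason": "no resident consent"}
    if body.get("purpose") != "service_delivery":
        return {"ok": False, "reason": "purpose not permitted"}
    # Data minimisation: never release raw biometrics; minutiae only on request.
    released = {k: v for k, v in RECORD.items() if k in ("name", "address")}
    if body.get("include_minutiae"):
        released["minutiae"] = RECORD["minutiae"]
    return {"ok": True, "data": released}


def make_request(origin_id: str, **fields) -> dict:
    """Build a signed request as the named origin would (constructed input)."""
    body = {"origin_id": origin_id, "resident_ref": "PLACEHOLDER", **fields}
    return {"body": body, "sig": sign(REGISTERED[origin_id][1], body)}
```

The remaining condition in the letter, that the response ends at the SRDH and is not passed on as-is to the field, cannot be enforced by the repository and would fall to the guidelines and monitoring the letter calls for.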