Operator Authentication in Aadhaar Enrollment
In a program as large as Aadhaar, it is not unusual for various types of fraud to be committed at different points. One common fraud is the creation of fake identities, a widespread issue in all other IDs issued to date. To prevent such fraud, the system must not only build in various safeguards, but also include vigilance and monitoring that raise alerts on potential fraud. It must also be able to trace every action by the resident, operator, supervisor and enrolling agency to allow for comprehensive checks.
Aadhaar relies on biometrics, not paper documents. The resident’s biometrics are essential to ensure that the resident is enrolled only once. However, the full set of biometrics (ten fingers and two irises) cannot be captured for every resident. To accommodate people whose complete biometrics cannot be captured, Aadhaar’s enrollment software allows for “biometric exceptions”. This enables the operator to record the missing biometrics and continue with the resident’s enrollment. It is essential that this feature not be abused by operators and enrolling agencies, so additional safeguards are in place. The operator and the center supervisor are the key individuals during the enrollment process. Both are first trained and certified. Both must obtain Aadhaar numbers, and hence provide full biometrics, before they can enroll residents. Both are issued a user name and password.
Operator security in Aadhaar enrollment
- Although the operator initially logs in with a username and password, (s)he is required to provide his or her biometrics with every enrollment, regardless of “biometric exceptions”. This is done to ensure that the operator’s username and password are not used by unauthorized persons.
- Even before de-duplication is done, the operator's fingerprint is checked to verify that the named operator was indeed present for the enrollment.
- If the operator's fingerprint does not match what is on record, the entire enrollment is put on hold and the enrollment verification process (see next section) is carried out.
- If the operator's fingerprint matches, the enrollment moves to the next step, de-duplication.
- If biometric exceptions are present (missing finger, missing eye), several additional steps are required during the enrollment. First, the operator must take the resident's photo showing the missing hand/finger or eyes. Second, a supervisor has to verify the details and approve the enrollment. The supervisor also has to provide his fingerprint as proof.
- In cases of biometric exceptions, which account for around 0.15%, biometric de-duplication is not possible. Instead, name and address are compared against the entire database to check for duplicates. A select number of them are also manually checked.
- Various reports are generated to ensure that the overall enrollment process is "within" control. For example, one report lists the number of enrollments per operator per day, per week and per month. Any operator with an exceptionally high rate of enrollment is flagged and investigated.
Operator exception process
This is the process for when the operator’s fingerprints don’t match in step 3 above. It was observed in Phase 1 (enrollment done from September 2010 until February 2012) that a significant number of times, the operator’s fingerprint attached to the enrollment did not match the fingerprints on record. There were a number of valid reasons for a non-match. A process was developed to allow the enrolling agency to review these exceptions and certify that the enrollment is genuine.
- The enrolling agency is notified to verify that the enrollment is genuine.
- The enrolling agency is legally responsible for data quality and authenticity of the enrollment. There are penalties and punishment stipulated in the EA contract.
- If the enrolling agency does not respond within 21 days, it is assumed that the enrolling agency has approved the authenticity of the enrollment. This limit was put in place because enrolling agencies were taking too long to respond, ultimately causing delays in Aadhaar enrollment turnaround time.
Bottom line: the enrolling agency is notified about the exception, and it is its duty to vouch for the authenticity of the enrollment.
Recently, a number of cases of fraud were reported. In one case, a person was enrolled with the name “Kothimeer” (Coriander) and with fictitious demographic details. In another, an operator was alleged to have fraudulently created fake identities. It is believed that he, or other operators using his name even after he was dismissed, carried out enrollments using “biometric exception”, claiming that the residents' biometrics were missing. In both cases, the supervisor must have colluded. Additional management staff responsible for checking the authenticity of the enrollment when the operator fingerprint did not match must have been complacent.
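The per-operator report described above, sketched as an added example (not UIDAI's own code) and extended to flag two further patterns the article discusses: an exception rate far above the roughly 0.15% baseline, and operator-fingerprint mismatches that were approved only because the enrolling agency did not respond within 21 days. The record fields, the thresholds other than 0.15% and 21 days, and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

BASELINE_EXCEPTION_RATE = 0.0015  # "around 0.15%" of enrollments, per the article
RATE_FACTOR = 10       # assumption: flag operators above 10x the baseline rate
VOLUME_FACTOR = 3      # assumption: flag an operator-day above 3x the median
MIN_ENROLLMENTS = 20   # assumption: a rate over too few enrollments is noise
EA_DEADLINE_DAYS = 21  # after this the enrollment is assumed approved

def operator_report(records):
    """Return {operator: sorted list of flags} for operators needing investigation."""
    per_day = defaultdict(int)
    stats = defaultdict(lambda: {"total": 0, "exceptions": 0, "defaulted": 0})
    for r in records:
        per_day[(r["operator"], r["day"])] += 1
        s = stats[r["operator"]]
        s["total"] += 1
        s["exceptions"] += bool(r["bio_exception"])
        # Operator fingerprint mismatch the agency never vouched for in time
        days = r["ea_response_days"]
        if not r["op_fp_match"] and (days is None or days > EA_DEADLINE_DAYS):
            s["defaulted"] += 1
    typical = median(per_day.values()) if per_day else 0
    flags = defaultdict(set)
    for (op, _day), n in per_day.items():
        if n > VOLUME_FACTOR * typical:
            flags[op].add("high_daily_volume")
    for op, s in stats.items():
        rate = s["exceptions"] / s["total"]
        if s["total"] >= MIN_ENROLLMENTS and rate > RATE_FACTOR * BASELINE_EXCEPTION_RATE:
            flags[op].add("exception_rate")
        if s["defaulted"]:
            flags[op].add("mismatch_approved_by_default")
    return {op: sorted(f) for op, f in flags.items()}

def sample_records():
    """Constructed data: (operator, day, count, exceptions, unanswered mismatches)."""
    batches = [("OP-A", 1, 40, 0, 0), ("OP-A", 2, 42, 0, 0),
               ("OP-B", 1, 38, 0, 0), ("OP-B", 2, 41, 0, 0),
               ("OP-C", 1, 45, 0, 0), ("OP-C", 2, 160, 12, 3)]
    recs = [{"operator": op, "day": day, "bio_exception": i < exc,
             "op_fp_match": i >= bad, "ea_response_days": None}
            for op, day, n, exc, bad in batches for i in range(n)]
    # One OP-B mismatch that the enrolling agency did review, after 5 days
    recs.append({"operator": "OP-B", "day": 2, "bio_exception": False,
                 "op_fp_match": False, "ea_response_days": 5})
    return recs

if __name__ == "__main__":
    print(operator_report(sample_records()))
```

On the constructed data only OP-C is reported, with all three flags; OP-B's single mismatch is not flagged because the enrolling agency reviewed it within the deadline.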