Send me an email if you want to get involved. There’s also an active group in Bangalore. Most people who are actively following this debate are on the google group uid-indias-orwell. For others, look at the article list below.
There is little discussion or clarity about the UID project in mainstream media. Most newspaper reports are essentially excerpts from the draft approach document with little critical analysis. However, many people in the civil society are raising important questions about the project. These concerns are around two main themes: the potential use of the database by the State for repressive and undemocratic ends; and the monetization of the database for private profit. There are multiple issues under each that should have been debated in the public domain before going full steam on the project. Following are some critiques that discuss some less publicized aspects of the UID project. If you have any other resources, please email me or add in the comments section.
- UID – Issue Overview (Download as PDF) (NEW)
- Justifying the UIDAI – A Case Of PR Over Substance?, Ruchi Gupta (EPW) (NEW)
- Biometrics are “inherently fallible” – conclusion of a 5 year US study by the National Research Council commissioned by none other than CIA, amongst others (NEW)
- For comments on the draft NIA Bill, please scroll down to updates on July 13 and 14 (4 sets – me, Usha, Graham and CIS)
- Draft Right to Privacy Bill
- UID Press Conference – Statement, Signatures and Short Video Transcript
- Profile of First UID Number Recipient and Possible Ramifications
- Unique Identity Bill, Usha Ramanathan (EPW)
- The Foundations of Aadhaar, Himanshu (Mint)
- Not All That Unique, Reetika Khera (HT)
- UID An Assault On Individual Liberty (Business Standard)
- Reimagining Citizenship, Ravi Shukla (EPW)
- Sovereign State and Mobile Subjects, Anant Maringanti (EPW)
- The Personal is Personal, Usha Ramanathan (Indian Express)
- High cost; high risk, R. Ramakumar (Frontline)
- The Politics of Identity, Ruchi Gupta (Indian Express)
- The Tips of Your Fingers, Jay Griffiths (Orion)
- UID Critique
- A Gathering Storm – How UID Will Transform India Into A Police State
- Implications of Registering, Tracking and Profiling, Usha Ramanathan (Hindu)
- An evaluation of biometrical fingerprint systems, Ton van der Putte and Jeroen Keuning
- UID Numbers – A Discussion
- Eyeing IDs, Usha Ramanathan (Indian Express)
- Prof. Kundu on the exclusionary use of the UID project
- A National ID Card Won’t Make Us Safer (Bruce Schneier via Nikhil Tripathi) (Talks about ID cards but most logic holds)
- UID Debate in Bangalore – Agenda, Panelists and Videos
Archive of all articles critical of UID / Aadhaar
UIDAI Documents here
An archive of all news reports, blog posts on UID here
Aadhaar / UID related tweets here
Video Excerpts from the UID Press Conference
Fallibility of Biometrics here
While the very concept of the UID project should have been discussed and debated in the civil society, given the advanced stage of the project (first #s expected between August 2010 – February 2011), complete transparency around the following questions is essential to ensure democratic end-use and rationalize costs.
Update (March 6, 2010): Response from Deepika Mogilishetty (Legal Advisor, UIDAI) in italics below
The MOU’s are being discussed with State Governments once finalised will be made available as public documents.
What are the legislative and design safeguards to ensure that state and central governments do not use UID numbers to selectively track individuals/communities, and/or withhold/withdraw essential services?
The UID system has some basic features that will safeguard individuals and will be reflected in the legislative and regulatory framework:
- information on the UID database about the individual is limited and the sole purpose is to establish identity of the UID holder,
- authentication services of the UIDAI will respond with a yes or no in relation to queries about a UID holder,
- UID database will not hold information on religion, caste, community, etc.
- UID database will not be able to confirm anything else about the person other than their identity in relation to their UID number.
- there will be no data flow out of the UID database, except under due process of law (e.g. court order).
- UID database will not contain any transaction data.
As regards delivery of services, this is the responsibility of the service provider, if there is unjust denial or withdrawal of service that is a matter to be resolved with the service provider.
If there is a denial of service due to authentication problems, UIDAI will have sufficient support systems in place to resolve the matter in a quick and effective manner so as to avoid any inconvenience to the individual.
The legislative and regulatory framework for the UIDAI is being developed and will be put up for discussion, comments and input from the public.
What are the incentives (in addition to the ~100 as registration fee) provided to private operators (insurance, telecom and banks) to share their customer database with UIDAI? Additionally how will the Authority prevent data convergence by these registrars and other private organizations?
Anyone who wishes to have a UID number can approach a Registrar and enrol as per the procedure prescribed. People who choose to enrol give their information with the full knowledge that it is for the UID number. The UIDAI is not paying Registrar’s to share their customer databases. Registrar’s who partner with the UIDAI are doing so with the intent of providing enrolling services to people.
The mechanisms to compensate Registrars are being examined and will be made available once a final decision is taken.
The data collected by the UIDAI is for establishment of identity and authentication, the UID database will be secure and there will be strict protocols in place to protect against unauthorised access and use. Convergence of existing databases will need to be addressed and governed under a larger data protection regime applicable to the whole country and therefore this is a matter beyond the mandate of the UIDAI.
The approach document estimates annual savings of Rs. 20K crore by eliminating duplicates in state welfare schemes. What are the underlying assumptions and calculations for this number?
The sum of Rs 20,000 crores is an assumption which has been arrived at based on reports of the Planning Commission and Comptroller and Auditor General which have quantified leakages in the PDS system (food and fuel subsidies), NREGS.
Various reports peg UIDAI cost at Rs. 15K-30K crore. What are the Authority’s internal calculations and what are the measures/processes in place to ensure rationalization of expenditure incurred? Where has the money allocated last year been spent, and what is the targeted expenditure for the Rs. 1900 crore allocated in this year’s budget?
The accounts for last year will be finalised by the end of March and will be published as soon as it is available. We propose to put into the public domain a detailed plan for spending RS 1900 crores allocated in this year’s budget.
The complete budget of the UID project is in the process of being formulated and will be made public when the exercise has been completed.
Update (March 3):
- Ravi Shukla argues that the UID will be be used “
as a node point bearing citizen data and therefore capable of operating as a facilitator and mediator of market information
- [...] [to move the definition of a citizen]
to debt legible consumer citizen as opposed to the relatively more inclusive idea of the political citizen
- .” (Reimagining Citizenship, EPW). The following
- in Economic Times supports his contention. UID #s will form the basis of collecting resident/citizen credit history to “score” their credit worthiness. This history is developed by information sharing by banks, telecoms, insurance etc companies thus essentially killing the individual’s right to privacy. Relevant excerpts below.A host of new credit information companies (CICs) are coming up to provide banks with a comprehensive database of borrowers’ track record. [...] Helping link the borrowers to their credit histories will be the Unique Identification Authority of India (UIDAI) with its social security-like number, which has received a government support of Rs 1,900 crore in the recent Budget. [...] Last week, the Reserve Bank of India (RBI) gave operating licence to Experian Credit Information Company [...] Experian is the first credit information company to receive operating licence after the Credit Information Companies (Regulation) Act was passed in May 2005. [...] Earlier in 2009 the central bank had given in-principle approvals to two companies — Equifax Credit Information Services and High Mark Credit Information Services. Both are expected to get full-fledged operational licences before the end of FY10. [...] CICs maintain a centralised database on borrowers and rate their creditworthiness based on the information on their existing liabilities and past repayment record. The scoring is based on the analysis of the information provided by banks, which have already extended credit facilities to the borrowers. If a borrower goes to multiple lenders, then new lenders will benefit from these scores while making a lending decision and pricing the loan appropriately.
The success of the model is based on information sharing between members
- [emphasis added] — NBFCs and banks. While Cibil enjoys a patronage of 200 credit grantors as members and has a database of about 1.5 million credit accounts, Experian has already obtained commitments from 39 lenders, even before starting full operations. Though the CIC Act has similar provisions for telecom and insurance companies, these are yet to take off commercially.
Update (March 19)
9 (i) states that the registrars can collect any additional information they may require in order to provide services. This renders the UIDAI assurance that only basic identity information will be collected (to prevent discriminatory profiling) useless.
9 (j) states that the registrar can charge the user a fee for UID enrollment. This is wrong because the beneficiary is essentially coerced into sharing the colossal costs of the UID project since service delivery will likely be made contingent on enrollment.
10 states that if UID is unhappy with the registrars (if processes and standards for enrollment are violated), then the Authority will make some attempt to work things out, failing which UIDAI “will have the option” de-register registrar or demand replacement. What will happen to the users who are enrolled through this “de-registered” registrar? Will they need to be enrolled again? What about the services they are using in the meanwhile? Also, registrars will likely get some financial benefit for providing enrollment services – if a registrar is de-registered, what about the penalties?
Update (March 14)
Census, NPR and UID Related queestion: UIDAI is using the Census as a registrar. However, information in the Census will be recorded as given, without documentary proof or other verification checks. On the basis of this information, the UIDAI will de-duplicate the NPR and issue UID numbers. How will the verification and enrollment standards of UIDAI be met?
Update (March 15)
This surprised even me – apparently biometric readers accept even photocopied fingerprints.
Update (March 18)
Census to skip Naxal controlled villages This news is significant because the Census will feed into the NPR, which will then be used to issue ID cards and also a UID #. In fact Nilekani calls the Census an “important registrar“. Another news report above talks about a Rs. 1000 fine for refusing to participate in the Census. The two combined together will essentially criminalize those individuals who are left out of the Census/NPR exercise as evidenced by the ID card/UID #. In Chhattisgarh especially, a villager without n ID card can easily be labeled by the police as a Maoist.
Update (May 4)
Significant differences between UIDAI’s PR speak and their actions. Some examples below.
Stated Position -> Actual
1. Constitution by Parliament Act -> Plan Comm Notification
2. UID # will be voluntary -> Conflated with mandatory Census and NPR; registrars may mandate enrollment before providing service
3. UID # to improve delivery of welfare services -> UIDAI not responsible for any improvements/leakages. Home Ministry launching a fingerprint database for criminals (Rs. 15K fingerprint reader in each police station of 22 states)
4. Data collection restricted to basic identity info -> MoU with AP/MP states that registrars can collect additional info required by them
5. Individual privacy will be protected -> We have no privileged information since the data already exists in many public databases
6. UID # will be random with no intelligence in # itself -> 12 digit number with 4 hidden digits (for pin/residence)
7. UIDAI will ensure data quality -> Registrar responsible for data quality; UIDAI and registrar not liable in case of intentional fraud by user
Update (May 5)
“The UIDAI would be proposing a UIDAI Act to provide for statutory powers and responsibilities to the authority. This Act would address the issues of privacy and data security of the UIDAI database,” Mr Nilekani said. This Act if it is to be meaningful and truly intended for regulation and not just parliamentary sanction for UIDAI must include certain safeguards to preemptively block certain types of usage, and protect the public in case of misuse or implementation glitches. Some draft UID-LegislativeSafeguards
Update (May 11)
UIDAI CSO meeting in Delhi on May 6h. Discussion was around three main areas: potential misuse (privacy, security etc); implementation ((in)efficiency of registrars; exclusion of marginalized groups like homeless, remote rural etc); and technological (feasibility; open-source software etc). Since there were around 35 people with diverse interests, the discussion wasn’t focused; however the following was agreed upon:
- UIDAI will share draft of UIDAI Act before submitting to govt (news report here)
- UIDAI will redesign website for RTI Section 4 compliance
- Future CSO meetings will be organized around specific interests – technology, economics, security concerns etc
- UIDAI will list concerns raised in previous CSO meetings and actions/decisions taken for each on their website
PM okays NATGRID despite opposition by Pranab (violation of privacy) and Antony (existing Joint Intelligence Committee satisfactory). Chidambaram, our resident human rights advocate says “The NatGrid will provide a system of information to all the agencies about any person the moment a button is pressed,” and “country can’t pay price in name of privacy”
UK moves to cancel National Identity Cards and National Identity Register: Both Parties that now form the new Government stated in their manifestos that they will cancel Identity Cards and the National Identity Register. We will announce in due course how this will be achieved.
Update (June 02)
Update (June 02)
1. All the CSO meeting notes are now up on the UIDAI website. As for action taken, I am not sure that the earlier meeting action items were specific enough to track point by point, but I do plan to write a consolidated action taken report soon. We will, however, start with the May 6th meeting notes for a point by point update as action is taken.2. We have been striving to get the UID draft law into shape for public comment and expect it to be available very soon. FAQs will be updated once the UID Law is out for comments.3. Srikanth Nadhamuni heads up the technology group (he was at the May 6th meeting, as you may recall). You may reach him at email@example.com. By copy of this e-mail, I am forwarding to him the technology/biometrics related questions you have asked.4. Re:NPR and UIDAI, as our DG mentioned on May 6th, there is a joint institutional mechanism set up to go into the details and we will update our FAQs as we get better clarity on the interfaces.5. I understand that a third party vendor is about to commence work on redesigning the UIDAI website soon. If you have a specific list of criteria to make the website RTI compliant, please do share them with us so we can discuss them with the vendor. At some point in the next few weeks, I do plan to come and meet Nikhil, Shekar and other MKSS folks for a follow up discussion of the May 6th dialogue.6. As for your questions related to budgets and other matters, responses to which will involve several disciplines with UIDAI, I plan to internally discuss practical mechanisms to respond to questions from CSOs and citizens, and I will get back to you. That aside, UIDAI has not been routinely responding to news reports such as the one you have referred to.
- UIDAI is using the Census as a registrar. However, information in the Census will be recorded as given, without documentary proof or other verification checks. On the basis of this information, the UIDAI will de-duplicate the NPR and issue UID numbers. How will this verification and enrollment standards of the UIDAI be met?
The FARs and FRRs have to be tuned as the system is operationalized for best results.
A very good question, The NPR exercise does incorporate a verification check, although it is not based on documentary proof. The process of verifying enrolments in the NPR is based on public display of the name and other fields with photograph at the village, any corrections that gets reported will get incorporated and only the verified list is sent to UID for enrolment.
- As per the Iris Paper, 10 fingerprints would yield de-duplication accuracy of 95%; the addition of iris scan will improve accuracy up to 99% (though the committee declines to make an accuracy prediction). Even assuming a 1% error rate, on a population size of 1.2B, this is still 12M errors (the incidence of error will be likely highest in poor rural areas given the quality of data collection and bad fingerprints). The UIDAI position seems to be that corrections/updation will be initiated by the user – are there any supplementary mechanisms?
There are 2 kinds of errors that can exist in such a biometric system:
1)FAR – False Acceptance Rate – The system falsely accepting person A for person B since their biometrics are very similar.
2)FRR – False Reject Rate – The system falsely rejects the biometrics from the same person as not matching.
The FAR and FRR of a biometric system are inversely proportional to each other (if you try to get better FAR, the FRR increases and the vice versa). In order to maintain a high level of accuracy as well as to reduce vendor lock-in we are designing 2 different sub-systems for ‘enrolment’(needs better FRR) and ‘authentication’(needs better FAR).
As you will see from the “UID Biometric Design Standards” report page 44( biometric accuracy) that with 10 fingerprints the FAR error is close to zero, this is relevant during ‘authentication’ another important consideration is UID authentication takes the UID number and the biometrics, which means we pull up the resident’s record and simply match the captured fingerprint against the 10 for that person only – a lot simpler problem, WE ARE NOT COMPARING THE FINGERPRINTS AGAINST 1.2BILLION PEOPLE during authentication.
During enrolment when we de-duplicate the enrolment records to maintain uniqueness, here the FRR become more important(don’t want to accept 2 duplicate biometric records as different and hence not catch a duplicate enrolment), but since the enrolment sub-system is quite separate from authentication we can try and improve FRR without any need to keep FAR low.
Update June 30
Email from Raju Rajagopal (CSO Coordinator)
The Bill states that the purpose of the identification numbers issues by the National Identification Authority (NIA) is to “facilitate access to benefits and services”. The range of services where these identification numbers will be used need to be explicitly defined, benefits quantified and the associated costs calculated.
Further, given that the identification numbers (UID) are being issued to facilitate access for the beneficiary, enrollment for a identification number must be 100% voluntary (for all services, regions, in the present and future). Given the voluntary nature of the UID number and its beneficent purpose for the enrolled individual, legislation should include only the essential enabling framework to realize benefits and safeguards against the misuse of the UID number and its database.
The comments on the draft NIA Bill have been made keeping the above in mind. It is also suggested that comments and feedback received on the draft NIA Bill must be made available to the public through the UIDAI website. Further a public meeting should be held to discuss comments received to develop public consensus. Last, the two-week window for comments should be extended to allow other interested persons to send feedback.
The main Sections of the Act, which need amendment/further specification, are summarized below. Detailed comments follow.
1.The National Identification Authority of India Bill, 2010 (NIA Bill) appears to be largely aimed at achieving statutory status for the Authority rather than its regulation
2.The Bill does not contain details of implementation, which are covered by the phrase, “as may be specified by regulations”. Parallel draft regulations should be put out for public review since potential for misuse is contingent on the details of implementation and safeguards included therein
3.Safeguards against misuse of UID numbers must be included in the Bill (see enclosure: 0713_UID_LegislativeSafeguards)
4.Clause 32(1) and 33(b) in conjunction are tantamount to tracking of individuals by the State. Further these two clauses have no relevance to the stated purpose of improving delivery of welfare services, and must be deleted
5.An explicit list should be made and included in the Act, for which UID numbers can be used. Any other use should be barred and enforced with strict penalties
6.UIDAI assumes no liability for any consequences to due security breach/inaccuracies. Moreover clause (46) gives it sole locus standing to move court. This clause must be deleted
7.The National Identification Authority must be an autonomous body, completely independent of the Central and state governments. The NIA must be answerable only to the Judiciary as per the provisions of the Act.
Further, I think it will be useful if the comments and feedback received on the draft NIA Bill were made available to the public through the UIDAI website; and if a public meeting could be held on the same to develop public consensus. Last, some interested persons have been unable to respond due to the short two-week window for comments – it will be helpful if the deadline for comments could be extended for at least another week.
Dear Ms Mittal
Please find attached my submission and covering letter.
Could you please confirm they have been received.
Will you be publishing submissions on your website? If so, you have my consent to publish both documents.
I hope you do publish submissions, as it will allow all those who have submitted, and other interested parties, to be better informed.
Graham Greenleaf AM
Professor of LawFaculty of Law, University of New South Wales – Room 224 UNSW SYDNEY NSW 2052 Australia (UNSW CRICOS Provider No: 00098G)
Co-Director, Australasian Legal Information Institute (AustLII)
Co-Director, Cyberspace Law and Policy Centre
Asia-Pacific Editor, Privacy Laws & Business InternationalInternational Scholar, Kyung-Hee Law School, Seoul, Korea, 2009-10 Third set of comments on the draft NIA Bill here (Center for Internet and Society, Bangalore)
Update July 15
With reference to Draft NIA BIll (Clause 33b): “It remains to be seen whether the legislative process will continue to exempt CIDR from all laws concerning, say, requests for data concerning criminal suspects, where perhaps the authorities hold fingerprints of a suspect but no other identifying data. Will the Authority be able to deny them access to the fingerprint matching which could disclose the name, addresses, photo, telephone number and email address of such wanted persons? It is also not unreasonable to ask whether, even if the first version of the legislation does do this, will it continue unamended?”, Graham Green, in response to the Draft NIA Bill. Download paper (recommended read)
Related: Ajay Maken recently announced fingerprinting in all police stations of the country, allocating Rs. 15K per police station to buy biometric readers. With UID fingerprinting all residents of the country, there’s the risk of police lifting fingerprints from various crime scenes, and asking UIDAI to match against database to get names, address etc of all people. There are many problems with this – fingerprint matching is not 100% accurate and innocent people could be harassed (read this article: http://www.nature.com/news/2010/100317/full/464344a.html); second, more likely, ordinary people will become suspects just by virtue of having been present at the scene; third, this type of evidence could be manipulated in insurgent areas, esp. given poor accountability record of our law-and-order machinery.
Even individuals pro UID concept have serious misgivings about the registration process and the potential for exclusion therein. UIDAI enrollment model is two-step outsourcing – first to the Registrars (state government; banks etc), who will further outsource part/whole enrollment to enrollment agencies (EA). UIDAI has therefore put out a list of 221 agencies authorized for enrollment. These enrollment agencies will be accountable not to UIDAI but to the Registrars, who will be accountable to UIDAI. Quick glance through the list – some of the qualified EAs include #21 Baruanagar Tea Estates; #34 Classic Coal P Ltd; #117 Manish Agarwal Engineers & Contractors; #160 Rhyme Organics & Chemicals Ltd; #163 Sagar Foods. Many of these will function in rural areas with low literacy rates. Each EA will incur a hardware cost of Rs. 3 lakhs and additional costs for training and space. UIDAI will pay EA for each enrollment. The eligibility threshold is just Rs. 50L turnover and 2-years of incorporation (see Amendments to RFE and Clarifications to Pre-Bid Queries for more details).
It’s very hard to imagine that all private companies (with a primary profit motive) will somehow fulfill their duties with complete honesty and sensitivity towards the marginalized enrollee.
Email to UIDAI
Hope you’re well. Just wanted to check in with you regarding the status of a few things we discussed earlier:
- Budget: You mentioned in your previous email the inability to provide details since it involved several disciplines within UIDAI. Since then news reports indicate that UIDAI submitted an annual budget of ~Rs. 7000 crore – can you please share?
- FAQ section: You indicated that the FAQ will be updated once the draft law’s been put out. Please let us know the status. One FAQ that many people are interested in is the potential linkage between UID and the National Investigative Agency and/or NATGRID. This seems to be substantiated by the draft NIA Bill, specifically clause 32(1) and 33(b). Please do include this question in the update (and circulate response prior).
- NIA Bill: Please let us know the next steps on the draft NIA Bill. Further, given the immense amount of interest in the Bill, it will be helpful if all the public comments received be uploaded online.
- CSO Meetings: Finally, is the tech open house in Bangalore (and any other CSO meeting) finalized? If yes, please do update the website so that interested persons may participate. In addition, can you please upload the minutes of the CSO meeting on migrant labor that you mentioned in your last email.
Update (Sep 22)
Update (Sep 22)
Update (Sep 25)
Email to Raju Rajgopal (UIDAI CSO Ccordinator):
attended by Nandan Nilekani and Pronab Sen from the PC. After an
initial intro, there was a flurry of questions from Moinul Hassan of
the CPI (M). He was quite provocative and it appears Nandan and Pronab
did not have answers for most of the questions. With Moinul Hassan
leading, the BJP members also joined in with many critical questions
and ultimately Nandan had to leave saying that he would come back
The main points raised were this:
1) Why do you want a Bill for this? Why cant you function under the PC
as a department?
2) Why do you want to come to us after starting the work? Are we to
stamp it uncritically?
3) How can you make this UID number compulsory for social schemes? If
we have universal rights over entitlements, how can we deny a right to
someone, just because he/she does not have a UID number?
I heard that for the 3rd question, even Pronab Sen agreed with the members.
In sum the social sector part came in for huge criticism. “Why are you
linking this number with all socail sector schemes?” was a constant
So, much work ahead. We are not to get complacent with this.
- There have been recent reports of hard questions asked by the Standing
- Committee on Finance to Nandan Nilekani on the NIA Bill – however the same
- committee is already advocating UID linked cash transfers, so how serious
- can those questions be – esp the one questioning the compulsory linking of
- social sector schemes with UID?
“The Committee would like to emphasise that direct cash transfers to bank
accounts of beneficiaries will also facilitate the process of ‘financial
inclusion’ being attempted by the banking sector. Such a scheme may also be
integrated with the Aadhar project of the Unique Identification programme to
be implemented on a national scale, which will go a long way in plugging the
rampant leakages in the dissemination of benefits to the poor,” said the