Inconvenient Truths
Vickram Crishna, IIT Delhi Alumnus
Ram Krishnaswamy, IIT Madras Alumnus
mendacious: (m’eh’n-d’ay’sh’uh’s) adj. Lying; untruthful: False; untrue.
ingenuous: (‘i’n-j’eh’ny-’uh’s) adj. Lacking in cunning, guile, or worldliness; artless: Openly straightforward or frank; candid
Some time ago, Mr Nilekani was quoted by an Indian newspaper, describing his work at UIDAI . Some highlights of this interview, in the light of the very recent incident in Delhi, on Feb 11, when he, together with Mr Pronob Sen of the Planning Commission, met the Parliamentary Standing Committee on Finance, make for an absorbing read (if you like cliffhangers).
The Committee is reported to have been puzzled by the UIDAI approach. In its haste to have the Aadhaar established as the most superior verification solution, it has been fencing around alternatives. It now seeks to discourage work-seekers who are not registered with Aadhaar.
Members of Parliament asked Mr Nilekani at the Standing Committee meeting to explain why mandatory links were being forged between Aadhaar and social benefit schemes (his earlier boast was that such links would be ubiquitous, not mandatory, wordplay that evidently did not impress the Committee). He could not answer this (it has been asked before by members of the public, but he refused to answer in such fora also). Instead, he is said to have promised to return with a PowerPoint presentation that would allay their doubts! An extraordinary response, and an extraordinarily weak promise. A Minister who failed to deliver an answer to such a question in a House of Parliament could lead to loss of confidence in the Government, if our Parliament functioned as planned.
He told the newspaper, “Our focus is on people who are marginalised and vulnerable, the migrants and the homeless. They are the ones who need Aadhaar the most.” Unfortunately, the UIDAI has not substantiated this reasoning with any published research. How large is this segment, and to what extent do they deserve specialised treatment that will not be available to some other segment of the people who are disempowered in other ways? The UID is only useful to such people when it will be usable universally, meaning the entire country is blanketed with identification nodes connected as needed to the UID database, which in turn must be linked 24/7 with all other databases that might be needed to affirm the claimed aspect of the identity (be it BPL or a credit card).
When will this day come? Till it happens, we will see one segment of the people favoured over others, simply because their peculiar circumstances might be well served for using UID, whereas some others may be left out for years to come. Most likely, the charmed segment lives in those parts of those cities that are also perceived to be ‘better’, given the endless migration of people from rural to urban conglomerations. However, registering for Aadhaar is meant to be voluntary, and denial of benefits should not be a stick used to browbeat citizens. No wonder the Parliamentarians perhaps felt that Aadhaar had not been fully thought through.
- Has there been any study of the alternative paths possible to supporting the ambitions of people to enter the mainstream (assuming that awareness about what the implications of being mainstreamed is becoming widespread)?
- What costs did they envisage?
- What were the pitfalls in them, and how do they compare to the possible pitfalls that await an implementation like Aadhaar?
- Who will bear the cost for the service delivery agencies to use Aadhaar in whatever form is needed to carry out their work, on demand, as, when and where needed?
- Has it been factored into the budgets of these agencies (such as those engaged with NREGS)?
Actually, it hasn’t, and this should be a very disturbing wake-up call. This is why there are no documents on the UIDAI website that relate to comparative studies - including both costs and benefits - of possible solutions to India’s vexing problems of chronic poverty.
What is almost certain is that credit companies and retailers will find it very profitable to put in all kinds of supporting infrastructure for their purposes. Unfortunately, the desperately poor are not really valuable clientele for such services at present, so this benefit will be readily felt by those ready to go on paying for it, and who will find it worth paying for the convenience of Aadhaar.
If public money is expected to be spent on maintaining Aadhaar for all into the future, this roadmap needs to be clearly spelt out.
All this assumes that the enrollment process dictated by UIDAI is foolproof, and that it will invariably bind a person’s true biometrics (such as a fingerprint) to the Aadhaar. However, the reality of enrollment is far from the ideal painted on the UIDAI website. Reports from different cities, published in the mainstream media, show that the process itself, based on biometric registration that fails frequently, is being subverted by forcing ‘acceptance’ (after four failed tries) of the biometric scans. This is useless, as the registrant will find the identification proof, ie, a subsequent scan, fails to find a correct match from the database.
UIDAI is silent about the rates of false acceptance and false rejection inherent in such processes, even though its own Study Group report on biometrics spelled out the issues. Actually, as figures, the rates are fairly low, but this is deceptive. These are not absolute numbers, but ratios, and very low ratios turn out to be enormously large numbers when applied across a gigantic population - failures of identifying tens and hundreds of thousands of people, on a nauseatingly frequent basis, each failure necessitating an expensive and risk-fraught procedure to re-establish broken links in the UIDAI-defined identity chain.
These are real people, people who have perfectly good identities on their own, people known to their families and their friends, but not known to the State. Does UIDAI seek to ‘help’ people, by giving them an identity? Or is it helping to disempower people by denying them the identities they inherently possess?
This is the falsity built into the core of every centralised scheme of identity resolution, that a failure of the State is the fault of its people. Proponents of centralised systems do not seem to be able to recognise this flaw, a kind of social dyslexia. Unfortunately we do not have social dyslexia as a recognised ailment to be documented by state-run hospitals, the way our education ministry seeks to empower children with dyslexia by making it possible for them to experience the mainstream school system (that doesn’t work well in practice either, a sad commentary on how diligently we pursue our ideals of inclusiveness).
The centralised linking of discrete silos of personal information carries with it palpable risks of data leaks and consequent misuse. Nobody can know whether these will overcome the attraction of convenient identification when interacting with these systems (retail, banking, security cordons - things that form a part of daily life in the modern economy). Certainly, these dangers are not palpably felt in urban circles as much as they already are in the rural areas, where security forces, be they police or paramilitary, have earned a reputation for frequent infringements of civil rights. In urban areas, people tend to worry as much about white-collar crime, especially the kind that hits individuals. The misuse of a central information system is not a question of whether, it is only when. The rich possibilities for misuse will itself create the environment for it, just as it has in the USA, with the social security numbering system.
One of the biggest fears expressed worldwide about centralised identification systems, one that is at the heart of disquiet about the growing misuse of the USA’s social security system number, the SSN, is that subsequent generations of administrators and lawmakers treat the database as being endowed with more capability than intended. The USA’s SSN was actually conceived of a number that was illegal to be used for anything other than a convenience towards delivery of state-administered social benefits, yet today it is used to certify all manner of extraneous conveniences in a very complex web of demands and need fulfilments. The result is that the incentive to create fake identities, to game the system, is very high, and that is very obvious in the USA, where the estimated number of false SSN-backed identities is allegedly around 12 million, near about 5% of the country’s population.
In India, doubtless spurred on by our regular high rate of GDP growth, quoted by people - who do not understand real economics - as reflecting an improvement of lifestyle capabilities in India, we (well, to be precise, the service providers - companies and organisations that give the impression of scrambling to board the UID bandwagon) are not waiting for Aadhaar to become a reality before adding to the basket of features. Starting with bank accounts, supposedly one of its greatest benefits, we now have the Prime Minister (at a function commemorating 5 years of MGNREGA, the world’s biggest work-for-pay guarantee scheme) endorsing a biometric-based worker identity scheme, whereby exclusion from registration will bar people from qualifying for the guaranteed benefits. Forget the country’s minuscule organised sector worker base, even the vast majority of India’s people, who survive y-o-y on temping, will find Aadhaar a new hurdle.
In this case, the PM cannot be easily accused on not understanding economics, but the pronouncement does indicate some lack of familiarity with the weakness of a biometric identity system applied across a very large population (it works reasonably well for tightly monitored situations where it supports a mix of identity markers, such as entry into secure facilities that are actively guarded, where failure of the biometric identifier can be worked around fairly quickly, with documented alternative processes replete with checks and balances.
This is typical of IT workplaces, with which Mr Nilekani is familiar, but not of ration shops and manual labour workplaces in remote and far-flung parts of the country, with which he is not (he chattily refers to his superior knowledge of ground realities in New York).
One of the worst potential abuses of the concept of automated identity verification systems is the premise that personal information is in any case available from a number of sources, and experts already know how to access such information, so linking those diverse bits of information using an Aadhaar does not add to the risks in any way. Mr Nilekani puts it this way, “Even today, without the UID, your credit card details could be accessed by someone who may manipulate it and your privacy may be breached.” In the IT sector, discrete databases are called silos, mirroring commodity storage systems used in agriculture and industry, and Aadhaar will provide a link to such databases, maintained by different agencies, such as NREGS, PDS, banks, insurance companies, and so on. The UIDAI database itself will not store all this information.
Mr Nilekani, just like other businessmen, critics of State-guaranteed personal privacy protection, is being a trifle ingenuous when he talks about identity theft. It would be unfair to call it mendacious, as he is possibly not well informed, although his former employer, Infosys, is a big player in the banking IT sector.
In the credit card industry, identity frauds (nearly all arising from identity theft) are a well-accepted part of doing business, averaging around 6% a year globally, and this number has not significantly changed over the years, although improvements in the physical card systems are regularly being suggested. These new cards are a lot more expensive than the ubiquitous magnetic-stripe cards, which are prey to misuse. It is not surprising that they not been substituted. The industry prefers to bite the bullet and absorb the losses, which are built into their costs (the credit card sector is enormously profitable), rather than introduce too many complexities to their customers. Solving the identity fraud problem is secondary.
Aadhaar, on the other hand, does not have a card, and there is no budget to pay for such a card. Instead, the person must make a claim for being a specific Aadhaar holder (it is a 12 digit number, and will almost certainly have to be written down for the user to be able to convey it - think of the usage of multiple languages, scripts and almost universal illiteracy as typical obstacles to memory), and then present some sort of biometric - at the moment, this would be a single fingerprint - for verification. A dispassionate observer might hazard a guess that the failure rates in practice will be in excess of the credit card sector’s 6%, even if some Herculean effort puts the infrastructure in place by 2015, when 600 mn Aadhaar’s are targeted to deliver social benefits, if not milk and honey, across the country.
The Herculean effort in this case is being masterminded by Mr Satyen (Sam) Pitroda, who promises to deliver broadband connectivity to government offices by then. How this translates into verification points at places where people actually live and work is something that does not find mention in UIDAI’s breezy press releases.
It may be quite pertinent to recall that Mr Pitroda’s previous attempt to bring about a game-changing technology intervention, the landmark modular telephone switch, was wrecked by a change of government, and the powerful international telecom industry ensured that the modular switches were never installed in numbers that would justify the effort.
This kind of disruption in idealistic plans is an obvious risk, especially given that the next General Elections will be in 2014, and that the size of India’s own IT industry remains, despite the obvious growth, a minnow by global standards.
Already, much of the technological base for Aadhaar is being entrusted to foreign companies. This has other problems, of security and national integrity, but that is another discussion by itself.
