Aadhaar authentication on phones is for manufacturers to decide: Ajay Bhushan Pandey

Ajay Bhushan Pandey, CEO of UIDAI speaks to Nitin Sethi on the way forward for Aadhaar now that allregulations are in place and addresses some controversies that are dogging theplatform.
You have the regulations in place now to operationlise the entire Aadhaar law?

Yes, when Aadhaar Act says certain actions such as enrolment, authentication, privacy, will happen as per regulations.

To operationalise the act, the regulations had to be put in place. This week we have done so to make all provisions of the act operational.

There are still no regulations in some areas, such as a grievance redress mechanism? What other such things are left to detail out?

In case of regulations in several places we have said that something or the other will be done as per process approved by the UIDAI or specifications approved by UIDAI.

Already there are specifications and processes in place. Now these regulations will have to be read along with those process or mechanism document. Today we already have those documents in place.

The regulations say that all processes that were being followed so far and are not inconsistent with the act and the regulations will continue to have legal bearing.

For example if you are using the enrolment software or hardware, what should be the specifications? All these cannot as such become part of the regulations. So in regulations we have said these specifications will be laid down by the authority and we had already laid them down earlier.

So when will the grievance redress system become functional?

Actually if you see, we already have a grievance redressal system within the UIDAI. We have a call centre. Any resident can call 1947 and can register their grievance.

Today every day we get 1.5 lakh calls every day. Of these 50% are addressed through the automated system and the rest need handling by operators.

We monitor every week the nature of the difficulty people are facing? What is the predominant complaint at the moment?

That changes from time to time. Currently people are concerned where they can get Aadhaar or that they have enrolled but not received it. We devise our media strategy accordingly to educate people and if some corrections have to be made within our system we try to address that as a systematic issue besides attending to the individual problem.

Another area where these regulations are silent is what happens in the case of biometric failure? Or does it exist elsewhere in your processes?

Biometric failure are at either at the time of enrolment or authentication. We have a detailed document about what happens when a person does not have a biometric or only a partial biometric. Our regulations prescribe what is available should be taken and Aadhaar generated. If unfortunately a person does not have any biometric then we have a mechanism in place in our process document.

Coming to authentication, if the biometric does not happen we have a detailed process document. Say if one finger print does not work. We have a system of best finger detection process. In cases where none of the fingers can be authenticated then Iris can be used. These protocols to handle such cases are in the process documents.

But are these protocols for biometric failure part of your contractual agreement with entities that use authentication?

It is a question of education and training. This contractual agreement was there that they adhere to all guidelines and processes of UIDAI. Now the same thing is included in the regulations, so it’s at a higher level.

So if at a ration shop if the authentication system fails and someone is unable to get her or his rations, as grievance redress where would he or she go

I would address this problem in this manner. If a person’s authentication fails then what is required to be done by the person on the other end. He can find out which is the best finger and ask him to give the best finger. If none of the fingers are working then the Iris can be used.

But Iris scanners are not being used.

We are recommending and saying if you come to me with a grievance we can deal with it only systematically. In case finger prints are not working he should be able to authenticate through iris, which is not very costly. A stand-alone costs around Rs 2,000. This is one. If supposing that doesn’t work. We have seen in many places, particularly in Andhra Pradesh when programme was being rolled out, the authentication did not work because of signal issues.

Some makeshift kind of antenna helped in boosting the signal. We had detailed discussions with BSNL and others to maybe create towers there.

Today AP has 28,000 ration shops and 6 crore population. All of them are taking ration through biometric authentication and they are not facing problems of such a large scale.

How much is the biometric authentication failure rate?

In the range of 4-5% which they are able to address manually. AP is big enough state. AP is more advanced than most other states on count of connectivity.

I wouldn’t say that because in rural areas of Andhra Pradesh it won’t be as good. If it can be tackled up to this level in Andhra Pradesh then most other states can also reach this level of efficiency except maybe some few states such as those in the northeast.

So you get audit report of each entity that is using authentication to see what is the failure rate?

Yes. We get that. We get total macro picture and also entity wise also of which entity is having higher failure rate and which has lower and we advise them how to improve.

Are these available in public domain for people to see?

I don’t know, I will have to check with the mutual agreements. From UIDAI side we don’t publish these reports. The entities themselves may be doing it.

But they are not doing so, I checked with all the states doing PDS through Aadhaar.

I would have to check with the contracts if confidentiality is not there then we might as well put it out but frankly this aspect we shall have to check.

The other aspect we have also found some amount of failure is the backend and communication infrastructure which is to be put in place. Otherwise it will get blocked there and tied up.

In Rajasthan’s case, there is an answer in Parliament that states that the backend infrastructure is not in place to ensure biometric authentication for PDS.

That is actually what we found out. We have advised them officially about it. If Andhra Pradesh has reached this point, it is not happened overnight. It is not a small job. These problems are part of the work in progress because people are doing it for the first time. These problems would come but the idea is to identify these problems and address them. So in Rajasthan we diagnosed that in few cases it was because of biometric failure but it was also because of infrastructure.

Does the food ministry here use this data to see how the use of Aadhaar is working or impeding delivery of supplies to people?

Right now the food ministry is in various stages in different states. Some states they are digitising, in some they are collecting Aadhaar or validating it. In some states they are procuring the machines. In some states they are in the stage of using it. We are in the position to help them. There is a few states where a full scale operation is in place such as Andhra Pradesh and Telangana. If AP can do it for 6 crore people and the failure is not to the level that there is a huge hue and cry then it means that the system can work in most states. What we periodically do is take the teams from other states to where it is working to showcase and help learn.

What are the areas where Aadhaar can now be made mandatory or universal quickly?

One is the LPG. It is in full readiness. Around 15 crore consumers they have done seeding of 13 crore roughly.

Remaining can be asked to enrol for Aadhaar, as the act requires to either give Aadhaar number or if he doesn’t have one to enrol for one. Also we have provided that in case someone does not have an Aadhaar number the entities or concerned departments can enrol the people right there through their own machinery.

UIDAI does enrolment through its registrars and now we have empowered state governments and departments to do their own enrolment by setting up their centres of the residual beneficiaries who are not in large number.

The main fear of making Aadhaar mandatory was that some people may get excluded. That has been addressed in the regulations and responsibility has been cast on the concerned department that if you are asking for Aadhaar number and a beneficiary doesn’t have it you provide facility for enrolment.

If he still doesn’t get one then you take action as per the law.

So scholarships could be the next area. Scholarships are availed by the educated lot. Students are available in schools and colleges so if they need to be enrolled it can be done.

Similarly in case of schemes such as MNREGA. Out of 10 crore active workers Aadhaar has been collected for almost 7 crore workers. Now all workers are coming for work every day so if anyone doesn’t have Aadhaar their enrolment can happen.

So in MNREGA too Aadhaar can be enforced very quickly?

Absolutely. In other major schemes as well such as ICDS or Sarv Siksha Abhiyan or Rashtriya Ucchh Siksha Abhiyan scheme.

Children can be enrolled at schools. Wherever you have a population that is coming out to a centre it is easy to enrol those who need to be enrolled.

Wherever 90% of beneficiaries have Aadhaar the remaining 10% can be enrolled through these departments or centres.

So where is the challenge for Aadhaar to reach?

Challenge will be there where Aadhaar enrolment coverage is lesser than the national average, particularly where earlier work was being done by the National Population Register.

There the task is to first increase enrolment  to reach a certain saturation level.

We heard the chief economic advisor talking about writing a chapter in the next economic survey on delivering cash instead of benefits in kind? Is Aadhaar platform ready to do so by 2018 if required by the government?

I haven’t heard about it. But I shall tell you about the infrastructure that is available for any kind of cash transfer. Today 32 crore people have their Aadhaar numbers linked to bank accounts on NPCIL platform.

What does that mean? These 32 crore people can be transferred cash in a secure manner directly into their bank accounts by any government.

Out of these 32 crore people can use micro ATM to withdraw money – they are cash transfer compliant. What is

happening every month is that more than a crore people are coming on to this platform

Then the push is, under different schemes and departments people’s Aadhaar are linked to their bank accounts then they too become cash transfer compliant for all kinds of purposes. LPG has 13 crore people seeded. If your bank account is linked to Aadhaar for any purpose or benefit then you become cash transfer compliant for all purposes.

So you are saying connecting 1.2 billion people’s accounts…

I am not sure we need to reach that level because not everyone is going to be beneficiaries but only those who are needy and requires benefits is mapped on through one programme or the other.

So how does this cashless, paper-less and presence less cash transfer as Mr Nilekani proposes take place?

The biggest problem with any credit system is the lack of credit history and identity of the person. If you want to give credit to someone you want to confirm his identity, location and what is the credit history of that person. This problem is not much for those who are well to do. It’s for the ones who really need the credit most. They have a problem of identity and also credit-worthiness. Aadhaarwill provide identity. And supposing your credit history from various services providers is also linked to Aadhaar you can.

You mean in terms of what subsidies one is getting from different government schemes that can be used for repayment?

Number one that and number two supposing he has a bank account linked to Aadhaar then if he has already taken certain credit earlier, how has he behaved. If say a person needs credit for land improvement then has he taken such loans earlier and how he has behaved and if he has land records…all these can be assessed. So if all those things are actually linked using Aadhaar then the decision to give micro-credit becomes possible. Aadhaar can finally do this.

But here is the catch. When we are saying that all this other information about someone is linked and attached to his Aadhaar number and can be accessed then where is the privacy?  The Aadhaar architecture, regulations and act addresses it. How?

If you have given your Aadhaar number for one purpose it can only be used for that purpose. It cannot be disclosed or used for another purpose for any other purpose. Say if an Aadhaar holder has done ten different transactions with ten different authorities, these authorities cannot share the details without prior consent of the person. So if I need microcredit I will give a specific consent that you can check my records with these 10 authorities.

So that is where a consent manager comes in to place?

Yes, and our Aadhaar regulations provide for this. What it says is, based on consent different entities can share the data and maintain a log for this. The consent is required each time. So there would be a strong privacy protection and at the same time people can use this mechanism to allow access to others to their transaction histories.

While you provide for these privacy safety latches, if someone still breaches my privacy and shares my data what options do I have?

Under the Aadhaar law any such breach is a criminal offence and a person can be punished. There is a process for this.

So I would need to go to UIDAI authority and file a complaint?

At this point of time yes you shall have to come to UIDAI if there is a violation of the Aadhaar law.

Because only the authority can act on it…

The complaint has to be filed by UIDAI or any officer authorised by it. Over a period of time we shall create a whole mechanism and authorise several others to act on the complaints on behalf of UIDAI.

Why can only UIDAI file a complaint and not the person who suffered the breach of privacy, considering UIDAI authority is the delivery agency and it is being asked to check breach of its functioning ? Why can’t I go and file an FIR saying my privacy has been breached?

Under the general criminal law the police officer understands the issues of say what is grievous bodily injury or assault and therefore they are in a position to act. But this is a specialised act. Let us say a person goes to complain about Aadhaar law then the person should be able to understand whether an offence has been committed or not. This is a problem in all specialised laws not just UIDAI. Take other economic crimes it all requires someone should understand that violation has been committed and a complaint should be lodged. So that was the logic, that this is a specialised area and before the investigative machinery is set into motion there is a pre-check by a specialised body.

What is the controversy over UIDAI asking for biometric authentication through its protocols being imposed on phone companies and operating systems, such as those of Google?

We initiated a discussion with all device manufacturers and those providing operating systems. We want to make Aadhaar universally available. So, what we said to them, if they want, we can provide Aadhaar authentication facilities through their devices. I gave them the example of how GPRS has become a de-facto standard across smartphones.  So what we have said is, in case a device manufacturer or an operating system provider is interested we can make their devicesAadhaar enabled. If that happens people can sign in and carry out Aadhaar-based transactions from their phones too. If they want, they can put it in some of their devices and not in others or maybe in one model or choose not to do so. Ultimately it is the people who will decide what they want.

If a company has five smart phone models and one has Aadhaar identification in the future the consumer may decide to buy that one and not the other one. So, we are not mandating that phoneshave it, we are merely saying we are willing to provide support for it.

Are they facing technical problems with encryption requirements?

We are working on it. This will require a lot of work. We have had three rounds of discussions with them. We need to work with all of them – device manufacturers, operating system providers. We are talking to them that in case you decide to use Aadhaar how is the data kept and transferred in a secure manner and what should be the encryption mechanism. We shall have several more meetings before we decide what the best standard process to follow is. And this is something which will be only for those who are willing to participate.

So you are not saying you shall make it mandatory

At least from the UIDAI side we have not said it shall be mandatory. We cannot make it mandatory under the law. If you see in every case we just offer the facility and the government decides if it wants it mandatory for some scheme or not. We say we just want to enable Aadhaar. If Aadhaar is going to be used on some platform or device it has to be standardised for authentication.