'When people come for authentication again, the process of informed consent will have to be carried out.'
'We will have to understand what the security implications are and how much data could be put in the public domain.'
'Now that we have a law, certain responsibility will be cast on the people who are doing the enrolment or authentication when they handle sensitive personal data.'
A B P Pandey, director-general and mission director of Unique Identification Authority of India, below, left, speaks to Nitin Sethi on how the efficacy of Aadhaar will be monitored and what challenges it faces as it reaches the one-billion enrolment mark.
Excerpts:
On the challenges now that the law is in place.
The government will have to notify necessary rules under the law and UIDAI will have to frame the regulations that will govern the jobs we are doing.
This is a unique case.
Usually, what happens first is a law is passed and thereafter the institutions are built and operations start.
Here, it has happened the other way round.
Now, everything has to be kind of retrofitted into the Acts and the regulation.
What changes would it entail for UIDAI?
I would say that this Act has very good data protection and privacy provisions.
What we shall have to do is obtain the consent of every individual and that consent has to be informed consent.
We have to go through this process of obtaining informed consent.
For all the one billion people enrolled?
No, for the people who will be enrolling in future.
What about the consent of those already enrolled?
It is not required because the Act validates all actions done earlier.
So this will apply to the new enrolments.
Similarly for authentication.
When people come for authentication again, the process of informed consent will have to be carried out.
This is very important from people’s point of view, as it will assure them their data is secure.
Will that require back-end tweaking?
That is correct.
First, the policy and regulations are to be put in place.
Then, we have entered into various agreements with our partners -- those agreements will have to be changed.
Next, all these things have to be reflected in the field.
For example, it could require changing a form to be filled.
Some electronic processes for doing such tasks might also require modifications.
There is research being done through your centre on how biometrics can be used more efficiently in India. Do you foresee Iris data being used more for authentication, along with fingerprints?
We are already using three sets of biometrics -- fingerprints, Iris and photographs.
This meets our requirements for the next few years.
But, particularly for infants, there is an issue of how well-formed are fingerprints. I am told some research is going on where the print of heels of infants are perhaps more well-formed than the fingerprints.
Perhaps after a few years, supposing if that technological development comes, we should be in a position to include that in our system.
We will not collect biometrics only for the sake of collection.
There have been reports of how in some places where biometric is being used, like in Rajasthan for the public distribution system, the rate of failure of fingerprint authentication is much higher than expected.
At certain places, if the fingerprint fails, they have an option.
Either they go for Iris or, if the mobile number is registered, through the one-time password system.
Sometimes even that doesn’t work because of connectivity problems.
So, the government should always have an exception system in place where based on the paper Aadhaar card, services can be given and an entry could be made for those exceptional cases.
Is UIDAI moving towards mobile-based authentication as it progresses?
Yes, I see it moving.
Our systems should have the options. One has to know for what kind of transaction you have to collect biometrics for confirmation of identity or for what purpose you can use the confirmation through mobile phones or go for both in a combination.
In Aadhaar, we have a multi-factor authentication system.
It could be any combination of the three options we have provided -- fingerprints, Iris and mobile OTP.
Are you able to monitor how Aadhaar is being used and what is its efficacy?
For example, whether biometric identification through fingerprints is working or not.
At UIDAI, we’ll not have any data on the purpose or location of authentication -- for what purpose is Aadhaar being used and from where the transaction has originated.
But, we shall have to have information of what kind of people are failing those transactions -- whether there is some problem with their biometrics or whether the biometrics need to be updated or the machines are working alright or if someone is attacking us, etc.
Is there a system already in place for monitoring the efficacy of Aadhaar? Say, if I come to you six months down the line and ask how is the biometric system working?
We monitor this.
In one day we get, say, two million requests.
Of that, we naturally have the information that so many have failed or so many passed.
The failure could be for various reasons.
Someone could have tried to falsify an identity.
It could be a fingerprint failure.
We try to monitor the failure rate.
Would I, as a citizen or a journalist, have access to this data on the efficacy of Aadhaar?
At this stage, we don’t know how much of the data will be put in the public domain.
We will have to understand what the security implications are and how much data could be put in the public domain.
How would you monitor that the authentication through Aadhaar has been done legally and only for the purpose one was permitted to use the authentication system. Who monitors that?
We will have a process laid down, an agreement.
Now that we have a law, certain responsibility will be cast on the people who are doing the enrolment or authentication when they handle sensitive personal data.
Then there is an obligation cast on them that they use it for a specific purpose.
We will have our system that we shall have some kind of audit of user authentication agencies to see to what extent they are compliant.
Are the protocols in place for you to share periodically with the public how these agencies used the data and if they breached the law?
It all depends on what kind of audit mechanism we have.
At the moment, we don’t have one in place?
Right.
We also have to realise the sheer number of agencies we work with.
We shall have to work out a workable arrangement as to how it is be done or if it’s to be based on self-certification.
Some judgment call will have to be taken. It shouldn’t happen that we start doing very closely-tied audit of every transaction.
Say, by the Comptroller and Auditor General?
CAG audits only what the government does.
Here, there will be a whole lot of government and those outside the government will be using it as well. We are dealing with a 1.25-billion number.
Therefore, what would be the form of audit, whether it would be an audit by some independent auditors, etc, will have to be thought through and we shall come out with an appropriate response.
The top image is used for representational purpose only. Photograph: Reuters