Tech

Are People Who Sign up for Aadhaar Actually Who They Say They Are? UIDAI May Not Know

With the Aadhaar agency noting that there is a significant gap between enrolments done and documents handed over by operators, what does this mean for e-KYC and fraud?

The Unique Identification Authority of India (UIDAI) has for six years quietly struggled with a problem that has consequences for its ability to detect fraudulent enrolments and implications for its utility as a sprawling and integrated identification system.

The problem: Are the people who sign up for an Aadhaar number actually who they say they are?  Or, to be more precise,  are all of UIDAI’s enrolment agencies  actually collecting and verifying the ID proof of people who sign up for Aadhaar?

Internal UIDAI documentation shows that for a substantial chunk of enrolments, it just may not be sure.

According to the agency’s internal correspondence with its regional offices, this is mainly because a large number of enrolment agencies and registrars have dragged their feet over a crucial part of the sign-up process: handing over to UIDAI the physical documents that are part of each Aadhaar enrolment they handle.

While these prolonged delays have multiple explanations, some of which are mundane, they nevertheless raise troubling questions over the issue of fraudulent enrolment.

One internal UIDAI estimate – which was part of a set of documents sent by a whistleblower to nine Supreme Court justices in late 2017, a couple of months before the Aadhaar hearings – indicates that the agency allegedly does not have access to identification documents (proof of identity, proof of address) for up to 38% of total Aadhaar enrolments. While parts of these documents could be corroborated, The Wire could not independently verify the final estimate.

How does this work?

Aadhaar identity, to put it simply, consists of two parts: body (biometrics) and biography (demographics).

When enrolment agencies sign up people for Aadhaar, they take their biometrics through scanning and record their demographic information by asking them to submit a number of documents. This includes documentation that verifies a person’s proof of identity (PoI), proof of address (PoA) and date of birth (DoB). These documents can be photocopies of anything from a driver’s licence to a ration card.

The UIDAI’s document management policy – which was written along with Hewlett Packard (HP) – outlines the process that all enrolment agencies and registrars must follow in collecting and collating physical documents submitted during enrolment.

A crucial part of process involves handing over these physical documents to HP, which is what UIDAI calls the the document management system (DMS) agency. HP will then store those documents and digitise them for future access by UIDAI.

An Aadhaar enrollment generates an enrollment ID (EID) and documents are typically attached with an EID, digitised and stored for later retrieval in the CIDR.

Why is this important? Namely because the process of digitising the physical documents allows UIDAI to audit the values entered by the operator at the time of enrolment, if the need arises. It is an important check to ensure the trustworthiness of the Aadhaar database for eKYC.

‘Significant gap’

In December 2015, in an office memorandum circulated to all of its regional offices, the UIDAI noted sternly that there was a “significant gap in enrollments done and documents submitted by Registrars/EAs to the DMS agency for Phase 1 as well as Phase II”.

The note then goes lay out a new process to be followed for the “reconstruction of missing DMS” whereby the DMS agency would share a list of all enrolment IDs for which accompanying documents are “missing”.

Using this information, the UIDAI stressed, all enrolment agencies and registrars were supposed to hurry up and hand over the physical documents (photocopies of PAN cards, ration cards, passports, driver’s licenses etc) they took during the enrolment process.

Screenshot of UIDAI's office memorandum in December 2015. Credit: The Wire

Screenshot of UIDAI’s office memorandum in December 2015. Credit: The Wire

These instructions came after a slew of show-cause notices issued to non-state registrars in October 2015 over “non-submission of documents” and plans to schedule “reconciliation meetings” that would track the process of reconstruction in the months ahead.

Despite this increased push, the UIDAI, it appears, wasn’t satisfied with fidelity of the process. In April 2016, it quietly rolled out a feature that allowed enrolment agencies (EAs) to scan the identification documents themselves. In a notice titled “Mandatory Scanning of Documents Through Enrolment Clients”, it announced that individual EAs no longer had to hand over documents to the DMS agency but could scan it themselves.

The only catch? This system was rolled out only for states where Aadhaar saturation was greater than 80%. There are two broad implications of this decision:

1) Firstly, UIDAI knew that the existing offline document management system had problems, both security and logistical in nature, and yet introduced it anyway.

2) It appears as if the agency initially preferred the quicker, and less secure, method of using a flawed document management strategy to increase Aadhaar penetration.

Stemming the dam

Nearly nine months later, the UIDAI issued a set of guidelines in January 2017 that appeared to allow “offline scanning of ADMS documents” to all enrolment agencies and registrars across the country.

In the accompanying office memorandum, the Aadhaar authority once again acknowledges the problem that it faced, stating that a “large number of documents” had not been handed over by enrolment centres.

“It is understood that there are a large number of documents lying at enrolment centres, for which the EA [enrolment agency] is responsible for safe-keeping. Thus, to mitigate Registrar and EAs liability in case of loss of documents, the UIDAI is providing an opportunity for EAs to scan the pending documents at their end and upload to CIDR,” the notice states.

How big is the problem?

In November 2017, a person who only identifies himself as a “qualified and responsible citizen” sent a series of documents to nine Supreme Court justices. At least two judges confirmed to The Wire receipt of the papers.

These documents, which The Wire has reviewed, contain a list of Aadhaar enrolment agencies and a corresponding number of enrolments that are allegedly missing accompanying documentation.

It estimates that 38% of total Aadhaar enrolments (45 crore out of 115 crore successful enrolments) have “missing documents”. That is, enrolment agencies and registrars have not transferred the accompanying PoI (proof of identity) or PoA (proof of address) documentation of 45 crore enrolments to UIDAI.

To what extent can we trust these figures? The Wire corroborated a number of things including the enrolment agency codes (publicly available with UIDAI) and successful total enrolments by operator, but could not independently verify the final estimate of 38%.

A detailed questionnaire asking about the extent of missing documents was sent to UIDAI CEO Ajay Bhushan Pandey and Vikash Shukla, Head of Media Outreach and Publicity, last week. This story will be updated if and when a reply is received.

It is noteworthy that right to information (RTI) queries on this issue have been stonewalled. An RTI request filed by Anupam Saraph, had asked UIDAI to provide the breakup of PoI/PoA for every Aadhaar generated; what methods of identification (passport, ration card etc) were used.

The request was met with the response “the information is not compiled/available”, even though as per the office memorandum, we know that the UIDAI has that information broken down to the enrolment agency level.

A more official source of missing documents, however, comes from UIDAI itself (archive).  A tucked away corner of its website gives details of “DMS pendency” for over 600 enrolment agencies for four months in 2016: a significant 7.8 crore Aadhaar enrolments were missing accompanying physical documentation between February 2016 and June 2016.

Why is this a threat?  

There could be multiple explanations for why these documents are missing.

Some of the reasons are mundane. For instance, logistical problems between enrolment agencies, registrars and the DMS agency could delay in the handing over of documents. A senior executive of one large enrolment agency confirmed that delays in picking up documents are natural, especially in less-connected and rural parts of the country, as it involves multiple levels of coordination.

Other reasons include physical documentation getting lost or destroyed by accident – a terrible nuisance for Aadhaar holders, who are forced to re-submit their documents or re-apply all over again.

There is another reason, however, whose implications are more troubling and sinister: namely that some of these documents are ‘missing’ because they simply don’t exist and that they are representative of fraudulent enrolments.

In 2012, the ‘missing documents’ problem translating into fraud came back to haunt the UIDAI and prove this last point. The Wire has it in its possession the FIR details of the ILF&S- Hyderabad scam, which while reported in 2012, did not nearly get the attention it deserved.

The scam involved  two different modus operandi:

1) The criminals enrolled ‘people’ through the biometric exception route to bypass the UIDAI’s deduplication system.

2) They also enrolled ‘people’ using their ration cards as proof of identity/proof of address with the document management system.

As per initial media reports, the operator enrolled 30,000 people in 2 months of which 870 were biometric exceptions. The kicker? Most of these enrolments were fraudulent.

When the investigators tried to locate the proof of identity/proof of address documentation, they found that the DMS agency did not have a copy of the identity documents and hence all of them were fraudulent.

When the whole enrolment system was audited for biometric exception misuse, the UIDAI discovered that operators all over the country had fraudulently enrolled 3.84 lakh people through the biometric exemption route.

It is puzzling therefore that the UIDAI not conduct an audit or launch an investigation into the issue of missing documents to determine how many potentially fraudulent PoI/PoA-based enrolments there could be out there.

The UIDAI may believe that the answer is zero – but that clearly isn’t the case. Would such an exercise have raised uncomfortable questions over the rapid speed of Aadhaar enrolment over the last six years?

National security issues

Over the last six years, missing documents have been a continuously-repeating story.

The following publicly-reported incidents prove that Aadhaar generation  without PoI/PoA documentation or verification are quite common. What makes this situation worse is that the government has implicitly encouraged the usage of ‘Aadhaar cards’ as a commonly accepted method of identification, even thought it was never meant for that purpose.

–> Zeebo Asalina, an Uzbek national was caught with a “real” Aadhaar that identified her as Duniya Khan, residing in Delhi. –

–> Pakistani, Bangladeshi and Rohingya refugees have been arrested with Aadhaar.

–> A Chinese national was arrested with Aadhaar (June 2018).

–> Only 188 of the 418 consumers were traceable in Delhi, after Aadhaar based PDS was introduced (55% were untraceable in their current address)

Aadhaar as a society-wide identification method

The basis for using Aadhaar as eKYC is the assumed sanctity of the database. When a significant percentage of the database has missing PoI/PoA documents and the UIDAI refuses to provide straight answers to these questions, it is obvious that the problem is indeed large, as the above checks show.

The biggest problem with  ‘missing documents’  – if a single Aadhaar is repurposed or one person gets two Aadhaar numbers – becomes less of an issue if the UIDAI’s system of ‘deduplication’ and authentication works as advertised. However, there is enough public data available to show that at least 5.32 lakh Aadhaar duplicates do exist and these are acknowledged duplicates, till August 2017.

As acknowledged by Triveni Singh, the IPS officer who investigated the UP Aadhaar hack scam, one of the operators arrested did have two Aadhaar numbers (7:18). Even if one of them had a missing PoI/PoA, then that Aadhaar is a “pure ghost”. Thus missing identity documents create scope for fraud, when biometric deduplication itself is not deterministic and is probabilistic.

Besides this, the UIDAI’s behavior does not leave its users with a sense of confidence. While it did ban enrollment agencies with questionable or fraudulent behaviour temporarily, they are allowed to come back to the ecosystem, as it would impact metrics (enrollment coverage). This is very similar to how it allowed Airtel Payment bank to restart operations – in what some believe as an attempt to shore up falling authentication attempts – after banning it from using e-KYC services.

In this aspect, the system of Aadhaar enrolment resembles a poorly-run ponzi scheme, where any fall in expansion brings the curtains down. So agents delegated to run the enrolment scheme may get banned for cheating too much, but are always brought back quietly when the storm dies down.