The Unique Identification Authority of India (UIDAI) is a central
government agency of India.^ Its objective is to collect
the biometric and demographic data of residents, store them in a
centralised database, and issue a 12-digit unique identity number
called Aadhaar to each resident.^^ It is considered the
world's largest national identification
As of March 2016, the original legislation to back UIDAI is still
pending in the Parliament of India.^ However, on 3 March
2016, a new money bill was introduced in the Parliament for the
purpose.^ On 11 March 2016, the Aadhaar (Targeted
Delivery of Financial and other Subsidies, benefits and services) Act,
2016, was passed in the Lok Sabha.^ On 26 March, 2016,
The Aadhaar (Targeted Delivery of financial & Other Subsidies, Benefits
& Services) Act, 2016 was notified in the Gazette of India.^
Some civil liberty groups, like Citizens Forum for Civil
Liberties and Indian Social Action Forum (INSAF), have opposed the
project on privacy concerns.^^^^
On 23 September 2013, the Supreme Court of India issued an
interim order saying that "no person should suffer for not getting
Aadhaar" as the government cannot deny a service to a resident if s/he
does not possess Aadhaar, as it is voluntary and not
mandatory.^ In another interim order on 11 August 2015, the
Supreme Court of India ruled that "UIDAI/Aadhaar will not be used for
any other purposes except PDS, kerosene and LPG distribution
system" and made it clear that even for availing these facilities
Aadhaar card will not be mandatory.^^^
* * *
Aadhaar authentication on phones is for manufacturers to decide: Ajay
Interview with Chief executive officer, Unique Identification Authority
Nitin Sethi | New Delhi
September 16, 2016 Last Updated at 00:25 IST
Ajay Bhushan Pandey
Govt pushes for mobile phones with vernacular language access
Aadhaar law has good data protection & privacy provisions: A B P Pandey
I have long said we need a privacy law but Aadhaar has safeguards:
India's Aadhaar mandate for smartphone makers may rile global firms
Why is the UIDAI cracking down on individuals that hoard Aadhaar data?
Ajay Bhushan Pandey, CEO of UIDAI speaks to Nitin Sethi on the way
forward for Aadhaar now that allregulations are in place and addresses
some controversies that are dogging theplatform.
You have the regulations in place now to operationlise the entire
Yes, when Aadhaar Act says certain actions such as enrolment,
authentication, privacy, will happen as per regulations.
To operationalise the act, the regulations had to be put in place. This
week we have done so to make all provisions of the act operational.
There are still no regulations in some areas, such as a grievance
redress mechanism? What other such things are left to detail out?
In case of regulations in several places we have said that something or
the other will be done as per process approved by the UIDAI or
specifications approved by UIDAI.
Already there are specifications and processes in place. Now these
regulations will have to be read along with those process or mechanism
document. Today we already have those documents in place.
The regulations say that all processes that were being followed so far
and are not inconsistent with the act and the regulations will continue
to have legal bearing.
For example if you are using the enrolment software or hardware, what
should be the specifications? All these cannot as such become part of
the regulations. So in regulations we have said these specifications
will be laid down by the authority and we had already laid them down
So when will the grievance redress system become functional?
Actually if you see, we already have a grievance redressal system
within the UIDAI. We have a call centre. Any resident can call 1947 and
can register their grievance.
Today every day we get 1.5 lakh calls every day. Of these 50% are
addressed through the automated system and the rest need handling by
We monitor every week the nature of the difficulty people are facing?
What is the predominant complaint at the moment?
That changes from time to time. Currently people are concerned where
they can get Aadhaar or that they have enrolled but not received it. We
devise our media strategy accordingly to educate people and if some
corrections have to be made within our system we try to address that as
a systematic issue besides attending to the individual problem.
Another area where these regulations are silent is what happens in the
case of biometric failure? Or does it exist elsewhere in your processes?
Biometric failure are at either at the time of enrolment or
authentication. We have a detailed document about what happens when a
person does not have a biometric or only a partial biometric. Our
regulations prescribe what is available should be taken and Aadhaar
generated. If unfortunately a person does not have any biometric then
we have a mechanism in place in our process document.
Coming to authentication, if the biometric does not happen we have a
detailed process document. Say if one finger print does not work. We
have a system of best finger detection process. In cases where none of
the fingers can be authenticated then Iris can be used. These protocols
to handle such cases are in the process documents.
But are these protocols for biometric failure part of your contractual
agreement with entities that use authentication?
It is a question of education and training. This contractual agreement
was there that they adhere to all guidelines and processes of UIDAI.
Now the same thing is included in the regulations, so it's at a higher
So if at a ration shop if the authentication system fails and someone
is unable to get her or his rations, as grievance redress where would
he or she go?
I would address this problem in this manner. If a person's
authentication fails then what is required to be done by the person on
the other end. He can find out which is the best finger and ask him to
give the best finger. If none of the fingers are working then the Iris
can be used.
But Iris scanners are not being used.
We are recommending and saying if you come to me with a grievance we
can deal with it only systematically. In case finger prints are not
working he should be able to authenticate through iris, which is not
very costly. A stand-alone costs around Rs 2,000. This is one. If
supposing that doesn't work. We have seen in many places, particularly
in Andhra Pradesh when programme was being rolled out, the
authentication did not work because of signal issues.
Some makeshift kind of antenna helped in boosting the signal. We had
detailed discussions with BSNL and others to maybe create towers
Today AP has 28,000 ration shops and 6 crore population. All of them
are taking ration through biometric authentication and they are not
facing problems of such a large scale.
How much is the biometric authentication failure rate?
In the range of 4-5% which they are able to address manually. AP is big
enough state. AP is more advanced than most other states on count of
I wouldn't say that because in rural areas of Andhra Pradesh it won't
be as good. If it can be tackled up to this level in Andhra Pradesh
then most other states can also reach this level of efficiency except
maybe some few states such as those in the northeast.
So you get audit report of each entity that is using authentication to
see what is the failure rate?
Yes. We get that. We get total macro picture and also entity wise also
of which entity is having higher failure rate and which has lower and
we advise them how to improve.
Are these available in public domain for people to see?
I don't know, I will have to check with the mutual agreements. From
UIDAI side we don't publish these reports. The entities themselves may
be doing it.
But they are not doing so, I checked with all the states doing PDS
I would have to check with the contracts if confidentiality is not
there then we might as well put it out but frankly this aspect we shall
have to check.
The other aspect we have also found some amount of failure is the
backend and communication infrastructure which is to be put in place.
Otherwise it will get blocked there and tied up.
In Rajasthan's case, there is an answer in Parliament that states that
the backend infrastructure is not in place to ensure biometric
authentication for PDS.
That is actually what we found out. We have advised them officially
about it. If Andhra Pradesh has reached this point, it is not happened
overnight. It is not a small job. These problems are part of the work
in progress because people are doing it for the first time. These
problems would come but the idea is to identify these problems and
address them. So in Rajasthan we diagnosed that in few cases it was
because of biometric failure but it was also because of
Does the food ministry here use this data to see how the use of Aadhaar
is working or impeding delivery of supplies to people?
Right now the food ministry is in various stages in different states.
Some states they are digitising, in some they are collecting Aadhaar or
validating it. In some states they are procuring the machines. In some
states they are in the stage of using it. We are in the position to
help them. There is a few states where a full scale operation is in
place such as Andhra Pradesh and Telangana. If AP can do it for 6 crore
people and the failure is not to the level that there is a huge hue and
cry then it means that the system can work in most states. What we
periodically do is take the teams from other states to where it is
working to showcase and help learn.
What are the areas where Aadhaar can now be made mandatory or universal
One is the LPG. It is in full readiness. Around 15 crore consumers they
have done seeding of 13 crore roughly.
Remaining can be asked to enrol for Aadhaar, as the act requires to
either give Aadhaar number or if he doesn't have one to enrol for one.
Also we have provided that in case someone does not have an Aadhaar
number the entities or concerned departments can enrol the people right
there through their own machinery.
UIDAI does enrolment through its registrars and now we have empowered
state governments and departments to do their own enrolment by setting
up their centres of the residual beneficiaries who are not in large
The main fear of making Aadhaar mandatory was that some people may get
excluded. That has been addressed in the regulations and responsibility
has been cast on the concerned department that if you are asking for
Aadhaar number and a beneficiary doesn't have it you provide facility
If he still doesn't get one then you take action as per the law.
So scholarships could be the next area. Scholarships are availed by the
educated lot. Students are available in schools and colleges so if they
need to be enrolled it can be done.
Similarly in case of schemes such as MNREGA. Out of 10 crore active
workers Aadhaar has been collected for almost 7 crore workers. Now all
workers are coming for work every day so if anyone doesn't have Aadhaar
their enrolment can happen.
So in MNREGA too Aadhaar can be enforced very quickly?
Absolutely. In other major schemes as well such as ICDS or Sarv Siksha
Abhiyan or Rashtriya Ucchh Siksha Abhiyan scheme.
Children can be enrolled at schools. Wherever you have a population
that is coming out to a centre it is easy to enrol those who need to be
Wherever 90% of beneficiaries have Aadhaar the remaining 10% can be
enrolled through these departments or centres.
So where is the challenge for Aadhaar to reach?
Challenge will be there where Aadhaar enrolment coverage is lesser than
the national average, particularly where earlier work was being done by
the National Population Register.
There the task is to first increase enrolment to reach a certain
We heard the chief economic advisor talking about writing a chapter in
the next economic survey on delivering cash instead of benefits in
kind? Is Aadhaar platform ready to do so by 2018 if required by the
I haven't heard about it. But I shall tell you about the infrastructure
that is available for any kind of cash transfer. Today 32 crore people
have their Aadhaar numbers linked to bank accounts on NPCIL platform.
What does that mean? These 32 crore people can be transferred cash in a
secure manner directly into their bank accounts by any government.
Out of these 32 crore people can use micro ATM to withdraw money ' they
are cash transfer compliant. What is
happening every month is that more than a crore people are coming on to
Then the push is, under different schemes and departments people's
Aadhaar are linked to their bank accounts then they too become cash
transfer compliant for all kinds of purposes. LPG has 13 crore people
seeded. If your bank account is linked to Aadhaar for any purpose or
benefit then you become cash transfer compliant for all purposes.
So you are saying connecting 1.2 billion people's accounts...
I am not sure we need to reach that level because not everyone is going
to be beneficiaries but only those who are needy and requires benefits
is mapped on through one programme or the other.
So how does this cashless, paper-less and presence less cash transfer
as Mr Nilekani proposes take place?
The biggest problem with any credit system is the lack of credit
history and identity of the person. If you want to give credit to
someone you want to confirm his identity, location and what is the
credit history of that person. This problem is not much for those who
are well to do. It's for the ones who really need the credit most. They
have a problem of identity and also credit-worthiness. Aadhaar will
provide identity. And supposing your credit history from various
services providers is also linked to Aadhaar you can.
You mean in terms of what subsidies one is getting from different
government schemes that can be used for repayment?
Number one that and number two supposing he has a bank account linked
to Aadhaar then if he has already taken certain credit earlier, how has
he behaved. If say a person needs credit for land improvement then has
he taken such loans earlier and how he has behaved and if he has land
records'�all these can be assessed. So if all those things are actually
linked using Aadhaar then the decision to give micro-credit becomes
possible. Aadhaar can finally do this.
But here is the catch. When we are saying that all this other
information about someone is linked and attached to his Aadhaar number
and can be accessed then where is the privacy? The Aadhaar
architecture, regulations and act addresses it. How?
If you have given your Aadhaar number for one purpose it can only be
used for that purpose. It cannot be disclosed or used for another
purpose for any other purpose. Say if an Aadhaar holder has done ten
different transactions with ten different authorities, these
authorities cannot share the details without prior consent of the
person. So if I need microcredit I will give a specific consent that
you can check my records with these 10 authorities.
So that is where a consent manager comes in to place?
Yes, and our Aadhaar regulations provide for this. What it says is,
based on consent different entities can share the data and maintain a
log for this. The consent is required each time. So there would be a
strong privacy protection and at the same time people can use this
mechanism to allow access to others to their transaction histories.
While you provide for these privacy safety latches, if someone still
breaches my privacy and shares my data what options do I have?
Under the Aadhaar law any such breach is a criminal offence and a
person can be punished. There is a process for this.
So I would need to go to UIDAI authority and file a complaint?
At this point of time yes you shall have to come to UIDAI if there is a
violation of the Aadhaar law.
Because only the authority can act on it'�
The complaint has to be filed by UIDAI or any officer authorised by it.
Over a period of time we shall create a whole mechanism and authorise
several others to act on the complaints on behalf of UIDAI.
Why can only UIDAI file a complaint and not the person who suffered the
breach of privacy, considering UIDAI authority is the delivery agency
and it is being asked to check breach of its functioning ? Why can't I
go and file an FIR saying my privacy has been breached?
Under the general criminal law the police officer understands the
issues of say what is grievous bodily injury or assault and therefore
they are in a position to act. But this is a specialised act. Let us
say a person goes to complain about Aadhaar law then the person should
be able to understand whether an offence has been committed or not.
This is a problem in all specialised laws not just UIDAI. Take other
economic crimes it all requires someone should understand that
violation has been committed and a complaint should be lodged. So that
was the logic, that this is a specialised area and before the
investigative machinery is set into motion there is a pre-check by a
What is the controversy over UIDAI asking for biometric authentication
through its protocols being imposed on phone companies and operating
systems, such as those of Google?
We initiated a discussion with all device manufacturers and those
providing operating systems. We want to make Aadhaar universally
available. So, what we said to them, if they want, we can provide
Aadhaar authentication facilities through their devices. I gave them
the example of how GPRS has become a de-facto standard across
smartphones. So what we have said is, in case a device manufacturer
or an operating system provider is interested we can make their devices
Aadhaar enabled. If that happens people can sign in and carry out
Aadhaar-based transactions from their phones too. If they want, they
can put it in some of their devices and not in others or maybe in one
model or choose not to do so. Ultimately it is the people who will
decide what they want.
If a company has five smart phone models and one has Aadhaar
identification in the future the consumer may decide to buy that one
and not the other one. So, we are not mandating that phones have it, we
are merely saying we are willing to provide support for it.
Are they facing technical problems with encryption requirements?
We are working on it. This will require a lot of work. We have had
three rounds of discussions with them. We need to work with all of them
' device manufacturers, operating system providers. We are talking to
them that in case you decide to use Aadhaar how is the data kept and
transferred in a secure manner and what should be the encryption
mechanism. We shall have several more meetings before we decide what
the best standard process to follow is. And this is something which
will be only for those who are willing to participate.
So you are not saying you shall make it mandatory?
At least from the UIDAI side we have not said it shall be mandatory. We
cannot make it mandatory under the law. If you see in every case we
just offer the facility and the government decides if it wants it
mandatory for some scheme or not. We say we just want to enable
Aadhaar. If Aadhaar is going to be used on some platform or device it
has to be standardised for authentication.
_/ Frederick Noronha http://about.me/noronhafrederick http://goa1556.in
_/ P +91-832-2409490 M 9822122436 Twitter @fn Fcbk:fredericknoronha
_/ Hear Goa,1556 shared audio content at https://archive.org/details/goa1556
# distributed via <nettime>: no commercial use without permission
# <nettime> is a moderated mailing list for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: http://mx.kein.org/mailman/listinfo/nettime-l
# archive: http://www.nettime.org contact: nett...@kein.org
# @nettime_bot tweets mail w/ sender unless #ANON is in Subject: