Monday, March 19, 2012

Genesis of UIDAI - Part 2

A few months ago, UIDAI was clouded with uncertainty about the vision and mission of UID. The point of contention was NPR and UID. Both these initiatives were based on a similar foundation: creation of a centralized identity register. The EoGM was supposed to conclude on the merging of the two initiatives; however that was never done. This delayed decision making led to the outburst in media between PC and UIDAI Chairman in late 2011, early 2012. A lot of speculations were being made about UIDAI's existence, about corporate celebrities not surviving in the government system, and what not…..the real reason for this friction was because of the rivalry between the Finance and Home Ministries - UIDAI is housed under Finance Ministry (via Planning Commission) where as NPR is housed under Home Minstry(1)

And then during late January, both the entities decided to wave white flags towards each other. There was an agreement, thanks to the Prime Minister. And the agreement was truly a neutral, diplomatic agreement to keep both the entities satisfied. Just another classic example of how Indians avoid confrontation, they shy away from dealing with the real problem instead chose to make a temporary fix to the burning issues. The decision - both UIDAI and NPR have split the work of enrollment: UIDAI is allowed to enroll 600 M (400M in addition to the 200 already enrolled); whereas NPR is allowed to enroll the remaining residents. NPR will work along the coastal and international border areas mainly; in addition to the allocated geographies! (2)

However, what puzzles me is (and I have not managed to find answers) is the cause and genesis of NPR. NPR's website clearly states that creation of NPR is for (3):

  • Helping in better utilization and implementation of the benefits and services under govt schemes
  • Improving planning
  • Improving security

NPR database is created in the following manner: (4)

1. Creation of demographic data by getting demographic information from citizens

2. Capturing biometric data from citizens

Demographic data is collected as a door-to-door activity, the data is captured in NPR schedules - paper-based forms. The data is then digitized by scanning the NPR schedules and applying ICRs (Intelligent Character Recognition SW).

Biometric data is collected via camps - the hardware equipment and registrars used for biometric enrollment is essentially the same as the one used by UIDAI. The biometric data is then sent to UIDAI's database for de-duplication and generating an UID number.

So, for the areas where NPR is responsible for doing enrollment, the database can be shared but vice-versa has not been addressed at all.

So, to summarize the duplicity of UID and NPR leaves a lot of questions unanswered:

(1) Sharing the data between NPR and UIDAI

While it is clear that the geographies in which NPR will do the enrollment, they will capture the data and share it with UIDAI. However, UIDAI's mandate states that it is not supposed to share the biometric data with any entity unless it is a question of national security. So how will NPR's database be populated for the geographies where UIDAI will do the enrollment

(2) What is the "use" of NPR's database?

UIDAI has been building Aadhaar enabled payment systems, Aadhaar bridge gateway, opening up the authentication interface for a cloud-based Aadhaar service etc. However, I have not seen any plans on NPR for using the database either for security purposes or for other social benefits

(3) Duplicity of storage and maintaining the infrastructure

UID captures 6 fields, NPR captures 15 fields for demographic data and both UID and NPR capture Iris, Photo and ten fingerprints for biometric data.

This amounts to ~8.1 MB of data per person (5)

For 1.2 Bn Indians/residents of India, ~9.7 PB of data storage is needed for UID and a fraction more for NPR.

Approx 10 PB of data is equivalent to 200 Million four-drawer filing cabinets filled with text OR ~133 years of HD-TV video!(6)

The costs involved in the storage and managing such infrastructures is humungous - are we really duplicating all of this? I hope the decision makers have given it a "good" thought, otherwise your money and mine is being used for initiatives which are not only redundant but also reap no incremental benefits to the common man!








Tuesday, March 6, 2012

Genesis of UIDAI - Part 1

All this while I was under the 'assumption' that the idea of UID had come up during the BJP regime, and it was being concepted primarily for security purpose - on similar lines as the social security concept of the occidental society! But well, I was I started exploring the genesis of UID. Here is the background for those who are interested:

In March 2006, the seeds of UID were sown with the concept of "Unique ID for BPL families". The idea came from Dept of Information Technology. Total budget allocated was 46.7 Cr 2

In July 2006, Processes Committee was set up to come up with the idea of a common database. They suggested the need of a UID Authority to be created under executive order set up under Planning Commission, to ensure pan-departmental and neutral identity (please note: this was a recommendation from the Processes Committee!)1

At the same time, RGI was engaged in the creation of NPR (National Population Register) and issuance of Multi-purpose National Identity Cards to citizens of India

Between Nov 2007 and 2008, it was decided by EGoM (empowered group of ministers) to set up UIDAI under Planning Commission

It was decided that UIDAI would be anchored in the Planning Commission for five years after which a view would be taken as to where the UIDAI would be located within the Government

In Eleventh Five Year Plan, the main objective of UID was clearly drafted:

"The long term objective of the UID Project is to create a Core Database (CDB) for all residents, each having a unique identification number, which is regularly updated and is easily accessible to, and is used by, all departments for identification of residents in the country. The CDB would be used as the basis for identifying a person and enabling cross-linkage of major databases in the country. It is envisaged that the UID could significantly reduce identity related fraud, reduce leakages and allow for better targeting of government schemes"3

What remains to be understood is why was NPR started? What was the strategy decided for NPR and UID?

The second meeting of the EGoM was held on 28 January 2008. It decided on the strategy for the collation of NPR and UIDAI. Inter-alia, the proposal to establish UIDAI Authority under the Planning Commission was approved.3

Wait for Part 2 to understand the idea of NPR and why it originated, strategy of UID and NPR merging together i.e. if I manage to find that information!



Tuesday, February 21, 2012

How safe is UID?

Snippet from Mr Nandan's interview with Business Today

Privacy is something you trade for convenience. Even when you talk on the phone, you are subjecting yourself to the risk of being overheard -talking on phone could be taken as invasion of privacy. But the fact that I have a cell phone and anybody can reach me anywhere is an empowering thing that I am willing to take the risk for that. When you want to apply for loan, you will share all details of your assets---now that is also confidential information. But you are doing that for the benefit of getting a better loan. The information we collect is name, age, date of birth and sex. This is information that is already available if you have a voter card or a passport.

That says it all! UID is a game-changer for the common man - In Mr Nilekani's own words, UID is set to do the same to common man, what liberalization did to middle class in India!

Anyway, back to the authenticity of the technology of UID used. Security and safety regarding UID can be broadly classified in the following buckets:

(A) Enrollment: Criminals getting enrolled via fake documents
(B) Enrollment: Duplication - Already enrolled residents enrolling more than once
(C) Enrollment: Violation of document verification - KYR
(D) Data Center: Vulnerable to hacking attacks
(E) Authentication: False Rejection Rate
(F) Authentication: False Acceptance Rate

(A) Enrollment: Criminals getting enrolled via fake documents>

Yes this is a strong possibility. But the whole vision and mission of UID is inclusion and what can a UID give you:
  • Creating a bank account - but remember this is a no-frills bank account
  • Getting a SIM card - this is a threat
  • Access to subsidy - Per person subsidy is marginal, and would a criminal / terrorist be interested in subsidy?
  • Other privileges - We don't know what shape this monster will take, if it is tamed it will provide immense benefits to one and all
Overall, UIDAI has created a process for getting people enrolled. Does technology play a role in blocking criminals or people who are a threat to the nation from the UID system - NO! It is the process which has to be made more stringent. Fake documents and id proofs are a common problem in India. That needs to be addressed.
From UIDAI's side, stringent policies and processes for document verification should be imposed

(B) Enrollment: Duplication - Already enrolled residents enrolling more than once >

This is where technology plays a vital role. If someone tries to re-enroll in the UIDAI system, the biometric de-duplication on UIDAI's servers should catch such an imposter.
There was a pilot run by UIDAI for verifying whether biometrics / fingerprint is good enough to detect such anomalies, and the numbers are extremely impressive:

Tests were done with 84M enrolled population

Failure to enrol (FTE):
Every resident gets an Aadhaar number

Biometric FTE:
0.14% = 1.68 M people
De-duplicated using demographic data and checked manually for fraud. The legitimate cases among these are issued Aadhaar number

False Positive Id Rate FPIR:
0.057% = 0.684 M people
At the rate of 1M enrollments / day - 570 cases to be reviewed manually to ensure that eligible people are not denied Aadhaar numbers

False Negative Id Rate FNIR:
0.035% = 0.42M : Number of Duplicates, Worse Case Scenario
0.00018% = 0.0021M : Number of Duplicates Best Case Scenario

All the numbers have been derived from the report published by UIDAI

(C) Enrollment: Violation of document verification - KYR

I have not seen the real action, and I also know for a fact that some of the media articles are exaggerated and misconstrued, but the KYR verification plays a significant role and the registrars and various entities should ensure that the processes are followed-to-the-tee

(D) Data Center: Vulnerable to hacking attacks

The article says it all :)

(E) Authentication: False Rejection Rate

Yet to see the results from UIDAI

(F) Authentication: False Acceptance Rate

Yet to see the results from UIDAI

The enrollments and security aspects from technology perspective have been addressed well by UIDAI. What remains to be seen is how will authentication unfold?

Sunday, December 4, 2011

The need for UID in India

Why do we need one unique identity system? In India, we do not have any single identity system which has 100% penetration, 100% 'safe', 100% inclusive and cannot be easily faked. There are at least 20+ acceptable documents for proof-of-identity and even more documents acceptable as proof-of-address.

The below table gives an indication of the penetration of the existing acceptable forms of identification and proof-of-address

UID overcomes the problems of

  • non-inclusiveness
  • low or medium coverage
  • possibility of duplication
And most important, it is is digital - you don't have to carry any documents. You just need to remember your 12 digit number! How cool is that.

Watch out for the next post on the authenticity of UID.

Sunday, November 6, 2011

The Identity - UID and India!

Who doesn't want an identity? Each one of us wants to be identified, acknowledged and differentiated. Think about it - be it our work, be it our house or be it our clothes, we want to be different, we want to be unique, we want to have an identity!

People from all strata, from all parts of the society have an identity in various forms. The more privileged people like you and me have identities in various forms like an identity at work, in our social circles, an identity via which various services get delivered to us, an identity via which various avenues open for us. Think about it, right from the time you are born - you get an identity in the form of a birth certificate, you enter school via an identity - be it in the form of your family name, birth certificate or something else (well the extent of commercialization in education sector in India today, I would not be surprised!)

For the lesser privileged people as well there is an identity in their own small circle - be it the orphans on the street or the other under-privileged folks, everyone has and needs an identity in their social circles. Unfortunately the identity of these people is restricted only to a very very small community which essentially cuts all their avenues to opportunity.

Enter Mr Nandan Nilekani and his experienced team of technologists and bureaucrats who have managed to pull together an incredible feat of setting up the WORLD'S LARGEST BIOMETRICS DATABASE! The uniqueness of this central database is not only that it provides unique identification for one and all in India, but is also meant to be inclusive and social unlike that of the other western countries.

This blog is dedicated to the cause of Aadhaar. I have been actively following the Aadhaar initiative for a while now, and I must say that it has invoked a lot of emotions in me. I am proud to see such a 'unique' system being set up where the corporate world is marrying into the govt system, and coming together to create a new India!