Aadhaar infrastructure deficiencies detailed in CAG audit report

The Comptroller and Auditor General (CAG) of India has published a detailed report on the functioning of the Unique Identification Authority of India (UIDAI) in which it points out a list of loopholes in the Aadhaar infrastructure. The report also highlights shortcomings in the process of generating Unique Identification Numbers for Indian residents through a system that was introduced back in 2009 and received a different legal backing in 2016. Pointing out the issues, the report names HCL Infosystems and HP as two private entities behind some major IT problems in the Aadhaar infrastructure.

The 108-page report, prepared for submission to the President, lists several loopholes that affect the infrastructure of Aadhaar. It includes the evaluation of the Unique ID system implemented by UIDAI between 2014-15 and 2018-19.

One of the biggest problems the CAG report highlights in the Aadhaar system is duplicate enrollment, in which HCL Infosystems is indicated to have a primary role. The IT company was appointed as the Managed Service Provider in August 2012 to handle UIDAI’s end-to-end infrastructure. It works with private vendors that provide automated biometric identification systems to help identify duplications in data.

UIDAI has a two-stage process to identify duplicate enrollments where the first stage matches demographic data and the second stage looks for biometric matching of fingerprint and iris.

The report said that the nodal body of Aadhaar relies on self-declaration to verify the ‘resident’ status of applicants at the time of their enrollment. This makes it possible for Aadhaar cards to be issued to “non-genuine residents”, as per the audit conducted by the CAG.

The report also notes that UIDAI’s deduplication process is susceptible to generating multiple Aadhaar numbers. The CAG suggested that the authority can solve this problem through human intervention.

The report said that UIDAI was not able to furnish any regional office-wise data on the number of Aadhaars as it was not available with the authority. However, the UIDAI regional office in Bengaluru showed 5,38,815 cases of multiple Aadhaar numbers between 2015-16 and 2019-20. According to the report, there were also instances at the Bengaluru Regional Office of unique ID numbers with the same biometric data being given to different residents.

The CAG also noted that as of July 2016, HP was responsible for storing the physical set of records provided by individuals at the time of enrollment with the UIDAI. The audit found that not all the Aadhaar numbers stored in the UIDAI database were supported by documents.

The statutory authority said that despite being aware of the fact that not all Aadhaar numbers were linked with the personal information of their holders, the UIDAI is “yet to identify the exact extent of the mismatch, though almost ten years have passed since the earlier Aadhaar numbers were issued” in January 2009.

It was also observed that a large number of voluntary biometric updates occurred over the past several years, suggesting an inability to capture accurate biometric data during enrollment.

The report also pointed out that UIDAI was not able to verify the infrastructure and technical support claimed by third parties offering to submit identity information for Aadhaar verification.

Since its inception, Aadhaar has been used as an identity source to avail welfare schemes offered by the government. Telecom operators and banks also require an Aadhaar number to facilitate customer enrollment for their services. Due to all this, there was a huge increase in the number of Aadhaar card holders in the country. This number has now exceeded one billion.

However, the report said that UIDAI has not yet developed a data collection policy through which it can effectively move data that is no longer actively in use.

Entities using Aadhaar verification are also not obliged to store personal data of residents in a separate vault.

UIDAI made the requirement of Aadhaar Vault mandatory for all authentication user agencies and e-KYC user agencies in July 2017. However, the CAG’s audit suggested that the Authority had “not established any measure/mechanism to confirm that the entities involved followed the procedures for setting up the vault” to store residents’ data.

The audit report also highlights loopholes in restricting authentication agencies to use only secure devices to store biometrics and signatures of Aadhaar cardholders. Further, it suggests that UIDAI opted not to penalize any private entity and instead restructured the contracts.

“There were lapses in the management of various contracts entered into by UIDAI. The decision to waive off penalties for biometric solution providers was not in the interest of the Authority, giving undue advantage to the solution providers, sending the wrong message of acceptance of the poor quality of the biometrics captured by them,” the report said.

Gadgets 360 has reached out to UIDAI, HCL Infosystems and HP for their comments on the report. This article will be updated when the bodies respond.

Security issues, privacy concerns and structural flaws with Aadhaar were well-reported in the past. However, UIDAI has not brought any major update to its system yet.

