06 A ‘permanent identity’ that ‘cannot be duplicated’

The biometric identification—the fingerprints, photograph of the face and the iris scan—are supposedly a foolproof way of ensuing that the identity of the person. There are two problems here—one in data capture (permanence) and the other is data integrity (duplication).

Data capture is a Herculean task, apart from being a logistical nightmare (just think of the thousands villages without electricity, multiply that by the number of ration shops, thasildhars offices and banks… and you begin to get the idea). UIDAI itself seeks to update its database periodically, because the face changes, people grow up, grow old…. Not so well known is that fingerprints also change, and faster for manual labourers—the very section it is marketed as supposed to be helping, and in whose name everything is being done. So they will have to update their fingerprints much oftener than others—resulting in their losing a days wage (plus bribe costs) for each update.

Identification of ‘terrorists’—especially killed ones will not be enhanced by the use of biometrics. Fingerprints have a success rate of only 44% and an error rate of 22% even in controlled circumstances. The use of mehandi makes fingerprint comparison difficult, as the UIDAI Biometric standards committee itself admits (p52) Lawsonia Inermis (commonly known as henna or mehandi) can cause significant differences in the quality of fingerprint images. Widely used by women in the Indian sub-continent during festivals, henna is applied on hand/fingers and when applied, fingerprint sensors may not properly capture fingerprint features.

The iris scan is ineffective after death. Fingerprints are unreliable after rigor mortis, not to speak of conditions of mutilation after burns or decay in water. Iris changes periodically for those suffering from a variety of common diseases—retinopathy, chronic glaucoma, hypertension and diabetes. As a point of interest, India is the diabetes capital of the world, with 50.8 million Indians suffering from diabetes. By 2030, nearly 9% of Indians are likely to be affected from the disease.

About 35% of the population will not even be within acceptable limits of error in biometrics. The the iris does not stabilise before eight years of age and the fingerprints do not stabilise before 16 years. So children will not be covered with any degree of accuracy—and should be exempt from this futile exercise. But to ensure ‘profitability’ their biometrics are going to be captured any way. As UIDAI tells us, Aadhaar is ‘for every individual, including infants’.

Investment to monitor government schemes such as Sarv Shiksha Abhiyaan and Integrated Child Development Schemes will come to naught. Aadhaar cannot address the corruption or bogus claims. Even with Aadhaar, mothers can still claim to have delivered five babies in 60 days and claim Rs 1000 as incentive’—as they did in Bihar on July 2010. Ironically, since the biometrics of children are going to be captured any way we are actually adding another layer of corruption—a high tech one at that—because it will give an incentive for those collecting the biometrics to inflate the numbers.

The case of Keralam is intriguing, and a pointer to what would happen. As usual, UIDAI relies on others—called registrars—to do their data collection. The registrars are free to collect whatever other information they want, so long as they collect the stipulated demographic and biometric data for UIDAI. In Keralam, not only are the registrars IT@School collecting the biometrics of six million students, but they are also collecting the class and roll number into their Student Management System. It is certain that such data will not be erased, leading to privacy and security concerns. This certainly is not the ‘black database [that] no one can read from’ as promised by Nilekani. This process is called ‘creeping functionality’. In this case it is by design since though UIDAI will ‘only’ give the number, the government is making it mandatory for opening back accounts etc.

The draft NID Bill even has provision for other enrolling agencies—an agency appointed by the Authority or by the Registrars, as the case may be, for collecting information under this Act (2i)—meaning an infinite spiral of sub-contracting. It is the contractor with the lowest skills that will win the bid and become the enrolling agent—and he will give it to a 10 standard fail person to do the actual work. Even the premier snooping agency, the National Technical Research Organisation the actual operators listening in are lowly-paid officials earning about Rs 8,000 to Rs 10,000. They can cause immense harm and blackmail people they are tapping. Not all will be Nilekanis sitting there. Guess which way accountability is going?

A critical part of it all is data collection. The [Biometrics Standards] Committee feels that the UIDAI should collect photograph and ten fingerprints as per ISO standards. The people collecting this data are going to be from the lowest quotation contractor. A look at the mess for the voter ID cards is a pointer in the direction.

The biometrics are difficult to replace for the ordinary citizen, yet easy for the government and criminals. The duplication and falsification software already exists, for fingerprints, iris scans and for the face. At the moment it is a bit expensive, about Rs 1500 per iris, but it will not always remain so. The economies of scale will kick in. When many people want to duplicate, it will become cheaper in the grey market. In case of computerising railway ticketing, the investment to hack and block book is disproportionate to the returns. In the case of the UIDAI goldmine, any investment will be worth it. Once hacked, the cost of duplication is so low that we will probably have people selling it for Rs 30 on the sidewalks of Kathmandu, and under Rs 10 in Burma Bazaar.