The UIDAI project is arguably one of the biggest initiatives, in both scope and cost, undertaken in independent India, without any of the expected norms of prudence (oversight) and democratic consensus. Variously estimated to cost anywhere between Rs 40,000 and Rs 150,000 cr (INR), which is roughly equivalent to about USD 1 bn to USD 15bn, it has been kicked off with a Cabinet-sanctioned budget of Rs 1,900 cr (ie about USD 50mn) this fiscal (Apr10-Mar11). The budget is believed to be somewhat of a smokescreen, as it does not appear to include moneys taken from other agencies. However, the lack of clarity about money is not the only issue, as the project has been cleverly positioned within the Planning Commission, an arm’s-length agency charged with perspective planning for the country, which is independent of the usual line of command. As a result, the project has neither Parliamentary sanction nor even a (temporary) Ordinance.
The UID project is in many ways a global watershed, expecting to assign a unique number to every resident of the country, well over 1.2 bn people, a staggering concept, the scale of which has itself been used to justify taking on the project (by equating the immensity of the challenge to its worth). Considering my association with Privacy International, my concern is well-founded on grounds of potential destruction of personal privacy, but this is a very difficult viewpoint to defend in India, which does not have a specific privacy law, and for which the existing Constitutional protections (alluded to, not spelt out) have not always been strongly defended by Indian courts.
An international project, studying Privacy in Asia, seeks to ameliorate this situation, by getting to grips with comprehending Indian attitudes (ie, within the ambit of Asian attitudes). However, given that the UID project is gathering steam and proceeding willy-nilly, it is imperative to make every effort to bring it to a halt, at least a temporary halt, until sufficient information is available.Surprisingly little awareness exists about the UID project itself, about which whatever little is known is largely the ‘party line’ handed out by the UIDAI’s PR effort, itself extremely high profile. To try and stem the tide, volunteer organisations are working to bring crucial information into the public eye, that casts doubt about the UIDAI project, its intentions, and its likely results.
I was part of 3 public meetings, in Pune and in Mumbai, just last week, conducted with Dr Usha Ramanathan, a legal researcher from Delhi and Prof R Ramkumar, a professor from the Tata Institute of Social Sciences in Mumbai.
The first meeting was at Symbiosis Institute, a ‘deemed’ university. There were 5 panelists, Dr Usha Ramanathan, Prof R Ramkumar, a professor from the Tata Institute of Social Sciences in Mumbai, Prof JG Krishnayya, widely acknowledged as the ‘father’ of e-Governance in India, Prof Lalit Kathpalia, the director of the Institute, and myself. The panel was moderated by Anupam Saraph, the CIO of Pune city, and organised by Open Spaces, a very active NGO in Pune, together with the Symbiosis Institute of Computer Studies and Research. It was well attended, with about 50 people present, including students, mediapersons and general public.
About the other panelists: Usha and Ramkumar are fairly widely known (to a limited audience) as opponents of the UID project, Ramkumar having authored an article in Frontline (a popular magazine) in July 2009, shortly after Mr Nandan Nilekani was appointed as chair of the UID Authority of India, a quasi-governmental organisation. Usha has also written and lectured widely. Prof Krishnayya has run the Systems Research Institute in Pune for decades, and this was Mr Narayanamurthy’s first workplace, before he left to start Infosys with Mr Nilekani and 5 others (this link, from a news report published on 21 Jan about a function held to felicitate Prof Krishnayya’s 75th birthday, is interesting as it hints at the relationship between the infosys founders and Prof Krishnayya). Prof Kathpalia has joined academia after about 23 years in the IT sector, including 5 years with Infosys.
Mr Saraph began by introducing the UID project, a subject close to his heart as he has been running an ‘identity’ project in Pune city, aimed at assisting its migrant population, since his appointment 3 years back. As he informed us, Mr Nilekani, whom he also knows personally, was briefed about the existence of this project as soon as he was appointed, but has failed entirely to take note of it or to interact with Mr Saraph. One of the initiative’s chief characteristics is its lack of dependence on a central database, and the second is its entirely voluntary (opt-in) nature. The objective has been to help Pune residents get bank accounts etc in the absence of the documents specified by the Reserve Bank of India’s ‘Know Your Customer’ norms, and flowing from this, other services, as needed, from government agencies (bank accounts that remain unauthenticated under the KYC protocol are frozen, and if fresh, will not be sanctioned).
Mr Kathpalia expressed the belief that a central identity authenticating service was essential to ironing out the kinks in delivery of public services, especially subsidies, in which leakages are felt to severely damage effectiveness, despite the vast budgets.
Prof Krishnayya described the Indian demographic scenario, which broadly divides the country into three very large groups. The Urban sector lives in vary large cities, the semi-urban in smaller cities, and the Rural lives in villages and hamlets with less than 3,000 residents, typically very widely dispersed. The design of public services delivery must take into account the very different conditions each of these geographical dispersals impose on systems, but this has largely been lacking, he feels.
Usha laid out several procedural problems with the project, beginning with the fact that it has been undertaken without even a feasibility study. This lacuna, which might conceivably be a key part of Mr Nilekani’s objective of driving the project ahead at all speed, is being dealt with by using each of its initial phases as opportunities for streamlining. However, problems being thrown up are being wilfully ignored, defeating the purpose of streamlining, especially as they indicate the presence of deep structural and conceptual flaws in Mr Nilekani’s vision (which was expressed in a book he published at the end of 2008, Imagining India, believed to be the reason the Indian Prime Minister invited him to head the project). She has also personally witnessed enrollment processes of migrant workers in Delhi, and observed appalling compromises and the use of coercive techniques to finish the work, with lack of oversight and training resulting in callous disregard of the existing identity information put together by migrant workers for themselves, in some cases, over decades.
Ramkumar described his interactions with Mr Nilekani at the project definition stage, at a retreat attended by senior government officials. He is convinced that Mr Nilekani is now completely impervious to suggestions that this project is flawed, including serious problems with his grasp of the root problems of delivery of public services. This may not even be the purpose of the project, which Ramkumar’s research has revealed is rooted in the Kargil war, a border skirmish with Pakistan in 1999, following which the then government (now in the opposition) proposed to issue the Multipurpose National Identity Card to border residents, evidently to prevent infiltration by undercover militants. A secondary purpose was to stem illegal immigration, most significantly from Bangladesh, which shares a very large land border with India. The issues of foreign militants and immigrants are a popular topic to drum up political support, most typically by right-wing political ideologists, and hardly ever countered by political thinkers representing other viewpoints.
The trouble with MNIC or any other such card concepts is that the Census Act specifically protects the privacy of censused people, thus this database is inaccessible for the purpose of issuing citizen identity cards. To get around this, the Citizenship Act of 1955 was amended in 2004 to enable the creation of the National Population Register, a database of Indian citizens. The exercise is to kick off this year, 2011, by using census data collection staffers to ‘double up’ as NPR data gatherers, thus bypassing the privacy provisions of the Census Act. The ‘right-wing’ government (actually a coalition of interests) was defeated in the following General Elections, but is unlikely to significantly oppose (and hasn’t done so) moves by the present government to create such a database.
The present talk of social service delivery comes across as a smokescreen to cover the underlying ‘national security’ need. In fact, it is very conveniently placed to ease the exit of direct government participation in services delivery, substituting this with an outsourcing model with which Mr Nilekani is well familiar, having helped build Infosys’ commercial business on just this basis. This also explains the surprising lack of public discussion, as this is a very radical policy change, likely to be highly contentious. Widespread corruption within the subsidy schemes also explains why their implementing agencies are poorly positioned to criticise the UIDAI approach, which effectively places the blame for leakage of money and goods on the end-users, the poverty-stricken beneficiaries of those schemes.
Aside from subsidies and services delivery, the UIDAI approach also harps on financial inclusion, ie, bringing the majority of the Indian population within the ambit of the mainstream banking system. As has happened in other parts of the world, the banking system is growing towards increasing automation and lessening emphasis on personal interactions, and this has seen a drop-off in the number of retail branches available per capita. The informal rural banking system, run by moneylenders, is being edged out by microfinance institutions, but these too have proven difficult to operate, with high rates of interest resulting in defaults and the rise of coercive techniques to extract repayments.
The UIDAI project is seen as a fillip to the mainstream banking segment, which will gain a vast number of new accounts to which subsidy payments will be credited directly by government agencies. There is no onus to create branches, as ‘agents’ are being appointed to disburse cash to accountholders, for which identity authentication systems are necessary in order to minimise fraudulent diversions. Such systems are also needed in order to open the bank accounts in the first place, as the documents demanded by the mainstream banking system as identity authenticators are mostly unavailable for the rural poor. Instead, the UID number is being touted as the perfect substitute, and the banking system is already making plans to compulsorily apply the UID number as an identifier. The ‘voluntary’ nature of enrolling for a UID number is thus creeping into a mandatory registration, without which modern life (bank account, telephone services, utilities) life will be impossible.
My contribution comprised an outline of the technology issues relating to the implementation of this project, ending with a summary of its project management flaws. Primarily: biometric information, both fingerprints and iris scanned, is completely unknown and largely unresearched as a tool for use in unique identification. While iris scanning is pretty new, about a decade or so, fingerprints have been used to identify repeat offenders by police/security forces around the world, and as a part of forensic investigation at crime scenes, and their use in access control systems has emerged in parallel only fairly recently, with the introduction of digital emulations of fingerprint patterns. Interestingly, the future of fingerprints in forensics is now in severe doubt, as court cases in the US have revealed that the procedures are fundamentally flawed. Iris scanning is akin to airport bodyscanning, in that the processes are being put in place in various places around the world, without any scientific basis or reason to believe that they are valid or foolproof, while being fundamentally an extreme invasion of personal space (in the case of bodyscanning, also invasive in terms of potentially hazardous radiation exposure). Other biometric identification systems, that at least in theory ought to be more accurate, such as DNA fingerprinting, are far too expensive and slow for this application.
About project management, the lack of a preliminary feasibility study, resulting in a project taking off without a tightly designed process, serious flaws in the process design, including a flagrant lack of process audit during enrollment, the current phase, and the lack of infrastructure to take advantage of ‘voluntarily’ proffered PII to assure tailored delivery of public services. As all these things are supposedly ‘in the pipeline’, the overall design of this project seems to be in the risky Ready, Shoot, Aim style, with ‘problems’ being ‘taken care of’ in due course (the ‘quotes’ are actual phrases used by Mr Nilekani in several interviews).
The other two meetings, with different audiences in Mumbai, covered much of the same ground, excepting that I was not myself a featured speaker or panelist. Instead, a biometrics expert, JT D’Souza, selling biometrics-based access control systems for secure locations, demonstrated how simple it is to spoof fingerprints, using extremely cheap commonplace materials and a little ingenuity. A video capture of the spoofing demo has been uploaded to YouTube.
The first meeting was held in St Xavier’s, a well-known Mumbai college (actually, arguably the best known college in the city). It was primarily for students, and the meeting hall was packed with students from the Economics, Sociology and Mass Media faculties. The post-presentation interaction was also very lively.
The second meeting was for the press, held in the Press Club, Mumbai, a favoured location for non-PR (ie not commercially sponsored) events here. It has resulted already in two news reports from the mainstream press in Mumbai city, and another from Chennai.
An important addition at this last meeting was pointing out the dubious connection between this project and L-1 Identity Systems, a US based company awarded the job of de-duplication, despite 1. its spotty record with other government bodies such as the New York State DMV, which slammed it (in a previous corporate avatar as Viisage Systems) for validating forged driving licenses, and 2. the presence on its board and in top-level positions of former senior persons from US intelligence agencies and armed forces, including Mr George Tenet, former chief of the CIA, whose submissions proved instrumental in assigning legitimacy to the invasion of Iraq, but were subsequently proven to be false, and former Joint Chiefs of Staff head Gen. Colin Powell, who as Secretary of State, actually presented the same false evidence to the United Nations. Last year’s report of World Bank funding for L-1 Identity Systems-focused identity projects in emerging economies, purportedly to improve the quality of delivery of government services, is disquieting, under the circumstances.