Aadhaar Final Hearing [Day 23]: AG Discusses Responses To Questionnaire On Powerpoint Presentation

With the PowerPoint presentation by Dr. Ajay Bhushan Pandey, UIDAI CEO, on the technical and security aspects of the Aadhaar project having concluded last week, Attorney General (AG) KK Venugopal on Tuesday, Day 23 of the Aadhaar final hearing, discussed the responses to the questionnaire submitted by the petitioners in context of the presentation.
Following are the key takeaways from the hearing before the five-judge constitution bench of the Supreme Court:

Rate of authentication failure

The AG advanced that the authority does not keep a record of state-level data as to the statistics of authentication failure as the location is not captured at the time of authentication. However, at the national level, he acceded that the rate of failure in respect of iris scan is 8.54%, and for fingerprints 6%.

Biometric exceptions

For leprosy patients, for whom fingerprint authentication may not be feasible, iris scan may be resorted to.
In the unlikely event that both of the above fail, the AG pointed towards alternative means of authentication such as one time passwords (OTPs) on the mobile number and scanning of QR code on the reverse side of the Aadhaar card.
He added that even the statutory framework requires ‘requesting entities’ to provide for measures for handling biometric exceptions.  He cited Section 5 of the Aadhaar Act, Regulation 6 of the Aadhaar (Enrolment And Update)
Regulations 2016, and Regulation 14 of the Aadhaar (Authentication) Regulations 2016, as the special provisions for enrolment of residents with biometric exceptions.
Justice DY Chandrachud and Justice AK Sikri remarked that the UIDAI, being responsible solely for the architecture of the Aadhaar scheme, could not assert that there have been no instances of denial of rightful entitlement.

Biometric deduplication rejections

The AG submitted that over 6 crore rejections could be attributed to the deduplication which is effected by the Aadhaar scheme with a view to avert fake identities. Also, many individuals innocently apply for enrolment multiple times because of the delay in getting their Aadhaar cards due to postal delays, loss or destruction of their cards or confusion about how the system works. Each time one applies for Aadhaar, the system identifies this as a new enrolment.
He added that the Aadhaar project has been implemented after deliberating on all alternatives for years. He also assured that as and when the need arises, the Aadhaar Act of 2016 and the Regulations thereunder could be amended. Advancing that the project is a policy decision adopted by the Executive at the topmost level, he prayed that its constitutional validity may not be questioned.

Rejection of enrolment packets

The total rejection figure for enrolment packets is 18 crores as on March 26. These rejections are due to various technical reasons like:
1. Data quality reject such as address incomplete, name incomplete, use of expletives in names, address, photo is of an object or of another photo, age photo mismatch etc.
2. Failure of operator/supervisor/introducer/Head of Family validation

Option of opting-out upon attaining majority

One may not revoke consent upon attaining the age of 18 years, but residents may permanently lock their biometrics, only temporarily unlocking the data for authentication as per Regulation 11 of the Authentication Regulations.

Verification/correctness of documents submitted for enrolment/updation

For verification based on documents, the verifier present at the enrolment centre will verify the documents. Registrars/enrolment agency must appoint personnel for the verification of documents.

Identification of individual

Biometric authentication of an Aadhaar number holder is always performed as 1:1 biometric match against his/her Aadhaar number (identity) in the CIDR. Based on the match, the UIDAI provides a ‘yes’ or ‘no’ response; the former implying a positive identification. Each enrolment is biometrically de-duplicated against all (1.2 billion) residents to issue the Aadhaar number (or Unique identity).

Whether authentication is probabilistic

Not probabilistic; in case of authentication failure on the ground that biometrics were not correctly captured, family-based authentication, alternative modalities, biometric fusion or non Aadhaar-based exception process may be adopted.

Whether rate of authentication failure is higher among individuals below 15 years and above 60 years of age

No conclusive evidence; chances of authentication failure is higher only in case of fingerprint authentication among individuals above 70 years of age.

Reasons for blacklisting of 49,000 enrolment agencies

Said enrolment operators were blacklisted at the stage of quality assurance for the following reasons-
• Illegally charging the resident for Aadhaar enrolment
• Poor demographic data quality
• Invalid biometric exceptions
• Other process malpractice

Whether Point of Service (PoS) readers store biometric information

It was submitted that the UIDAI mandates use of registered devices which rules out possibility of storage of biometric data; Regulation 17(1)(a) of the Authentication Regulations restrains ‘requesting entities’ from storing any data.

Time, date, location and purpose of authentication

The UIDAI asserted that the IP address or GPS coordinates of the device effecting the authentication or the purpose of location is not received by any entity in the Aadhaar architecture. Section 32(3) of the Aadhaar Act and Regulations 18 and 20 of the Authentication Regulations were relied upon in this behalf.
However, it was admitted that “Authentication User Agencies (AUAs) like banks, telecom etc, in order to ensure that their systems are secure, frauds are managed, they may store additional information as per their requirement under their respective laws to secure their system”.