'4.7 Lakh Aadhaar Cards Cancelled As Duplicate, No Assurance That Card Holders Are Indian Residents' : CAG's Audit Of UIDAI

The country's top auditor, the Comptroller and Auditor General (CAG) of India, has pulled up the Unique Identification Authority of India (UIDAI) over a range of issues related to the issuance of Aadhaar cards.

The issues flagged by the CAG raise a cloud over the authenticity and uniqueness of Aadhaar cards and lend credence to the the concerns being raised by data privacy activists with respect to India's unique identification program.

UIDAI is the statutory authority established in 2016 to issue Aadhaar to all residents of the country. As of October 31, 2021, UIDAI had issued 131.68 crore Aadhaar numbers.

In its first ever performance audit report of the UIDAI dated April 6, CAG has examined the UIDAI's functioning between 2014-15 to 2018-2019 and has flagged a range of concerns with its de-duplication process and how flaws in the biometric capture process led to hundreds of thousands of people paying a fee to update their biometrics. It has also criticised the authority for "deficient data management" as in some cases data of Aadhaar card holders have not been matched with their Aadhaar numbers even after 10 years.

It has also criticised the absence of a system to analyse the factors leading to authentication errors, and said that even though UIDAI was maintaining one of the largest biometric databases in the world, it did not have a data archiving policy, which is considered "a vital storage management best practice".

"UIDAI provided Authentication services to banks, mobile operators and other agencies free of charge till March 2019, contrary to the provisions of their own Regulations, depriving revenue to the Government," the CAG report noted. 

It was further noted that the UIDAI did not have adequate arrangements with the postal department due to which a large number of Aadhaar cards were returned back to the government.

Here are the key findings of the national auditor: 

No assurance that all the Aadhaar holders in the country are 'Residents' as defined in the Aadhaar Act

In India, Aadhaar numbers are only issued to individuals who have resided for a period of 182 days or more in the 12 months before the date of application. In September 2019, this condition was relaxed for non- resident Indians, holding valid Indian Passport.

Opining that the UIDAI only requires a "casual self-declaration" to prove this and that there is no system in place to verify the residential status of an applicant, the CAG report notes, 

"…UIDAI has not prescribed any specific proof/document or process for confirming whether an applicant has resided in India for the specified period, and takes confirmation of the residential status through a casual self-declaration from the applicant. There was no system in place to check the affirmations of the applicant. As such, there is no assurance that all the Aadhaar holders in the country are 'Residents' as defined in the Aadhaar Act"

It further added that the UIDAI may prescribe a procedure and required documentation other than self-declaration, in order to confirm and authenticate the residence status of applicants, in line with the provisions of the Aadhaar Act. 

Duplication of Aadhaar

 The CAG registered instances of issuance of Aadhaars with the same biometric data to different individuals indicating flaws in the de-duplication process and issue of Aadhaars on faulty biometrics and documents. UIDAI's de-duplication process is supposed to ensure that no individual can obtain two Aadhaar numbers, and that a specific person's biometrics cannot be used to obtain Aadhaar numbers for different people.

However, flagging the ineffectiveness of such a de-duplication process, the CAG report states, "It was seen that UIDAI had to cancel more than 4.75 lakh Aadhaars (November 2019) for being duplicate. There were instances of issue of Aadhaars with the same biometric data to different residents indicating flaws in the de- duplication process and issue of Aadhaars on faulty biometrics and documents."

The CAG further noted that although UIDAI has taken action to improve the quality of the biometrics and has also introduced iris-based authentication features for enrolment for Aadhaar, the database continued to have faulty Aadhaars which were already issued.

Issue of Aadhaar to minor children below age of five- violates Aadhar Act, avoidable expenditure of ₹310 Crore

In India, Aadhaar numbers are issued to minor children below the age of five based on details given by their parents. However, the CAG report states that this goes against the basic tenet of the Aadhaar Act, which is to confirm the uniqueness of biometric identity. 

"Issue of Aadhaar numbers to minor children below the age of five, based on the biometrics of their parents, without confirming uniqueness of biometric identity goes against the basic tenet of the Aadhaar Act," it said.

It was also noted that apart from violating the statutory provisions, UIDAI also incurred avoidable expenditure of Rs 310 crore on issuance of Bal Aadhaars till 31 March, 2019.

"Apart from being violative of the statutory provisions, the UIDAI has also incurred avoidable expenditure of ₹310 Crore on issue of Bal Aadhaars till 31 March 2019. In Phase- II of ICT assistance a further sum of ₹288.11 Crore was released upto the year 2020-21 to states/ schools primarily for issue of Aadhaars to minor children", the report states further. 

The CAG suggested that since the Supreme Court has stated that no benefit will be denied to any child for the lack of Aadhaar document, UIDAI needs to establish alternate ways to determine the unique identity of children below five years.

All Aadhaar numbers not supported with actual documents containing personal information 

According to the CAG, all the Aadhaar numbers stored in the UIDAI database were not supported with documents relating to personal information of their holders and even after nearly ten years the UIDAI could not identify the exact extent of mismatch.

"Though with the introduction of inline scanning (July 2016) the personal information documents were stored in CIDR, existence of unpaired biometric data of earlier period indicated deficient data management", the report notes. 

Huge amount of voluntary updates by residents led to capture of faulty biometrics

The Aadhaar system allows its users to 'update' their fingerprint and iris scans for a range of reasons. Some of these updates are mandatory but people can also update their biometrics voluntarily. While mandatory updates are free for the residents, voluntary updates are chargeable for the residents at rates prescribed by UIDAI.

The report notes that during 2018-19 more than 73 per cent of the total 3.04 Crore biometric updates, were voluntary updates done by residents for faulty biometrics after payment of charges. 

"During 2018-19 more than 73 per cent of the total 3.04 Crore biometric updates, were voluntary updates done by residents for faulty biometrics after payment of charges. Huge volume of voluntary updates indicated that the quality of data captured to issue initial Aadhaar was not good enough to establish uniqueness of identity", the report states. 

Data protection

The audit report also stipulates that UIDAI should frame a suitable data archival policy to mitigate the risk of vulnerability to data protection.

"UIDAI may levy penalties on Biometric Service Providers for deficiencies in their performance in respect of biometric de-duplication (FPIR/ FNIR) and biometric authentication (FMR/ FNMR). Agreements in this regard should be modified, if required", the report states. 

Click Here To Read/Download Press Release