India’s Comptroller and Auditor General released a performance audit of the country’s Unique Identification Authority and found major IT problems, some attributable to Indian services giant HCL and HP, but others to bad government decisions.
The Authority (UIDAI) oversees “Aadhaar” – a twelve-digit number that serves as a national ID. Aadhaar is essential for accessing government services, but can also be used by third parties – banks and mobile operators use it to verify the identity of applicants for new accounts. UIDAI organizes the collection of the biometric data needed to create an Aadhaar – ten fingerprints, two iris scans and a facial photograph – through enrollment agencies and registrars, and provides authentication-as-a-service using Aadhaar numbers.
Over 1 billion Aadhaar ID cards have been issued and over 99% of Indian adults have enrolled in the programme.
Aadhaar had no data archiving policy
The audit report found many problems with the project, among them about 475,000 Aadhaars in which the same biometric data was used to describe different people. Deduplication efforts proved so poor that staff reverted to manual processes to fix the problem. Many Aadhaar IDs therefore failed in practice – attempts to authenticate their holders did not succeed.
Infosec types never tire of pointing out that an entity’s security is only as good as that of its partners. Yet UIDAI “failed to verify the infrastructure and technical support” of organizations that sought to join its third-party ecosystem. The audit found that UIDAI was lax in requiring participants to complete security checks – which is problematic, as it left the organization uncertain which of the devices used to capture biometrics complied with its security requirements.
Regardless of the devices used, biometric data capture was often inefficient and some of the data obtained was unusable. Other biometric data was captured but never associated with a person.
Third-party users of Aadhaar-as-a-service have not been charged – although revenue collection is an integral part of UIDAI’s mission.
UIDAI also lacked a data archiving policy for several years. The audit explains the basics of tiered storage and the very good reasons to retire certain data, and points out that the organization therefore cost itself money and may have created compliance issues.
At this point, readers may be wondering who spearheaded UIDAI’s technology, as a failure to archive data or verify stakeholder security suggests they didn’t do it brilliantly.
The answer is HCL – the Indian services giant won a contract to manage UIDAI technology in 2012 and is still playing a role today.
The audit report revealed that the company had selected the automatic biometric identification system supplier, but that the agreed service levels were not met – possibly the reason for the duplicate Aadhaar numbers and the other problems mentioned above.
UIDAI chose not to penalize HCL for these failures, and even restructured the contracts so it could waive requirements to seek damages.
HP’s role in this mess was to provide a document management system that stored Aadhaar registration data digitally and on paper, but was plagued with inconsistent data delivery that resulted in many incomplete records being created.
The audit concludes that the failure to meet security standards across the Aadhaar ecosystem means the program poses a risk to Indians’ privacy, while the removal of penalties for underperforming vendors has sent the message that substandard work was acceptable.
The document ends with a strong recommendation that UIDAI take into account the recommendations of the audit – in particular those relating to information security.