CAG’s audit report creates a case for dismantling of UIDAI and scrapping of UID/Aadhaar Number database project
CAG’ performance audit of functioning of UIDAI is partial and incomplete
The total estimated budget of the biometric UID/Aadhaar number project and its cost: benefit analysis has not been disclosed till date. Unless the total estimated budget of the project is revealed, all claims of benefits are suspect and untrustworthy. How can one know about total savings unless the total cost is disclosed? Can limited audit of continuing expenditure of Unique Identification Authority of India (UIDAI), an instrumentality of Union of India be deemed a substitute for total estimated budget of the biometric UID/Aadhaar number project of UIDAI? It has been admitted by CAG that the audit of functioning of the UIDAI is partial because of non-transparency.
The report of the Comptroller and Auditor General (CAG) of India arising from performance audit of functioning of the UIDAI for the period from 2014-15 to 2018-19 is incomplete because it is based on statistical information “to the extent as furnished by UIDAI” upto March 2021. There is also a need to compare the audit of UIDAI’s functioning during 2009-2014 with the audit of 2014-2019. CAG is constrained to indicate that its audit of UIDAI is dependent on the limited statistical information on generation, update and authentication services of Aadhaar and financial information provided by UIDAI. It implies that the UIDAI’s audit of its functioning is not based on all the information demanded by CAG. It is noteworthy that the Ninth Audit Advisory Board of CAG comprises of Nandan Nilekani, Chairman of the Board, Infosys Technologies Ltd. Coincidentally, Rohini Nilekani, chairperson, Arghyam Foundation too has been a member of this Board in the past. It is yet to be ascertained whether the presence of Nilekani in CAG’s Board influenced the outcome of CAG’s audit given the fact that Nilekani, the co-founder of Infosys who was appointed as the first Chairman of UIDAI on July 2, 2009 by the Planning Commission of India while he was still serving Infosys as its CEO, President and Managing Director. His resignation from Infosys became effective from July 9, 2009.
While Nilekani was the Chairman of UIDAI, the Parliamentary Standing Committee on Finance in its Sixty-Ninth Report on the ‘Demands for Grants (2013-14)’ observed, “A provision of Rs. 2,620 crore has been allocated in Budget Estimate (2013-14) for Unique Identification Authority of India (UIDAI) and a major part of the budget provision for Rs. 1,040 crore is earmarked for ‘Enrolment Authentication and Updation’, out of which an amount of Rs. 1,000 crore has been earmarked under the head ‘other charges’.”It is apparent that CAG has not been furnished details by UIDAI regarding these “other charges”for audit.
It must be recalled that under Nilekani’s tenure UIDAI extended “undue favour” to Wipro Ltd. As a consequence UIDAI incurred an avoidable expenditure of Rs.4.92 crore on an annual maintenance contract, according to the report of the Comptroller and Auditor General (CAG) of India presented to the Parliament. UIDAI also incurred a loss of Rs.1.41 crore by not routing advertisements through the Directorate of Advertising and Visual Publicity. Unmindful of manifest conflict of interest UIDAI had entered into a contract with Wipro in May 2011 for supply, installation and commissioning of servers, storage systems, security systems and accessories with incidental services in the data centres of the authority in Bengaluru and Delhi/NCR at a cost of Rs.134.28 crore.
This is not the only case of irregularity and corruption by UIDAI. It awarded projects to several companies without issuing tenders. In a RTI reply UIDAI itself disclosed that total project contracts worth Rs.13,663.22 crore were awarded without any tenders of which an amount of Rs.6,563 crore has been already spent on issuing 90.3 crore Aadhaar till May 2015.
As of March 2022, UIDAI has incurred expenditure which includes undefined “other charges” pointed out by the Parliamentary Committee. Shouldn’t UIDAI provide the details of the expenses incurred under “other charges”?
Budget and Expenditure of UIDAI since its inception in 2009
Expenditure (in Crore) INR
$Excess expenditure met from unspent grant of 2018-19
*Excess expenditure met from unspent grant of 2018-19 & 2019-20 and UIDAI Fund
**Including Rs. 680 crore received as third and final supplementary grant
UIDAI’s expenditure upto March 2022 is enclosed.
Source: UIDAI’s website
The Parliamentary Committee on Finance has noted in its report as to why inflated targets were consistently being given by UIDAI. It observed, “the total budgetary allocations made for UIDAI since its inception up to BE 2013-14 is Rs 5440.30 crore, out of which Rs. 2820.30 crore has been utilized upto 31.03.2013 and the remaining amount of Rs. 2620 has been allocated in BE 2013-14. The Ministry has informed that the average cost per card is estimated to range from Rs 100 to Rs 157. Taking the average cost per card to be Rs. 130, the total expenditure for issuing 60 crore cards is estimated to be about Rs 7800 crore. Thus, the expected requirement of funds during 2013-14 is Rs. 4979.70 crores, whereas only Rs. 2620 crores have been kept for BE 2013-14, which is thus grossly inadequate.” It is apparent that there is more to it than meets the eye.
It is noteworthy that Aadhaar is the brand name of Unique Identification (UID) Number. The UID project was renamed the Aadhaar project after the UIDAI avowedly had a nationwide competition to find a logo and a brand name. Curiously, Aadhaar name echoes the name of Bangalore based Adhar Trust that Nilekani and Rohini Nilekani set up to fund their initiatives into a government function.
It is germane to recollect that the notification of January 28, 2009 that set up UIDAI, provides the terms of reference (TOR) for its work. There is no reference to the collation of the UID number database with the electoral database in the TOR. But the TOR does refer to “collation and correlation with UID and its partner databases.” If this reference to ‘partner database’ included the electoral database, the UID/ Aadhaar enrolment form never revealed it and took Indians and Indian residents for a ride. CAG would have audited these aspects had full details been furnished to it by UIDAI.
It may also recalled that one of the earliest documents that refer UIDAI is a 14-page long document titled ‘Strategic Vision: Unique Identification of Residents’ prepared by Wipro Ltd for the Planning Commission envisaged the close linkage that the UIDAI’s Aadhaar would have with the electoral database. The use of the electoral database mentioned in Wipro’s document remains on the agenda of the proponents of Aadhaar. Unmindful of conflict of interest Wipro remains a beneficiary of contracts awarded by UIDAI.
Like the CAG’s audit report of 2016, the CAG’s audit report released in April 2022 too makes a specific reference to WIPRO Ltd. There is a reference to Agreement with Data Centre Development Agency (DCDA), Bengaluru and Agreement with DCDA, Manesar with Wipro Ltd. CAG has remarked that “The file related to AMC part was only provided for scrutiny. The file related to selection process of the vendor was not made available. Since the contract involved technical issues, the same was out of the scope of the Audit for scrutiny.” Had UIDAI provided the required files related to “selection process of the vendor”, the audit report would have ensured that sunlight is indeed the best disinfectant.
The current chairman of UIDAI, J Satyanarayana has been the member of the Task Force for preparation of the Policy Document on Identity and Access Management under National e-Governance Programme (NeGP) submitted its report in 2006. Coincidentally, the Processes Committee of the Planning Commission set up in July 2006 was assigned the task of preparing “Strategic Vision: Unique Identification of Residents” to Wipro Ltd during the same period. This report talked about “Citizen Identities” and “Owner of identities”. This April 2007 report reveals that “National UID Project: This project has been initiated, with Voter ID Numbers and BPL households in the first instance.” It emerges from the report that long before the arrival of Nilekani in July 2009 as Chairman of UIDAI, the UID/Aadhaar project was already unfolding. But this aspect has not been audited by CAG as yet. The report of the Task Force also discloses that each registered judicial court has a unique identification (UID) number at Subordinate Courts, High Court and Supreme Court. This effort seems to be part of profiling and surveillance of judicial institutions. The path being traversed by National Judicial Data Grid (NJDG), a database of orders, judgments and case details of 18,735 computerised District and Subordinate Courts that has created as an online platform under the eCourts Project has reached the stage of launch of the Interoperable Criminal Justice System (ICJS) to integrate and make data interoperable between different institutions such as police, prisons and courts involved in the criminal justice system. This seems pave the path of extinction of separation of powers envisaged in The Spirit of the Laws (1748) by Montesquieu. UIDAI’s UID/Aadhaar identifier project is not a scheme in isolation.
These UID/Aadhaar linked initiatives are part of 360° surveillance initiative to record every aspect of Indians based on convergence of every imaginable database in furtherance of World Bank’s eTranform Initiative launched in partnership with France and South Korea as well as six MNCs Gemalto, IBM, L-1 Identity Solutions, Microsoft and Pfizer. In his role as Secretary, Department of Electronics and Information Technology (DEITY), Satyanarayana informed the Parliamentary Standing Committee on Information Technology that he had no problem if intelligence agencies continue to collect the meta data of Indians in the wake of disclosures by Edward Snowden. Notably, the UID project which began in the DEITY and returned to DEITY which has been renamed as Ministry of Electronics and Information Technology (MEITY) after spending its formative years in the erstwhile Planning Commission of India. Given the fact that Criminal Procedure (Identification) Act 2022 has been enacted after the enactment of Aadhaar Act 2016 and the enactment of The DNA Technology (Use and Application) Regulation Bill, 2019 is imminent, it is apparent that UID, NPR, NJDG and ICJS are part of one and the same surveillance architecture, which is essentially a project of Ministry of Home Affairs (MHA). MHA and MEITY’s UIDAI are oblivious of the fact that metadata has the ability to redefine human existence in ways which are yet fully to be perceived. Mining of meta data results in the creation of new knowledge about individuals; something which even she/he did not possess.
The Court of Justice of European Court (CJEU) has struck down the provision allowing collection of such metadata on grounds of lack of purpose limitation, data differentiation, data protection, prior review by a court or administrative authority and consent, amongst other grounds. It observed, “Given the quantity of retained data, the sensitivity of that data and the risk of unlawful access to it, the providers of electronic communications services must, in order to ensure the full integrity and confidentiality of that data, guarantee a particularly high level of protection and security by means of appropriate technical and organisational measures. In particular, the national legislation must make provision for the data to be retained within the European Union and for the irreversible destruction of the data at the end of the data retention period” in Tele2 Sverige AB v. Post-och telestyrelsen and Secretary of State for the Home Department v. Tom Watson, Peter Brice, Geoffrey Lewis (2016).
In Maximillian Schrems v. Data Protection Commissioner (2016) the CJEU struck down the transatlantic US-EU Safe Harbor agreement that enabled companies to transfer data from Europe to the United States on the ground that there was not an adequate level of safeguard to protect the data. It held that the U.S. authorities could access the data beyond what was strictly necessary and proportionate to the protection of national security. The subject had no administrative or judicial means of accessing, rectifying or erasing their data.
Drawing on these cases, Supreme Court of India in Writ Petition (Civil) 494 of 2012 observed that data collection, usage and storage including biometric data requires adherence to the principles of consent, purpose and storage limitation, data differentiation, data exception, data minimization, substantive and procedural fairness and safeguards, transparency, data protection and security. CAG’s audit unequivocally reveals that UIDAI has failed to adhere to the principles of consent, purpose and storage limitation, data differentiation, data exception, data minimization, substantive and procedural fairness and safeguards, transparency, data protection and security. CAG’s audit ought to have factored in the fact that “metadata is not defined in the Aadhaar Act '' given the fact that technical, business, and process metadata remains unaddressed. As a consequence, it is not limited to only process meta data like “authentication record” referred to Section 2(d) of the Aadhaar Act which means the record of the time of authentication, identity of requesting entity and the response provided by the UIDAI.
CAG’s audit ought to have examined the all the possible uses of information contained in Central Identities Data Repository (CIDR) of 12-digit biometric Unique Identification (UID)/Aadhaar numbers and their consequences with specific reference to illegitimate access to technical metadata, business meta data and process meta data. It is possible that UIDAI’s non-cooperation acted as an impediment in auditing these aspects.
The Executive Summary of CAG’s audit report begins by talking about “Identification of the right individuals” for “welfare schemes”. Immediately after that it starts talking about how “Citizens were required to furnish multiple documents....to various Government as well as private agencies.” It refers to the inconvenience of “those who did not have any of these identity documents.” It states that in order to “overcome the challenge, the Union Government decided to introduce a unique identity (UID) for the residents of India” in 2009. Contrary to the claims of the promoters of biometric UID/Aadhaar like Nandan Nilekani that “Millions of people without any ID, now have an ID”, the fact is that of all the Aadhaar numbers issued to Indian residents till date – 99.97 per cent had pre-existing identification (ID) documents. This has been revealed in a reply to an application of Ujjainee Sharma and Trishna Senapaty under Right to Information Act by UIDAI. This proves that ‘an inability to prove identity” has not a major barrier to access benefits and subsidies.
During a meeting at the World Bank on digital identity, where more than a dozen companies were represented, it was underlined that the Bank has a central role in the promotion of internalisation of digital-biometric identification by developing countries such as India and Pakistan. UIDAI's ex-Chairman Nilekani gave a lecture on Societal Platforms: Building beyond Aadhaar for Sustainable Development held on October 13, 2017, with Paul Romer, Chief Economist and Senior Vice President, World Bank, as one of the panellists. The event was organised by Washington-based Center for Global Development (CGD) in partnership with the World Bank Group, Bill and Melinda Gates Foundation and Omidyar Network. It is noteworthy that Microsoft is a partner in Bank’s eTransform Initiative.
In November 2009, Tariq Malik was awarded the ID Outstanding Achievement Award at the Global Summit on Automatic Identification in Milan. He received one of the highest awards in IT, Sitara-e-Imtiaz (Star of Excellence), from the President of Pakistan in 2013 for innovative, citizen-centric ICT application and services rendered for Pakistan. Nilekani was given the ID Limelight Award at the ID World International Congress, 2010, in Milan, Italy, on November 16. Malik used to head the National Database and Registration Authority (NADRA) in Pakistan. Nilekani used to be head of the UIDAI. In another apparent coincidence, both Malik and Nilekani spoke at the meetings of CGD in April 2013 and July 2014, respectively.
It is noteworthy that Safran Morpho (of the Safran Group) was a key sponsor of the ID Congress. Its subsidiary called Sagem Morpho Security was awarded a contract for the purchase of biometric authentication devices on February 2, 2011, by the UIDAI.
In his lecture titled Technology in the Service of Development: The NADRA Story, Malik said, "By 2008, we improved the data architecture to include the full set of 10 fingerprints and a digital photograph. This technology was powerful enough to enable full deduplication of the national database and greatly reduced the prevalence of dual identities and identity theft. We asked the people to register and framed this in terms of a strategic partnership with the state, which in turn would recognise them as citizens. Registration was still technically voluntary, but people could not open a bank account without an ID card or obtain a passport or enter into any transaction with the state. An ID card was also needed to obtain a gas or electricity connection and to pay utility bills. These requirements made it very difficult to function without enrolling and caused people to register.” At the same time, we developed a system to scrutinise candidates contesting the election that would connect the databases of NADRA, the Federal Bureau of Revenue (FBR), the National Accountability Bureau (NAB) and the State Bank of Pakistan." According to him, "Security versus privacy is a very hotly debated issue these days. From Pakistan's perspective, extraordinary security circumstances demand extraordinary steps to revamp governance. The state is eroding very fast, and it has to restore its writ to avoid collapse at the hand of outlawed and terrorist groups. At the same time, it is my strong belief that privacy of citizen data must be guaranteed in a fragile state like Pakistan. It is sad that Pakistan does not yet have an official data privacy law."
It is clear from his lecture that the biometric identification project called NADRA is a convergence project. It has put all the people of Pakistan under surveillance by admittedly making registration under NADRA "technically voluntary" but structuring its implementation in a way that has coerced Pakistanis to register with NADRA to get social benefits, services and subsidies by converging pre-existing databases.
In his lecture titled Can Technology Leapfrog Development? The Aadhaar story, Nilekani said, "A lot of people ask about privacy and security and all that. Fundamentally, this is just an ID system, it gives you an ID and verifies that ID. So the UID database does not collect all kinds of data about you - (it only collects) very basic information about you (name, address, DoB, sex and biometrics) and provides verification services with a yes or a no.”
"Similarly, from a security perspective, also a lot of work has happened to make it secure. We came to the conclusion that if we take sufficient biometric data of an individual, that person's biometrics will be unique across a billion people. Now we have to find that out - we haven't done it yet - so we'll discover it as we go along. And our belief now is that accuracy across the entire billion people is 99.99 per cent in terms of not having duplicates," he added.
He observed, "The purpose of this project is twofold. One, to give millions of people IDs, which they can have to get access to entitlements and services, and second, to improve the quality of expenditure by the government on various public programmes," added Nilekani. Prophetically, he disclosed, "You can use it for train tickets or mobile connections. We expect that in the next few years, this will be used as the basic KYC (know your customer) for all kinds of services. For voting, bank accounts, mobile connections. It is using tech to reach out, and reach out to a large number of people." Besides this address, Nilekani had delivered another lecture at the World Bank headquarters on April 24, 2013, in the presence of World Bank President Jim Yong Kim and Chief Economist Kaushik Basu.
It emerges that India's UID project is an imitation of Pakistan's project. Biometric UID/Aadhaar is a convergence project that has put all the residents of India under surveillance using social benefits, services and subsidy as a fish bait while keeping it "technically voluntary" but has coerced Indian residents to register for the Central Identities Data Repository (CIDR) of UID/Aadhaar numbers structurally. As in Pakistan, India, too, is implementing this biometric identification project without having a right to privacy law in place. Both countries display a similar lackadaisical approach towards peoples' privacy. India is imitating Pakistan about the erosion of authority, which is being hollowed out by transnational commercial tsars and by compromising national security by showing unpardonable callousness towards the privacy of present and future generation of legislators, soldiers and heads of governments and the State.
Coincidentally, both Malik and Nilekani were speakers at the National Identification Conference, an international conference organised by Harvard FXB Center for Health and Human Rights in collaboration with other Harvard schools from November 19 to November 21 in 2015. Ajay Bhushan Pandey, as Director General of UIDAI was also a speaker at that conference.
In an interview, Julian Assange, founder of WikiLeaks, informed Imran Khan about the grave act of omission and commission. Assange said, "we discovered a cable in 2009 from the Islamabad Embassy. Prime Minister Gilani and Interior Minister Malik went into the [US] embassy and offered to share NADRA. The system is currently connected through passport data, but the government of Pakistan is adding voice and facial recognition capability and has installed a pilot biometric system as the Chennai border crossing, where 30,000 to 35,000 people cross each day. The NADRA system is the voting record system for all voters in Pakistan. A front company was also set up in the UK called International Identity Services, which was hired as the consultants for NADRA to squirrel out the NADRA data for all of Pakistan. What do you think about that? It seems to me that that is a theft of some national treasure of Pakistan, the entire Pakistani database registry of its people." When Imran Khan became the Prime Minister of Pakistan he refused to get himself biometrically profiled. It is not clear as to what extent he made use of the insights from Wikileaks during his brief tenure in the matter of NADRA.
Whenever Nilekani or other proponents of UID/Aadhaar speak, they simply articulate whatever has been voiced by the head of Pakistan’s NADRA. Every word spoken and every step taken by the UIDAI are an exercise in imitation of Pakistan's initiative.
Biometric unique identification (UID) initiative has its roots in Washington. At the outset, inspired by the Peruvian economist Hernando de Soto Polar's 2000 book The Mystery of Capital: Why Capitalism Triumphs in the West and Fails Everywhere Else, Nilekani began arguing that a national ID system would be a big step for land markets to facilitate the right to property and undo the 1978 abolition of the same, which will bring down poverty! But he never explained the rationale of this unique proposition. In the post-Capitalist and the post-Socialist era, such assumptions of triumph have been found to be deeply flawed. In fact, even the title of the book sounds weird in the post-financial crisis era. Nilekani published these arguments in his book. The 76-year-old de Soto, known for his work on informal sector 'extralegal economies', is the Honorary Chair of Washington-based World Justice Project, an initiative of the American Bar Association (ABA) that is working to advance the rule of law around the world. He has worked with the World Bank and appears to be an advocate of property rights-based democracy.
In a 2012 article, de Soto concluded, "We need increased truth-telling: increased recognition of what exists and who owns it." Such propensity creates a compelling argument against centralised databases, which will be hard to defend in the face of big data predators. He fails to acknowledge that radical changes for the betterment of humanity happen outside the realm of legal rights framed by existing institutional mechanisms, which is being captured by commercial tsars. It is evident that the World Bank is lending support to projects, which make even the right to have natural rights conditional on being biometrically profiled to secure beneficial owners of all ilk from future battles.
It may be recalled that after Nilekani took charge as the Chairman of the UIDAI on July 23, 2009. Robert B. Zoellick, the then World Bank chief, met him on December 4, 2009. What transpired at these meetings is not in the public domain. The World Bank's e-Transform Initiative (ETI) formally launched on April 23, 2010, in Washington for converging private sector, citizen sector and public sector, and the Interpol's e-identity database project appears to be linked to UID related initiatives of North Atlantic Treaty Organisation (NATO), a controversial military alliance whose role is at the centre of Russia-Ukraine war. The UID related initiatives and the announcement of Finance Minister Pranab Mukherjee's for voluntarily seeking the full-fledged Financial Sector Assessment Programme by the International Monetary Fund and the World Bank in January 2011 appear to be linked. The e-identity of the Bank and UID/Aadhaar-related projects are part of the same Washington-based initiative. It is high time CAG is given the mandate of auditing the projects of World Bank Group and other international financial institutions to bring them under legislative oversight.
The World Bank's ETI seeks to leverage ICT to build a knowledge-sharing network that helps governments of developing nations to leverage best practices and improve the delivery of social and economic services. The knowledge-sharing network will focus on areas such as electronic Identification (eID), e-procurement, e-health and e-education, areas vital to promoting the participation of citizens in democratic processes such as voting, and helping undocumented citizens get access to health and welfare programmes. The World Bank reported it was funding 14 projects related to e-government and e-ID around the world. Are citizens supposed to believe that the World Bank Group is working to ensure that India's national interest and its citizens' rights are protected?
"The speed and precision with which developing countries administer services are dependent upon many factors, not the least of which is the ability to verify the identities of those receiving services," said Mohsen Khalil, Director of the World Bank's Global ICT Department, in a statement at the launch of the ETI.
A careful examination of UIDAI documents reveals that this scheme is linked to the electoral database too. A confidential document of UIDAI titled ‘Creating a unique identity number for every resident in India’, leaked by Wikileaks on November 13, 2009 reads: “One way to ensure that the unique identification (UID) number is used by all government and private agencies is by inserting it into the birth certificate of the infant. Since the birth certificate is the original identity document, it is likely that this number will then persist as the key identifier through the individual’s various life events, such as joining school, immunizations, voting etc.” CAG’s audit report should have paid attention to these aspects as well.
Under Article 151 of the Constitution of India, the CAG is supposed to submit the accounts of the Union of India to the President of India, who gets it laid before each House of Parliament. UIDAI has signed contracts in the name President of India, wherein the latter has been taken for a ride by foreign firms who have managed to take possession of all present and future Indians including present and future Presidents and his subordinates.
The Executive Summary of CAG’s audit report begins by talking about “Identification of the right individuals” for “welfare schemes”. Immediately after that it starts talking about how “Citizens were required to furnish multiple documents....to various Government as well as private agencies.” It refers to the inconvenience of “those who did not have any of these identity documents.” It states that in order to “overcome the challenge, the Union Government decided to introduce a unique identity (UID) for the residents of India” in 2009. In the very first paragraph, the audit report commits the error of words like “individuals”, “citizens” and “residents” interchageably as if they are synonyms of each other. In the second paragraph it informs that “Aadhaar is now established as an important identity document for residents” and UIDAI has generated more than 129 Crore Aadhaars till March 2021. It states that Aadhaar is the brand name of a 12-digit unique number which is issued to “residents” of India.
The report states that “Various Ministries/Departments of the Government as well as other entities such as banks, mobile operators, rely upon Aadhaar for identity of the applicant.” This observation is deeply problematic because Aadhaar Act does not refer to “other entities such as banks, mobile operators” in the aftermath of the enactment of Aadhaar and Other Laws (Amendment) Act, 2019 that replaced the Aadhaar and Other Laws (Amendment) Ordinance, 2019 which was promulgated in March 2019 to delete Section 57 of the Aadhaar Act relating to use of Aadhaar by private entities. This was done as per the directions of the 5-Judge Constitution Bench of the Supreme Court and recommendations of Justice B.N.Srikrishna(Retd) Committee. On 26 September 2018, the Court ruled that Section 57 of the Aadhaar Act is unconstitutional. CAG’s audit report fails to pay attention to it while stating that the Supreme Court upheld the constitutional validity of the Aadhaar (Targeted delivery of Financial and Other Subsidies and Benefits) Act 2016.
It specifies that Aadhaar number is meant only for those “residents” who have resided at least 182 days in India immediately preceding the date of application for enrolment for Aadhaar number as Section 2 (v) of the Aadhaar Act, 2016. The report records that “In September 2019, this condition was relaxed for non-resident Indians holding valid Indian Passport. However, UIDAI has not prescribed any specific proof/ document or process for confirming whether an applicant has resided in India for the specified period and takes confirmation of the residential status through a casual self-declaration from the applicant. There was no system in place to check the affirmations of the applicant. As such, there is no assurance that all the Aadhaar holders in the country are ‘Residents’ as defined in the Aadhaar Act.”
It has detected that “There were instances of issue of Aadhaars with the same biometric data to different residents indicating flaws in the de-duplication process and issue of Aadhaars on faulty biometrics and documents.” It underlines that the Aadhaar database continued to have Aadhaars.
The report asserts that “Issue of Aadhaar numbers to minor children below the age of five, based on the biometrics of their parents, without confirming uniqueness of biometric identity goes against the basic tenet of the Aadhaar Act” unmindful of the fact that “Supreme Court has stated that no benefit will be denied to any child for want of Aadhaar.” It brings to light the fact that UIDAI continues to incur avoidable expenditure on the issue of Bal Aadhaars.
Unmindful of legal complications or inconvenience to holders of Aadhaar issued prior to 2016, UIDAI has failed to identify and fill the missing documents in their database.
The report points out that “the quality of data captured to issue initial Aadhaar was not good enough to establish uniqueness of identity.” It reveals that UIDAI is “not in a position to identify reasons for biometric failures and residents were not at fault for capture of poor quality of biometrics.” It also reveals that UIDAI does “not have a system to analyze the factors leading to authentication errors.”
UIDAI has failed to “carry out verification of the infrastructure and technical support of Requesting Entities and Authentication Service Agencies before their appointment in the Authentication Ecosystem.”
UIDAI has failed to adopt a “data archiving policy, which is considered to be a vital storage management best practice” while maintaining one of the largest biometric databases in the world.
In violation of the Supreme Court’s verdict and in violation of Aadhaar Act 2016 (as amended in 2019), UIDAI is providing “Authentication services to banks, mobile operators and other agencies”. In the aftermath of the deletion of Section 57 which provided for “the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect”.
The deletion of this provision is in compliance with the Court’s judgment. In the majority judgment, it is stated that apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services. This can be on the basis of purported agreement between an individual and such a body corporate or person. Even if we presume that the legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of individual biometric and demographic information by the private entities.
The part of Section 57 that allowed for people to voluntarily provide their Aadhaar number to body corporates and individuals, especially on the basis of a contract between the person providing the Aadhaar number and the person acquiring/ authenticating the Aadhaar number, has been held to be unconstitutional by the Supreme Court. But the amendment to Section 4 of the Aadhaar Act that deals with ‘Properties of Aadhaar number” re-introduces clauses that have already been ruled to be unconstitutional.
UIDAI has failed to levy penalties on Biometric Service Providers for deficiencies in their performance in respect of biometric de-duplication and biometric authentication. CAG recommends that “Agreements in this regard should be modified, if required”. This also creates a logical compulsion for States to unsign their MoUs with UIDAI.
The audit of the functioning of UIDAI reveals that UID/Aadhaar has put the privacy of present and future residents, Prime Ministers, Chief Ministers, judges, legislators, soldiers, civil servants and intelligence officials and their families at risk. It shows how contracts awarded by UIDAI in the name of the Presi favour private entities.
It is noteworthy that a case pertaining to such questionable contracts has been pending in Delhi High Court since 2014. It seems the beneficiaries of the contract have overwhelmed the public institutions through electoral bonds.
The audit report concludes that "There were flaws in the management of various contracts entered into by UIDAI. The decision to waive off penalties for biometric solution providers was not in the interest of the Authority giving undue advantage to the solution providers, sending out an incorrect message of acceptance of poor quality of biometrics captured by them."
The report reveals that "UIDAI had not ensured that the client applications used by its authentication ecosystem partners were not capable of storing the personal information of the residents, which put the privacy of residents at risk. The Authority had not ensured security and safety of data in Aadhaar vaults. They had not independently conducted any verification of compliance to the process involved."
CAG has detected that although the "Aadhaar Act stipulates that an individual should reside in India for a period of 182 days or more in the twelve months immediately preceding the date of application for being eligible to obtain an Aadhaar. In September 2019, this condition was relaxed for non-resident Indians, holding valid Indian Passport. However, UIDAI has not prescribed any specific proof/ document or process for confirming whether an applicant has resided in India for the specified period and takes confirmation of the residential status through a casual self-declaration from the applicant. There was no system in place to check the affirmations of the applicant. As such, there is no assurance that all the Aadhaar holders in the country are ‘Residents’ as defined in the Aadhaar Act."
But CAG is yet to audit contracts by UIDAI that enabled transfer of Central Identities Data Repository (CIDR) containing all Aadhaar numbers along with corresponding demographic information and biometric information of Indian residents to foreign and domestic firms, recommend deletion and fix accountability for such a grave act that compromises national security.
Notably, Banks and Telecom operators are not mentioned in the Aadhaar Act. All advertisements, SMSs and demands for Aadhaar number are illegitimate and illegal. Supreme Court has declared Section 57 of Aadhaar Act as "Unconstitutional", outlawing Aadhaar "use for other purposes".
The Public Accounts Committee ought to seek a complete report on UIDAI by CAG. It must ensure that the audit is not constrained by miserly sharing of details by UIDAI. CAG's audit has vindicated the position which Citizens Forum for Civil Liberties (CFCL) has been articulating since 2010. CFCL has been demanding UIDAI's audit for a long time. The audit report records that "statistical information on generation, update and authentication services of Aadhaar and financial information referred to in the Report have been updated upto March 2021, to the extent as furnished by UIDAI." It indicates that UIDAI has not furnished all the statistical information on generation, update and authentication services of Aadhaar and financial information in its entirety. Parliamentary Standing Committee on Finance and Public Account Committee ought to seek all the information that has been withheld from CAG by UIDAI.
CAG’s audit report on the functioning of UIDAI is akin to the report of London School of Economics on UK’s National ID project, which was endorsed by the Parliamentary Standing Committee on Finance in its 42nd Report because biometric ID technology is unreliable and unsafe technology and poses risk to the safety and security of citizens. The LSE report created a logical compulsion for abandonment of their ID project, the former creates a compulsion for the dismantling of UIDAI and scrapping of the UID/Aadhaar project.
Current Status of UID/Aadhaar Number
In the light of the verdict of 9-Judge Constitution Bench ofSupreme Court dated 24 August 2017 in Justice K.S.Puttaswamy (retd) v. Union Of India, the verdict on Aadhaar Act by 5-Judge Constitution Bench of Court dated 26 September 2018 in Justice K.S.Puttaswamy (retd.) v., Union Of India, Section 25 of Aadhaar and Other Laws (Amendment) Act, 2019 and the verdict of 5-Judge Constitution Bench of Court dated 13 November, 2019 in Roger Mathew v. South India Bank Ltd, there is a compelling constitutional and legal logic for the State and its instrumentalities contest any demand for UID/Aadhaar number. States have the option to unsign the MoUs they signed with UIDAI citing these new developments and the audit report of the CAG.
On 13 November, 2019, the 5-Judge Constitution Bench of Court observed, “Given the various challenges made to the scope of judicial review and interpretative principles (or lack thereof) as adumbrated by the majority in K.S. Puttaswamy (Aadhaar-5) and the substantial precedential impact of its analysis of the Aadhaar Act, 2016, it becomes essential to determine its correctness. Being a Bench of equal strength as that in K.S. Puttaswamy (Aadhaar-5), we accordingly direct that this batch of matters be placed before Hon’ble the Chief Justice of India, on the administrative side, for consideration by a larger Bench.” It asserted unequivocally that “It is clear to us that the majority dictum in K.S. Puttaswamy (Aadhaar-5) did not substantially discuss the effect of the word ‘only’ in Article 110(1) and offers little guidance on the repercussions of a finding when some of the provisions of an enactment passed as a “Money Bill” do not conform to Article 110(1) (a) to (g).”
A joint reading of Article 110 (1) of the Constitution of India, Aadhaar Act, 2016, verdict of Hon’ble Supreme Court dated 24 August 2017 in Justice K.S.Puttaswamy (retd) v. Union of India on fundamental right to privacy, the verdict on Aadhaar Act by 5-Judge Constitution Bench of Court dated 26 September 2018 that declared Section 57 of Aadhaar Act, 20016 to be unconstitutional in Justice K.S.Puttaswamy (retd) v., Union of India, Section 25 of Aadhaar and Other Laws (Amendment) Act, 2019 that omitted Section 57 of Aadhaar Act 2016 and the verdict of 5-Judge Constitution Bench of Court dated 13 November, 2019 in Roger Mathew v. South India Bank Ltd, makes it crystal clear that “the Money Bill must deal with the declaration of any expenditure to be charged on the Consolidated Fund of India (or increasing the amount of expenditure) and, therefore, Section 7 of the Aadhaar Act did not have the effect of making the bill a Money Bill as it did not declare the expenditure incurred on services, benefits or subsidies to be a charge on the Consolidated Fund of India.” The Aadhaar Act does not do so. Besides this when the Speaker of Lok Sabha certified Aadhaar Bill as “Money Bill”, she did so with respect to a Bill which contained Section 57 which has now been declared unconstitutional by the Constitution Bench of the Court. The constitutionally indefensible provision under Section 57 of Aadhaar Act could not have been part of the Bill which was deemed Money Bill. This makes the Money Bill certification of Aadhaar Bill constitutionally questionable. The insertion of a provision Section 24 to provide for what has been rejected in Section 57 too is impermissible. When the illegitimacy, illegality, impropriety and immorality of this provision of a “Money Bill” has been conclusively established through Aadhaar Amendment Act 2019, Aadhaar Act enacted as “Money Bill” has been deemed questionable it is established as illegitimate. CAG’s audit report on the functioning of UIDAI must be read with the observations of the Court in Roger Mathew v. South India Bank Ltd. When the 7-Judge Bench pronounces its verdict it will have to draw from both the CAG’s audit report of April 2022 and the observations of the 5-Judge Bench in November 2019.
The author is a law and public policy researcher. He had appeared before the Parliamentary Committee that examined the National Identification Authority of India Bill, 2010 that was withdrawn in March 2016 and enacted later as Aadhaar Act 2016. He is the convener of Citizens Forum for Civil Liberties (CFCL)