Since the first announcement in September 2010, more than 1 crore Aadhar IDs have been issued by the Unique ID Authority, and over the next five years, it intends to issue 600 million UIDs. At the Aadhaar Development Track conference organized by NASSCOM in Bangalore yesterday, key personnel from the authority including Head of Technology Srikanth Nadhamuni, Chief Product Manager Sanjay Jain and Pramod Varma, Chief Architect, enlightened developers about how the system actually works.
The UID Number
The UID number, which is the key demographic element of the system, is a randomized 12 digit number which is independent of the user’s data, meaning that it does not depict any of the information provided by the user such as a region code or his/her date of birth, which might make it guessable. It does not follow a regional bifurcation unlike systems where a set of digits are fixed for region codes. The 11 digits are random numbers while the 12th digit is a checksum to authenticate them.
The main role of the Unique ID authority is to enroll citizens for Aadhaar with the help of partner agencies, and develop and deploy an authentication system, for various other agencies who want to deploy Aadhaar.
- Demographic: At the time of enrollment, a citizen is required to fill 4 compulsory fields: Name, Gender, Date of Birth and Address. There are two optional fields as well, Email address and Mobile number.
- Biometric: In addition to this demographic information, Biometric information is also collected through a finger print scan of all 10 fingers and a scan of the iris. While the iris scan is converted into a unique 1024 digit number, the fingerprints capture the minutiae i.e the location and angle of end points of finger prints. Since fingerprints become stable after the age of 15, a re-enrollment will be done at that point for individuals who were enrolled below that age. According to the UIDAI, the price of front-end enrollment devices including iris and fingerprint scanners has been reduced to less than Rs 1 lakh over the last year.
- Storage: All this information is stored by the Central Identities Data Repository (CIDR) at its secure back-end. The information which an agency wants to verify might or might not include biometrics. It might only request for partial information as well. For example an agency might want its users to submit the Aadhaar number and a finger print scan of the index finger or thumb.
- Response: The Aadhaar backend will simply verify the info and return a Yes or No response. If it gets a scan of one or more fingers, it will simply compare the minutiae to all fingers and if it finds a match return the response. Anonymized data will be collected as analytics to see how efficiently data collection at the time of enrollment is being carried out.
- An Authorised User agency such as a the Government, Banks, insurance companies can deploy UID for transactions or also for KYC -Know your customer. All authentication user agencies need a license key. So it can ask an individual to furnish his Aadhaar number along with other demographic details such as Name or Gender and also a biometric attribute such as a finger print or an iris scan, in addition to other verification elements that it chooses.
- Data is encrypted at source and only the UIDA’s CIDR can decrypt it. Also the returned response is verified by UIDAI to prevent infiltration.
- So its entirely upto an agency to decide what all it wants to verify. Once the data is sent to Aadhaar’s CIDR for verification, it is compared and in return, a Yes or a No reply is sent back.
- Apart from Yes or No responses, Aadhaar does not send any other data back, except in cases of National Security, for which protocols have not been decided.
- However there is no possible technical solution for the man in the middle attack. Only awareness can help prevent fraud. Anyone posing as an enrolling or authentication agency can collect data, the same way as one can in other systems.
- The agency will limit the number of verification attempts per ID to limit data collection. This will prevent over-zealous agencies to pose multiple questions to collect more data.
- Once enrolled, one cannot exit from the system. Even for deceased individuals, records are maintained, although they are updated to reflect the demise.
- A system for updating records is still being developed. It will also take care of problems like change in biometrics due to accidents, disease and other reasons.
- Although the sensitivity of biometric identification systems can be adjusted, it impacts the cost. Also there are minor possibilities of false negative or false positive results.