The UIDAI has delayed the introduction of facial authentication service for Aadhaar by a month to August 1 in order to “ensure a smooth rollout”, reported The Economic Times. UIDAI CEO Ajay Bhushan Panday said the feature needed ‘fine tuning and adjustment” to see how it performs in the field, after which it will become available to Authentication User Agencies (AUAs).
The UIDAI earlier announced facial recognition will be used in “Fusion mode” i.e. alongside other biometric information to address failures in authentication with fingerprints and iris scans. Often, older people and labourers have worn out fingers, which leads to lapses in the verification of their Aadhaar numbers.
The UIDAI had announced the feature in January 2018 and had scheduled it for introduction on July 1, 2018.
Facial authentication is problematic as it poses security and privacy concerns, and possibly expands the scope for surveillance of Aadhaar holders. It has been pointed out earlier that the mAadhaar app stores user’s eKYC data on the phone itself — this includes the Aadhaar Number, Name, address, photograph among others. An individual’s photograph is classified as ‘biometric information’ under section 2(g) of the Aadhaar Act, 2016. The UIDAI issued a false statement saying that the mAadhaar app does not capture or store any biometric information.
Why facial recognition is worrying
1. First, a person’s face changes over time at all ages, and very significantly during adolescence. When Aadhaar enrollment began in 2009, it was collecting biometric information (including photograph) of children aged over nine. If an AUA tries to verify a person’s face with an outdated photograph, it will inevitably run into authentication failures.
2. Secondly, hackers claim that the broke Apple’s Face ID authentication within a week of the iPhone X launch. Bakv, a Vietnamese security firm, claimed that it was able to spoof Apple’s systems by building a mold and paper cutouts. Hackers could easily engineer a social hack with photographs of a target.
3. Third, ArsTechnica pointed out that Apple’s Face ID captures additional facial features over time and uses them for authentication and to make improvements. If the UIDAI follows this example, it would imply constant surveillance on the Aadhaar holder to keep updating its database. Note that, publically, the UIDAI has told the Supreme Court that the Aadhaar system cannot be used for surveillance. In fact, UIDAI has said safeguards built into the law and its systems to ensure that the government cannot use Aadhaar for surveillance even if a court were to permit them. But documents from State Resident Data Hubs (SRDHs) show that they are building a 360-degree profile of residents. The Aadhaar Act specifically states that a 360-degree profile cannot be built using Aadhaar.
4. Finally, Facial recognition technology on existing consumer devices uses the same camera for capturing the reference image of the face and for authentication, something that will be very unlikely with the Aadhaar. Additionally, the most reliable (relatively speaking) facial recognition technology, say Apple Face ID is far more advanced than the technology UIDAI banks upon. The iPhone captures a 3D image of the user’s face with infrared emitters. The UIDAI will rely on 2D images, shot years ago in some cases and in poorly lit conditions. It is bound to fail authentications.
Note that, the decision to push back the introduction of face ID system comes just days after UIDAI extended, by one month to July 1, the deadline for service providers and agencies like banks and telecom companies to fully deploy Virtual ID system and accept such IDs in lieu of Aadhaar number. Read the problems and logistical issues with VID here.