The UIDAI has announced a phased rollout of facial recognition for Aadhaar starting with telecom companies from 15 September, reports The Financial Express. Telecom companies can now use this as one of the methods for user authentication. Companies which miss the prescribed targets of 15 September may face a monetary disincentive. Additionally, if a telco wants to issue a SIM card to a customer who provides Aadhaar as an identification document, it will need to take a live photo for eKYC verification.
“TSPs are hereby directed that with effect from September 15, 2018 at least 10 per cent of their total monthly authentication transactions shall be performed using face authentication in this manner. Any shortfall in transactions using face authentication would be charged at Rs 0.20 per transaction,” said a UIDAI circular, according to an Economic Times report.
Facial recognition was originally announced for rollout in July to address the failures in fingerprint and iris authentication, but was later pushed to 1 August. UIDAI and its CEO Ajay Bhushan Pandey have maintained that facial authentication will be used as an additional form of authentication to “help all elderly or others facing issues with fingerprint authentication”. An earlier circular from the UIDAI on the launch of facial authentication said that Face Identification will only be used in “Fusion Mode” and will need an additional form of authentication with a fingerprint scan, iris scan or one-time password. ‘Fusion mode’ implies that face authentication will always be combined with either fingerprint or iris authentication. The agency also added that Face Identification will be provided to only certain AUAs (Authentication User Agencies).
Why facial recognition is worrying
1. First, a person’s face changes over time at different ages, and very significantly during adolescence. When Aadhaar enrolment began in 2009, it was collecting biometric information (including photograph) of children aged over nine. If an AUA tries to verify a person’s face with an outdated photograph, it will inevitably run into authentication failures.
2. Secondly, hackers claim that they broke Apple’s Face ID authentication within a week of the iPhone X launch. Bkav, a Vietnamese security firm, claimed that it was able to spoof Apple’s systems by building a mould and paper cutouts. Hackers could easily engineer a social hack with photographs of a target.
3. Third, Ars Technica pointed out that Apple’s Face ID captures additional facial features over time and uses them for authentication and to make improvements. If the UIDAI follows this example, it would imply constant surveillance over the Aadhaar holder to keep updating its database. Note that publicly, the UIDAI has told the Supreme Court that the Aadhaar system cannot be used for surveillance. In fact, the UIDAI has safeguards built into the law and its systems to ensure that the government cannot use Aadhaar for surveillance even if a court were to permit them. But documents from State Resident Data Hubs (SRDHs) show that they are building a 360-degree profile of residents. The Aadhaar Act specifically states that a 360-degree profile cannot be built using Aadhaar.
4. Finally, facial recognition technology on existing consumer devices uses the same camera for capturing the reference image of the face and for authentication, something that will be very unlikely with Aadhaar. Additionally, the most reliable (relatively speaking) facial recognition technology, say Apple’s Face ID, is far more advanced than the technology the UIDAI banks upon. The iPhone captures a 3D image of the user’s face with infrared emitters. The UIDAI will rely on 2D images, shot years ago in some cases and in poorly lit conditions. It is bound to fail authentications.