A bold new biometric identity and access management system is being deployed across India in a bid to combat rampant welfare fraud.
The mammoth system will collect the iris and fingerprint records on a voluntary basis of every one of India’s 1.2 billion men, women and children. Each will be issued with a 12-digit identity number.
The project would be a bold deployment for Australia, but for the second-most populous country in the world and one of its most diverse — in terms of culture, class and language — it is ground-breaking.
Making matters more complex, some 70 percent of Indians live across 640,000 villages and up to 30 percent of the population do not have a bank account.
Identity verification is currently a huge patchwork of systems of which many are simply paper documents issued by regional authorities and not accepted in other parts of the country.
As a result, residents carry up to four forms of redundant identity and duplication of records is rife. This also makes it easy for fake records to be created by corrupt officials seeking to steal welfare payments.
Estimates have suggested up to 40 percent of food rations alone are wasted through a combination of corruption and inefficiency. Most fraud affected food, fertiliser and fuel subsidies.
The biometric Aadhaar system, together with a revamped welfare system loosely based on Brazil’s Bolsa Familia program, is expected to help ensure the $40 billion in subsidies the Federal Governmentissues in direct annual welfare payments— up to 2.2 percent of the country’s gross domestic product — do not line the pockets of corrupt officials.
It is also aimed at making the process of distributing wealth more efficient, eliminating overheads for both the government and those in remote areas who currently spend up to 28 percent of their welfare simply collecting the cash.
The system could even support a cashless society, according to Anjan Lahiri, chief executive of MindTree IT which has secured the Aadhaar maintenance contract. In his future, citizens would pay for a bag of rice with a fingerprint scan.
Aadhaar has been a boon for startups too, which have built applications to leverage the identity platform.
Using a “zoo of open source animals”, as project advisor Srikanth Nadhamuni described, Aadhaar has been rolling out across the nation enrolling some 500 million residents since its launch in 2009. The project is slated for completion in 2019.
Nadhamuni, who will talk at the upcoming AISA National Conference in Sydney next week, said India was “leap-frogging” the point of citizen identity common in many western countries by moving from its current disparate systems to the Aadhaar biometric-based online and federated national platform.
“It is going at a rate of one million enrolments every day,” Nadhamuni said at the RSA Conference earlier this year. “We are adding a Finland every week.”
“This has been a very complex project but that’s not why it is unique – it is because of the human dimension to it.
“We have a real opportunity to get a large number of people in poverty [into] economic progress and prosperity.”
Private sector organisations from banks to airports along with government agencies will also be able to query the Aadhaar database to verify identities. The requests will receive only a pass or fail response to maintain privacy, Nadhamuni said.
Identity layers such as bank PINS and account numbers could be layered on top of Aadhaar authentication should organisations wish.
The project has obvious benefits but also fierce critics who were concerned with both the Government’s ability to secure the hugely valuable data, the apparent intrusion by the Federal Government into state affairs, and for the privacy implications for citizens.
On Sunday, retired Indian High Court judge K.S. Puttaswamy successfully petitioned the Supreme Court in that country to restrain moves by state governments to make Aadhaar mandatory for public services.
The Hindu reported Puttaswamy argued the project was deeply flawed because the project’s underpinning National Identification Authority of India Bill 2010 was rejected by a parliamentary standing committee, adding that there were no checks to prevent undocumented migrant workers from adding themselves to the system.
The Federal Government is now preparing to argue its case to the Supreme Court, claming that Aadhar should be required to access public services.
Letters have been sent to Government from both officials and activists in protest of various elements of the project.
Other privacy pundits have claimed the Government has yet to prove the citizen data would not be sold to private companies or handed to foreign nations.
Then there were the manifold security concerns with biometrics. Various fingerprint scanners have been bypassed by existing, albeit complex techniques that lift prints from surfaces and replicate them within a substance.
A line of iris scanners was last year fooled by creating synthetic iris images that could be applied to contact lenses. This exploited the fact that the scanner read an iris code and not the eye itself.
In addressing some security concerns, Nadhamuni said each of the 100,000 human operators sent to collect registrations — who were employed by a vendor in turn employed by State Governments serving as registrars — would include their own biometric data when citizen’s fingerprints and irises were collected.
This was required as a means to introduce traceability in the event biometric data was fraudulently collected and submitted to the central Aadhaar system.
Each biometric “packet” is PKI encrypted at the point of collection and decrypted “only when needed”. Any one of the three vendors employed to process the data can see only an identification number and not personally identifiable data, according to Nadhamuni.
Third party vendors can only access separate network zones and have restricted account access.
The trio of vendors were employed to introduce competition throughout the life of the project. This was achieved by paying per biometric record processed and sending the lion’s share of records to the then best performing vendor.
Duplicate records were sent across all three for validation — with an astonishing three trillion biometric records scanned each day — creating what Nadhamuni said was a system twice as effective as market offerings.
Java was the programming language of choice for the Linux-based system. It also uses Spring aspect-oriented programming, HADOOP, and runs on commodity blade servers to enable it to “scale gracefully”.
Read the original article here: