HCL and HP named in unflattering audit of India’s biometric ID system

India’s Comptroller and Auditor General has published a performance audit of the nation’s Unique Identification Authority and found big IT problems – some attributable to Indian services giant HCL and to HP, but others due to poor decisions by the Authority.

The Authority (UADAI) oversees “Aadhaar” – a twelve-digit ID issued as a national identity token. Aadhaar is essential to access government services but can also be used by third parties – banks and mobile carriers employ it to verify the identity of applicants for new accounts. UADAI arranges for collection of the biometrics needed to create an Aadhaar - ten fingerprints, two iris scans, and a facial photograph – through enrollment agencies and registrars, then provides authentication-as-a-service using Aadhaar numbers.

More than a billion Aadhaar IDs have been issued and over 99 per cent of India adults have enrolled in the scheme.

Aadhaar lacked a data archiving policy

The audit report found plenty of problems with the project, among them around 475,000 Aadhaars with the same biometric data used to describe different people. De-duplication efforts proved so poor that staff reverted to manual processes to address the problem. Many Aadhaar ID cards didn’t work as a result – attempts to authenticate users failed.

Infosec types never tire of pointing out that an entity’s security is only as good as its partners’. Yet UIDAI “did not carry out verification of the infrastructure and technical support” of organisations that sought to join its third-party ecosystem. The audit found that UAIDI was lax in requiring participants to complete security checks – which is problematic because that left the organisation unsure if devices used to capture biometrics conformed to its security requirements.

Whatever devices were used, capture of biometrics was often ineffective and some of the resulting data was unusable. Other biometric data captured but not paired to any person.

Third-party users of Aadhaar-as-a-service were not billed – despite revenue raising being an integral part of UAIDI’s mission.

UAIDAI also lacked a data archiving policy for several years. The audit explains the rudiments of tiered storage and the very good reasons to retire some data and points out that the organization therefore cost itself money and may have created compliance problems.

• Sri Lanka to adopt India’s Aadhaar digital identity scheme
• India uses controversial Aadhaar facial biometrics to identify COVID vaccination recipients
• India makes buying a used cow easier than buying a used car

At this point readers may be wondering who ran UAIDI’s technology, because not archiving data or checking stakeholder security suggests they did not do it brilliantly.

The answer is HCL – the Indian services giant was awarded a contract to manage UAIDI tech in 2012 and still has a role today.

The audit report found the company selected the provider of Automatic Biometric Identification Systems, but service levels were not met – possibly the reason for duplicate Aadhaar numbers and the other messes mentioned above.

UAIDI chose not to penalize HCL for those failures or the biometrics providers, and even restructured contracts so it could waive requirements to seek liquidated damages.

HP’s role in the mess was providing a document management system that stored Aadhaar enrolment data digitally and on paper but was plagued by inconsistent data collection and delivery that saw the creation of many incomplete records.

The audit concludes that the failure to enforce security standards across the Aadhaar ecosystem means the scheme poses a privacy risk to Indians, while waiving penalties to underperforming suppliers sent the message that sub-standard work was acceptable.

The document concludes with a strong recommendation that UAIDI take heed of the recommendations in the audit – especially those pertaining to information security.