What I learned in India about their National ID System

From IIW

What I Learned In India About Their National ID System (Aadhaar)


Thursday 14G

Convener: Kaliya Young

Notes-taker(s): Kaliya Young


Tags for the session - technology discussed/ideas considered:



Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


I was in India for two months between January and March to study their National ID system as part of the New America India-US Public Interest Technology Fellowship.

My research paper for this is focused on comparing the US Social Security Number system with the Aadhaar system. It will be released in June on their site.


The high level take away is that the India system is a vast and sprawling system. Each week I was in India I learned about a new piece of it or feature that I didn’t know about.


The UIDAI was founded in 2010 and was a quasi-legal entity created by executive order with its head joining the cabinet even though they were not elected to parliament.


They devised a system to collect the biometrics of citizens along with demographic information and based on that issue to citizens a number via a card sent to them in the mail.


They managed to enroll all of the residents of India because they got other agencies to help and to pay them per enrollment. These included state level governments, the post office and banks. These then outsourced enrollment to enrollment agencies and individual operators who bought equipment to do enrollment.


The UIDAI to get states to participate worked with them to support collecting additional information at the state level beyond the core demographics that they were collecting. This was called KYR+ (Know Your Resident - Plus) Information into State Resident Data Hubs. They required that the state level government use software that they created.


Then at the state level they started with the consultancies doing most of this work to merge together all the databases of various programs together using the Aadhaar as linking key as it were. Except the mostly didn’t get citizens to tell various programs what their Aadhaar number (known as organic seeding) they would do algorithmic matching and connect the data without the individual’s awareness or consent. This was known as Inorganic seeding.


Today there is a set of Authentication Service Agents and Authentication User Agents all hooked up to the CIDR to do authentication in the field.


They also have a set of services that do what is called eKYC the querying of a the national level database to have it send the demographic information (name, address, date of birth and gender) in the form of an “electronic document” that can meet the FATF requirements for KYC. That is for the banking system. India also has KYC requirements for the phone system so phone providers wanted this.


When talking with over seas Indians who were in my session afterward the session they described their experiences with registering for banks and phone companies and wondered where the consent for the KYC happened. They didn’t realize that they actually pulled information from the CIDR.


When enrolling people they also ask for a phone number. They use this to remote authenctation that is people who want to do authentication can ask for an OTP this is used for Authentcation. The trouble with this is that not everyone has a phone many people in remote places gave the UIDAI the phone number of the local head man.


India also created a Universal Payments Interface system and created an Aadhaar look up service that lets people send money by just knowing the Aadhaar number of people. One challenge that is happening in the field with this system is that people are encouraged by various financial service providers to open a new bank account - they do a eKYC process for this and then this over-writes the record in the look up service at the center and they are then are having their benefits going to this new bank and not the one they had originally set in the system.


There is the ability for employers to hook up their daily attendance system up to the CIDR. I met people in India who had to do this. I opens up the question is it an appropriate use of a National ID system to be monitoring people’s daily attendance at work?


There is the DigiLocker where you can pull all sorts of different documents in digital form from various agencies.


They have a mobile application for Aadhaar number holders.


You can sign documents using Aadhaar.


We didn’t get into it but they also have a new type of ID called a Virtual ID that can be created as a one-time ID to both KYC and Authentication.


The system is sprawling and seems to be growing with new attack surfaces created. The over seas Indian’s present thought I did a great job explaining the system and


The ISPRIT a trade association of Indian software makers has a model for how Aadhaar should work putting it at the center of a bottle neck of Indian’s us of applications in what they call the India stack.



14G28.jpg



Books I would recommend in this order.


  • The Aadhaar Effect: Why they World’s Largest India Project Matters by N.S. Ramnath and Charles Assisi
  • Decent on Aadhaar: Big Data Meets Big Brother edited by Retina Khera
  • A Biometric History of India’s 12-Digit Revolution
  • In Pursuit of Proof: A History of Identification Documents in India by Tarangini Sriraman
  • Rebooting India: Realizing a Billion Aspirations by Nandan Nilekani and Viral Shah

IIW28 TH 14G What I Learned In India About Their National ID System.jpg