Some IT projects had hallmarks of some terrible tech from Indian services giant HCL and to HP and others due to poor government decisions.
The Authority (UADAI) oversees “Aadhaar” – a twelve-digit ID issued as a national identity number. Aadhaar is essential to access government services but can also be used by third parties – banks and mobile carriers use it to verify the identity of applicants for new accounts.
UADAI arranges for collection of the biometrics needed to create an Aadhaar - ten fingerprints, two iris scans, and a facial photograph – through enrollment agencies and registrars and provides authentication-as-a-service using Aadhaar numbers.
More than a billion Aadhaar IDs have been issued and over 99 per cent of India adults have enrolled in the scheme.
However, the report found shedloads of issues with the project including a situation where 475,000 Aadhaars with the same biometric data used to describe different people. De-duplication efforts were so bad that staff reverted to manual processes to address the problem. Aadhaar ID cards didn’t work as a result – attempts to authenticate users failed.
UIDAI failed to carry out verification of the infrastructure and technical support” of organisations that sought to join its third-party ecosystem. The audit found that UAIDI was lax in requiring participants to complete security checks – which is problematic because that left the organisation unsure of devices used to capture biometrics conformed to its security requirements.
Whatever devices were used, capture of biometrics was often ineffective and some of the resulting data was unusable. Other biometric data captured but not paired to any person.
Third-party users of Aadhaar-as-a-service were not billed – despite revenue raising being an integral part of UAIDI’s mission.
UAIDI’s technology was run by HCL which got the contract in 2012 and still has a role today.
The audit report found the company selected the provider of Automatic Biometric Identification Systems, but service levels were not met.
UAIDI chose not to penalize HCL for those failures, and even restructured contracts so it could waive requirements to seek liquidated damages.
HP provided a document management system that stored Aadhaar enrolment data digitally and on paper but was plagued by inconsistent data delivery that saw the creation of many incomplete records.
The audit concludes that the failure to enforce security standards across the Aadhaar ecosystem means the scheme poses a privacy risk to Indians, while waiving penalties to underperforming suppliers sent the message that sub-standard work was acceptable.