Digital Identities

Design and Uses

A project of the Centre for Internet and Society, India
Supported by Omidyar Network India

Digital ID in India:
Insights from Exploratory Research Mapping

November 6, 2020

Written by Saumyaa Naidu
Edited by Anubha Sinha, Divyank Katira,
and Shruti Trikanad
With inputs from Amber Sinha and Pooja Saxena

Download the research maps as PDF

This blog post can be read along with our exploratory research maps on the digital identity system in India. The maps capture the processes and systems involved in India’s digital ID system, Aadhaar. Following is a summary of the key insights derived from the research and mapping explorations.

The digital ID system in India was conceptualised to provide efficient, transparent and targeted delivery of subsidies, benefits and services, to the residents of India.1 It was also intended to prevent the exclusion of residents who do not possess any identity documents. Hence, biometric technology and big-data processing were put forward as solutions for conducting digital identity verifications.2 Aadhaar, a unique ID for each resident, was envisaged to form the basis of service delivery and access to further digital infrastructure. This digital infrastructure includes IndiaStack which comprises financial applications such as DigiLocker, eSign, eKYC, Unified Payments Interface (UPI), and Aadhaar Auth. The healthcare sector in India is also being conceived as a digital health technology ecosystem through the National Health Stack (NHS) policy by the NITI Aayog.3

Challenges in Aadhaar and the Envisioned Digital Infrastructure

An Exclusionary Ecosystem

The digital infrastructure ecosystem in India has been criticised to be tightly controlled and inherently exclusionary. Aadhaar itself has been reported to exclude residents from access to services due to authentication errors. Biometric verification is also a costly method to adopt, as making available sufficient number of devices for on-site verifications at several services is not feasible.4 The Aadhaar Identification process map shows the steps for enrolling with Aadhaar. There are several steps in this process that can cause exclusion, such as lack of access to a mobile phone, inability to provide biometric data, and lack of network availability and technological access, especially in remote areas.

As the IndiaStack systems map indicates, the IndiaStack layers — Presence-less, Paperless, Cashless, and Consent — form a significant part of this ecosystem. However again, the infrastructural requirements assumed currently for such an ecosystem to function effectively, do not match the infrastructural availability on the ground. Thus, services such as UPI, e-Sign, and e-KYC would still be inaccessible to a large section of the population, as they require access to a mobile phone and network connectivity.

The NHS policy has been criticised too, for being an expensive technology project, potentially violating the fundamental right to health and to privacy. It is also expected to have very little impact on access to healthcare for those who most need it, as digital access and literacy is still absent in many parts of the country.5

There is also lack of clarity in the grievance redressal mechanisms in the identification and authentication processes. Process maps such as that of UPI Identification in IndiaStack indicate multiple points of failure in the flow of data between different entities such as the resident, the Payment Service Provider (PSP), the UPI, and the issuer bank. But, there are no clear options for redressal in these steps.

A Centralised ID System

Through the mapping it was observed that the digital ID system in India has a lack of clear, decentralised practices. The programme has a central repository of the citizens’ data in the form of the Central Identities Data Repository (CIDR). The Aadhaar Authentication process map shows that all of the sensitive data is placed in a single database, making it vulnerable to attacks and presenting a severe security threat. The Unique Identification Authority of India (UIDAI) being the only ID provider in the system places a lot of power and responsibility on a single entity. UIDAI is also a statutory body and hence has the authority to form policies, and laws related to Aadhaar.6 This means that it regulates itself and is not answerable to any other government body.

The Misnomer of ‘Open’ APIs

In recent years, the government of India has taken several initiatives towards openness. A Framework for the adoption of Open Source Software (FOSS) policy in e-governance systems was initiated by the Government of India in 2014. In 2015, the government adopted the Open Application Programming Interfaces (API) policy, to promote software interoperability for all e-Governance applications and systems.7 The Open API policy forms the basis of both IndiaStack and National Health Stack services. Open APIs, in their existing form in the government applications, allow interoperability between different e-Governance applications.

Despite these initiatives, the source code of such applications has not been made available under the open source license, thus not making it possible to be tested and audited openly. Parts of this centralised digital infrastructure remain proprietary. It is still prescriptive of what kind of solutions can be built upon it. Hence, while the IndiaStack and the National Health Stack are built on open APIs, they offer limited opportunity for other stakeholders to build different kinds of services.

Inaccuracy of Data

In the NHS, the legal frameworks and delegation of responsibilities by governing bodies has not been clearly formulated yet.8 Considering the scale of NHS, as it envisages expansive databases that would be updated by different entities, the possibility of there being inaccurate data is quite high, especially in the absence of any incentives for various stakeholders to take additional steps.9 Moreover, as indicated in the systems map of NHS, the dataset will be utilised by multiple stakeholders. This implies that there should be clear and detailed data utilisation guidelines, which is presently missing.10

Threat to Privacy and Security

Aadhaar has been argued to pose severe privacy and security threats to individual data. There have been concerns over the potential misuse of biometric and demographic data being collected by the ID system and its linking with several government and private services. There are also privacy implications of IndiaStack, as services such as eKYC and UPI collect sensitive data of residents during transactions. The financial data allows more power to banks and other financial institutions, as it can be used for creating credit profiles of residents.11

The DigiLocker Authentication process in IndiaStack maps the use of Facebook as an option to log into DigiLocker. The use of a private sector platform to access a service that will store official government documents of a resident, could pose a security concern.