back to article HCL and HP named in unflattering audit of India’s biometric ID system

India’s Comptroller and Auditor General has published a performance audit of the nation’s Unique Identification Authority and found big IT problems – some attributable to Indian services giant HCL and to HP, but others due to poor decisions by the Authority. The Authority (UADAI) oversees “Aadhaar” – a twelve-digit ID issued …

  1. tip pc Silver badge
    Alert

    should have chosen ............

    complex government requested IT project gone wrong and the vendors profited handsomely, where have we seen that before?

    prospective buyers, of outsourced services, beware!!

    1. Korev Silver badge
      FAIL

      Re: should have chosen ............

      UAIDI chose not to penalize[sic] HCL for those failures, and even restructured contracts so it could waive requirements to seek liquidated damages.

      Here's a bit of the problem...

  2. Pascal Monett Silver badge
    Trollface

    I have the solution

    Give the contract to Capita.

    I'm sure that'll work out fine.

    1. Korev Silver badge
      Thumb Up

      Re: I have the solution

      And get Dido Harding in to lead the project too...

  3. veti Silver badge

    Fingerprints

    You know how everyone's fingerprints are totally unique, right?

    Yeah, actually not so much. That's a bit of 19th century science that worked well enough when you were comparing fingerprints from a few hundred or even thousands of records. But it's only very recently that we've started to record them by the tens of millions. And in that use scenario, it turns out there's a very high chance of misidentifying people.

    We need to stop thinking of fingerprints as the gold standard of positive ID.

    I don't know what the story is with iris scans, but I wouldn't be surprised if it's similar.

    1. Jim Mitchell

      Re: Fingerprints

      Multiple people might have the same fingerprints, and multiple people might have the same iris scan patterns, but how many have the same fingerprints, the same irises and the same face? If the system actually worked as intended, it seems designed to cope with that fact that us puny humans aren't as unique as we think. Its just that it doesn't work.

      1. veti Silver badge

        Re: Fingerprints

        I'd bet there are thousands of scenarios where the data set collected for input is incomplete, damaged or corrupted before it even gets into the database. Someone badly scratched their hands the day before being scanned. Someone has two fingers, or one eye, missing. Someone failed to label all the records correctly upon collection. The air pollution was particularly bad one day and the subject's eyes were unusually bloodshot. Incomplete paperwork is a thing, significant levels of illiteracy, and we haven't even touched on deliberate fraud and corruption yet.

        In a population the size of India's, there must be millions of records affected by issues like these. Making it very hard to validate the samples that are collected. And I'm sure I don't have to tell you what happens when you input vast terabytes of data without pre-validating it.

    2. DS999 Silver badge

      Re: Fingerprints

      You might have the same (or rather similar enough that software can't tell the difference within the margin of error) on ONE finger, but even if your right index fingers match with someone else you won't also match on your other fingers.

      Same for irises and faces. By taking all of those you account for that issue, as well as for those who may not have all 12 fingers and irises.

      That's not to say securing this goldmine of information isn't potentially a huge problem, but I doubt there will be any issues with false matches given the ability to check so many independent biometrics per person.

      1. veti Silver badge

        Re: Fingerprints

        You're just assuming all these biometrics are independent. Is there any actual study to back that up?

        And it's not just software matching that can go wrong. Highly trained human experts can make the same mistakes. It's a dirty secret of fingerprint identification that there have been horrifyingly few systematic trials, and (as far as I know) absolutely none at this sort of scale.

        1. DS999 Silver badge

          Re: Fingerprints

          That's a pretty safe assumption, given that police take prints of all 10 fingers. If they were all the same/similar they wouldn't need to do that. Even identical twins do not have identical fingerprints, though they are often somewhat similar so this is something that's obviously highly environmentally dependent - they are already fully formed when you are born.

          The idea that fingerprints and irises would be correlated is laughable. Burden of proof on you for that one. I will admit I have no idea if our left and right irises are the same/similar so there may be some redundancy there.

    3. cantankerous swineherd

      Re: Fingerprints

      the clumber park rapist being a case / stitch up in point.

  4. Korev Silver badge
    Coat

    At this point readers may be wondering who ran UAIDI’s technology, because not archiving data or checking stakeholder security suggests they did not do it brilliantly.

    The answer is HCL – the Indian services giant was awarded a contract to manage UAIDI tech in 2012 and still has a role today.

    Sounds like HCL didn't use an ACID-compliant database

  5. VoiceOfTruth

    Where is the data stored? Or more importantly, where is the data accessible from?

    HP is an American company, and that means it can be coopted/coerced/willingly cooperate with collecting any and all information it has on any random Indian that the USA feels like spying on.

    1. Jim Mitchell

      Re: Where is the data stored? Or more importantly, where is the data accessible from?

      Providing a subsystem for this project and having access to the data in that system are not the same thing.

  6. Primus Secundus Tertius

    Cases elsewhere

    "…475,000 Aadhaars with the same biometric data used to describe different people."

    The Onion, a satirical American publication, once reported on the doctor who used the same magnetic resonance scan for all her pregnant patients.

  7. Raj

    0.3 percent

    There are close to 1.4 billion Aadhaar cards in use. Every resident of India gets one - even non citizens. The quoted figure is just over quarter of a percent.

    They underpin every major public benefit in India - direct benefits transfer (personal subsidies and income supplementation), the national health program and even CoWin, the Covid vaccination registration system. India has performed almost 1.9 billion vaccinations, a billion of them unique individuals, all registered using Aadhaar.

    DBT alone has cut $30 billion of prior graft - several times the cost of UIDAI .

    https://www.financialexpress.com/economy/dbt-savings-rs-2-23l-cr-counting/2378657/

    https://dashboard.CoWin.gov.in

    The CAG is only ever going to write unflattering reports. That’s their statutory role - they’re supposed to find problems and ask the hard questions, and to do it loudly and openly.

    This is a system that’s actually working - the largest or second largest digital ID system on the planet by a long distance, 2x the size of anything Europe combined would run, over a subcontinental sized country with a fraction of Europe’s per capita income.

    What’s the problem here exactly ?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like