Moody's Investors Service, a prominent global rating agency, has raised significant concerns regarding India's Aadhaar, the 12-digit universal identity system, and has cast doubt on the dependability of biometric technologies. According to its recent report, "The system often results in service denials, and the reliability of biometric technologies, especially for manual laborers in hot, humid climates, is questionable."
Calling Aadhaar the the “most trusted digital ID in the world”, the Indian government has dismissed the report, stating that the investor service made “sweeping assertions against Aadhaar” without citing any evidence or basis.
These concerns arise one year after India's primary auditor, the Comptroller and Auditor General (CAG) of India, criticised the Unique Identification Authority of India (UIDAI) for inadequate data management related to Aadhaar.
What does the Moody's report say?
Moody, in its report, Decentralised Finance and Digital Assets, stated that Aadhaar, the world's largest digital ID programme, allows access to public and private services with verification by fingerprint or iris scans, as well as alternatives such as One-Time Passcodes, with the goal of integrating marginalised groups and expanding social benefits access.
However, it notes, that the system faces hurdles, including the burden of establishing authorisation and concerns about biometric reliability, especially for manual laborers in hot, humid climates.
Although the report does not explain how climate affects biometric authentication, there have been several researches which support the claim. According to research, the texture of fingerprints alter according to the climate. For instance, in humid climate, fingers become saturated and wrinkled, resulting in acquisition of fingerprints of degraded accuracy.
On the other hand, hot and arid climate leads to skin dryness, posing challenges for fingerprints authentication. Dry, non-pliable skin fails to lay flat on sensors, preventing the ridges from making sufficient contact. As a result, the resultant fingerprint quality is compromised.
The remarks made in the report hold importance given the government's utilisation of Aadhaar to channel direct benefit transfers for beneficiaries of official welfare programmes. This includes the directive to enforce Aadhaar-based payments for workers under the Mahatma Gandhi National Rural Employment Guarantee Act (MGNREGA) scheme.
In August, the government postponed the deadline for transitioning to the Aadhaar-based payment system (ABPS) for MGNREGA beneficiaries for the fifth time, extending it until December 31, 2023.
Emphasising that ID systems like Aadhaar result in the centralisation of sensitive data within specific organisations and heighten the potential for data breaches, Moody's report advocated for decentralised identity (DID) systems like digital wallets, which leverage blockchain technology to grant users greater control over their personal information and mitigate online fraud risks.
How did the government respond?
The UIDAI outrightly refuted the assertions made by Moody's, emphasising that no tangible evidence was presented to substantiate the claims. According to the government agency, nearly a billion Indians have used Aadhaar to authenticate themselves more than 100 billion times in the last decade.
In response to concerns about the effectiveness of Aadhaar biometrics in India's hot and humid climate, the government stated that biometric submission is also available via contactless methods such as face authentication and iris authentication.
The press release by Ministry of Electronics and Information Technology asserted that the Aadhaar enjoys the trust of more than a billion Indians and cited favourable assessments of the system by international organisations such as the IMF and World Bank.
The statement unequivocally affirmed that there have been no documented breaches of the Aadhaar database thus far. They stated that Aadhaar's structure incorporates cutting-edge security measures and its systems align with international security and privacy standards.
Aadhaar's lingering concerns
Despite evolving into the primary form of identification for more than 1.3 billion Indians, concerns regarding Aadhaar's privacy and dependability have consistently surfaced throughout the years.
In a report released last year, the CAG highlighted concerns about data-matching issues, authentication errors, and deficiencies in archiving within the Aadhaar system. The report noted instances where Aadhaar card holders' data had not been appropriately matched with their Aadhaar number, even after a decade in some cases.
Another budding problem is the integration of this primary ID system with the banking system in the form of Aadhaar enabled payment system (AePS). A series of recent scams have exposed the vulnerabilities of the AePS and how cyber criminals are exploiting loopholes in the system to pull scams, either by cloning fingerprints or stealing them from government websites.
Due to these potential loopholes with the Aadhaar system, security researchers have advocated against the use of biometrics as passwords, let alone building an entire identification system upon it. This is because numeric passwords can be changed, in face of a data breach, but bodily features (iris or fingerprints) in the form of passwords leads to irreversible damage if breached.