India's Comptroller and Auditor General conducted an audit of the Unique Identification Authority (UIDAI) which oversees the twelve-digit biometric ID system “Aadhaar.” The audit found several issues caused by poor decision making by the authority and incompetence from service providers like HP and HCL.
Aadhaar is essential to accessing government services. UIDAI was tasked with collecting the biometrics needed to create the 12-digit Aadhaar; ten fingerprints, a face photo, and two iris scans.
Over 99% of India's adult population has enrolled in the program.
However, the audit found that there were multiple problems with the program. For instance, it found that about 475,000 had the same biometric data but were assigned to different people. The duplication of data resulted in many Aadhaar IDs not working.
We obtained a copy of the audit report for you here.
Another problem was UIDAI failing to “carry out verification of the infrastructure and technical support” of the organizations it used to collect biometric data and to provide other services. The authority ignored one of the rules of information security: “an entity's security is only as good as its partners.'”
The audit states that UIDAI was not strict in requiring security checks from service providers, meaning it was also not sure that the devices used to collect the biometric data were secure.
The audit found out that some of the devices used to collect the biometric data were so low quality that the data was unusable.
Some of the data could not even be linked to a person.