‘Privacy And Anonymity Through An Independent, Biometric-Driven Universal ID Is The Best Way To Secure Other Systems’

November 17, 2016

In six short years, Aadhaar, India’s biometrics-based unique identification project, has enrolled more than 1.07 billion people. This has given hundreds of millions of people who previously had no access to benefits a way into the formal systems that provide them.

In a freewheeling interview, Dr. Pramod Varma, Aadhaar’s Chief Architect, and CTO of EkStep, a not-for-profit that uses technology to reimagine learning opportunities for every child, spoke to Biometrica’s Kadambari M. Wade on why it was necessary to have an independent biometrics-linked platform. He also spoke on matters of privacy, tracking, Voter IDs, and more.

Why Aadhaar? What was the philosophy behind India opting for a biometric universal identity system?

Dr. Pramod K. Varma, the Chief Architect of India’s Aadhaar.

Dr. Varma: There is a bit of history here. India, in one sense, was rather primitive, as compared to a developed country, when it came to something like a birth registry system, which is something you pretty much take for granted in a country like the U.S. Births are almost always registered. You’re then given a Social Security Number, and you start the process of building a profile for an individual. India didn’t have that. Even now, in states like Uttar Pradesh [which borders India’s capital, New Delhi], about 40% of births are not registered.

One situation, therefore, was that India didn’t even have some basics, like births and schooling, covered. At the same time, India also had ambitious social protection programs, what you call direct benefit programs, and the allocation for those kept growing in our budgets. It was a huge burden. We were looking at the government needing to reach about 90-93% of 1.3 billion people.

Are you saying that 90-93% of India’s one billion-plus population depends on the government for assistance?

Yes, it’s a huge number — 90 percent or more of Indians depend on some form of state subsidy or assistance. About 600 million people are covered through various forms of benefits, whether for jobs, pensions, scholarships, etc. In 2014 for example, India was spending three hundred thousand crore, or about 2.45 percent of the GDP, on direct subsidies. At current conversion rates, that’s probably about $45 billion in U.S. dollars, every year, on direct subsidies. These were not indirect subsidies like government schools, or infrastructure like roads.

So this was direct living assistance?

Yes, in one form or the other. At the same time, imagine this: When your foundation for doing a lot of these things, like a birth registry or a national identity of sorts, doesn’t exist, and you’re still spending this kind of money, what happens to accountability? There was no mechanism to even measure or understand whether the right people were getting the right assistance, and what we called “leakage” kept increasing. In many programs, the leakage was as high as 50 percent-plus.

That seems exceedingly high.

Yes, in the 1980s, then Prime Minister Rajiv Gandhi said that only 10 percent of subsidies actually went to the people they were expected to go to, with leakage being at about 90 percent. Most studies authoritatively put that figure at around 40 percent. Forty percent of $45 billion means about $20 billion a year was being leaked, which also meant the people that were supposed to be getting this money or grants of some sort were not getting it.

But it was going somewhere.

Yes, it clearly was. There were two primary drivers behind the idea to opt for a UID (unique identifier). The first was providing an identity in general that allowed a person to have a verifiable identity. The second was giving them the ability, through using that identity, to access the formal system, whether that was banking, credit, healthcare, each of which required some kind of ID, and ensuring the efficiency of the subsidy regime. India couldn’t spend any more, so eliminating the leakage was going to be a huge relief.

So it was believed that a unique identity could completely unlock the system.

Yes, and it was a powerful revelation. What was different was how it was implemented. After Nandan Nilekani took over, the solution became more future-looking.

Why biometric identity?

It goes back to my earlier point. Nothing existed. When half the country hadn’t a clue when they were born, or there was no real record of their birth, there was no clean way to create a unique identity. How did you ensure that? The only way we could determine that the same individual was the same individual was through biometrics.

You’ve lived here, in the United States. We’ve just had the general elections and in the lead-up, there was a lot of debate on Voter IDs. How would you define an election system with and without biometrics?

This is an interesting question, and there are two ways to look at this. In the first, you create a purpose-driven solution, one that solves a particular problem completely. If you believe there is a real problem with identifying genuine voters during the elections, and you want to solve that problem, you could clean up a flawed system using a biometric authentication system. You would create an ID in an election system, and then anyone voting has to have that ID authenticated. But that is a solution-driven play, not applicable to anything else.

Could you elaborate?

In India’s case, going back to your question, the need, going forward, to have a biometric authentication may or may not be there, as the identity itself, through Aadhaar, is biometric. So layering a system like an election system on top of an existing identity system, and allowing the election system to take advantage of a preexisting biometric identity, is different from what a country like the U.S. would have to do, if they wished to create an authenticable election system that is based on biometric identity.

And that is because we do not have an underlying digital biometric identity here in the U.S.?

Yes, exactly. You’d have to build an election system as a black box of its own solution. It’s like the Affordable Care Act. You built it from scratch and the identity part of it is internal to it. It’s a solution play. In India, we wouldn’t have to do something like that. In India, through Aadhaar, each person is biometrically unique and because a digitally authenticable platform exists as an independent identity platform for more than a billion people, getting an election system on top of that becomes a very thin application of that identity.

The election system would then be a separate system sitting on top of the ID system?

Any purpose-driven system would. In the case of elections, that particular layered system will then have who can vote, the rules of who can vote, where can you vote, when can you vote. That’s all part of the election layer, not part of the identity layer, and therein lies the major difference. In the U.S., I would assume that if you had to do a biometrics-linked election system, you’d pretty much have to do it as a full stack solution. It cannot be reused anywhere else. In India, because identity is a platform by itself, and an independent one, you can layer other systems, independent of each other, on top of it. So a healthcare system or a banking system can use that same biometric identity. But the biometric identity system doesn’t qualify citizenship. It only qualifies you are who you say you are.

A girl offers her ID to get her ballot to vote.
Credit © Lisa F. Young | Dreamstime.com

Why can’t an electoral ID system be utilized anywhere else? You’re saying that in India, because you created an independent digital identity platform first, it can then be used for different layers, whether for banking, healthcare, direct benefits, or voting. But if you create a system for electoral identity, why can’t you use that to provide direct benefits?

As an architect, I would think this would go into exactly the same situation as say, social security. Social security, originally, was not meant to be an identity system. It was a benefits system. It has, de facto, become an identity system, sort of. As an architect, I would think differently. If you want a reusable element, then the reusable layer, your identity, should be agnostic to the domain-specific rules or the functional rules of the platform you’re using it for.

So you’re saying your identity system needs to be platform and purpose agnostic?

Yes, you can obviously use election, or ensuring direct benefits, as applications or a need to get the US to use biometric identity. But you still have to have the identity layer separated out, with a different authority horizontally owning the identity, and not put identity under say, the Home Ministry in India, or the Department of Homeland Security in the U.S., or the election guys. If you do that, and tie it into citizenship, the banking guys, for instance, would find it very hard to use that ID, as would healthcare systems, because each of those layers has its own restrictions.

What you’re saying is that ID systems created for specific purposes, like elections, are restricted in scope because that purpose might not suit some other application. And you need an independent identity authority because not everybody that has or needs a bank account can vote. And if an identity platform is only given to those that can vote, it cannot then be used to authenticate non-voters wanting to get a bank account and fulfill KYC norms?

I’m saying exactly that. An election system is very purpose driven. Purpose driven systems are not intended for reuse or repurpose for other purposes. The moment you create a special purpose vehicle, to think that you can generalize it and say, “OK, by the way, because we have it we could use it for this, this and this,” isn’t how technology-driven identity systems work. You’ll end up with a clunky design, and a lack of clarity in ownership, and severe systemic issues. The people who manage elections have a different purpose in life. Their objective is not to manage an identity system for the country.

How early can you get biometrics that can be authenticated for children? Here, for instance, a social security number, which was initially issued only after the age of 14, can now be applied for along with the birth certificate.

We have enrolled 1.07 billion people in our India program in the five-and-a-half years since we’ve begun. We’ve scaled extremely fast. While we do provide an identity number at birth, we do not bother capturing biometrics at that point. Babies’ fingers are too tiny, and their fingerprints would not appear clearly on top of the glass plate on which digital capture has to happen, even though their biometrics have evolved. They evolve in-utero, and you have well formed irises and fingerprint patterns in the womb. We did a lot of proofs of concept and realized we had to get through the terrible twos before we could practically make this work. To get a child to sit around and get workable biometrics wasn’t practical. So we decided those biometrics could be captured at age five.

What do you do when you give an Aadhaar number at birth or pre-age five?

We insist that one of the parents, or a guardian with a biometric identity — keeping in mind that we have children that are orphans and so on — has to vouch for the child and be linked to that child’s identity till the age of five, at which time they are delinked from the parent or guardian in the system. The system is so minimalistic that we do not capture the parent or guardian in the system beyond that age. There are just four attributes — name, date of birth, gender and proof of address at the time. Which goes back to your original question, why can’t a Voter ID be used for other things. Our ID doesn’t detail your relationships, religion, job profile, dependents or anything else. Any other attributes would have to be built into whatever layer you build separately on top of the identity system, be it banking or healthcare or social benefits. The federated model is very important.

If someone is homeless, and you require an address, what do they provide?

The homeless part wasn’t hard. When we conducted camps in homeless shelters, they, for the most part, provided that shelter’s address as their address. Now whether they moved around or not, they wanted to settle or not, that was their choice. The idea was to give them the ability, whenever they chose, to get back into the formal system, whether it was to avail of healthcare benefits, or banking, or whatever. At that point, they also have the option to update that address, as control is given back to the identity holder. You can change your name in the system, like after marriage if you so wish, or you can change your gender, there are no strings attached to this.

You’ve mentioned purpose-driven layers a couple of times, and stressed that a biometric identity is only to prove you are who you say you are, and does nothing else. So are you saying that in India, despite more than a billion people having UIDs, for being in the voter registry, you’d need a separate ID? It would be an additional layer?

Absolutely, it has different requirements, which is why the federated and layered model of entitlement has to be understood. Identity is an independent orthogonal topic, necessary when you’re born or living someplace. You need an identity so you can identify yourself to gain access to a system. But whether you’re allowed to drive, or get healthcare, or get a food subsidy or money from the government, is an independent registry. Now of course, they will be linked to the unique identity system, so you won’t get two food coupons, or two votes. So it’s used to prevent duplication or misuse, and to authenticate you as a unique person. But someone would have to verify their eligibility for an entitlement system separately.

That answers my question on how you separate identity and electoral requirement!

Exactly. It depends on the purpose. If you say my purpose is to solve electoral or digital voting, and has nothing to do with creating a digital identity for other purposes, then you could create an all-inclusive digital system for voters and not bother using it for anything else. But you should never ever say, “I’ll build an electoral voting system using biometrics and somehow reuse that for other purposes.” It would become extremely difficult.

So you can’t map a unique ID to being a citizen, as opposed to being ineligible to vote? You can only create a UID, and layer it with anything else.

Yes, a UID is in essence, a starting point. A UID, here in India, has taken on the hard work of ensuring that this person is unique, biometrically, and has established a way to authenticate that virtually, or digitally, across the country. Suppose I walk into a bank and open a bank account. I can verify I am who I say I am digitally, through my UID, but then I also need to prove that I meet whatever banking eligibility is required by the banking system. For a driver’s license, you can prove your ID, but you still need to prove you can drive. And you still need to prove you are not just who you are, but also that you are a citizen, to vote.

A vector of a U.S. driver’s license.
Credit © Anton_novik | Dreamstime.com

My biometric ID just tells me I am me. A secondary system tells me that if I am me, I am a citizen and meet the criteria needed to be allowed to vote. Interesting, because in the U.S., in many states, you can now register to vote at your local DMV while filling in your driver’s license form. The form really depends on you being truthful.

Yes. And by the way, as an architect, I’m actually cringing at the thought of why a driver’s license form or process has anything about elections mentioned on it. It is extremely silly. Why depend on someone’s conscience? All a driver’s license process needs to do is ask you to show an identity that proves you are who you say you are, and then ask you to take a driving test. With UID, it simplifies the process of identity, and ensures you can’t get two licenses.

In India, if your UID doesn’t tell you anything about a person apart from whether they are who they claim to be, and are unique, how do you tackle, for instance, perceived national security problems? Undocumented refugees from Afghanistan or Tibet, or other undocumented migrants from Bangladesh, or Nepal, who could, hypothetically, get a UID, and from thereon, enter the formal system?

I’d like to be clear on this. A UID is not a mechanism to stop cross-border movement. It isn’t a mechanism to solve world hunger, or education issues. But it is necessary to have an identity. If you don’t have it as a system, how do you know who lives here? The idea behind UID is to establish a system that doesn’t currently exist, one that can be built upon. So can there be people here already that should not legally have been here that would get UIDs because they are residents? Probably.

And it’s okay because the system is forward-looking?

If we didn’t build the system now, we wouldn’t have the option, 10 years from now, when we have everyone that’s already here in the system, to have a viable verification process in place. At that point, we can look at only providing UIDs at birth or when someone gets a valid visa. We can then hope to have something like a citizen’s registry. Hopefully, one day, you can have a better birth registry, have a better idea of travelers, or migrants, to put in place better national security. If you don’t put in a system now though, what would you build on? The good thing is that when the system starts getting cleaner, when the citizenship registry starts forming, when the travel registry starts forming, India will be able to tighten the ID system, or the layered systems, such as social benefits programs or others.

One of the criticisms of things like Voter ID requirements, or having an identity card, is that it discriminates against people from lower economic groups, because of the difficulty in getting it.

Why is it difficult to get? It shouldn’t be.

If you have to get an ID, it’s half a day’s job, at the very least, as you need to go to a government office, typically open during business hours. For the daily wager, he or she doesn’t have that half a day to spare. It takes away part of a living wage.

If there is a mandate to get an identity, you have to have appropriate laws to protect people and then incentivize them to actually get that ID. The process of getting a biometric identity should be a once-in-a-lifetime event, and you can do that by ensuring that anyone that takes time off work to get that ID is compensated adequately. Frankly, I think the U.S. has been taken over by private systems, and yet, has also been taken over by the creamy layer’s paranoia about privacy. People are OK giving up privacy for convenience, but are paranoid about it otherwise. Unless there’s some give, you will probably not have a government-driven universal identity system like in India. The unfortunate part is that privacy and anonymity through an independent biometric-driven ID is the best way to secure your other systems, but because people don’t necessarily understand how these systems work, they don’t realize it.

Could you talk about the anonymity that a truly anonymous, biometric UID system could provide? The obligation of a unique ID system is just to validate I am who I say I am. With true anonymity in a healthcare system layered on top of a UID system, I would be just a number. No one would know I have X disease. The UID in India, though, gives you a name, so it’s not completely anonymous.

Here’s what you need. Take that healthcare system that is built as a layer on top of the UID to carry your digital health records. It should, for instance, have a design mechanism that needs to verify biometric identity only once, and then have an anonymous alias used internally. It should be the same with voting systems. When you design a voting system on top of a UID system, that doesn’t mean the UID is anonymized, but that a layered voting system can ensure they do a biometric identification, discard the real identity, and actually anonymize and record the fact that you voted. Obviously the voting system has to also not record whom you voted for, so you have to anonymize that too, and a bunch of things.

So in true anonymity, you have an identity connected to your name, but when you show that identity in a layered system, you’re just a number or a unique alias?

Yes. You might want to also ask why healthcare systems should continue to store an identity? Why can’t the system store an anonymous alias? These are design questions related to how a healthcare system is built, not how an identity system is designed or built. That identity system is simply saying you are who you are. What attributes of the ID system are embedded in the healthcare system, is a question of design of healthcare systems. So the layered systems that are built on top of ID systems must ensure privacy and anonymization of information, depending on the need — a school system would be very different from a healthcare system.

I get that. So the attributes that are layered on top of any specific tags actually determine the privacy and anonymity?

Exactly. And that is where the design construct has to apply, to prevent discrimination and any inherent prejudice that might exist. Some of that might exist irrespective of a digital ID system. However, this was also why in the case of UID, it didn’t have a religion or caste attribute.

What happens if someone takes over someone’s identity, says they’ve changed their name?

That is a very detailed technical discussion, on how we’re protecting biometrics to prevent reuse or misuse. There is a certification we have built in Aadhaar, called registered devices specification, which allows devices to authenticate biometrics, check for “live-ness” and so on. Take a hypothetical, very extreme, Minority Report kind of case, say, if someone artificially imitated your iris with “live-ness.” To update your ID, you would have to go to an Aadhaar touch point, where an Aadhaar operator using our own software, not available to you, needs to sign off on your update. If the operator has colluded with you on this, we’ll know when that audit trail is checked. You get a physical and digital notification and if you turn around and say you didn’t change your identity, we can trace it back to the enrolment center, the operator and the device on which it was recorded.

But you can’t build a system for the extreme exceptions, in any case …

We can’t. But I think the question we have to ask is if it happens, could we track down the problem. And we’ve done whatever is technologically possible to ensure that we can. Internally, every one of our ID records is encrypted and tamper-proof, so no database admin, no human, can see our data. A DBA can’t change what they cannot see. And finally, once the technology stops, the laws of the land kick in.

Knowing what you know now, what would you have done differently in the architecture of India’s UID?

I think it’s more process than architecture. The eKYC as a feature was thought about not in 2009, but in 2012 — we realized the importance of digital ID sharing, as opposed to a photocopy of a paper, halfway through. What I’m trying to say is that we would have done some process improvements, rather than architectural improvements. Our architecture is extremely minimalistic. All it does is give you those four attributes. Name, Address, Date of Birth and Gender. The system does not even record the purpose or location of authentication. We don’t know if X person is voting or opening a bank account. The minimal architecture ensures it works well.

If a unique identifier is the ultimate securer of privacy, in your opinion, is that the way forward for a country like the U.S.? Should you lose all privacy by providing your biometrics to an anonymous system, to gain a secure, private ID and workable systems down the line?

It’s debatable and depends on how extreme your privacy rules are. Even in the U.S., you don’t just say you have no ID when asked for some by law enforcement, or a hotel you’re checking into, or for something else. Unless you’re completely off the grid in every way and do not interact at all with society, you have some form of ID. You can’t build programs for those off the grid situations. You build it for everyone else.

Final question. What would you say to people that talk of an all-knowing state, or “big brother watching you?”

I think the Indian UID program has done extremely well, allowing millions to get into a formal system and access benefits. We store no purpose of transaction or transaction details, leading to a very federated or distributed system. I think India’s UID program is a brilliant system to imitate, because of extreme minimalism of architecture and the fact that it is what’s called a zero knowledge system. The layered systems don’t speak to each other.

One of the biggest worries when our program in India began was that fear of Big Brother watching you, that the system would become this massive, all-knowing database. But look at our design, the zero knowledge system. There’s no profiling data, and zero transaction data. What else could we do to ensure privacy?
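The design Dr. Varma sketches in two places above (verify identity once, then let each layered system work with an anonymous alias; and keep the layers from speaking to each other) can be shown concretely. The following is an editor’s added illustration, not code from Aadhaar, UIDAI or the interviewee. It is a toy model: the biometric match is stood in for by presenting a constructed identity number, the per-sector aliases are HMAC-SHA256 values keyed with a secret the identity layer holds for each sector, and the two “layers” (voting and health) are hypothetical classes written for this example. The point it demonstrates is that a sector can still detect duplicates (the same person gets the same alias within that sector) while two sectors holding aliases for the same person cannot link them without the sector keys, and the identity layer itself stores no record of what the authentication was for.

```python
import hmac
import hashlib
import secrets


class IdentityLayer:
    """Hypothetical identity platform: knows who is unique, answers yes/no,
    and returns only a sector-scoped alias. It stores no purpose, location
    or transaction details (the 'zero knowledge' property described above)."""

    def __init__(self):
        # Constructed sample residents: identity number -> name.
        self._records = {"1234-5678-9012": "Asha", "2345-6789-0123": "Ravi"}
        # One independent secret per sector; sectors never see these keys.
        self._sector_keys = {}

    def register_sector(self, sector):
        self._sector_keys[sector] = secrets.token_bytes(32)

    def authenticate(self, uid, sector):
        """Stand-in for a biometric match: presenting a known uid counts as
        a successful match. Returns None on failure, else a sector alias."""
        if uid not in self._records or sector not in self._sector_keys:
            return None
        # Keyed per sector, so the alias is deterministic inside a sector
        # (deduplication works) but unlinkable across sectors without the keys.
        mac = hmac.new(self._sector_keys[sector], uid.encode(), hashlib.sha256)
        return mac.hexdigest()[:32]


class VotingLayer:
    """Hypothetical electoral layer: records only that an alias has voted,
    and stores ballots with no link to any alias."""

    def __init__(self, identity):
        self.identity = identity
        self.identity.register_sector("voting")
        self.voted = set()      # aliases only: no uid, no name
        self.ballot_box = []    # choices only: no alias

    def cast_vote(self, uid, choice):
        alias = self.identity.authenticate(uid, "voting")
        if alias is None:
            return "unknown identity"
        if alias in self.voted:
            return "already voted"
        self.voted.add(alias)
        self.ballot_box.append(choice)
        return "accepted"


class HealthLayer:
    """Hypothetical health-records layer: files records under its own alias."""

    def __init__(self, identity):
        self.identity = identity
        self.identity.register_sector("health")
        self.records = {}       # alias -> list of entries

    def add_record(self, uid, entry):
        alias = self.identity.authenticate(uid, "health")
        if alias is None:
            return None
        self.records.setdefault(alias, []).append(entry)
        return alias


def run_demo():
    """Exercise the layers and return the facts worth checking."""
    identity = IdentityLayer()
    voting = VotingLayer(identity)
    health = HealthLayer(identity)

    first = voting.cast_vote("1234-5678-9012", "candidate A")
    second = voting.cast_vote("1234-5678-9012", "candidate B")  # same person again
    stranger = voting.cast_vote("9999-9999-9999", "candidate A")  # not enrolled

    health_alias = health.add_record("1234-5678-9012", "constructed: routine visit")
    voting_alias = identity.authenticate("1234-5678-9012", "voting")

    return {
        "first_vote": first,
        "second_vote": second,
        "stranger_vote": stranger,
        "ballots": list(voting.ballot_box),
        "voting_alias": voting_alias,
        "health_alias": health_alias,
        # Same sector, same person: alias must be stable for dedup to work.
        "voting_alias_stable": voting_alias == identity.authenticate("1234-5678-9012", "voting"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design notes on the toy. First, the identity layer, not the sectors, holds the sector keys; if a sector derived its own alias from the raw uid, it would also hold the uid, and the separation the interview describes would be lost. Second, the ballot box is appended to without the alias, so even the voting layer cannot reconstruct who chose what; in a real system the ordering of ballots would itself need shuffling or batching, which this example does not address.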

The writer can be reached on kmurali@biometrica.com