Controversial Indian health records reach 140M registrations, 96 percent linked to Aadhaar
The controversial scheme to give everyone an India a Unique Health ID (UHID) has continued apace with 140 million people now signed up. Of these, 96 percent have their records linked to the national biometric ID system, Aadhaar, and the remaining four percent are now being offered the option to link their health ID with their driving license, reports MediaNama (subscription required). The news comes as Privacy International releases a highly critical assessment of the Aadhaar project.
The Ayushman Bharat Digital Mission (ABDM) was launched in September by Prime Minister Narendra Modi to provide universal health coverage, with an IT system for healthcare facilities and staff and a mobile app for citizens. Also known as the National Digital Health Mission (NDHM), it will be the largest public health infrastructure in the world and is proving highly controversial due to fears of it serving as a tool for surveillance.
Registrations were already underway before the launch of universal health coverage. Freedom of information requests found that authorities had been using COVID vaccination management systems to enroll 110 million people receiving vaccines, many without their consent. It is not and cannot be made a legal requirement to link a health record with the unique identifier of Aadhaar.
Praveen Gedam, mission director of the ABDM, said during a webinar on the simplification of the digital health mission for doctors that “Going forward, linkages with PAN, Passport (for Unique Health IDs) so that Aadhaar is not made mandatory because it cannot be made mandatory by way of legal procedures,” as quoted by MediaNama.
In addition to a health ID linker to their Aadhaar, people can potentially have multiple health IDs, on different mobile numbers, by using OTPs. Gedam said that once linking is enabled, Indians with mobile-based UHIDs will get a message asking them to link it with a government-issued ID, according to the report.
“Login using email, login using Aadhaar, login using face, login using mobile number – all these options are being developed already by various product developers,” said Gedam, suggesting biometric login is coming.
600 APIs are coming for private providers to offer integrations with the ABDM’s databases and structure.
Privacy International delivers damning review of Aadhaar ID system
The study finds that even determining the private company stakeholders of the world’s biggest digital ID system is opaque although it has been supported by the World Bank and Bill and Melinda Gates Foundation.
Nor were public consultations recorded to discuss Aadhaar’s development. Its non-modular, proprietary and black box approach makes it a difficult system to assess. Some high-level information has been gleaned on enrolment and authentication, but not on the encryption process.
While little information is given on de-duplication, the UIDAI claim it carries out both biometric and demographic de-duplication and has tendered for projects and awarded two contracts for the former in 2021, to Neurotechnology and TCS.
Biometric de-duplication is particularly problematic for a population of 1.4 billion, where there are now more than a billion people already registered. Case studies show that the UIDAI’s examples of matching based on datasets of just 40,000 people would take hundreds of years to perform on the actual database at best.
And so is the UIDAI doing things properly? Privacy International analyses the issues around confidence levels of records, and applies the process to false positive rates. The aimed-for false positive identification rate (FPIR) of 0.0025 percent, when scaled checking the entire Indian population against itself, that would lead to 24,500,000,000,000 false positives, or 17,500 per person, according to PI calculations.
“Even keeping the FPIR fixed at a seemingly low value, we see that as the population size increases, so will the errors made by the system. This also shows that it is impossible for UIDAI to claim uniqueness within its amassed database which sabotages the idea of using biometrics for identification in the first place,” states the report.
The report provides a roundup of further concerns such as frequent breaches of sensitive personal information, the system’s exclusionary effects and the UIDAI’s ignoring of privacy concerns lead Privacy International to conclude that: “UIDAI is critically failing on keeping up with their vision and mission for Aadhaar. Be it in preserving the privacy of individuals, ensuring security and reliability of the infrastructure, inclusion of individuals, transparency regarding not only processes but also the makeup of the infrastructure, ensuring scalability and even on the most basic thing Aadhaar is conceptually supposed to provide – uniqueness.”
The report also mentions the possibility that the government may export the e-governance software to countries in Africa and Asia as the system is proving influential abroad. This matches concerns raised by Access Now that what they also consider to be a deeply flawed system is being seen as a poster child for digital identity programs.