Insights into Editorial: Is Aadhaar a breach of privacy?
Since its inception, Aadhaar has been criticised as a project which violates privacy. India not having a law on privacy has added to this problem. In fact, then chairman of UIDAI, Nandan Nilekani, wrote to the Prime Minister as early as in May 2010 suggesting that there was a need to have a data protection and privacy law.
Aadhaar was designed as a digital identity platform which is inclusive, unique and can be authenticated to participate in any digital transaction. This has transformed the service delivery in our country, conveniencing residents and reducing leakages. Direct benefit transfer, subscription to various services and authentication at the point of service delivery are some of the benefits which have accrued.
What are the main security concerns related to Aadhar?
- Aadhaar is mass surveillance technology. Unlike, targeted surveillance which is a good thing, and essential for national security and public order — mass surveillance undermines security.
- Also, experts argue that biometric information is necessary for targeted surveillance, but not suitable for everyday transactions between the state and law abiding citizens. It can easily be misused.
- Even though the UIDAI claims that this is a zero knowledge database promising high level of security, there is a chance for misuse using the unique identifiers for the registered devices and time stamps that are used for authentication.
How privacy is ensured in Aadhar?
- Aadhaar followed the principle of incorporating privacy by design, a concept which states that IT projects should be designed with privacy in mind.
- Aadhar collects only minimal data, just sufficient to establish identity. This irreducible set contained only four elements: name, gender, age and communication address of the resident.
- Under the scheme, random numbers with no intelligence are issued. This ensures that no profiling can be done as the number does not disclose anything about the person.
- The Aadhaar Act also has clear restrictions on data sharing. No data download is permitted, search is not allowed and the only response which UIDAI gives to an authentication request is ‘yes’ or ‘no’. No personal information is divulged.
- Besides the minimal data which UIDAI has about a person, it does not keep any data except the logs of authentication. It does not know the purpose of authentication. The transaction details remain with the concerned agency and not with UIDAI.
- UIDAI has also built a facility wherein one can ‘lock’ the Aadhaar number and disable it from any type of authentication for a period of one’s choice, guarding against any potential misuse.
Why there is a need to protect citizen information?
- India is rapidly becoming a digital economy. We are a nation of billion cell phones and yet we have antiquated laws for data protection and privacy. Problems of ID theft, fraud and misrepresentation are real concerns.
- Identifying citizens for providing various services, maintaining security and crime-related surveillance and performing governance functions, all involve the collection of information. In recent years, owing to technological developments and emerging administrative challenges, several national programmes and schemes are being implemented through information technology platforms, using computerised data collected from citizens.
- With more and more transactions being done over the Internet, such information is vulnerable to theft and misuse. Therefore, it is imperative that any system of data collection should factor in privacy risks and include procedures and systems to protect citizen information.
What should the government do?
- Instead of arguing that privacy is not a fundamental right, it should assure the citizens that it has the technology and systems to protect the data collected.
- It should assure the citizens of India that it will do everything possible to prevent unauthorised disclosure of or access to such data.
- It should recognise all dimensions of the right to privacy and address concerns about data safety, protection from unauthorised interception, surveillance, use of personal identifiers and bodily privacy.
- The data controller should be made accountable for the collection, processing and use to which data are put.
As an alternative to the collection of biometric information few experts have suggested shifting to smart cards. How will this help?
- Biometrics allows for identification of citizens even when they don’t want to be identified. Smart cards which require pins on the other hand require the citizens’ conscious cooperation during the identification process.
- Once smart cards are disposed nobody can use them to identify. Consent is baked into the design of the technology.
- If the UIDAI adopts smart cards, the centralized database of biometrics can be destroyed just like the UK government did in 2010. This would completely eliminate the risk of foreign government, criminals and terrorists using the breached biometric database to remotely, covertly and non-consensually identify Indians.
- Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminates the need for a centralized transaction database.
This century comes with certain risks. Therefore, we need to take a level-headed approach and ensure that ample safeguards are put in place for data protection and privacy. The government should recognise both the need for Aadhaar and the need for stringent rules concerning access to and security of citizens’ biometric data, in order to preserve their privacy.