Insights into Editorial: All that data that Aadhaar captures
In 2009, the government of India launched a new identification program that has gone on to become the largest biometric database in the world. The program, known as Aadhaar, has collected the names, addresses, phone numbers—and perhaps more significantly, fingerprints, photographs, and iris scans—of more than 1 billion people. In the process, Aadhaar has taken on a role in virtually all parts of day-to-day life in India, from schools to hospitals to banks, and has opened up pathways to a kind of large-scale data collection that has never existed before.
The Indian government views Aadhaar as a key solution for a myriad number of societal challenges, but critics see it as a step toward a surveillance state. Now, the Aadhaar experiment faces a significant threat from the Indian Supreme Court.
Privacy had emerged as a contentious issue while the apex court was hearing a batch of petitions challenging the Centre’s move to make Aadhaar mandatory for availing government schemes. With recent Supreme Court order affirming that privacy is a fundamental right, one of the central questions that came up there was how does the government view the fundamental right to privacy and what does this mean for the government’s Aadhaar programme?
CEO of the Unique Identification Authority of India (UIDAI), asserted, “The Aadhaar Act is based on the premise that privacy is a fundamental right.” He also clarified that the judgment would not affect Aadhaar as the required safeguards were already in place.
What is Aadhaar?
Aadhaar is a 12 digit unique-identity number issued to all Indian residents based on their biometric and demographic data. The data is collected by the Unique Identification Authority of India (UIDAI), a statutory authority established by the Government of India, under the Ministry of Electronics and Information Technology, under the provisions of the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016.
To obtain an Aadhaar number, an individual has to submit his, (i) biometric (photograph, finger print, iris scan) and (ii) demographic (name, date of birth, address) information. The Unique Identification Authority (UID) may specify other biometric and demographic information to be collected by regulations.
At the time of enrolment, the individual will be informed of, (i) the manner in which the information will be used, (ii) the nature of recipients with whom the information will be shared, and (iii) the right to access this information. After verification of information provided by a person, an Aadhaar number will be issued to him.
To verify the identity of a person receiving a subsidy or a service, the government may require them to have an Aadhaar number. If a person does not have an Aadhaar number, government will require them to apply for it, and in the meanwhile, provide an alternative means of identification. Any public or private entity can accept the Aadhaar number as a proof of identity of the Aadhaar number holder, for any purpose. Aadhaar number cannot be a proof of citizenship or domicile.
The Role of UID Authority
The key functions of the UID authority include,
- specifying demographic and biometric information to be collected during enrolment,
- assigning Aadhaar numbers to individuals,
- authenticating Aadhaar numbers, and
- Specifying the usage of Aadhaar numbers for delivery of subsidies and services.
The UID authority will authenticate the Aadhaar number of an individual, if an entity makes such a request. A requesting entity (an agency or person that wants to authenticate information of a person) has to obtain the consent of an individual before collecting his information. The agency can use the disclosed information only for purposes for which the individual has given consent.
The UID authority shall respond to an authentication query with a positive, negative or other appropriate response. However, it is not permitted to share an individual’s finger print, iris scan and other biological attributes.
The UID authority shall record the entity requesting verification of a person’s identity, the time of request and the response received by the entity. The purpose for which an individual’s identity needs to be verified will not be maintained.
However, Aadhaar in its current form is a major threat to the fundamental right to privacy. Why?
Open to all Indian residents, Aadhaar was optional at first and associated with only a handful of government subsidies, including those for food and liquefied petroleum gas for cooking. It was targeted at those who needed help the most, particularly rural villagers who lacked official forms of identification, and were therefore unable to open bank accounts or access welfare programs in the past.
But over time, Aadhaar has been used as a way to apply data-driven improvements to a wide range of government and private-sector services. Aadhaar was soon linked to so many activities that it has now become almost impossible to live in India without enrolling. Participation in the program is a requirement for filing taxes, opening bank accounts, receiving school lunch in the state of Uttar Pradesh, purchasing railway tickets online, accessing some public Wi-Fi, participating in the state of Karnataka’s universal health-care coverage, and benefiting from a wide range of welfare programs. This increased ambit of usage of Aadhaar has also raised privacy concerns.
- Types of information
The Aadhaar Act 2016 puts in place a framework for sharing most of the Central Identities Data Repository (CIDR) information.
In the Aadhaar Act, biometric information essentially refers to photograph, fingerprints and iris scan, though it may also extend to “other biological attributes of an individual” specified by the UIDAI.
Identity information has a wider scope. It includes biometric information but also a person’s Aadhaar number as well as the demographic characteristics that are collected at the time of Aadhaar enrolment, such as name, address, date of birth, phone number, and so on.
The term “personal information” (not used in the Act) can be understood in a broader sense, which includes not only identity information but also other information about a person, for instance where she travels, whom she talks to on the phone, how much she earns, what she buys, her Internet browsing history, and so on.
Among three different types of private information: biometric information, identity information and personal information. The first two are formally defined in the Aadhaar Act, and protected to some extent. Aadhaar’s biggest threat to privacy, however, relates to the third type of information.
- Sharing identity details
The Aadhaar Act puts in place a framework to share it with “requesting entities”. The core of this framework lies in Section 8 of the Act, which deals with authentication. In the initial scheme of things, authentication involved nothing more than a Yes/No response to a query as to whether a person’s Aadhaar number matches her fingerprints (or possibly, other biometric or demographic attributes). In the final version of the Act, however, authentication also involves a possible sharing of identity information with the requesting entity.
When biometric information is used to access a service via Aadhaar, such as purchasing a new cell phone, the service provider receives that person’s demographic data (name, address, phone number), and the government receives the metadata—specifically, the date and time of the transaction, the form of identification used, and the company with which the transaction was carried out. That information can paint a vague but intimate long-term picture of a person’s life, and raises concerns about both government surveillance and private-sector abuse.
Quite likely, this little-noticed change in Section 8 has something to do with a growing realisation of the business opportunities associated with Aadhaar-enabled data harvesting. “Data is the new oil”, the latest motto among the champions of Aadhaar, was not part of the early discourse on unique identity.
Section 8, of course, includes some safeguards against possible misuse of identity information. A requesting entity is supposed to use identity information only with one’s consent, and only for the purpose mentioned in the consent statement. But it is difficult for anyone to read the fine print of the terms and conditions before ticking or clicking a consent box.
One more concern is that the Aadhaar Act includes a blanket exemption from the safeguards applicable to biometric and identity information on “national security” grounds. Considering the elastic nature of the term, may make identity information accessible to the government without major restrictions.
- Mining personal information
There is ample evidence of misuse. For instance:
- 210 government agencies published full names, addresses, and Aadhaar numbers of welfare beneficiaries;
- 120 million users’ Aadhaar information appears to have been leakedfrom the telecommunications company Reliance Jio;
- Bank-account and Aadhaar details of people were disclosed through certain open-government portals;
- The government’s e-hospital databasewas hacked to access confidential Aadhaar information.
The proliferation and possible misuse of identity information is one of the privacy concerns associated with Aadhaar, and possibly not the main concern. A bigger danger is that Aadhaar is a tool of unprecedented power for mining and collating personal information. Further, there are few safeguards in the Aadhaar Act against this potential invasion of privacy.
For example, if Aadhaar is made mandatory for SIM cards, the government will have access to your lifetime call records, and it will also be able to link your call records with your travel records. The chain, of course, can be extended to other “Aadhaar-enabled” databases accessible to the government — school records, income-tax records, pension records, and so on. Aadhaar enables the government to collect and collate all this personal information with virtually no restrictions.
What should the government do?
- Government should assure the citizens that it has the technology and systems to protect the data collected.
- It should assure the citizens of India that it will do everything possible to prevent unauthorised disclosure of or access to such data.
- It should recognise all dimensions of the right to privacy and address concerns about data safety, protection from unauthorised interception, surveillance, use of personal identifiers and bodily privacy.
- The data controller should be made accountable for the collection, processing and use to which data are put.
As an alternative to the collection of biometric information few experts have suggested shifting to smart cards. How will this help?
- Biometrics allows for identification of citizens even when they don’t want to be identified. Smart cards which require pins on the other hand require the citizens’ conscious cooperation during the identification process.
- Once smart cards are disposed nobody can use them to identify.
- If the UIDAI adopts smart cards, the centralized database of biometrics can be destroyed just like the UK government did in 2010. This would completely eliminate the risk of foreign government, criminals and terrorists using the breached biometric database to remotely, covertly and non-consensually identify Indians.
- Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminates the need for a centralized transaction database.
This century comes with certain risks. Therefore, we need to take a level-headed approach and ensure that ample safeguards are put in place for data protection and privacy. The government should recognise both the need for Aadhaar and the need for stringent rules concerning access to and security of citizens’ biometric data, in order to preserve their privacy. The very foundation of Aadhaar must be reconsidered in the light of the privacy judgment.