Know your Aadhaar

Even more confused is a recent submission to the Supreme Court by senior advocate Rakesh Dwivedi on behalf of the Unique Identification Authority of India (UIDAI). In this submission, dated April 12, Dwivedi repeatedly creates the impression that identity information collected by the UIDAI is confidential. This is very misleading.

Under the Aadhaar Act, “identity information” consists of Aadhaar number, biometric information and demographic information. “Biometric information”, as of now, consists of fingerprints, iris scan and photograph, but its scope can be expanded at the UIDAI’s discretion. “Demographic information” refers to demographic details (name, date of birth, address, etc) collected at the time of Aadhaar enrolment. The term “personal information”, not used or defined in the Aadhaar Act, can be understood in more general terms as any information of a private nature.

Aadhaar raises at least four privacy concerns, explained below in a tentative ascending order of seriousness.

Confidentiality of core biometrics: The core biometrics (as of now, biometrics minus photograph) are supposed to be safely stored in the Central Identities Data Repository (CIDR) and not shared with anyone. Some IT experts, however, believe that it is only a matter of time until the CIDR is hacked. That would be a serious breach: If your biometrics are stolen, you would be vulnerable to identity fraud for life. Further, fingerprints are easy to clone or steal outside the CIDR (as Nandan Nilekani himself put it to a Financial Times reporter, “I can steal your fingerprint off your glass”). That, too, presents a threat of identity fraud, given the numerous uses of biometrics in the proposed Aadhaar eco-system.

Confidentiality of Aadhaar numbers: Aadhaar numbers are not supposed to be “displayed or posted publicly” (Aadhaar Act, Section 29(4)). However, this has happened many times, and keeps happening. When Aadhaar numbers are displayed along with other sensitive information such as bank account numbers, it makes the victims vulnerable to various types of fraud.

Sharing of demographic information: In the draft of the Aadhaar Act (known as “NIDAI Bill 2010”), demographic information was supposed to be confidential — authentication only consisted of a “yes/no” response to a query whether a person’s biometrics matched the Aadhaar number being submitted. The Aadhaar Act, however, now allows demographic information to be shared with the entity — say, a bank or telecom company — that requests authentication (Section 8). Further, there is very little protection against this information being shared or misused by the requesting entity, except for a weak “consent” clause whereby demographic information is supposed to be used only for the purpose to which the person has consented at the time of authentication. This is just a cosmetic safeguard. In effect, demographic information is up for grabs. The wide dissemination of demographic information will facilitate large-scale mining of all sorts of personal information by private businesses. It is well known that private businesses already thrive on this type of information for numerous purposes, from targeted advertisement and credit rating to manipulating elections (the recent Cambridge Analytica and Facebook affairs are just the tip of that mountain). Aadhaar is likely to take the mining of personal information — not just demographic information — to new levels. As someone put it in an insightful tweet, “data is the new oil and Aadhaar is the drill”.

State surveillance: By the same token, Aadhaar creates an unprecedented infrastructure of state surveillance. Aadhaar-enabled access to personal information will be even wider for the state than for private entities, because the state has access to numerous Aadhaar-linked databases including the Aadhaar numbers (not accessible, in principle, to private entities). For instance, the state can easily use Aadhaar to link our bank account details with travel details and phone records. Some state governments are already on the job under the State Resident Data Hub (SRDH) project, which “integrates all the departmental databases and links them with Aadhaar number”, according to the SRDH websites. Intelligence agencies, quite likely, are not far behind. To this, the UIDAI responds that the UIDAI is “blind” by design and confines its work to authentication without collecting or collating personal data. This is neither here nor there: The danger of surveillance comes from the government, not the UIDAI specifically.

All this would be easier to swallow if the UIDAI had shown some sense of responsibility and accountability. Instead, it constantly denies the issues, hounds the whistle-blowers, and tries to confuse matters through relentless propaganda. The Aadhaar Act makes the UIDAI a law unto itself. An entire chapter of the NIDAI Bill, aimed at ensuring independent oversight of the UIDAI by a high-powered “Identity Review Committee”, was dropped — how and why one wonders — in the final version of the Aadhaar Act. And of course, under Section 47, no court is allowed to take cognisance of any offence under the Act except on a complaint made by the UIDAI. The unaccountable nature of the UIDAI, an authority of immense powers, reinforces and magnifies all the privacy concerns.