Centre for Internet & Society

It appears that with each passing day, the government is linking an increasing number of benefits and government services to the 12-digit biometric-based Aadhaar number for Indians, despite growing concerns around its data privacy and security.

The article by Rimin Dutt and Ivan Mehta was published by Huffington Post on March 24, 2017. Sunil Abraham was quoted.


Aadhaar, which collects, among other information, citizens' iris scans and fingerprints and stores them in a centralised database for a prolonged time with only loose guidelines and no pre-existing laws to ensure the privacy of that data, is now linked to no fewer than 38 government schemes, including the government's latest directive -- that Aadhaar become mandatory for tax filing and securing PAN numbers -- introduced by Finance Minister Arun Jaitley earlier this week.

Jaitley openly admitted on Wednesday in the Parliament that the government, in effect, would be forcing people to get Aadhaar in an effort to increase tax compliance.

Aadhaar's use, by no means, is restricted to government agencies alone. A growing number of private financial institutions are now fulfilling their "Know Your Customer" or e-KYC formalities by making Aadhaar compulsory. The government is also in the process of making Aadhaar the basis of all financial transactions.

While the timing of the government's aggressive push of Aadhaar, in itself, is raising eyebrows among political observers, there are some serious concerns about this unique experiment that deserve stronger scrutiny.

Why disregard the Supreme Court?

In making Aadhaar mandatory for filing taxes and securing core taxpayer identity, the government has openly gone against a Supreme Court order from last year that explicitly stated that the Aadhaar Card scheme is "purely voluntary" and cannot be made mandatory until the court has decided on this.

The government has defended its move, saying it is allowed to do so under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016.

However, as Gopal Krishna, a member of the Citizens Forum for Civil Liberties, writes in Business Today, the passage of the Act by the Parliament "does not automatically imply that any agency can make UID/Aadhaar compulsory disregarding the Supreme Court's orders."

According to Krishna, in doing so, the government is "clearly stepping beyond" the mandate of the Aadhaar Act, and also acting in contempt of the Parliament.

In addition, if tax evasion was the driving factor behind the move, it begs the question — wouldn't forcing people to get Aadhaar actually do the opposite by adding another layer of hassle?

Indeed, tax experts have noted how this requirement may hinder tax collection. Archit Gupta, Founder & CEO of ClearTax.com, a tax service provider, told HuffPost India, "The [Aadhaar] announcement is likely to be a dampener to tax filers, specially first-timers ... FY 2016-17 filing is expected to see a large number of first-time filers due to demonetisation efforts, and this move may make them more guarded."

Why not strengthen PAN?

The government already has an extensive mandate for the Permanent Account Number (PAN) cards, which are required to validate several important services or for undertaking transactions such as buying and selling property or jewellery worth over ₹2 lakhs. Last year, the government, in fact, said that the National Pension System (NPS) scheme would accept PAN cards over Aadhaar cards to validate new customers.

On Wednesday, however, Jaitley said PAN cards have been misused by certain people to evade taxes, and there are reports that Aadhaar may become the ultimate authenticating document. However, the continued and growing use of PAN along with Aadhaar adds an extra layer of formalities for citizens to access government services, which are their constitutionally guaranteed rights.

How safe is Aadhaar anyway?

Depending on who you talk to, the safety concerns of Aadhaar come up as a pressing issue, especially in the wake of a recent security incident when the Unique Identification Authority of India initiated police action against entities associated with Axis Bank including Suvidhaa Infoserve and e-sign provider eMudhra, which had allegedly engaged in unauthorised authentication and impersonation by illegally storing Aadhaar biometrics.

Earlier this month, in a separate incident, security researcher Srinivas Kodali warned Indian authorities of a website that was leaking Aadhaar demographic data of over five lakh minors, as well as the existence of several parallel databases that had key identification data linked to Aadhaar, Scroll reported.

In the absence of any privacy laws in India, these security concerns have assumed even greater significance.

UIDAI, the authority behind Aadhaar, has maintained that the technology behind Aadhaar is robust and that it uses advanced encryption to transmit and store data. It specifically denied that any breach of centralised data took place in the Axis Bank incident, saying the case was an isolated incident.

However, in a rather ironic twist in the Aadhaar Act, which itself contains no provisions to address privacy concerns, any legal action against any misuse or theft of Aadhaar data can only be initiated by UIDAI, leaving citizens with no legal recourse should a breach occur.

That represents an obvious conflict of interest as it gives exclusive power to the very authority that is responsible for the security and confidentiality of identity information and authentication records, PRS Legislative Research has noted.

In addition, the controversial Aadhaar Act contains several other inherent dangers such as the potential to profile citizens based on the linking of other databases with Aadhaar by studying patterns of behaviour.

"Techniques such as running computer programmes across datasets for pattern recognition can be used for various purposes such as detecting potential illegal activities...However, these can also lead to harassment of innocent individuals who get identified incorrectly as potential threats," noted PRS Legislative.

There are currently no safeguards to prevent inappropriate profiling, instances of which could increase as more and more private organisations link their data to Aadhaar, and potentially exploit data for commercial purposes without the consent of citizens.

The US, in comparison, has laws in place that require agencies that collect data to submit an annual report to US Congress on all such data mining activities.

Other unresolved concerns

There are several other concerns related to the widespread use of the Aadhaar card and the power it is afforded under the Aadhaar Act. The act allows UIDAI to collect biometric information beyond iris and fingerprint scans, for example, to include other bio-data such as DNA, noted PRS.

The act also allows private agencies to use Aadhaar, which contradicts an earlier stated objective of the scheme that sought to restrict the use of Aadhaar for only government expenditures.

"It allows private persons to use Aadhaar as a proof of identity for any purpose. This provision will enable private entities such as, airline, telecom, insurance, real estate etc. companies, to require Aadhaar as a proof of identity for availing their services," PRS has noted.

There's also the worrying prospect of Aadhaar being used as a surveillance tool by the government, instead of an e-governance technology, Sunil Abraham, executive director of the research organisation Centre for Internet and Society, told The Hindu Business Line, adding that biometrics only make citizens transparent to the state and not the state transparent to citizens.

"We warned the government six years ago, but they ignored us," said Abraham.

Krishna has a more dire warning: "The JAM Trinity -- Jan Dhan Yojana, Aadhaar and mobile numbers -- may well be a fish bait to trap unsuspecting citizens into the world's biggest transnational biometric database to turn them into subjects under surveillance forever in the name of a set of welfare and anti-poverty policies."

What has been done to address the security concerns?

It is unclear what the government or UIDAI may have done in the wake of the security incident to upgrade its systems. According to an expert HuffPost India talked to, many third-party apps that are using Aadhaar data may not be screened or audited for security, which is a huge worry.

Kodali told HuffPost India that Aadhaar has potential design issues when it comes to information security.

"By design it allows anyone to store information of the Aadhaar holder through [application programming interface]. This is creating many parallel databases with Aadhaar as a key," he said.

He notes that security is an afterthought for many institutions and companies.

"UIDAI and the architects of Aadhaar do not accept that data can be a liability instead of an asset," he said. "The mandatory nature of Aadhaar without the right infrastructure and skilled workforce is not just a cyber security issue, but a national security issue."

When will India get privacy laws?

No one quite knows. But there's a growing call for strict privacy laws, given the move towards digital financial transactions and growing e-commerce use. Most advanced economies including the US, the UK, France, Australia and New Zealand have enacted privacy laws.

However, in India, the right to privacy still doesn't exist despite it being recognised by even the UN charter of human rights. Article 12 of the Universal Declaration of Human Rights states, "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

The potential for cyber criminals to misuse citizen data isn't lost on even prominent IT industry experts.

Recently, the chief of IT industry body Nasscom, R Chandrashekhar, told PTI that personal data of online consumers can never be fully secure, emphasising the need for strict consumer protection laws. "More than 3 million credit card data details were misused recently. Let us face it, these kind of security breaches will take place. There is nothing called fully perfect security in IT," he said.

To be sure, Aadhaar has been lauded by several prominent experts and economists, and it is, undoubtedly, an ambitious project to potentially aid financial inclusion for a large population that has historically been outside of a formal financial services net. India also has one of the lowest tax compliance rates, making tax collection a priority for the government.

Recently, Paul Romer, the World Bank's chief economist, told Bloomberg, "The system in India is the most sophisticated that I've seen ... It's the basis for all kinds of connections that involve things like financial transactions. It could be good for the world if this became widely adopted."

But given the sensitivity of citizen biometrics data and potential for misuse, the government ought to be held accountable for its proper use and ensure enough safeguards are put in place before its imposition on each citizen.