Centre for Internet & Society

As India makes Aadhaar compulsory for a range of services, concerns about potential data breaches remain more than six years after the govt started building the world’s largest biometric identification system.

The article by Komal Gupta, Apurva Vishwanath and Suranjana Roy was published in Livemint on April 21, 2017. Pranesh Prakash was quoted.


The Aadhaar project, under which a 12-digit identification number is to be allotted to every Indian resident, was originally supposed to be a way of plugging leakages in the delivery of state benefits such as subsidized grains to the poor. Photo: Priyanka Parashar/Mint

On 29 March, a storm broke out on social media after private data that former Indian cricket captain M.S. Dhoni had furnished to get enrolled in India’s unique identity system, known as Aadhaar, were leaked online.

The popular cricketer’s wife, Sakshi, flagged the matter on Twitter, tagging information technology (IT) minister Ravi Shankar Prasad. “Is there any privacy left? Information of Aadhaar card, including application, is made public property,” Sakshi fumed on the microblogging site.

The minister replied: “Sharing personal information is illegal. Serious action will be taken against this.”

It turned out to be the fault of an overenthusiastic common services centre in Dhoni’s home town of Ranchi licensed to enrol people in Aadhaar. The centre was promptly blacklisted. “We have ordered further inquiry on the matter and action will be taken against all those involved in the leak,” said Ajay Bhushan Pandey, chief executive officer of the Unique Identification Authority of India (UIDAI), which administers Aadhaar.

The matter blew over soon enough, but it served to illustrate the lingering concerns about potential data breaches and privacy violations surrounding Aadhaar, which has become the world’s largest biometric identification database with 1.13 billion people enrolled in it in the past six years.

The project, under which a 12-digit identification number is to be allotted to every Indian resident, was originally supposed to be a way of plugging leakages in the delivery of state benefits such as subsidized grains to the poor.

It has now become mandatory for everything ranging from opening a bank account and getting a driver’s licence or a mobile phone connection to filing of income tax returns. Even government school students entitled to a free mid-day meal need an Aadhaar number.

Aadhaar

The use of Aadhaar has only expanded with the government going on an overdrive to promote cashless transactions and payment systems linked to the biometric ID system after banning old, high-value bank notes in November in a crackdown on unaccounted wealth hidden away from the taxman.

For instance, the Aadhaar-Enabled Payment System (AEPS) empowers a bank customer to use Aadhaar as her identity to access her Aadhaar-enabled bank account and perform basic banking transactions like cash deposit or withdrawal through a bank agent or business correspondent.

The customer can carry out transactions by scanning her fingerprint at any micro ATM or biometric point-of-sale (POS) terminal, and entering the Aadhaar number linked to the bank account. A merchant-led model of AEPS, called Aadhaar Pay, has also been launched.

Last week, Prime Minister Narendra Modi launched the BHIM-Aadhaar platform—a merchant interface linking the unique identification number to the Bharat Interface for Money (BHIM) mobile application. This will enable merchants to receive payments through fingerprint scans of customers.

“Any citizen without access to smartphones, Internet, debit or credit cards will be able to transact digitally through the BHIM-Aadhaar platform,” a government statement said.

Aadhaar’s growing importance in the economy has only served to deepen concerns about potential data breaches. And there are other concerns as well.

For instance, the Aadhaar biometric authentication failure rate in the rural job guarantee scheme, which assures 100 days of work a year to one member of every rural household, is as high as 36% in the southern state of Telangana, according to data released by the state government.

“Aadhaar is supposed to be an enabler and it will happen only when it is made voluntary. Biometric authentications might fail due to poor data connectivity and transactions might not happen even though the Aadhaar number of the person is there; so, what’s the benefit,” asked Pranesh Prakash, policy director of the Centre for Internet and Society, a Bengaluru-based think tank.

Aadhaar was the brainchild of the previous United Progressive Alliance (UPA) government, which lost power in the 2014 general election to the National Democratic Alliance (NDA). The first 10 Aadhaar numbers were handed over to residents of a small village called Tembhli in Maharashtra on 29 September 2010 in the presence of then prime minister Manmohan Singh, Congress party president Sonia Gandhi and Aadhaar’s chief architect Nandan Nilekani, a co-founder of software services giant Infosys Ltd.

After coming to power, the NDA systematically went about making Aadhaar the pivot of government welfare programmes. In March last year, Parliament passed the Aadhaar Bill to make the use of Aadhaar mandatory for availing of government subsidies despite resistance from opposition parties.

Last month, finance minister Arun Jaitley said the 12-digit number would eventually become a single, monolithic proof of identity for every Indian, replacing every other identity card.

To be sure, Aadhaar has helped the government better target beneficiaries of its welfare programmes, cutting out middlemen and corruption. For instance, the government claims to have saved about Rs50,000 crore in cooking gas subsidies by linking the Aadhaar number with bank accounts in which the subsidy is directly transferred.

Yet, Aadhaar has its critics, who have challenged the project on grounds including potential compromise of national security, violation of the right to privacy and exclusion of people from welfare programmes. The Supreme Court has cautioned the government that no citizen can be denied access to welfare programmes for lack of an Aadhaar number.

Before cricketer Dhoni’s data breach made the headlines, in February, UIDAI filed a complaint against Axis Bank Ltd, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra, alleging they had attempted unauthorized authentication and impersonation by illegally storing Aadhaar biometrics. The breach was noticed after one individual performed 397 biometric transactions between 14 July 2016 and 19 February 2017. All three entities have been temporarily barred from offering Aadhaar-related services until UIDAI makes a final decision.

Pranesh Prakash of the Centre for Internet and Society said rules on the use of Aadhaar data are inadequate.

“UIDAI is allowed to share the information of a person from its database on its website, after taking proper consent of that person. However, there is no law which states what should be done if any other party does that with the same individual. Such rules must be in place,” Prakash said.

Four years after the Aadhaar project took off, a retired judge took the government to court. K. Puttaswamy, a former judge of the Karnataka high court, moved the Supreme Court in 2013, arguing that Aadhaar violated his fundamental right to privacy under the constitution. The case opened the gates for legal challenges to Aadhaar. Over the next few years till date, at least a dozen cases had questioned the legality of the project.

Ramon Magsaysay award winner Aruna Roy brought a case on behalf of manual workers whose faint finger prints, she said, often go undetected. Currently, only 44 million out of the 101 million beneficiaries of India’s rural job entitlement are paid through Aadhaar.

To be sure, India’s Constitution does not contain a black and white reference to a “fundamental right to privacy”, that the government cannot violate. The list of rights says “no person shall be deprived of his life or personal liberty except according to a procedure established by law”—often interpreted by courts as an all-encompassing right including right to live with dignity, right to speedy justice and even a right to clean air.

Nilekani, the man behind Aadhaar, has cautioned that privacy is a broader issue involving how people retain their privacy in day-to-day life. “Privacy is an all-encompassing issue because of the rapid rate of digitization the world is seeing. Your smartphone has sensors, GPS and is generating more and more information about everything; voice-activated devices could also be recording your conversations. There’s a profusion of CCTV cameras at malls, restaurants, ATMs recording your movements,” Nilekani said in a recent interview with The Economic Times.

But this is where a problem arises. Although there is concurrence on the need for a privacy law, there is a great reluctance on the part of the government to come out with one.

“We don’t have a comprehensive privacy law; all our databases are unlinked. The government is trying to link the databases using Aadhaar for all schemes but a separate privacy law must be there for protecting any piece of information, whether or not linked to Aadhaar,” said Rahul Matthan, a partner at law firm Trilegal and a Mint columnist.

Matthan said first a privacy law must be put in place and then there has to be a discussion on what all it must include.

The government on its part pointed out that India’s apex court itself has been indecisive on a right to privacy.

“The larger question on privacy needs to be settled by the court. Till then, one cannot comment on secondary concerns,” attorney general Mukul Rohatgi said in an interview.

In 2015, the Supreme Court decided that a bench of at least seven judges will rule on the privacy issue, while clarifying that the government cannot make Aadhaar a mandatory proof of identity for its welfare schemes. Twenty months after the judicial order, the larger bench is yet to be formed by the apex court. The passing of the Aadhaar Act in Parliament to provide statutory backing to Aadhaar also indicates a departure from the Indian government’s position of not taking a legislative stand while an issue is under the apex court’s consideration.

For example, one of the reasons the Indian government has shown restraint in repealing a colonial law that criminalizes homosexuality is because the apex court is seized of the issue.

In the absence of legislation and pending an authoritative ruling by the top court, whether 1.3 billion Indians are entitled to their privacy remains a grey area. Meanwhile, the government is seemingly in the final stretch of its Aadhaar enrolment drive.