Centre for Internet & Society

The UID project will centralise a humongous amount of data but the fear is that it might fall into the wrong hands.

The Unique Identification (UID) project is already up and running. It’s touted as a watershed in inclusive politics, bringing back into the system people who, by virtue of physical remoteness, their station in society or other liabilities, were excluded from it. UID Chairman Nandan Nilekani recently said that the Aadhaar number will not replace the passport, driving license or the voter identity card and that by 2014, 60 per cent of the country’s population will have the 12-digit UID number. The idea, though it has not been made explicit, is that Aadhaar will eventually become the key document for the common man to navigate the system, whether it is opening a bank account, making a rent agreement, booking a train ticket or applying for a job.

In fact, there is the implicit danger that sooner rather than later the original idea of inclusiveness could be turned on its head by denying benefits to people who don’t have the Aadhaar! “There is nothing to ensure that you will continue to receive the same benefits like those who have the UID number. The claim that it is not mandatory is legally correct. But in practice it would not be,” said Prof Sridhar Krishnaswamy of W B University for Juridical Sciences.

It is a fundamental premise that data subjects ought to have “inalienable moral rights” about the “integrity” of the data collected about them. But even as UID is one of the best things that could have happened to deepen the democratic process in our society, the often unremarked fact is that the project has also become the biggest industrial collector of personal information. Considering the size and heterogeneity of the Indian population, it becomes as big as Google, and the implications of this are quite frightening. The UID draft bill, which has to be cleared by Parliament for it to become law, has only perfunctorily looked at the dangers posed by such a huge and centralized collection of data. It glosses over the issue, content with making conservative noises about “the interlinking of databases”. This only shows how casual our policy makers, even the most enlightened of them, are towards the whole issue of safeguarding privacy.

The Bangalore-based Centre for Internet and Society (CIS) has analyzed the draft UID bill in considerable depth. It has identified three main areas where the bill needs to be drastically reworked: (i) plugging all loopholes which would enable corporate organizations to access information from the Aadhaar database for their own commercial or R&D purposes; (ii) stipulating a maximum period for the data to be stored; (iii) being transparent about the methods it uses to collect, store and disseminate data.

Prof Krishnaswamy agreed that the UID bill has not taken the corporate threat seriously enough. He contends that the UID authorities should take small, concrete steps that would act as effective safeguards. “In the mobile phone segment, user information is stored only for six months. Now, the government is proposing a similar time cap for ISP too. But when it comes to UID there is no such time limit. It means personal information could be held perpetually,” he explained. All that UID Assistant Director A K Pandey had to say to this was, “If that is it, then we have to live with it.”

Another worrying aspect of the proposed bill, according to Usha Ramanathan, an activist and expert on identity and digital issues, is its failure to fix accountability on the main players, including enrollers, outsourcing companies, and the UIDAI authority itself. “The data collector and data controller should be equally held responsible for the protection of data,” she said. However, UID authorities themselves are of the view that the apprehensions are being overplayed. Pandey maintained that there was nothing in the UID that would compromise the privacy of individuals. “You go to a bank or the LIC office and you give whatever information they ask you. But when it comes to UID alone you say the information you give could be dangerous. We don’t quite understand this,” he retorted. He played down the fears that vital information in the central data storage could get corrupted. “We have taken adequate measures to protect it. We will have a backup,” he said.

The issue of transparency of data collection and storage remains. The CIS analysts feel that the UID should put out a synopsis of the algorithms it will use in collating and protecting data so that the public at large can be reassured of the firewalls that are in place. Then there is also the issue of not having concrete provisions in the UID bill to deal with special cases like whistleblowers and victims of abuse whose identities need to be protected even more carefully. 

The UID authority also bypasses the question of whether it is confusing data protection with the larger issue of protection of privacy. A person’s identity is more than her date of birth, surname, religion, fingerprint or even the sum of these. Such information is basically data and allows governments or corporate bodies to provide a person a nominal identity, one that is indispensable if she is to be part of a socio-political system. The state and corporate entities conveniently deny a person her self, thereby reducing her to a subject instead of seeing each individual as a thinking, acting agency.

Be that as it may, right now the concern of civil society is to make at least protection of data as foolproof as possible. Aadhaar is just one of the projects that pose a threat to the privacy of individual citizens. There is the broader problem of how the Internet and mobile phones, the popularity of social networking sites such as Facebook and Twitter, and the widespread use of credit and debit cards have led to blatant misuse of personal information gathered online, sharing of consumer data without consent and the state’s own Big Brother surveillance. The need for an effective privacy law in India is imperative.

Read the original in Bangalore Mirror
