Labelling Aadhaar as a threat to privacy is simply an attempt at scare-mongering.
With efficient implementation, it will be an extremely useful tool for governance.
Like demonetisation and the goods and services tax (GST), Aadhaar has been in the news for both good and bad reasons. On the one hand, we have heard how crores of rupees in non-entitled subsidies have been saved by the government, but on the other, we have had horror stories of destitutes being deprived of entitlements because of the lack of an Aadhaar identity. In general, those who believe in the current Prime Minister are bullish about Aadhaar, but they forget that many of them had opposed the same on the grounds of privacy when it was proposed by the previous government. What is missing in the discourse is a clear understanding of how Aadhaar operates and how it could fail.
Ever since it was freely and finally admitted that 90 per cent of all money that the central government transmits to citizens as subsidies is stolen by middlemen, there has been a demand for a direct benefit transfer (DBT) mechanism. One obvious way is through bank accounts: instead of selling 3 kg of rice to Ram once a week at Rs 2 per kg, make him buy the same rice at Rs 20 per kg from the market, but send the difference, Rs (20-2) x 3 x 4 = Rs 216, to Ram’s bank account every month so that he does not have to spend any more than Rs 2 per kg. But since there are thousands of people who call themselves Ram, we would need to connect “our” Ram’s bank account to “our” Ram’s hungry body, using a marker that is unique to “our” Ram, namely his fingerprints and iris scan. This is the genesis of the Aadhaar database and the Aadhaar number.
But this simple concept has been criticised for three major reasons – namely privacy, potential for misuse and operational inefficiency. Before we examine these aspects in greater detail, let us look at how the database is created and used.
To create a new Aadhaar number for a new registrant, we need (a) biometrics – iris scan and all 10 fingerprints; (b) name, gender, date of birth and address; and (c) optionally, a cellphone number and an email address. Since biometrics is the only data that is guaranteed to be unique for each person, a de-duplication exercise is carried out to check if another Aadhaar number has already been generated for the same set of biometrics, to ensure that no one person gets attached to two or more Aadhaar numbers.
To confirm a person’s identity using Aadhaar before he is allowed to avail of any benefit or service, a verifier has to transmit the person’s Aadhaar number to UIDAI (Unique Identification Authority of India) along with either biometric data (as in the case of banks or phone companies) or name and date of birth (as is the case with some mutual funds). In either case, UIDAI responds either with (a) a binary YES/NO that confirms or denies the association of the Aadhaar number with the accompanying data, or with (b) a more detailed extract from the Aadhaar database, which includes a photograph, but specifically excludes the “core” biometric information.
In some less critical situations, for example, where a physical copy of Aadhaar needs to be downloaded, the optional phone number or email address is used to send a one-time password to establish an association between the Aadhaar number and the phone/email and hence by extension to the name of the person. In this, it must be clearly understood, and communicated to all, that the physical possession of the Aadhaar card – which can be manufactured by anyone with a computer and a printer – is no proof of anything at all and should never be used for any kind of verification.
Now let us look at privacy and potential for misuse, the two major concerns.
The basic data that is stored is quite primitive. Name, gender, date of birth and address are already available with the government in voter cards and election rolls, but the optional phone number and email are an addition. Frankly, phone/email is a better way of contacting a person in today’s times, so there is no ideological difficulty in storing that information. The real, new addition is the biometrics, but that is a part of the original design to prevent duplication. So, prima facie, there is no real privacy concern unless there is misuse, and this misuse can be of two types – first, deliberate misuse by the government, and second, illegitimate misuse by hackers.
By requiring individuals to link Aadhaar numbers to bank accounts and cellphones, the government gets an easy way to discover who owns and operates which bank accounts and telephone numbers. But this demand is nothing new. Under anti-money laundering schemes, the banks are in any case required to use stringent know your customer (KYC) processes to know their customers. Similarly, because of terrorism and other security concerns, telephone companies are forced to use similar KYC processes. Whether such intrusive knowledge is necessary is irrelevant to the Aadhaar debate. If we have accepted KYC processes in banks and telephones, then there is no additional loss of privacy in linking bank accounts and telephone numbers to Aadhaar and thus simplifying traceability. Hence, the claim that Aadhaar represents a new mechanism to misuse private information is baseless.
Moreover, insinuations that Aadhaar can be used by the government to surreptitiously know bank balances from linked accounts or to surreptitiously listen in to private telephone conversations on linked phones are so ludicrous and absurd that these are not even worth countering.
However, this does not mean that any government agency – from the municipality crematorium to the motor vehicles department – or even private agencies like hospitals and airlines should start demanding Aadhaar for rendering services. Rules framed under the Aadhaar Act 2016 should stipulate which public services require Aadhaar and this information must be made available on the UIDAI website.
What happens when things go wrong? There is no point in claiming that the Aadhaar database is “totally secure and hacker proof”. No computer system ever is. So what we should plan for is to estimate the damage to the registrant if the data is compromised. Let us examine what could happen if the Aadhaar database is hacked and the information falls into the hands of unauthorised people, or if the government goes rogue and starts using the information in a manner not envisaged under the Aadhaar Act.
What all can a criminal do with the text information about a person that is stolen from the Aadhaar database? Neither can he open a new bank account, nor get a new telephone SIM, as both require biometric validation. At best, he can attempt to get phone banking access to a bank account by quoting the date of birth, but knowing this, no sensible bank should ever accept date of birth as a verification question.
Can he take a loan and wreck the Aadhaar registrant’s credit rating? This is unlikely unless there is collusion with the employees of the bank to which the registrant’s loan is linked, but they have the number anyway – so there is no incremental exposure. Can the phone number be used to access bank accounts through UPI (Unified Payments Interface) apps or digital wallets? This is theoretically possible if someone clones your SIM, but if we want to guard against this, we should not share our phone numbers with anyone at all. In fact, the worst-case scenario is a barrage of spam or crank calls. But then again, this is already an issue with many of us, and not really an Aadhaar-specific abomination.
Can the picture of the registrant be misused? The government, or a criminal, can use a public image of an individual, say in a newspaper or on social media, and use face recognition technology to identify him. This may, in principle, be used to identify either real criminals or persons hostile to the government, but the possibility of its effective use is pretty low. Hence, the threat is quite far-fetched.
Finally, the biometrics. In principle, this should never reach anyone outside UIDAI, but what if it does? There do exist locks and access control devices that use biometrics like fingerprint and iris scans to grant access to assets that could range from iPhones to nuclear weapons, and these may, in principle, get compromised. But the process of transferring data from the digital format to the access control device is, to say the least, very complicated. Readers may recall the movie Angels and Demons, where a dead scientist’s eye was gouged out and used to open a vault protected by a retinal scanner, to understand how complex the process is, and even then, it has been proven that this is simply impossible. Retinal scanners need a living eye to focus on a point, and cannot be fooled by a static image of the iris pattern. Similarly, while it may be possible in principle to steal one’s fingerprint images and use them at a crime site to implicate the owner, the physical challenges of actually doing so are so very high that the probability of its occurrence is quite low.
So net-net, a hack of the Aadhaar database could of course result in a flood of spam on your phone and email inbox, but all the other scenarios described have a very low probability of causing actual damage. In fact, many of the conveniences that we use – passport, air travel, cellphone, online banking, Gmail – have a greater probability of causing damage to our privacy, and in a throwback to Heisenberg’s Uncertainty Principle, let us accept that it is impossible to maximise both privacy and convenience at the same time. One must always trade off any one against the other. Unless you are like Richard Stallman – the open source guru and privacy fanatic, who does not use cellphones, credit cards, hotel Wi-Fi, the Google search engine, Facebook and many other conveniences of daily life in his quest for total privacy – a lot of information about you is already in the public domain, and Aadhaar will hardly add anything more to that. Hence, Aadhaar being a threat to privacy is more of an urban myth or an attempt at scare-mongering. The recent unauthorised access of the Aadhaar database, as reported in the Tribune, must be seen in this context.
But even if the threat to privacy recedes, Aadhaar faces the one big challenge that hobbles and frustrates all bold policy initiatives in India – the threat of poor implementation. Like demonetisation, GST or even more prosaic projects like building roads and highways, the Aadhaar project is full of operational pitfalls. First, there was an immense shortage of biometric equipment and trained staff, and it was quite difficult to get an Aadhaar number to begin with. Then, there were significant process issues that were not thought through adequately. For example, what to do about people with age, medical or disability-related problems that do not allow biometrics to be captured easily? Some of these problems have been highlighted, both in the mainstream media as well as on social media, and remedial action has been taken as an afterthought, but much more detailed-level planning needs to be done to handle genuine exceptions to the regular processes.
What is immediately needed, however, is to flood the country with low-cost but high-reliability biometric devices that can communicate seamlessly with the Aadhaar database and allow instant confirmation of a person’s Aadhaar number and hence his identity. Unless the Supreme Court puts a roadblock to many of the ambitious Aadhaar-based projects that the government has in mind – particularly in the area of digital payments and smartphone wallets, we will see an exponential increase in the number of verifications. Without a quick and reliable verification mechanism, these projects will falter, and Aadhaar will be blamed for it.
Finally, the Aadhaar database should not become a single point of failure for the nation. What this means is that even if the database is hacked into and corrupted, no critical operation like banking, stock market or public distribution system should come to a halt and cripple the nation. Critical systems should be loosely coupled to the central database, and there should be adequate workarounds that allow bypass, but with clear audit trails.
In 1985, when this author arrived in the United States for his PhD programme, he realised to his chagrin that there was no way that he could register at the university or open a bank account without a social security number (SSN), which he, as a foreign national, did not have. But this scenario had been anticipated, and the university had been authorised to allot a temporary SSN to new foreign students that could be used in lieu of the actual one for up to six weeks. The real SSN was of course allotted by the social security administration after a thorough verification of immigration credentials, which took about four weeks, and all that the author had to do after that was to go back to each organisation and have his temporary SSN replaced by the real one.
If the Aadhaar implementation is thought through and planned as effectively as this, it will surely become a useful tool for governance in India. While it is far from being fault-free, a lot of “criticism” of Aadhaar is due to the fact that it is killing lakhs of non-existent ghost teachers, ration-card holders, and students, in whose name taxpayers’ money was being stolen from the public exchequer.