There Is A Privacy Issue With The Aadhaar Card

The Benefits Of Aadhaar Cannot Hide The Infirmities In The Project

When Attorney-General Mukul Rohatgi argued before the Supreme Court that there was no fundamental right to privacy and petitions challenging the Aadhaar project for violating privacy, should be dismissed, many were dismayed but not surprised. After all, the Narendra Modi government has, from the outset, been giving Aadhaar a big push, never mind that the Bharatiya Janata Party had strongly opposed the project when it was in the opposition, on grounds of both compromising privacy as well as legitimising illegal immigrants. Aadhaar is now the lynchpin of the JAM Trinity – Jan Dhan Yojana-Aadhaar-mobile banking – trinity that the government is banking on for delivering subsidies in a more efficient, effective and economical way.

Giving people a unique identity number and linking it to bank accounts will undoubtedly bring about a massive reduction in the diversion of subsidies and welfare benefits that is rampant in India. But there are legitimate concerns that need to be addressed. A look at the noise over Aadhaar:

The Back Story

The first, hesitant steps to give every citizen an identity card and number were taken by the National Democratic Alliance government of Atal Behari Vajpayee. Called the Multi-Purpose National Identity Card (MNIC) project, its objective was compulsory registration of every citizen and non-citizen living in India in a National Population Register (NPR). Citizens would get a MNIC and number while non-citizens would get a multi-purpose residency card. The Citizenship (Registration of Citizens and Issue of National Identity Cards) Rules, 2003 were issued that made it compulsory for everyone to be enrolled in the NPR. A pilot project started in 13 states in 2003.

The United Progressive Alliance (UPA) government ran with the ball and the Citizenship Act 1955 was amended in 2004 to insert a Section 14A which authorises the central government to compulsorily register every citizen and issue a national identity card.

Two years later, in 2006, the UPA also initiated the Unique Identification (UID) project. To be implemented by the Department of Information Technology, this had an entirely different objective – it was about identifying beneficiaries of welfare programmes and doles and giving them a unique ID so that leakages and diversion could be eliminated.

Later the government decided to bring the two schemes – NPR and UID – together.

As the modalities for this were being worked upon by an empowered group of ministers (EGoM), the Planning Commission suggested setting up a Unique Identity Authority of India (UIDAI). The government decided to initially anchor it in the Planning Commission for five years and later make it a statutory authority. Accordingly, the UIDAI got established in 2009; it was then that the UID got the Aadhaar name.

The Aadhaar enrolment campaign by the UIDAI was launched in 2010. The enumeration exercise for the 2011 Census by the Registrar General of India (RGI) also started that year; it also involved capture of bio-metrics, though this was done after the enumeration. It was decided that the NPR database would be sent to the UIDAI for bio-metric de-duplication and assigning of a unique ID number which would be added to the NPR database.

Soon the home ministry (then headed by P. Chidambaram) and the Planning Commission were at loggerheads over the two exercises. Chidambaram was not satisfied with what he called “the degree of assurance” with which the UIDAI was going about its task. He felt the NPR was better from the perspective of internal security. Then Planning Commission deputy chairman Montek Singh Ahluwalia weighed in on the side of the UIDAI.

As a compromise it was decided that:

• UIDAI would undertake enrollment for Aadhaar in a specified number of states where it had made significant progress, while the NPR would capture the bio-metrics of people in the rest.

• In addition to its original target (set in phases) of covering 20 crore people, UIDAI would enroll another 40 crore.

• The NPR would not capture bio-metrics for people who already had an Aadhaar number/card. It would, however, note the number in its records and source the bio-metric information from UIDAI.

Currently, the NPR bio-metrics collection exercise is going on in 12 states and UIDAI is doing enrolments in 24 states.

The RGI, which does the NPR exercise, sends the bio-metrics it captures to UIDAI for de-duplication and assigning of an Aadhaar number. The NPR, which is kept with the RGI, will have demographic data, bio-metrics and Aadhaar number.

The Design Flaw

Chidambaram was right in voicing security-related concerns over the poor due diligence in the case of Aadhaar and rooting for NPR. The NPR is based on a house-to-house survey. The Aadhaar enrolment only requires people to approach UIDAI with some select documentary proof or, if such proof is not there, through an `introducer’ – anyone from an elected representative (gram pradhan/councillor/MLA/MP) to local teachers, anganwadi workers, doctors, representatives of NGOs, etc. This is what had the home ministry under Chidambaram worried – that the exercise would, willy-nilly, end up legalizing illegal immigrants.

The NPR is about identifying citizens; Aadhaar is only about authenticating the identity of people. Whenever he was quizzed about Aadhaar, former UIDAI chairman Nandan Nilekani would always take pains to clarify that it was not a citizenship document.

Right now, the NPR exercise, like Aadhaar, covers all usual residents in the country. The next step will be to verify citizenship status of everyone in the register. Citizens could get a smart card with the Aadhaar number, but there is no decision on this yet.

The Legal Backing . . . Or Lack of It

The NPR has got legal backing, since the Citizenship (Amendment) Act authorises it. Aadhaar has no legal backing to date. The UIDAI is still functioning on the basis of an executive action – six years after it was set up.

A National Identification Authority of India Bill was tabled in 2010. It proposed the setting up of a National Identification Authority of India (NIAI) to issue Aadhaar numbers to individuals after collecting and verifying specified documents and recording bio-metric information. This would be stored in a centralised depository and those seeking to verify a person’s identity (e.g. banks) could do so by checking the Aadhaar number given to them with this depository. The NIAI can share information about individuals, with their written consent, with government agencies and can share information with security agencies.

The Parliamentary Standing Committee on Finance, headed by Yashwant Sinha, rejected the Bill in 2011. Its concerns related to:

• The Aadhaar number will be available to every resident – citizen or non-citizen.
• The original mandate of identifying below poverty line families had been exceeded by extending Aadhaar to every resident.
• The ministries of finance, home and planning, as well as the National Informatics Centre (NIC) had expressed objections to various aspects of the functioning of the UIDAI, which were being ignored.
• The lack of clarity on whether the Aadhaar number would become compulsory.
• The possible misuse of the huge database of people and the lack of a data protection law
• The involvement of a large number of private vendors in an exercise relating to sensitive personal information.

The Bill is still pending, which means the UIDAI is functioning without legal sanction.

Is Aadhaar a Game Changer?

Yes it is, in some respects and for some people.

For the migrant population in cities, who live in slums or unauthorised clusters and keep shifting homes, any work that required them to provide proof of identity and residence – opening a bank account, applying for a ration card or even a gas connection – was always a problem. Aadhaar gave them an identity document that would remain valid wherever they moved. The Jan Dhan Yojana would not have been the resounding success it is if it were not for Aadhaar.

For the government, Aadhaar, when linked with a bank account or a ration card, is a fool-proof way of ensuring that doles, subsidised goods and other welfare benefits go only to the person entitled to it. It also eliminates duplication, a fairly common problem with one ration card being issued in more than one name or migrant workers holding a ration card in the village and in the towns.

True, Aadhaar is only about identification, not eligibility; it does not seek information on income or any of the parameters that put people in the BPL category. Nilekani has also often clarified that Aadhaar does not automatically entitle one for welfare benefits. But while Aadhaar does not certify that X belongs to the BPL category, it will ensure that a dole meant for X goes into his bank account. So it will eliminate chances of, say, a school principal opening a bank account and spiriting away the scholarship money meant for poor students who were not even aware they were getting money. This actually happened in a government school in South Delhi.

The danger: There is, however, a caveat to this. What happens to people who do not get an Aadhaar number/card (homeless people, for example) but may be entitled to government welfare benefits? Will they be denied these benefits because they do not have Aadhaar? There is no conclusive answer to this, but this issue needs to be addressed.

So is the Opposition Unjustified?

No, it is not. The strong opposition to Aadhaar stems primarily from three valid and inter-related concerns, which detract from its admittedly useful aspects:

• Privacy, or the lack of it, is the biggest problem with the entire Aadhaar project. This is an issue which brings together people of different ideological persuasions, even those who agree with the concept of Aadhaar.

Bio-metric data of individuals is being collected under Aadhaar (yes, also under NPR but there is a difference between the two that will be explained later). There are many private players involved in the whole chain of registering for and generation of Aadhaar numbers before the database finally goes to the government-controlled Central Identities Data Repository (CIDR).

Enrolling individuals for Aadhaar is done by registrars which are mainly government and public sector agencies. But they can hire enrollment agencies which can be private players to collect demographic and bio-metric information. Enrollment agencies cannot outsource work but they can hire enrollment operators and supervisors through third parties.

While the UIDAI claims that it has robust security measures in place to ensure that there is no leak from the CIDR, there is no foolproof system in place to guard against breach of data from any of these points. Or to ensure that enrollment agencies and operators do not keep a copy of the database when they hand it over to the government. Usha Ramanathan, who has been crusading against Aadhaar for several years, has often pointed out the casual manner in which enrollment agencies and operators handle the information available with them.

The UIDAI lists severe penalties for fraud or unauthorized access or use of data, but says “following are the possible criminal penalties in the Bill [the NIAI Bill]”. But the Bill has not been passed yet. Right now the only safeguard against breach of privacy is good behaviour on the part of everyone involved. There is no legal guarantee against it. Remember also that India does not have a data protection law.

• The lack of legal backing is the second big problem with Aadhaar. Swarajya columnist J. Sai Deepak has written extensively about the problems with Aadhaar. One of the points he makes is that Article 21 of the Constitution, which deals with the fundamental right to life and personal liberty says “no person shall be deprived of his life or personal liberty except according to procedure established by law”. He also points out the Supreme Court, while delivering judgments in various cases relating to state surveillance and privacy has always emphasized that any action of the government must be backed by a formal statute or legislation.

Saideepak also draws attention to the wide mandate of the UIDAI, which includes defining the usage and applicability of Aadhaar for the delivery of various services. Giving so much power to a body which has no legislative sanction is, indeed, unprecedented and extremely worrying.

• In its defence, the UIDAI has always held that the fears relating to privacy are unfounded, that the information it collects is very basic – name, gender, date of birth and address – and is already in the public domain in various forms. It also says that it does not divulge any information but only confirms or rejects any bio-metric data that is sent to it for verification.

That argument holds only if Aadhaar is a standalone piece of document that establishes one’s identity. But that is not the case. Aadhaar is the go-to document to access various public services and, as Ramanathan has been pointing out in various articles, is extending to private services as well. This is the third main concern with Aadhaar – the confusion over whether it is voluntary or mandatory and whether the lack of it can be used to deny someone a service. Related to this is the fact that it will become a single point of access to information about everything concerning an individual. That is why the privacy issue is paramount.

If Aadhaar remains, as the original intention was, a document for people who lack proof of identity and address to enable them to access banking services as well as welfare programmes, then there is perhaps not much of a problem. Only those who need such a document will enroll for it and any sharing of information between agencies will relate to name, address and bank account and the welfare provision they are accessing. The only agencies that will be involved will be government departments and banks.

But Aadhaar is not confined to this. A provision in the NIAI Bill allows Aadhaar information to be shared with security agencies. A column in the Aadhaar form asks people to tick if they want the Aadhaar number to be linked to their bank account or whether the information can be shared. When even educated people miss this, it would be too much to expect poor and near-illiterate people to be aware of this provision.

Aadhaar is slowly becoming compulsory for a wide variety of services, despite the Supreme Court ruling that this should not be done. Seeking consent for linking the Aadhaar number with the bank account means nothing when banks insist on customers providing Aadhaar numbers. Income tax assessees are being asked to provide their Aadhaar numbers from the 2015-16 assessment year.

The Election Commission is putting out advertisements asking people to link their Aadhaar numbers with their election identity cards. In Delhi, even witnesses to property-related transactions registered in courts have to provide their Aadhaar numbers. A Goa court asked UIDAI to give the Central Bureau of Investigation the bio-metrics of everyone enrolled under Aadhaar in the state to help it solve a gangrape case, as this report in the Indian Express shows.

The UIDAI may be right in saying that it only verifies if an identity is genuine, but with Aadhaar becoming compulsory for a whole host of services, what is there to stop a government agency tracking all of a person’s actions through the Aadhaar number, without even approaching UIDAI for verification? Or for someone else to do the same without hacking the CIDR?

The government may have sound reason to push Aadhaar. But it needs to address the many genuine concerns that are developing around it.

Also read:

A combination of Jan-Dhan Yojana, Aadhaar card, and mobile phones (JAM) may help check leakages in welfare schemes.

Why is the Mainstream Media Silent on the (il)legality of the UID Project?