On July 10, Alf Goransson had a first-hand experience of what Cinderella must have gone through at the stroke of midnight after the grand ball. The 59-year old CEO of Sweden’s security services firm Securitas AB was informed that he had been declared ‘bankrupt’ by a Stockholm District Court order.
No, this was not another Borris Becker or Vijay Mallya-case.
According to media reports, Goransson was an unassuming victim of online identity theft. The perpetrator hacked the CEO’s digital identity and used it to seek a loan of an undisclosed amount, after which a bankruptcy application was filed against Goransson.
“The identity theft took place in March. Goransson didn’t know he had been hacked until this week,” the company stated on July 12. Ironically, the CEO of the company that provides security and background checks as a service, could not ensure the safety of his own online identity.
Interestingly (eerily?), Sweden was the first country globally to provide each citizen with a personal identification number, which is a must-use element in every interaction with the state.
Now, why should we, as Indians be concerned over this incident? Before we get into the details, consider this. Digital identity—check. Digital transaction—check. Tadaa! There comes the connection—Aadhaar—the 12-digit unique identification (UID) number.
The high-profile case is a hard pill to swallow—it yet again underscores the various fears that Aadhaar critics have been fielding in India, time and again.
If the CEO of a Swedish company could be an easy prey to an online identity theft, what prevents perpetrators from meddling with the 1.16 billion (as of June) biometric online identities ‘stored’ in the database of the Unique Identification Authority of India (UIDAI), the statutory authority that is involved in Aadhaar enrollment?
Problems galore
It is an understatement to say that the current hue and cry surrounding Aadhaar became louder and mainstream due to the government’s unnecessary haste to make it mandatory to avail benefits and link it with various services including SIM card, PAN card and bank accounts, paving way for all sorts of surveillance theories.
In fact, the myopic approach of the previous UPA and the current NDA governments, as well as the UIDAI towards regulating the implementation and governance of the Aadhaar is culpable for the current conundrum. The deplorable mindset the brains behind the Aadhaar adopted to go ahead with a huge data collection drive involving personal details of this country’s citizens without a proper data privacy policy in place is disappointing if not astounding.
What the champions of Aadhaar failed to realise is that this was not a mere case of egg and chicken but a matter in which identities were at stake. A law regulating data privacy should have been in place prior to the roll out of the new system, let alone before making it mandatory. It is worthwhile here to note that Aadhaar enrollments began as early as 2010, years before The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act was passed by the Lok Sabha in March, 2016.
360 degree view of the person
The UIDAI says that from the Aadhaar database only a ‘yes’ or ‘no’ response would be send out in case of an identity verification request—which means that there is no sharing of the collected information. However, what most of us overlook is the fact that if one intends to collate all these responses, one can actually create a 360 degree profile of the person.
For instance, I seeded my PAN with my Aadhaar and have also linked it with all my bank accounts. I am using the same 12-digit number to get a new SIM card and am being asked to link my existing numbers with it. I could show it at the airport to prove my identity and use it for Skype verification. At a simple click of a button, a person who has the knowledge of my Aadhaar number can easily collate my details and track me anywhere and everywhere on a real-time basis. Now, if this does not scare you, I don’t know what would.
As long as federal agencies collect the fingerprints in bulk, biometrics cannot be private and hence, never truly secure | File
The UIDAI allows private companies to use its database for ‘establishing the identity of an individual for any purpose’. Yes, ‘any purpose’.
The spookiness quotient increases if the government resorts to targeted surveillance. For instance, if I am a suspect in a case, the best way to zero in on me is to trace my location and freeze all my bank accounts. The authorities can instantly restrict me, even before I realise it. Sounds like a great idea to hunt down a terrorist or maybe, even a Vijay Mallya. But what if I’m just a suspect based on preliminary evidence?
Of course, the UIDAI website says that the government does not indulge in tracking or profiling individuals. So was the case with making it mandatory. Back in 2010, making Aadhaar seeding mandatory for availing benefits or services was not in the cards. Rather, Aadhaar came into existence as a voluntary service.
That’s not so now. In that context, there is little surety that the government would not resort to surveillance in future. After all, no entity openly admits that it is tracking others.
What are the provisions that guarantee protection from such incidents? None, as of now.
On the contrary, here is a country that is debating on its right to privacy in the apex court, with the conclusion that the right is not absolute.
In a move to defend the state’s right to collect and store data from its citizens, the Supreme Court on Thursday yet again posed a question, which has been though, answered ever since the privacy debate on Aadhaar began. The apex court wondered if the citizens had no problem sharing personal information with private players (like Google and Facebook), why were they reluctant to do so with the state.
With private players, users do have the option to get the data removed or deactivated or else to sue these companies. But that’s not with the Aadhaar. Forget about asking the government to remove or delete the information collected, citizens are not even empowered to go to a court in case the information (read identity) is stolen/revealed. A citizen can just report the incident with the UIDAI whereas only the government can file a case in such a situation.
In addition, the recent security lapses prompting Aadhaar information leaks bring forth the larger issue here to the forefront. For instance, various departments of the state and central governments have, over different periods of time, made public the full details of persons enrolled under the Aadhaar on the web.
In April, it was reported that a technical glitch revealed the names, addresses, Aadhaar numbers and bank account details of the beneficiaries of Jharkhand’s old age pension scheme. Also, it has not been even a fortnight since the consumer details of the Reliance Jio customers including email id, first name, last name, Reliance Jio mobile number, activation date for the SIM along with the activation circle and in certain cases, even the Aadhaar number, were published by a website named magicapk.com.
[File photo] Cases are aplenty from across India where the Aadhaar has eliminated the ghosts as well as the living | PTI
There might have been questions of conflict of interests on the team, led by Nandan Nilekani, who worked for the Aadhaar; but reportedly there’s no doubt in the technical expertise of the team. However, repeated incidents of breaches and alleged attempts to hack private databases storing Aadhaar numbers is a strong cause to overshadow the aforementioned expertise.
As long as federal agencies collect the fingerprints in bulk, biometrics cannot be private and hence, never truly secure. While it is widely believed that biometrics are the most tamper-proof identities, a simple Google search is enough to shatter this trust factor. Biometrics are also susceptible to bypassing and duplications. The trickier it is to bypass something, the higher is the risk factor associated with it once it is leaked or duplicated.
For instance, stealing or duplicating my biometric identity is not as easy as faking my voter ID or PAN. But it is much easier to track down the latter case. In case of a password hack, a change of password is an instant solution. However, you cannot change your biometric in case of an identity theft/hack.
While the Union Minister for Law, Justice and IT Ravi Shankar Prasad and UIDAI CEO Ajay Bhushan Pandey have reiterated that the database is secure, unfortunately, these have remained mere statements without any solid explanations on how the security is ensured. And so far, the government has taken the route of learning as they find the way, which is far from reassuring.
I do or do I?
The functional domain issue surrounding consent increases the suspicious character of Aadhaar. Notes Nandan Nilekani and Viral Shah in ‘Rebooting India: Realising A Billion Aspirations’, the book they co-authored on Aadhaar: “Features like explicit consent, biometric verification and digital signatures make the eKYC process robust and tamper-proof, and resistant to identity theft.”
Where is the informed consent coming into picture in the current system? Moreover, with the entry of mandatory seeding, the rhetoric has definitely shifted to being that of imposed consent.
The question is, are we informed about the agencies who collect the data, who has access to these or how and where all could it be used? Not yet.
An individual who has enrolled for the Aadhaar, also entrusts her/his demographic information with the government agency. But in case someone gets access to it, what next? How can you contemplate lodging a complaint when you might not even know that such a theft has happened at first place?
From enabler to denial of rights
Over the past eight years, the image of the UID has tarnished to a great extent. The Aadhaar changed its role from being a rights enabler to that of an authority denying rights. Contemporary media is flush with reports of alleged biometric failures, where rightful beneficiaries are denied benefits because of system or enrollment errors. Cases are also aplenty from across India where the Aadhaar has eliminated the ghosts as well as the living.
It is imperative that the Centre address all such doubts and fears associated with the Aadhaar. With increased digitalisation, there’s no doubt that a data privacy policy is imminent in India. Rather than hounding citizen-centric movements and whistle-blowers, the Centre must make room for participative governance, get past archaic legislations and embrace newer policies in tandem with changing times.
If a constitutional assurance pertaining to privacy issues is not in cards, the next question definitely is if we need such a system in India putting citizens’ privacy at stake. Or is it wiser to tread the path that countries like the United Kingdom, Germany, Australia and Hungary, embraced? These countries placed citizens’ privacy over the necessity for a personal identification number and scrapped the whole system.
