Suman Sharma was aghast at what she saw on the laptop screen of a local mobile connection vendor. She was asked to give her fingerprint and Aadhaar number for authentication to get a Reliance Jio connection. The moment the fingerprint was scanned, all her details, information she had thought was confidential, were on the screen. She could not help wondering what if they misused the data. Reliance could probably add all her call and data history and create a database of its own, she thought. “And who knows, tomorrow they might share it with their subsidiary company, say Reliance Retail, to create a more specific profile,” said the professor at a private business school in Delhi.
Sharma's concern is not misplaced considering the bitter experience Delhiite Suresh Nair recently had. After hunting for a house for long, Nair and his wife chose one at Lajpat Nagar. The house was big, semi-furnished and in a good neighbourhood. Though the Nairs agreed on the Rs 25,000-a-month rent, the landlord asked for their Aadhaar numbers and told them he would let them know in two days. Later, he told them the house was not available. He had found out from an online database that the Nairs' annual family income was less than Rs 10 lakh, and he did not consider them eligible for the posh locality.
Yes, there are databases that can read out people's profiles like horoscopes. And, Aadhaar has made their job a lot easier. Ongrid, one such database, culls information from different sources and puts them together on the site. Peeyush Peshwani, founder of Ongrid, argued that Aadhaar-holders could delete the data anytime they wanted. But that is hardly a justification for collecting private information.
Ajay Bhushan Pandey, chief executive officer of the Unique Identification Authority of India, which administers Aadhaar, said the law was that Aadhaar number can be used only for the purpose for which it was taken. “Fingerprint is encrypted, so it is not available with anyone. The law says that the data should not be shared with anyone else. Sharing it is a criminal offence and strong provisions have been built in the Aadhaar Act to tackle that,” he said.
There are, however, many concerns about UIDAI's information security policy. “As a central repository, have they built in enough safeguards so that the data cannot be misused? One does not know whether they have conducted any investigation on these authentication agencies. There has not been any CAG audit on Aadhaar and the way it is being run. There are many missing links,” said Ramanjit Singh Chima, global policy director at Access Now, an organisation that defends digital rights of individuals.
Pandey ruled out any misuse of Aadhaar saying that consent was built in and, for any usage, one had to first get the Aadhaar-holder to agree. “Nothing can be done without Aadhaar-holder's consent,” he said.
The problem is, meaningful consent is often a myth, and in most cases, individuals do not know what they are getting into. There is a high chance that the poor and gullible would not even know how their data is going to be used. “Consent has largely been left to the service provider,” said Apar Gupta, a technology lawyer. “The A.P. Shah Committee on privacy laws has specific recommendation on how consent has to be taken. The Aadhaar Act has completely ignored it.”
With the government now seeding Aadhaar into a host of services from banks and pensions to MGNREGA payments, the problem gets all the more worse. Some activists believe that it is akin to tracking individuals. Activist Usha Ramanathan, a well-known critic of the Aadhaar project, said it would be dangerous because it could become agenda-driven. “They might even get to know about voter behaviour and target their programmes accordingly,” she said.
While Aadhaar being opened to the private sector has been questioned since the beginning, what is more discomforting are the applications that are getting built on Aadhaar. IndiaStack, a paperless service delivery system formed by the think tank iSPIRT, offers a host of such applications. A spokesperson for iSPIRT said it was a wrong notion that large amounts of personal data was exposed. “It is the same amount as provided when you provide a photocopy of identity documents to a service provider,” he said. He said the responsibility to protect this data lay with the service provider, and was governed by the agreement between the service provider and the customer. The catch here is, there is no way for the customer to ensure that his data is private.
Also, there is an inherent case of conflict of interest between IndiaStack and the Aadhaar programme. Nandan Nilekani, who was the first chairman of UIDAI, is part of the core team that built IndiaStack. Pramod Varma and Sanjay Jain, who were associated with Aadhaar, are also part of the team.
Another worrying feature of Aadhaar is the use of biometrics itself. Because the government is pushing for cashless transactions through Aadhaar, the security concerns raised on biometrics become all the more important. “Biometrics is inherently a very insecure system,” said J.T. D’Souza, a security expert. “Your fingerprints and iris can be spoofed very easily. Unlike a card which you can block if it is stolen, you cannot do anything if your iris or fingerprint is spoofed.”
Pandey, however, said there was a strong case for Aadhaar-linked financial transactions because it would bring down verification costs. “Authentication has a cost which I am told comes to a couple of hundred rupees. E-KYC [verifying customer credentials through Aadhaar] makes the process very simple and convenient from a people’s point of view,” he said.
Verification cost matters, especially for small accounts and small loans. “We have been able to do small loans in a matter of minutes, thanks to Aadhaar and e-sign. We do not need to physically verify that person,” said Rohan Angrish, chief technology officer of the lender Capital Float. He, however, agreed that there should be stronger norms on consent. “There is some work going on, on developing informed consent,” he said.
A lot of privacy is already compromised thanks to the social networking sites and search engines. But they at least give an option not to disclose or share the data. Aadhaar, on the other hand, is mandatory. And, as industrialist Mukesh Ambani said “data is the new oil”. Aadhaar, it seems, will keep many engines running.
