Depending on your point of view, Aadhaar is either a convenience or a curse, an instrument of change or a tool for mass surveillance.

Misinformation mixed with fears, rational or otherwise, has led to a distorted picture of what the service is about.

Data collection

The premise of Aadhaar is that it’s a centralised database of citizens’ information. This includes identity information (photograph, name, etc.), demographic information (address, contact details, etc.) and core biometric information (fingerprint scan, iris scan, etc.). The database is supposed to help streamline the functioning of various services and bring India into the digital age by enabling paperless transactions and authentication.

A pilgrim displaying his passport to the press: Reuters
A pilgrim displaying his passport to the press: Reuters

All of this data is stored on a secure, centralised database that can only be accessed by authorised entities. Of course, that data is only secure until it isn’t, and that hasn’t happened yet.

Data security is the biggest issue surrounding Aadhaar, and plenty has already been said about it. But for the moment, let’s assume that Aadhaar is secure and look at the other issues.

While there are a number of concerns around this data collection aspect of Aadhaar, it must be noted that the government already has much of this data in the first place. When you apply for a passport, you give biometric data as well as identity and address proof. This includes bank statements, electricity bills, details of your education, and more.

Barring core biometric data, you hand out these details to your bank; the Motor Vehicles Department took the same data for issuing your license, you gave it a credit card department for a new card and so on.

It’s also true that we have a rather cavalier attitude to our personal information. How many times have you given out your name, age, marital status and contact details when filling out a feedback form at a restaurant or applying for that department store membership programme that you know you’ll never use? You’ve given out this information in polls, lucky draws, at airline counters, to the taxi service of your choosing, and more.

We do all of this with little thought or hesitation.

Clearly, the mere fact that Aadhaar is collecting your personal information shouldn’t be an issue.

Data access and privacy concerns

Aadhaar works best only when the stored data can be accessed. We’ve all seen those ads that say that you can open a bank account or apply for a new SIM-card with just your Aadhaar number. This is only possible when a bank or telecom operator has access to your information. A bank still needs to know your residential address and contact details, after all.

So how does this happen?

It’s simple, really. The Aadhaar Act 2016 specifies that any entity interested in accessing the information stored in Aadhaar database must jump through a few hoops in the name of privacy.

Image: Christoph Scholz

First, the entity will need to register with the UIDAI. When it registers, it will need to specify the type of information it needs access to, why it needs that information and what it intends to do with that information.

Second, the entity will need to have a mechanism in place to ensure that the Authority can audit the entity’s handling of the shared information. There are “severe” penalties in place for situations where the data is mishandled.

Being registered still does not open the floodgates to all your personal information, however. No third party — within the limits of the law at least — can access your information from the Aadhaar database without your explicit permission.

Say you’re opening a bank account. You apply for opening an account and submit your Aadhaar details. The bank uses these details to request your identity information (name, address, photograph, PAN card, etc.).

When the UIDAI servers receive this request, you will need to approve it via on OTP sent to your registered mobile number or via biometrics. Only then does the bank have access to this information.

As far as the quality of the shared data is concerned, this is exactly the same data that you would have had to hand over in document form when opening the account.

Section 8 of the Aadhaar Act allows for this kind of data sharing.

The unanswered questions surrounding Aadhaar

Purportedly, Aadhaar is in itself innocuous. Any data that is collected in the name of Aadhaar, the government and any number of unknown entities likely already have access to.

All Aadhaar claims to be doing is linking all your disparate government-issued documents to one ID and number, streamlining the document handling and identification processes. Creating an Aadhaar ecosystem so to speak, which is the reason it’s being looked at with caution.

The real problem with Aadhaar is three-fold. First, as secure as the Aadhaar database itself is claimed to be, the recent leaks of data have shown that the government entities haven’t adequately trained their employees or third parties on the handling of the private data that they collect. Why else would government organisations leave excel sheets filled to the brim with personal data just lying around?

The most recent example is the time when Indian cricketer MS Dhoni was getting himself registered for Aadhaar. The agency handling his application process tweeted out a photo of Dhoni’s application page. His wife Sakshi Dhoni was naturally annoyed and brought this to the notice of Union Minister Ravi Shankar Prasad, who promptly blacklisted the agency for 10 years. Dhoni is a popular personality. But what happens if someone like you or me has their data put out on a public platform like this?

Payment Authentication through biometric scanning. Image: Narendra Bhooshan Twitter: @nbhooshan
Payment Authentication through biometric scanning. Image: Narendra Bhooshan
Twitter: @nbhooshan

Knee-jerk reactions stating that such organisations will be banned or penalised are completely pointless. Educating the people responsible is more important than scaring the life out of them.

The second problem is that there’s still no clarity on the secondary information that may or may not be tied to Aadhaar, and whether that information will be shared.

Secondary information can include your financial transactions, the history of your bill payments, your income tax returns, your credit history, and more. All of this data can be used to profile a user.

Worse still, if Aadhaar is indeed collecting this data, the Aadhaar act allows for the sharing of this data with third-parties.

Reuters
Reuters

Last but not least, the biggest problem with Aadhaar is the lack of clarity on the control that you have over your own data.

Think of it this way, when you install, say, a game on your Android phone, why does it need to have access to your photos, your contacts, call history, email and more? Android now gives you control over this by giving you sharing options. By the same token, why does a restaurant need access to your home address and PAN card details?

Image: Google Developers
Image: Google Developers

Does Aadhaar give you that control? Can you, as a citizen, log into some Aadhaar portal, get an overview of where and how your data is shared and rescind permission as necessary?

Just to be clear, the Aadhaar Act specifies that nobody will have access to data they didn’t ask for. This also raises another question. Is there some oversight on the entities that are approved for Aadhaar data access? Who do we hold accountable if that data is misused or if the approval is given without due diligence? According to cyberlaw expert Pavan Duggal, there are no remedial solutions in place yet, if you discover that your Aadhaar data has been put up on public platforms.

Aadhaar can be a convenience if it’s implemented properly, but clearly, there are still too many questions surrounding the service to trust it implicitly. Sadly, we’re being forced into accepting it, whether we want it or not.

Publish date: April 4, 2017 3:03 pm| Modified date: April 4, 2017 3:03 pm

Tags: , , , , , , , ,