Hindustan Times (Jalandhar)

Recast the security architecture of Aadhaar

A strong data protection law must be enacted and irresponsible handling and leakage of data penalised

- Nitin Pai is director of the Takshashila Institution, a centre for research and education in public policy. The views expressed are personal.


Let me start with full disclosure: the Nilekanis were among the earliest donors of the institution of which I am a co-founder. The proposals in this article are entirely my own and they have neither sought nor had any influence in the writing of it.

Much of the ongoing national heartburn over Aadhaar is due to the profound change in “the use case” between that of the UPA government which initiated it and the Modi government which seeks to proliferate it.

We thus have a governance framework that was meant for a voluntary instrument to avail of government entitlements, while Aadhaar itself became effectively a mandatory ID for a whole range of public and private services. Under the Modi government, the governance framework is playing catch-up even as use cases are sprinting far ahead into areas such as eKYC, digital payments and so on.

The governance gap has led to unscrupulous behaviour by service providers and enrolment agencies. It has also led to odd scenarios such as the email I received from my bank, requiring me to link my Aadhaar to my credit card account under money laundering prevention laws, and informing me that I will be doing this voluntarily under Aadhaar regulations.

This doesn’t mean we should undo Aadhaar. Rather, it means we must close the gap between what Aadhaar can be used for and the rules governing how it is used. There are five high-level changes that have to be made in the governance of Aadhaar.

First, Aadhaar must not be mandatory for any purpose. Indeed, given the reports of how some very vulnerable people are being denied public services, prudence demands that Aadhaar must not be the sole requirement even to avail rations and pensions. Letting different modes of identification coexist will allow the people of this diverse country to make the transition towards an all-digital system. Of course, where Aadhaar can genuinely speed things up, it is only fair that those who provide Aadhaar enjoy expedited services.

Second, Aadhaar should move away from being a single number to a one-time token based system. Apart from a limited number of government departments (police, tax and passports, for instance) no public or private entity should be allowed to ask for or retain Aadhaar numbers. Instead, all authentication should be done on the basis of one-time tokens. Instead of offering the personal Aadhaar number, the user will give a one-time token that is freshly generated for every new authentication.

This will ensure that no two service providers, public or private, will have the same number on their records, making mass profiling extremely difficult. Yes, there will be technical challenges in getting the entire population to use one-time tokens, but these are not insurmountable and will get easier with time.

Third, users should be allowed to replace or cancel their Aadhaar numbers. Like in the case of a lost credit card, if my Aadhaar number has been leaked, I should be able to ask UIDAI to cancel it and give me a new one. The UIDAI itself can issue new Aadhaar numbers to people if it determines that the privacy of their numbers is compromised.

Further, there might be some who no longer want an Aadhaar. Allowing people to cancel their Aadhaar, together with expunging of the accompanying biometric data, will be respectful of the individual’s liberty.

Fourth, a strong data protection law must be enacted to prohibit the collection and storage of Aadhaar numbers, and impose penalties on irresponsible handling and leakage of private data.

The prohibition and penalties must apply both to government and private entities, including to UIDAI itself, while allowing aggrieved citizens to register complaints with the police.

Finally, the regulatory architecture must be recast to reflect the vastly different use Aadhaar is being put to now. The UIDAI cannot be the service provider, regulator, enforcement agency and adjudicator. Each of these roles must be structurally separated from the other.

We can reap the benefits of Aadhaar while addressing concerns over equity, liberty and privacy. A good, constitutional balance is possible. Of course it won’t be easy. But that is what we should demand of our technocrats and policymakers.
