‘Smartphones and CCTVS are far bigger privacy risks than Aadhaar’
There has been a stream of negative news surrounding Aadhaar, with wideranging concerns being raised on the security of the system and the potential leakage of Aadhaar numbers by government departments. In an interview, Infosys co-founder and former Unique Identification Authority of India (UIDAI) chairman Nandan Nilekani, the creator of Aadhaar, dispelled most of the concerns surrounding Aadhaar, but conceded there are areas where it could improve. Edited excerpts: with the current narrative is why should Aadhaar be singled out as a reason for the law? The biggest privacy risk that you have is your smartphone. A billion people will have smartphones as we go forward, their conversations will be recorded, their messages will be read, their location can be identified with GPS. The kind of intrusion of privacy that the smartphone does is order of magnitudes higher. Aadhaar is a sporadic thing -- it is episodic, for instance, when I go and open an account, etc.
The second big privacy risk are CCTV cameras -- there doesn’t seem to be a law on these things. Every mall, every ATM, every bus stand, every railway station, every hotel has a CCTV camera.
Thirdly, we have Internet companies and data collection centres. Indians are essentially giving data to companies that are essentially unaccountable to Indian law and that data is often shared with foreign governments.
Then there are drones, or the Internet of Things, with sensors everywhere collecting data on you. So, there is a data tsunami that is coming due to a variety of things -- (it has) nothing to do with Aadhaar as such. We should have a privacy law, which looks at all these phenomena.
But people are acting as if Aadhaar is the only reason why we should have a privacy law. That’s where I have a problem. We have a far bigger risk today from a cellphone than Aadhaar. When you do an Aadhaar authentication, the Aadhaar authentication does not even know for what purpose that authentication has happened. Suppose I use it to do a financial transaction in a bank, the bank knows the financial transaction, but the Aadhaar system does not know. It has been deliberately designed like that. The Aadhaar system is extremely well-designed. It’s not an online system that is exposed to the Internet. When the enrolment happens, the packet is encrypted at source and sent, so that there can’t be a man-in-the-middle attack. And when the authentication happens, that is also encrypted — not compared to the original data, but to a digital minutiae. The the system is very, very secure.
So, if the objection is to centralisation, then you should not have clouds. Clouds are also centralised. Everything today is centralised—otherwise, let’s all go back to pen and paper. One, I agree we need a privacy law, covering everything. Secondly, we need to implement (the concept of) registered devices as soon as possible. The first launch is by June… Also, the Aadhaar law already provides that anyone who uses the Aadhaar number cannot display the number or publish it, so that enforcement has to happen. We have to make sure that any user of this, whether it’s the government or the private sector, follows the law of the protection of the Aadhaar number. I know the government has sent a notice to everyone. If somebody has done it, they ought not to have done it— there’s a law for that.