Business Standard

Privacy in peril VIEWPOINT


A new tech start-up recently launched a home page with one of the more frightening images on the internet. At first glance it is a wide-angle street scene shot in black & white at a busy market. But some individuals in that tableau are singled out. Target boxes underneath their faces list their Aadhaar numbers, names, mobile numbers, emails, residential addresses, dates of birth, etc., with some salient details blanked out.

The start-up calls itself a “trust bureau”. It is a private B2B concern, which offers to verify employees and clients for its customers. It says it can do ID checks, verify PAN, check police records, employment history, registered vehicles, etc., by linking individuals’ data, documents and “incidents” to their 12-digit Aadhaar numbers. These checks would be consent-based: The target employee/applicant would sign a form allowing data verification and also input one-time passwords (delivered to registered mobiles) to the UIDAI database for authentication.

Such a service is a natural commercial spin-off from the new e-KYC (Know Your Customer) procedure leveraging Aadhaar. Aadhaar is increasingly used for opening bank accounts, buying new mobile SIMs, etc. It saves the hassle of submitting tonnes of photocopies. The verification can be done on the spot. The target can simply authenticate and authorise UIDAI to share the Aadhaar data in electronic, secure (encrypted and digitally signed) fashion.

Anybody can enrol as an agent verifying e-KYC. The Application Programming Interface or API for the Aadhaar e-KYC service is publicly available from the UIDAI and enrolment as an agent is simple. The e-KYC process allows agencies (KYC User Agencies and KYC Service Agencies as they are known) to access Aadhaar data (after taking the concerned individual’s consent).

The data available include the above details, plus photographs encoded and stored in base-64 digital format. Given excellent facial recognition programs and off-the-shelf image converters, a digital photo can be instantly converted and compared to databases of base-64 images. The KYC agency can also do a physical visual comparison.

In theory, the Aadhaar database returns only “yes/no” responses to queries. In practice, the individual who gives his or her consent for such a verification is asked to submit the data, along with a digital snapshot (and perhaps a little more data, such as her mother’s maiden name), for verification. The agency then queries the UIDAI to verify that all the data submitted checks out.

The agency then owns a parallel, verified database tied to the Aadhaar number. Eventually it will have a large database. It’s possible that an agency will pool a parallel database with other parallel databases put together by other agencies. Then such an agency will be able to trawl public pictures downloaded from wherever, and recognise random people and tie mugshots to Aadhaar data.

Given access to location information (mobile service providers have this 24x7 real-time) or credit card information (banks, credit card providers have this), more detail may be added. Given location and credit card information (the IRCTC has both), and medical information (health care services have this too), even more detail is possible.

Mobile service providers, banks, etc., have KYC data for hundreds of millions. Building really huge parallel databases tied to Aadhaar is very feasible. Off the record, it is whispered that such databases are already available.

That information can be used and misused for a large range of activities. Arguably, it is not even illegal to create such a database (though specific uses may be criminal). There is no specific privacy law, or data privacy law in India to stop such data being traded, or used. Location is not even recognised as personal data under Indian law.

The government has even argued in the Supreme Court that individuals don’t have a fundamental right to privacy. In 1984, George Orwell dreamt up the concept of a dictatorship that worked on surveillance. But Orwell was a tech-incompetent. The dystopian reality of 2017 goes a long way beyond everything that he imagined, way back in 1948.
