Privacy in peril VIEWPOINT
Anew tech start-up recently launched a home page with one of the more frightening images on the internet. At first glance it is a wide-angle street scene shot in black & white at a busy market. But some individuals in that tableau are singled. Target boxes underneath their faces list their Aadhaar numbers, names, mobile numbers, emails, residential addresses, dates of birth, etc, with some salient details blanked out.
The start-up calls itself a “trust bureau”. It is a private B2B concern, which offers to verify employees and clients for its customers. It says it can do ID checks, verify PAN, check police records, employment history, registered vehicles, etc., by linking individuals’ data, documents and “incidents” to their 12-digit Aadhaar numbers. These checks would be consent-based: The target employee/applicant would sign a form allowing data verification and also input one-time passwords (delivered to registered mobiles) to the UIDAI database for authentication.
Such a service is a natural commercial spin-off from the new e-KYC (Know Your Customer) procedure leveraging Aadhaar. Aadhaar is increasingly used for opening bank accounts, buying new mobile SIMs, etc. It saves the hassle of submitting tonnes of photocopies. The verification can be done on the spot. The target can simply authenticate and authorise UIDAI to share the Aadhaar data in electronic, secure (encrypted and digitally signed) fashion.
Anybody can enrol as an agent verifying e-KYC. The Application Programming Interface or API for the Aadhaar e-KYC service is publicly available from the UIDAI and enrolment as an agent is simple. The eKYC process allows agencies (KYC User Agencies and KYC Service Agencies as they are known) to access Aadhaar data (after taking the concerned individual’s consent).
The data available include the above details, plus photographs encoded and stored in base-64 digital format. Given excellent facial recognition programs and off-the-shelf image converters, a digital photo can be instantly converted and compared to databases of base-64 images. The KYC agency can also do a physical visual comparison.
In theory, the Aadhaar database returns only “yes/no” responses to queries. In practice, the individual who gives his or her consent for such a verification is asked to submit the data, along with a digital snapshot, (and perhaps, a little more data such as her mother’s maiden name) for verification. The agency then queries the UIDAI to verify that all the data submitted checks out.
The agency then owns a parallel, verified database tied to the Aadhaar number. Eventually it will have a large database. It’s possible that an agency will pool a parallel database with other parallel databases put together by other agencies. Then such an agency will be able to trawl public pictures downloaded from wherever, and recognise random people and tie mugshots to Aadhaar data.
Given access to location information (mobile service providers have this 24x7 real-time) or credit card information (banks, credit card providers have this), more detail may be added. Given location and credit card information (the IRCTC has both), and medical information (health care services have this too), even more detail is possible.
Mobile service providers, banks, etc., have KYC data for hundreds of millions. Building really huge parallel databases tied to Aadhaar is very feasible. Off the record, it is whispered that such databases are already available.
That information can be used and misused for a large range of activities. Arguably, it is not even illegal to create such a database (though specific uses may be criminal). There is no specific privacy law, or data privacy law in India to stop such data being traded, or used. Location is not even recognised as personal data under Indian law.
The government has even argued in the Supreme Court that individuals don’t have a fundamental right to privacy. In 1984, George Orwell dreamt up the concept of a dictatorship that worked on surveillance. But Orwell was a tech-incompetent. The dystopian reality of 2017 goes a long way beyond everything that he imagined, way back in 1948.