Pri­vacy in peril VIEWPOINT

Business Standard - - OPINION - DEVANGSHU DATTA

Anew tech start-up re­cently launched a home page with one of the more fright­en­ing images on the in­ter­net. At first glance it is a wide-an­gle street scene shot in black & white at a busy mar­ket. But some in­di­vid­u­als in that tableau are sin­gled. Tar­get boxes un­der­neath their faces list their Aad­haar num­bers, names, mo­bile num­bers, emails, res­i­den­tial ad­dresses, dates of birth, etc, with some salient de­tails blanked out.

The start-up calls it­self a “trust bu­reau”. It is a pri­vate B2B con­cern, which of­fers to ver­ify em­ploy­ees and clients for its cus­tomers. It says it can do ID checks, ver­ify PAN, check po­lice records, em­ploy­ment his­tory, reg­is­tered ve­hi­cles, etc., by link­ing in­di­vid­u­als’ data, doc­u­ments and “in­ci­dents” to their 12-digit Aad­haar num­bers. Th­ese checks would be con­sent-based: The tar­get em­ployee/ap­pli­cant would sign a form al­low­ing data ver­i­fi­ca­tion and also in­put one-time pass­words (de­liv­ered to reg­is­tered mo­biles) to the UIDAI data­base for au­then­ti­ca­tion.

Such a ser­vice is a nat­u­ral com­mer­cial spin-off from the new e-KYC (Know Your Cus­tomer) pro­ce­dure lever­ag­ing Aad­haar. Aad­haar is in­creas­ingly used for open­ing bank ac­counts, buy­ing new mo­bile SIMs, etc. It saves the has­sle of sub­mit­ting tonnes of pho­to­copies. The ver­i­fi­ca­tion can be done on the spot. The tar­get can sim­ply au­then­ti­cate and au­tho­rise UIDAI to share the Aad­haar data in elec­tronic, se­cure (en­crypted and dig­i­tally signed) fash­ion.

Any­body can en­rol as an agent ver­i­fy­ing e-KYC. The Ap­pli­ca­tion Pro­gram­ming In­ter­face or API for the Aad­haar e-KYC ser­vice is pub­licly avail­able from the UIDAI and en­rol­ment as an agent is sim­ple. The eKYC process al­lows agen­cies (KYC User Agen­cies and KYC Ser­vice Agen­cies as they are known) to ac­cess Aad­haar data (af­ter tak­ing the con­cerned in­di­vid­ual’s con­sent).

The data avail­able in­clude the above de­tails, plus pho­to­graphs en­coded and stored in base-64 dig­i­tal for­mat. Given ex­cel­lent fa­cial recog­ni­tion pro­grams and off-the-shelf im­age con­vert­ers, a dig­i­tal photo can be in­stantly con­verted and com­pared to data­bases of base-64 images. The KYC agency can also do a phys­i­cal vis­ual com­par­i­son.

In the­ory, the Aad­haar data­base re­turns only “yes/no” re­sponses to queries. In prac­tice, the in­di­vid­ual who gives his or her con­sent for such a ver­i­fi­ca­tion is asked to sub­mit the data, along with a dig­i­tal snap­shot, (and per­haps, a lit­tle more data such as her mother’s maiden name) for ver­i­fi­ca­tion. The agency then queries the UIDAI to ver­ify that all the data sub­mit­ted checks out.

The agency then owns a par­al­lel, ver­i­fied data­base tied to the Aad­haar num­ber. Even­tu­ally it will have a large data­base. It’s pos­si­ble that an agency will pool a par­al­lel data­base with other par­al­lel data­bases put to­gether by other agen­cies. Then such an agency will be able to trawl pub­lic pic­tures down­loaded from wher­ever, and recog­nise ran­dom peo­ple and tie mugshots to Aad­haar data.

Given ac­cess to lo­ca­tion in­for­ma­tion (mo­bile ser­vice providers have this 24x7 real-time) or credit card in­for­ma­tion (banks, credit card providers have this), more de­tail may be added. Given lo­ca­tion and credit card in­for­ma­tion (the IRCTC has both), and med­i­cal in­for­ma­tion (health care ser­vices have this too), even more de­tail is pos­si­ble.

Mo­bile ser­vice providers, banks, etc., have KYC data for hun­dreds of mil­lions. Build­ing re­ally huge par­al­lel data­bases tied to Aad­haar is very fea­si­ble. Off the record, it is whis­pered that such data­bases are al­ready avail­able.

That in­for­ma­tion can be used and mis­used for a large range of ac­tiv­i­ties. Ar­guably, it is not even il­le­gal to cre­ate such a data­base (though spe­cific uses may be crim­i­nal). There is no spe­cific pri­vacy law, or data pri­vacy law in In­dia to stop such data be­ing traded, or used. Lo­ca­tion is not even recog­nised as per­sonal data un­der In­dian law.

The gov­ern­ment has even ar­gued in the Supreme Court that in­di­vid­u­als don’t have a fun­da­men­tal right to pri­vacy. In 1984, Ge­orge Or­well dreamt up the con­cept of a dic­ta­tor­ship that worked on sur­veil­lance. But Or­well was a tech-in­com­pe­tent. The dystopian re­al­ity of 2017 goes a long way be­yond ev­ery­thing that he imag­ined, way back in 1948.

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.