Time to Fix Aadhaar
In spite of high-decibel promotion, Aadhaar has several loopholes that can impact national security and invade people’s privacy
In spite of high-decibel promotion, Aadhaar has several loopholes that can impact national security and invade people’s privacy
T here has seldom been so much fog and noise around a programme as we have around Aadhaar.
First conceived under the Vajpayee government as a national ID Card, it was taken up by the UPA as the watered down but heavily hyped Aadhaar. The narratives around this through the entire UPA term were about the miracles of technology and what it would do to transform governance – the broad-brush, sweeping characterisation of the benefit of technology without much thought about how it would be used. As one of the earliest critics of its watered down specs, I jokingly referred to it as a solution looking for a cause way back in 2012.
But the few voices like mine that did point out the obvious mistakes in its design and concept were brushed aside by the tidal wave of PR that was unleashed. The Unique Identification Authority of India ( UIDAI) had even hired a journalist as its full-time PR. There was no parliamentary debate or scrutiny except for one in the Standing Committee of Finance, which was blunt in its critique of it – possibly the reason why there was a conscious effort to duck Parliament for the rest of the UPA term. Despite the lack of public scrutiny, thousands of crores were spent on collecting and building the database that is known today as the Aadhaar DB.
Fast forward to 2014 and the NDA government had two options – to shelve it or to fix it and move ahead. I was among those who felt that the money spent should not be wasted and it could still be used to deliver subsidies better. It is to this government’s credit that it did not just junk this project. This government, from its first day, was invested in the vision of technology enabling the transformation of governance. Hence, we have come across Digital India and Transform India! Aadhaar, with all its flaws, can still be used to implement this vision.
Aadhaar was subjected to Parliamentary scrutiny and given legislative backing by the Aadhaar Act passed in 2016. The government addressed the issue of lack of verification and fake entries by making the UIDAI statutorily responsible under Section 3(3) of the Act, for verifying the entries. So if there is a fake entry, the officials of the UIDAI will be responsible. But the problem is: Prior to the law being passed, over 100 crore enrolments had already happened.
It was widely known that in the run-up to 2014 elections, the Congress and then UIDAI Chairman, who was also contesting, were in a race to enrol large numbers for Aadhaar. Because of the strange (or maybe deliberate) loose verification process of using small, often flyby-night enrolment agencies, many fakes were being reported. In the absence of any audit and reverification/clean-up, this made the Aadhaar DB an unverified or poorly verified database.
Fast forward to now and a recent case highlights the risks. Two Pakistani spies were found with Aadhaars under fake names but with their own biometric data. A new definition of fake is now standard where biometrics are real but the identity is fake. There are thousands of reports highlighting such incidents, caused by the casual and almost criminally negligent pre-enrolment verification process during the UPA regime. This should give us cause for worry at a time when there are attempts (often without knowing its implications) to expand the use of Aadhaar into a full identification system – for accessing airports, opening bank accounts and so on. It is causing worry as terrorists may use fake Aadhaars to enter the financial system or carry out money laundering. Who will be responsible if a fake Aadhaar (fake ID with real biometrics) is used by terrorists/foreigners to get into the fi-
The authenticity issue impacts the larger issues of national security and financial sector integrity and risk
Provisions regarding privacy and data protection under Aadhaar and IT Acts are skewed in favour of those who hold our data
nancial system or obtain a passport or get a voter identity card? What protections exist to ensure that the 110 crore Aadhaar entries do not have any such entry among them?
This authenticity issue is seen as a victimless flaw because it does not seem to impact any person. But it impacts the larger issues of national security and financial sector integrity and risk. These are legitimate issues to be dealt with by institutions like the Reserve Bank of India ( RBI) and the National Security Council/Home Ministry, but they have been behind the curve and seem to have unquestioningly bought into the narrative of a technological miracle that had been peddled for several years.
Thankfully, and as I had predicted way back, issues like data security and privacy have come to the fore and people are now focusing on Aadhaar. The debate and scrutiny have become mainstream, moving away from a few MPs and activists to consumers and citizens. As the use of Aadhaar is expanding, more and more concerns about its design, operation and misuse have surfaced. Moreover, it is common knowledge that there have been data breaches, exposing sensitive personal information of millions of citizens, including Aadhaar numbers.
Who is responsible for ensuring that data and information pertaining to each member is not made public and not misused? What is the method of adjudicating and getting damages if such a thing happens?
Who is responsible for ensuring that databases are managed securely against hackers and data breaches? What kind of accountability exists in those organisations that manage and control this data?
Unfortunately, the Aadhaar Act and regulations place no reciprocal accountability on the UIDAI to protect the database of personal information provided by citizens and are silent on the liability of the UIDAI and its personnel in case of non-compliance with the provisions of Section 3 and Chapter VI that require verification and protection of such data. The UIDAI has maintained a studied silence about these breaches because it is not required to report such cases. This must be fixed and reporting all data breaches should be made mandatory.
Many of these issues were raised long ago by some people and I was one of them. But they were dismissed or subsumed in the tidal wave of PR that Aadhaar had unleashed. There was even an epic article in which the Chairman of UIDAI claimed that the design of Aadhar had privacy built into it. A few years and many data breaches later, the song that is being sung now is about the need for a privacy law – precisely what was argued by me several years ago.
The current provisions regarding privacy and data protection under the Aadhaar and the Information Technology Acts are skewed in favour of those who hold our data and place an extraordinary burden on the individual to get justice. The issue of privacy is a broader issue that goes beyond Aadhaar. It raises legitimate questions about the roles and responsibilities of the State and other private agencies that are custodians of our digital footprints at the time of rapid digitisation of our lives and economy. It is a significant issue and I would encourage the government to take the lead. Concerns among citizens can be addressed only if the government articulates clear and public safeguards to prevent misuse and breaches. Technology solutions and even databases like Aadhaar are only going to improve governance and use of public money. But that must not blind us to their design flaws and Aadhaar is one that needs to be fixed. ~