Aadhaar-related Privacy Concerns

Aadhaar-related privacy concerns tend to get confused and mixed up. The main concerns are as outlined in this post.

Reminder: Under the Aadhaar Act, “identity information” consists of Aadhaar number, biometric information and demographic information. “Biometric information”, as of now, consists of fingerprints, iris scan and photograph, but its scope can be expanded at UIDAI’s discretion. “Demographic information” refers to demographic details (name, date of birth, address etc.) collected at the time of Aadhaar enrolment. The term “personal information”, not used in the Aadhaar Act (except in Section 30), can be understood in more general terms as any information of a private nature.

Confidentiality of “core biometrics”

The core biometrics (as of now, fingerprints and iris scan) are supposed to be safely stored in the Central Identities Data Repository (CIDR) and not shared with anyone. Some IT experts, however, believe that it is only a matter of time until the CIDR is hacked. That would be a serious breach: if your biometrics are stolen, you would be vulnerable to identity fraud for life. Further, fingerprints are easy to clone or steal outside the CIDR (as Nandan Nilekani himself put it to a Financial Times reporter, “I can steal your fingerprint off your glass”). That, too, presents a threat of identity fraud, given the numerous uses of biometrics in the proposed Aadhaar ecosystem.

Confidentiality of Aadhaar numbers

Aadhaar numbers are not supposed to be “displayed or posted publicly” (Aadhaar Act, Section 29(4)). However, this has happened many times, and keeps happening. When Aadhaar numbers are displayed along with other sensitive information such as bank account numbers, it makes the victims vulnerable to various types of fraud.

Wide sharing of demographic information

In the draft of the Aadhaar Act (the “NIDAI Bill 2010”), demographic information collected at the time of Aadhaar enrolment was supposed to be confidential – authentication only consisted of a “yes/no” response to a query whether a person’s biometrics matched the Aadhaar number being submitted. The Aadhaar Act, however, now allows demographic information to be shared with the requesting entity (Section 8). Further, there is very little protection against this information being shared or misused by the requesting entity, except for a weak “consent” clause whereby this entity is supposed to use that information only for the purpose to which the person has consented at the time of authentication. This is just a cosmetic safeguard. In effect, demographic information is up for grabs. The wide dissemination of demographic information will facilitate large-scale mining of personal information by private businesses. It is well known that private businesses already thrive on this type of information for numerous purposes, from targeted advertisement and credit rating to manipulating elections (the recent Cambridge Analytica and Facebook affairs are just the tip of that mountain). Aadhaar is likely to take the mining of personal information – not just demographic information – to new levels. As someone put it in an insightful tweet, “data is the new oil and Aadhaar is the drill”.

State surveillance

By the same token, Aadhaar creates a powerful infrastructure of state surveillance. Aadhaar-enabled access to personal information will be even wider for the state than for private entities, because the state has access to numerous Aadhaar-linked databases including the Aadhaar numbers (not accessible, in principle, to private entities). For instance, the state can easily use Aadhaar to link our bank account details with travel details and phone records. Some state governments are already on the job under the State Resident Data Hub (SRDH) project, which “integrates all the departmental databases and links them with Aadhaar number”, according to the SRDH websites. Intelligence agencies, quite likely, are not far behind. To this, the UIDAI responds that the UIDAI is “blind” by design and confines its work to authentication without collecting or collating personal data. This is neither here nor there: the danger of surveillance comes from the government, not the UIDAI specifically.

All this would be easier to swallow if the UIDAI had shown some sense of responsibility and accountability. Instead, it constantly denies the issues, hounds the whistle-blowers, and tries to confuse matters through relentless propaganda. The Aadhaar Act makes the UIDAI a law unto itself. An entire chapter of the NIDAI Bill, aimed at ensuring independent oversight of UIDAI by a high-powered “Identity Review Committee”, was dropped – how and why, one wonders – in the final version of the Act. And of course, under Section 47, no court is allowed to take cognizance of any offence under the Act except on a complaint made by UIDAI. The unaccountable nature of the UIDAI, an authority of immense powers, reinforces and magnifies all the privacy concerns.

This is a guest post by Jean Dreze, which formed the basis of an article published in the Indian Express: Know your Aadhaar / 8th May 2018

Featured image sourced from the Indian Express article / credit: CR Sasikumar
