Jan. 28, 2018, 4:58 a.m.
How should you think of Aadhaar? What are the issues at stake?
This article is triggered by a WhatsApp discussion with my college mates, and a desire to move the discussion beyond the notion that anybody who questions Aadhaar is either “with-us-or-against-us”.
Aadhaar is an issue that goes beyond political parties or the government—its impact will be felt on our future generations and especially on those who are silent today—on India Three— our fellow Indians who subsist, don’t know their rights and don’t even find out when and how their rights are abused.
To start with, let’s break the thinking about Aadhar into three buckets—its potential use, misuse and abuse.
Each bucket needs close inspection and scenario-painting before we rush headlong into arriving at any conclusions.
As you read ahead, I urge you to grapple mentally with two ideas that may sound contradictory: Aadhaar is good and Aadhaar is bad.
There is a chance I may be off-base on some of the points. I’m happy to be corrected/enlightened. But if you simply reject the idea of Aadhaar, then consider this troll bait. Bite it. Please.
Is it useful to have a unique identity for every Indian?
Given the deficiencies of our infrastructure and gaps in healthcare, education, and distribution of welfare, can an identity system help cut the massive frictions the vast majority of our population face in accessing public services? Can a secure, reliable identity platform increase trust and make daily life simpler?
Can it be used for the good of society—to cut corruption, crime and leakages?
Let’s face it, our public services and resources don’t fully reach the intended recipients. Can you imagine the drag this has on the economy? If we don’t trickle down our wealth and public services, and cut corruption, we will forever remain a lopsided economy. Three countries in one, which never meet. Aadhaar (and the digital ecosystem it gives birth to) can be used to cut the ropes that hold us down. It can cut the arbitrage and rent that corruption creates. It can cut down crime by creating transparency and traceability.
Does such an identity system have flaws, both technical and practical?
Any exercise of this scale will have challenges, especially given the level of literacy and awareness among our not-so-privileged citizens. Every such shift in India goes through many twists and turns as we navigate the gaps between the ideal and the practical. Two steps forward and one step back…well, that’s us!
An example: It took us several years to dematerialise our stock markets fully and we did it at a time when the US market still operated using paper. Today we have one of the most solid, transparent equity markets in the world, on the back of this digitisation.
Does technology exist to overcome these flaws? Does it offer alternative paths in cases where the system fails to respond?
The operating context in India is complex—networks fail, Aadhaar agents can be compromised and the users may be unaware. We need creative use of technology and workflows in case the system fails to identify a citizen. If the Aadhaar database is not able to confirm your identity, then we need to find alternative workarounds.
Some of these are already provided for.
Aadhaar is based on biometrics, which in the absence of good birth and death records in the country, probably offers the most optimal way to establish the uniqueness of an individual. However, there are citizens without biometrics (no fingers, no iris) and the system, being probabilistic, will throw up false positives and false negatives, which need to be dealt with.
Aadhaar offers other ways to authenticate—through one time password (OTP), for those who have connected their mobile numbers to Aadhaar, or via facial recognition which was recently announced by the Unique Identification Authority of India (UIDAI).
Clearly, for the system to be accepted as fail-safe and robust, it will need multiple options for authentication, much as we have multiple reliable ways to make an online payment today—money doesn’t just disappear from your bank account. The Reserve Bank of India has ensured that.
By linking databases, can the system be used for profiling citizens?
A concern is that if Aadhaar is used by you to authenticate all your transactions, the database ends up developing a full profile for you and your family.
However, at present there isn’t one big database with all the data. The risk of a breach, and potential harm, depends on which data we are talking about.
The Aadhaar database itself collects minimal biometric information and follows the principle of optimal ignorance. When it receives an authentication request, it can only say Yes or No. The biometric data never leaves the system and UIDAI wouldn’t know the purpose of the transactions.
Though, there is a risk that someone might hack into other databases that have Aadhaar numbers and use that as a primary key to profile citizens. Anyone with access to these databases can use them for surveillance and profiling, provided they have access to multiple databases. Give that the vast majority of our voters are not so literate and not privileged, this profiling can be misused for a variety of purposes, including vote wars. Thus in a sense, the risk lies in how Aadhaar is collected and used.
Can it be used to deny services to a citizen?
Another fear is that every service that depends on Aadhaar authentication can be denied to you—this includes your family too, since your kids’ schooling, your bank account, insurance account et al. are linked to your Aadhaar profile.
However, there’s a crucial difference between linking and authenticating.
Linking Aadhaar number to your kids’ school does not mean the school will ask them to authenticate every time they enter the classroom. Similarly, linking Aadhaar number to your bank account does not mean that you have to do Aadhaar authentication every time you draw money from an ATM. You can continue to do this even if your Aadhaar number is deleted. Consider this example described in The Wire: UIDAI deleted the Aadhaar number from the Central Identities Data Repository (CIDR), but that did not stop the user from making banking transactions. Also keep in mind, if the bank wanted to deny services, it only had to freeze the account—with or without Aadhaar.
Does it open up avenues for misuse by criminals to hoodwink the unsuspecting and illiterate masses of India?
We are already seeing several cases of misuse. Once again, like any software platform it will have bugs and clever individuals will find ways to use the system for their own gain. The more powerful the system is, the higher the incentive for criminals to break in.
I can see two levels of misuse:
1. Identity theft: Where citizens are misled into giving away their Aadhaar authentication to crooks who then misuse it to avail services or even blackmail people. We live in a world where SIM cards can be cloned and OTP messages intercepted.
2. Data breach: It is Aadhaar vs the hackers—a cat and mouse game. Any large-scale breach is a threat to our national security. On a more immediate level, the data passes many hands in the extended Aadhaar network and that poses a risk.
Remember that Aadhaar authentication is not common—even in places where it should be the norm. (The security at the airport entrance should demand Aadhaar authentication because, unlike popular perception, the Aadhaar card itself has no security feature. Anyone can print the card with any name and any random number and the security guard will let him through.)
Can a government employee in collusion use his/her privileged access to the system for wrongdoing?
We live with a huge government, we live with few checks and balances and we live with a very high penetration of low-grade corruption. And we know that a system that gives widespread access to government is open to misuse for a small under-the-table gift. This is the unfortunate, practical reality of our nation. Of course, this creates a new layer of risk.
Can the state abuse its powers?
Humans have a strange relationship with power—and the relationship with governments is even stranger. The Constitution is there to protect us, but it puts the onus on the citizen to prevent abuse of their rights. Aadhaar, if misused, can become a digital weapon in the hands of the powerful.
A note here: While we talk about Aadhaar misuse we also have to remember that many state governments maintain their own databases—State Resident Data Hubs—which have all the information that UIDAI has plus something more. Not much attention has been paid to these databases, and we have not had enough debate on the laws and regulations that govern these. They need to be brought into the ambit on the debate on abuse.
Does the system fundamentally alter both the scale and speed with which the state can move?
Very simply, the fear projected is that if a department puts you on an Aadhaar blacklist on a Friday evening at 8 pm, you cease to have rights at that very moment. You can be denied access to your money, travel—everything that needs Aadhar authentication. And courts open on Monday—assuming you get a hearing.
This assumes that every transaction we do needs authentication. Clearly that is not the case. Most activities don’t depend on KYC or authentication. Further, this assertion assumes that Aadhaar will be the only way to authenticate. That’s not the case either.
Note: Like I mentioned, you don’t need to use Aadhaar authentication at an ATM. That, of course, does not mean you are free from state abuse. The state can still freeze your accounts or your passports even in a non-Aadhaar world. Aadhaar just makes it faster and easier—but ONLY if Aadhaar authentication is required everywhere. Connecting Aadhaar to a service does not mean that service will require you to authenticate every time. It might be using it only for deduplication, where Aadhaar number is just an entry in the database.
If the databases are linked, can your entire life be frozen by an order to blacklist you?
Refer to the point above. Linking is not the same as authenticating every transaction.
That said, with or without Aadhaar, we must realise that we have entered a new digital age. We leave a digital trail wherever we go. We have consciously given more and more power to our governments because we expect them to take care of our security. After all, no one wants another Mumbai attack. When we have empowered the government, we also have to be aware that the state can use its power against its own people. It’s not easy to find balance—and we need to be careful, and aware of how any government uses Aadhaar and be fully informed as citizens.
The balance of power cannot shift from citizens to government, under the guise of digitisation.
Do citizens have constitutional and judicial protection if the state issues a “denial of service” or blacklist order against you?
Imagine an India without its courts and you will imagine a different India. Our judicial backbone has kept us a functioning democracy. That said, and given that Indian courts have a backlog of over 30 million cases, justice takes time to be delivered. So, in case a citizen is at the receiving end of abuse, access to a good lawyer and a sympathetic court will be expensive and time-consuming, especially when you can be locked out from accessing your own resources (e.g. your bank account is frozen).
The slow rate at which our law moves creates a natural and abiding incentive for abuse and corruption. This is the bane of our nation and it is something our future generations will hold against us.
What about personal data “leaks” to your mobile companies? Is it the same level of threat as your entire data being available to the state?
Every bit of your data is being used by over 5,000 global adtech companies to target you. Of course, your phone and your desktop can be hacked and your entire life can be hijacked. But these companies are relatively harmless—they don’t “authenticate” your existence. You don’t cease to exist if they have a bug in their system or someone takes a decision to delete your data. Your life doesn’t come to standstill.
Remember, those are private corporations with a profit motive and can be compelled to act under the rule of the state and law. But what about the state itself?
Do we need to fundamentally rethink the balance between using technology, and banning it?
This is a much larger issue. Technology the world over is morphing faster than regulators and goverments can get their heads around it. Look at Bitcoin. Its primary use case seems to be that it has suddenly increased the velocity with which one can transfer money in near-anonymity across borders. Guess who wanted to be paid in Bitcoin? The guys who rolled out ransomware across the globe. Indian courts and regulators will have to grapple with these complexities every day. That doesn’t mean we stay backward. It just means that we stay alert and aware.
Can the system be only an identity system?
Maybe at this stage Aadhaar is not ready to become an “authentication” system but stay an identity verification system—till we have full accountability on how it will be used. We need to debate the merits here. And we need to create suitable bypasses in case of systemic failure. Lives cannot be lost to a technical glitch!
Should the database linkage be banned?
No state official should be able to view your transactions across the spectrum. This should be a basic requirement—independent, non-linkable databases, which are scrambled. There is no need to pool the data at one place, and then worry about misuse and abuse. In any case, it creates a point of vulnerability for the enemies of our state to exploit.
Any transaction will leave a digital footprint, but no one should be able to see where you’ve been going or what you have been doing, unless you are under criminal investigation or a threat to the public.
Even for criminal investigation, we need the judiciary to create several tests before the database linkages can be constructed. We have a poor record of protecting citizens’ rights. We cannot handover a remote digital taser to every politician and bureaucrat.
Should the system ever be used for denial of services?
Again, would you as a citizen like to be at the receiving end of an Aadhaar blacklist? This needs to be at the core of the law around digital privacy and Aadhar. Unless you are proven guilty, by strict tests, you cannot be denied access.
Should you be worried about the state knowing more about you?
Of course you must. But remember, with or without Aadhaar, the state can and does all this. India runs at least five programmes that are explicitly for surveillance. Heard of Natgrid or Central Monitoring System? Similarly, it will be naive to assume that if a government agency needs to invade your privacy, it won’t be able to do that without Aadhaar.
So, it might be wrong to imagine that the data available to mobile companies is not available to the state.
The question then is whether Aadhaar provides the state one more door to get into our private lives. Yes, it does. Which is why we should put the pressure on the state to strengthen laws around data protection, and impose a better supervisory structure over our intelligence agencies. With or without Aadhaar.
Should the judiciary set up special systems that can react at the speed of the state whenever this system is used?
Yes! We need special courts that work 24x7 to protect us against digital technology that can be weaponised 24x7. We need this for every kind of cyber-abuse. As long as our laws are behind the times, there will be scope for abuse.
Should we be in such a hurry to implement it?
There are several matters to be thought through—issues around informed consent, penalties for misuse, mechanisms for recourse, simple things like what happens if someone loses their mobile phone or goes off-grid. These need time, testing and introspection—we probably need to create Aadhaar 2.0 which is more robust and reliable.
However, going beyond technology and work-arounds, the biggest issues in my mind is education. We need awareness—not only among the unsuspecting and illiterate masses, but also among the educated lot about the best practices and security features available in Aadhaar. Basic hygiene principles like not giving just anyone your Aadhaar number, let alone letting them scan your fingerprints or iris without knowing their credentials and quizzing them about the purpose and so on. Similarly, keep your phone number and email ID updated on the Aadhaar site, so you get notifications every time your Aadhaar number is used. Aadhaar already provides for biometric lock. It has also announced virtual Aadhaar, which to a large extent brings down the risk of a third party linking databases using your Aadhaar number. Till every citizen understands what he or she has signed up for, we carry risk.
Of course, there are technical, infrastructure and in-use problems within Aadhaar. They can be resolved.
The real problems are outside Aadhar—on how it can be abused by the stakeholders. That’s what our learned judges need to address. And that’s what citizens like you and me need to think about—what kind of India do we want for our next generation.
In the past few years Aadhaar has forced the nation to confront important questions such as whether privacy is a fundamental right. One can even argue that the data protection laws being framed under Justice Srikrishna is happening mainly on account of the intense debate around Aadhaar. The privacy judgement and our data protection laws will have impact that reaches far beyond the domain of Aadhaar, and a whole range of companies including Facebook, Uber, Google and Amazon will feel the effects. Similarly, let us hope that Aadhaar will bring to surface the leakages, cracks, and lack of accountability in the government system. We should not wait for something drastic to happen. We should start examining it today.
As we move rapidly into a digital era, we should not think just in terms of judiciary providing a balance to the potential abuse of the system. Instead, we have to start thinking in terms of how the system itself can have enough internal checks and balances. Fighting misuse and hacking will be an everyday affair. As we digitise India, there is no hiding from that responsibility and the best technology minds of our country need to be deployed to protect us.
There is already much research in autopoiesis systems—that are capable of maintaining themselves. Some of the best legal minds across the world are thinking of building legal frameworks for a world that will be run by artificial intelligence and algorithms.
Why is it important? The same checks and balances we put on these systems to make sure that we are protected from the potential harms that could be caused, can also save us from the harms that government can cause us. Recourse and penalty, both, need to be enshrined in new laws that govern data usage.
Aadhaar is like a surgeon’s scalpel. It needs to be handled carefully, by those who have trained in its use for years. In the hands of someone with bad intentions or someone who is not sufficiently trained it can cause irreversible harm. But in the hands of a well-trained surgeon, it can save lives. It needs security, it needs regulations. But let’s not throw the baby out with the proverbial bathwater.
Moving slowly and thoughtfully may be the solution. If the system has gaps and is hackable, we need to put the safety pin back in. Calibrate its usage and impact as we evolve a version that works.
I may have missed many questions above. This is a debate on what probably is one of the most important decisions we face as citizens. Write in below.
PS: My stand: I love Aadhaar (and its companion IndiaStack). Much like I love our fully digitised stock market, our online passport and motor license offices or our land registries. They make things transparent and work for the citizen. So, instead of banning Aadhaar, we should make sure we use it, stop its misuse and absolutely ban its abuse, and create the right conditions for its evolution.
The motor vehicle transformed humanity, but you don’t hand over the keys of your car to a 10-year-old, and a death due to drunken driving leads to a charge of first degree murder in some countries. We need to think the same way about Aadhaar. It can transform our nation, but equally the collateral damage from a shoddy implementation will be lethal.
(With inputs from NS Ramnath)