Can something like UID be created without compromising privacy beyond acceptable limits? If so, how should the Aadhaar Bill have been written? What are its specific and avoidable weaknesses?
Early critics of Aadhaar had argued that a comprehensive data privacy law must be enacted before Aadhaar came into existence. I strongly differed from that view, as any realistic effort to define boundaries of data privacy can only grow out of people’s actual experiences in our fast-changing tech-world. If the rush by the urban middle class to get Aadhaar numbers for a few hundred rupees in LPG subsidies is any indication, most Indians appear to be a lot less concerned about the safety of their personal data in the government’s hands than privacy advocates would have us believe. People seem willing to push the privacy boundary farther away than we could have ever imagined just a few years back, even with private agencies, in return for day-to-day conveniences.
Be that as it may, with the explosive growth in e-Commerce and mobile telephony, and over five years of on-the-ground experience with Aadhaar, I believe that India is now in a much better position to take on the challenge of creating a comprehensive data security/data privacy law. Perhaps, the Aadhaar Law can serve as a starting point for such an exercise. If we move decisively in that direction, there is no reason why Aadhaar can’t be implemented more widely without unduly compromising privacy.
As for the Aadhaar Law, some commentators have noted that it has stronger privacy provisions than the original draft of 2010 by the UPA (United Progressive Alliance) government, while others have noted that the Law is not specific enough in some areas to address privacy concerns. My own view is that greater care could have been taken to ensure that the language in the Law did not leave room for second-guessing the government’s intent or to give credence to certain nightmare scenarios.
- The catchall phrase “…or such other biological attributes of an individual as may be specified by regulations,” has understandably raised alarm that it could allow collection of DNA data in the future without the consent of the Parliament.
Perhaps, this is only a provision for adopting better biometrics in the future as technology evolves. And the government might argue that there is no reason for alarm as any addition to the scope of data collection would have to be covered by Aadhaar Regulations, which would have to be placed in front of the Parliament anyway. But would it not have been wiser to explicitly prohibit the collection of DNA under the Law to head off such a serious privacy concern?
- The last part of the clause “The Authority shall respond to an authentication query with a positive, negative or any other appropriate response…” is seen by some as walking-back from UIDAI’s oft-stated “black box” explanation that the only response to authentication requests will be a Yes or No.
If the intent behind “any other appropriate response” were to allow for other responses, say, OTP (One time Password), or qualifiers to a ‘No’ response, etc., then UIDAI would do well to explain such intent clearly in the upcoming Aadhaar Regulations.
- The clause “No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority…” has raised some questions about potential conflict of interest.
It seems to me that this clause pertains only to crimes as defined in the Aadhaar Law, such as data breaches, impersonations, etc., and it does not seem to preclude legal recourse to a resident on other matters pertaining to UIDAI and Aadhaar. If so, the government would do well to clear the air on this legitimate concern.
Let me conclude by referring to the debate on the clause in the Aadhaar Law that refers to the use of Aadhaar by private agencies: for example, a write-up in The Hindu posited that this clause contradicts the stated objectives of the Law. Far from it, I believe that the boundaries between government and private agencies are becoming increasingly blurred even in the matter of managing government subsidies, and the incremental benefits of Aadhaar, especially to the middle class, are much more likely to come from various applications being developed by the private sector. So, it is only appropriate that the Law does not limit the use of Aadhaar just to government agencies. However, this only makes the matter of a comprehensive data security/protection legislation, covering both the government and the private sector, that much more urgent.
Some alternatives would be worth discussing. For instance, Aadhaar could be rebooted in a voluntary mode, compatible with the Supreme Court orders. Even better, it could be turned into an optional identification card, with biometric authentication shelved (biometrics could still be used to de-duplicate the list of Aadhaar cards). This would, indeed, be a valuable document for many residents. If biometric verifiability is deemed essential, people’s biometrics could perhaps be stored on the card, rather than in a centralised database – some countries have identity cards of this sort.
About the Aadhaar Bill, most of the amendments proposed by the Rajya Sabha were very reasonable. Unfortunately, the government pre-empted any discussion of these amendments by cross-dressing the Aadhaar Bill as a money bill. This undemocratic process reinforces the case for worrying about Aadhaar.
The main issue is whether Aadhaar should be used for anything other than the delivery of subsidies and welfare services. In India, high-value financial transactions and property purchases require a tax identification number (PAN). Privacy is eroded for the greater good of combating tax evasion. Aadhaar could be a more efficient mechanism than PAN. Such examples apart, the risks of a surveillance State grow with applications of Aadhaar.
Clause 57 of the Act explicitly allows the use of Aadhaar for any purpose and by anybody. So we need a data privacy law that prevents service providers from profiling users and from sharing the data.
The main amendments I would like to see are (a) removal of the exemption clause for national security when UID is for delivery of subsidies, (b) to ring-fence the other applications of UID to principally tax evasion and money transfers, and (c) a data privacy act before other applications are permitted.
The discussion on Aadhaar begins with an implicit assumption that it is good, or even necessary, for better implementation of welfare programmes. This is just not true - welfare needs Aadhaar like a fish needs a bicycle.
We need limits on the use of Aadhaar – by whom and when can the number be requested; when should biometric authentication be required and so on. There are several privacy groups which are better qualified to answer this question.