Aadhaar Project- Blundering along, dangerously

IN the last seven years, the right to privacy of Indian citizens has been downgraded in several crucial steps. It was argued that Google and Facebook had more information than any other database; and that the voter IDs in several States, with personally identifiable information, were publicly available. Zealous advocates on a techno-utopian mission argued that the trifling matter of privacy would have to give way to the sheer convenience offered by technology. The argument went thus: it is only those who have something to hide who ask for privacy and, conversely, those who have nothing to hide ought not to worry about the loss of privacy. In August 2015, all this was brought to a head when the government categorically told the court that was hearing the unique identification number (UID) cases that the people of this country simply did not have a right to privacy. Significantly, at the same time as the right to privacy was being denied, before another bench of the court, the government was asserting that the offence of defamation in Section 499 of the Indian Penal Code needed to remain on the statute book so as to enable the government to protect the right to privacy. Privacy advocates were disparaged as espousing elite interests, that the poor have no interest in privacy, but only in being able to get their entitlements.

The spate of notifications making it mandatory to “seed” the UID number in a bewildering multiplicity of databases have placed the privacy debate on a wholly different plane. Crucially, they have highlighted concerns that the privacy rights of the poor, far from being an esoteric matter, are literally a matter of life and death for a large section of the population. In the process, the poor, the disadvantaged and the weak are in danger of losing not only their legitimate entitlements but their very dignity.

In September 2010, 17 eminent citizens, including Justice V.R. Krishna Iyer, Prof. Romila Thapar, Prof. Upendra Baxi, administrator S.R. Sankaran , Justice A.P. Shah, film-maker Amar Kanwar, social activists Aruna Roy, Nikhil Dey and Deep Joshi, and advocate K.G. Kannabiran, issued a statement asking for the UID project not to forge ahead without a law, without a feasibility report, and without considering its implications for privacy (see full text of the statement on page 30). Bezwada Wilson, the national president of the Safai Karmachari Andolan, a signatory, explains that the identity project does not seem to understand the principles of identity; what those employed as manual scavengers want, he explains, is to bury their identity, not perpetuate it. The notification making it mandatory to seed the UID number as a prelude to the rehabilitation of a person engaged in manual scavenging is precisely the problem that Wilson has been battling in his opposition to the UID project.

Women rescued from prostitution, bonded labour, victims of the 1984 Bhopal gas disaster, persons who are HIV-positive and needing anti-retroviral therapy (ART), those building toilets with state assistance, persons with disabilities, and children in the mid-day meal scheme are all being compelled to affix their UID numbers to different databases. There is simply no question of consent. Neither is there a provision to opt out. The language of entitlements has been displaced by “benefits”, “subsidies” and “services” in the Aadhaar Act 2016. Notification after notification begin with the bland statement that seeding the UID number “simplifies governmental delivery processes, bringing in transparency and efficiency, and enables beneficiaries to get their entitlements directly in a convenient and seamless manner… obviating the need for producing multiple documents to prove one’s identity”.

With these notifications, the privacy debate has moved onto another level, indeed onto another terrain, where the dignity of a person and the heightened vulnerability of the individual are added to the concerns of convergence, profiling and surveillance. These notifications also make plain the privacy interests of the poor in relation to the UID project.

Private interests, public data

One of the provisions in the Aadhaar Act 2016 which makes it impossible to justify its passage as a Money Bill is Section 57. It permits the “use of the Aadhaar number for establishing the identity of an individual for any purpose, whether by the state or any body corporate or person…”.

Indeed, much before the UID acquired the protection and sanction of the law, the growing cacophony of private companies’ interest in the project was articulated openly by business interests. They enthusiastically welcomed the implementation of the project because the system could be used to “leverage” businesses. In fact, when the Aadhaar Bill was being debated in the Rajya Sabha, parliamentarians cited the instance of TrustID, which advertised itself as “India’s 1st Aadhaar-based mobile app to verify your maid, driver, electrician, tutor, tenant and everyone instantly”. This is a business model in which the UID authentication is used as the foundation on which profiles are built.

BetterPlace offers “multipoint verification and safety capabilities through a combination of sources—location-based data analytics, digital footprint of an individual and Aadhaar information”.

In February 2017, OnGrid caused outrage when it tweeted an image with the photograph of a young man across which read:

Aadhaar Number: 8625-xxxx-7706

Name: Kxxxxx Sxxxxx

Mobile: xxxxxxxxxx

DoB: xx xx 1986

Gender: x

Aadhaar address: xxxx

Current address: xxxx

Police verification: xxxx

On the screen was “indiastack.org/ekyc”.

The website carried the description, “Aadhaar-enabled Trust Bureau of India”. “OnGrid is a trust bureau that modernises verification and background checks in India by linking an individual’s data, documents and incidents to his/her 12-digit aadhaar number for a faster and cleaner access to true identity and background.”

BetterPlace advertises itself as “leveraging multiple data sources, including Aadhaar—the massive database of biometric and demographic data of the entire country. BetterPlace has in place and continues to create a unique profile of every citizen with accurate and comprehensive personal, professional and social information.”

Data gathering about individuals, and profiling, are the business model of these UID-based companies, even as data emerge as the new property.

A closed circuit of interests

In 2013, a grouping of technology entrepreneurs got together as iSpirt—Indian Software Product Industry Roundtable. Nandan Nilekani is their mentor. Two others who stepped down from the Unique Identification Authority of India (UIDAI)—Pramod Varma, who was Chief Technology Architect of Aadhaar, and Sanjay Jain, who was Chief Product Manager—are volunteers with iSpirt and work on creating India Stack, which is a stack of applications being built on the UID platform. Their paid employment is with Ek Step, a philanthropy established by Rohini and Nandan Nilekani. They work on the stack, and, as Nilekani says in his book Rebooting India, evangelise it to the government. Some of the components of the stack were created and adopted when Nilekani was still Chairperson of the UIDAI. In 2009, even before the first enrolment, the Aadhaar Auth API (Aadhaar Authentication Application Programming Interface) was launched. In 2011 the National Payments Corporation of India (NPCI) launched the Aadhaar Payments Bridge and Aadhaar Enabled Payments System. The “National” and “India” in NPCI are misleading; established in December 2008 with N.R. Narayana Murthy as its first Chairperson, it is a company registered under the Companies Act as a non-profit, and Nandan Nilekani and Pramod Varma are honorary consultants telling the NPCI how to adopt the UID number in its working. In 2012 eKYC was launched. Then a hiatus, after which in 2015, eSign. In 2016, the Unified Payments Interface (UPI) was launched, as was the DigiLocker.

A technology-based structure is being evangelised to the government which will give a leg-up to fintech companies. In the Credit Suisse India Financials Report 2016, Nilekani candidly sets out the ambitions: India will go from being a data poor country to becoming a data rich country in two to three years. “Digital footprints” will form part of this data. “And as data becomes the new currency, financial institutions will be willing to forgo transaction fees to get rich digital information on their customers.”

The “go cashless” brigade’s zeal, in much evidence after demonetisation, is not confined to the innocent dream of replacing cash with more modern payment systems. In reality, cashless is the next big pitch to convert personal data of the mass of Indian citizens into tangible—and profitable—business opportunities.

Bungling with biometrics

The use of fingerprint authentication has proved to be a major hurdle for large sections of people in accessing rations across the country. In Rajasthan, for instance, government records show that up to 30 per cent of the households have not been able to avail themselves of rations using their fingerprints to authenticate. That means that in these households, nobody had fingerprints that work; in the rest, there is at least one person whose fingerprints work. Since 2011, reports from various parts of the country, including Andhra Pradesh, Karnataka and Jharkhand, have confirmed this phenomenon of mass-scale denial. Connectivity problems and quality of PoS (point of sale) devices add to the travails of the poor in a system that appears to be geared to deny what is their due. The Wattal Committee (December 2016) recognises the latter two, but makes no mention of biometric failure rates, when it asks that eKYC in the digital economy should not be made to work with biometrics. Instead, it suggests that the two-factor authentication could be a One Time Password (OTP) that is sent to a registered mobile number or email address.

In a case that the UIDAI has been fighting with the Central Bureau of Investigation since 2013, the CBI asked for the biometric database of all persons enrolled in Goa, and later narrowed its request to running sets of fingerprints across the UID database in connection with the investigation relating to the rape of a seven-year-old child in a school toilet. The UIDAI refused on grounds of protecting privacy and because the database is incapable of being used for forensics. Initially, in March 2014, the Supreme Court ordered that biometrics were not to be used except with the consent of the individual; but, in August 2015 the court changed its order, making an exception when a court directs that it be used in the course of a criminal investigation.

Around then, the UBCC was introduced to the UIDAI website. That is, the UIDAI Biometric Centre of Competence. The “mission” of the UBCC was “to design (a) biometrics system that enables India to achieve uniqueness in the national registry. The endeavour of designing such a system is an ongoing quest to innovate biometrics technology appropriate for the Indian conditions.” The way they saw it, the “nature and diversity of India’s working population adds another challenge to achieving uniqueness through biometric features”. It is therefore no surprise that fingerprints do not work in rural areas, or for the working classes.

In this context, the 2016 version of the “Strategy Overview” paper says: “Fingerprint: This is the most commonly used biometric attribute across the world but the large variation of quality of fingerprint in India may pose challenge to implementation of a reliable solution.”

In December 2016, Hussain Dalwai asked an unstarred question in Parliament: “ (a) Whether it is a fact that UIDAI has set up a Unique Biometric Competency Centre (UBCC); (b) if so, whether UBCC has been established to address the biometric challenges faced by UIDAI, if so, what are these challenges.” P.P. Chaudhary, Minister of State for Electronics and Information Technology, responded with: “(a): No, Sir.” And, “(b): Does not arise.”

Why was the Minister denying its existence? What happened to the UBCC?

The Aadhaar Act 2016 now protects the biometric database from scrutiny. It is not accessible where there are national security demands, or where a court orders it, and even the person whose biometrics are stored cannot view it—in the interests of protecting our privacy!

Insecurities in the UID system

Two recent episodes have exposed the insecurities in the use of biometrics in the UID system.

In February 2017, the UIDAI lodged a first information report (FIR) with the Delhi Police Cyber Cell against Axis Bank, which has partnered in the UID project from early on; Suvidhaa Infoserve, the bank’s business correspondent; and eMudhra, the eSign provider. The UIDAI complained that the three entities had illegally stored biometric data and performed unauthorised Aadhaar authentication. They were accused of performing repeated transactions through “replay” of biometrics that had been stored on their devices, which amounts to attempting unauthorised authentication and impersonation by illegally accessing stored UID data. The UIDAI noticed the infraction when, between July 14, 2016, and February 19, 2017, it was observed that 397 biometric transactions had been performed by one individual. It is reported that 194 of these transactions were performed through Axis Bank, 112 through eMudhra and 91 through Suvidhaa Infoserve. The three parties explained that this occurred when the system was being tested and that no actual transactions had taken place. Axis Bank has said that while there have been no breaches, they had suspended the services of Suvidhaa Infoserve.

Sameer Kochhar, an entrepreneur, publishes a magazine, Inclusion. On February 11, 2017, he published an article titled “Is a deep state at work to steal digital India?” A video accompanied the article, which showed how stored biometrics could be used to “replay” transactions much in the same manner as they did in the Axis Bank episode. The immediate reaction from the UIDAI was denial. Ajay Bhushan Pandey, the UIDAI’s CEO, tweeted, “Video is fake. No evidence of connection with Aadhaar server.” An FIR was lodged against Kochhar for making a false claim. In turn, Kochhar tweeted a letter from the UIDAI to a registered authentication user agency about multiple concurrent transactions on one date, January 11, using stored biometrics. The letter also referred to a “licence key” that had been illegally used by a firm to perform an eKYC function.

In a recent interview to CNBC-TV18, Pandey asserted that there was “not a single case of data leak from the UIDAI, data breach from UIDAI, not a single case of identity theft or financial loss has been reported to us”. He then went on to explain: “There are two parts of this whole problem. One is, as you know, the database which is inside the UIDAI and as I mentioned, no breach has happened and we are quite vigilant about it, because we can never say that we are 100 per cent and absolutely secure. In the security world, there is nothing called fully secure and absolute security.”

In another incident, a reporter with CNN News 18, along with a cameraperson, enrolled in two different enrolment stations, using two different names, Debayan Roy and Raj Kishore Roy, demonstrating the porosity of the enrolment process. The episode was telecast. There was little to doubt the incident was not to cheat the system, but to expose its weaknesses. The UIDAI filed an FIR against the reporter for impersonation and fabrication of documents. The two enrolments would have been detected during de-duplication and it is not that he would have got two UID numbers; nor was the operation secret and hidden, it was telecast. In 2014, Cobrapost had done an exercise which too demonstrated the ease with which anyone could enrol, with no documents and at a price.

In January 2012, the Home Ministry had threatened to withdraw from the UID process citing as a reason the manner of enrolment; that within three weeks, the Prime Minister had produced a compromise where the UIDAI shared enrolment 50:50 with the National Population Register being prepared by the Registrar General of India is one of the unanswered mysteries surrounding this project. The Intelligence Bureau too had complained in 2012. So, this is not the first time these questions have been raised. It is, however, the first time it has gone public since the Aadhaar Act 2016 was passed. This manner of use of the Act could have a chilling effect on those who see flaws in the system and who may refrain from letting the public know what they learn. Given that the UID number is being seeded, and used, in multiple sensitive places, including in financial transactions, this enforced silence could end up costing us very dearly.

Usha Ramanathan works on the jurisprudence of law, poverty and rights.

http://www.frontline.in/cover-story/blundering-along-dangerously/article9629188.ece