It can be unnerving when you are required to hand over your biometric data and personal information to the State. It is more unsettling when you cannot be certain how secure that information really is in the world's largest such database. And more so when the government could, in principle, be permitted to sell your data to private companies.

None of this is far-fetched. In fact, one can argue that the last of the three scenarios is backed by law – the Aadhaar Act of 2016. Take, for instance, the government's move to make Aadhaar mandatory for filing income tax returns, done through amendments to the Finance Act last month. When opposition parties asked the Finance Minister in the lower house whether the government was making a voluntary programme like Aadhaar mandatory, he replied, "Yes, we are." If that is not disconcerting enough, the Attorney General of India, while arguing in the Aadhaar case in 2015, had denied that Indians have a right to privacy under the Indian Constitution.

Usha Ramanathan, who has been tracking Aadhaar since 2009, has vehemently opposed some of its provisions on privacy and security. An independent law researcher and an advocate at the Supreme Court, Ramanathan spoke to BloombergQuint about how private companies are using the Aadhaar database through "seeding", and why she feels there is very little that Indians can do about it.

BloombergQuint reached out to the UIDAI by email and by phone, but received no response to its queries.

Edited excerpts of the conversation with Ramanathan…

How are commercial users/private companies linked to the Aadhaar interface?

There are many ways. One, as suppliers of various services to the UIDAI, including the hardware, the software, the programmes. The biometric providers who have to be pre-qualified. There is Section 57 of the Aadhaar Act 2016, which, among other things, makes it clear as the blue sky on a cloudless day that the Aadhaar Act could never have been a Money Bill. It allows private companies to use the UID database for ‘establishing the identity of an individual for any purpose’.

What has been challenged right from the start is the engagement of companies like L-1 Identity Solutions, MongoDB, Accenture, Ernst & Young and their respective roles in the project. A video put out by the biometric solutions company Safran on its YouTube page encapsulates the access private players have to the database.

These are the people who are holding all our data. Sometimes, I wonder if it is because they already have the data with them that there is no known case of hacking or data breach from the UID database?

Also, do remember the companies who are with iSPIRT and are being asked to find a “WhatsApp moment” again by creating businesses and monopolies and winner-takes-all opportunities provided by the ID platform.

Former UIDAI Chairman Nandan M Nilekani speaks to a reporter. (Photographer: Amit Bhargava/Bloomberg News)

Then there is India Stack, with Nandan Nilekani as its mentor, ‘evangelising’ (their language) to the government what they want done with the UID database. And India Stack, which is quite literally intended to be just that – creating a stack of applications that will stack up data about all of us for their commercial use.

Why do you think the UIDAI can’t ensure that one’s personal data isn’t misused by these private companies?

There are all kinds of data exposures and blacklisting figures floating around. Various departments of the state and central governments have displayed full details in various databases on the web. Personal information about children, pensioners, PDS (public distribution system) beneficiaries, those on the drinking water and sanitation department’s list, and the list seems to be expanding real fast. Once it is out, there is no question of reining it in – whoever has downloaded it has it, that’s it. It is the UIDAI that, under the law, has to take action. Maybe they will, but these are government departments, so maybe they won’t. And anyway, the data has already been breached.

Now, in the middle of all these data leaks, the UIDAI keeps saying there is no problem with the data because their database is secure, and hasn’t been breached or hacked so far. Even if that is so, when will they start acknowledging that UID studded databases are a real risk? And that the UID project has spurred the idea of putting all manner of information on various databases. For instance, see what the Kerala leak produced.

In Parliament, the Minister said that more than 34,000 persons in the system have been blacklisted, like they did in the Dhoni episode. That’s a staggering number, but everyone seems sanguine about it. And here I am thinking, who got enrolled by them? Whose data did they collect? Why were they blacklisted? There is no requirement of a notice of breach that is to be given, so no one knows what all this means.

Seems this could be why they felt the need to deny the right to privacy for the people of this country. They knew they would be violating it in all these colourful ways.

What are your concerns with the procedure that a private operator, like a bank, follows to get empanelled on the eKYC API?

There is a 2016 Strategy Overview document that indicates how it can get empanelled. That is, by an MoU. It is a loose method, leaving a lot to the UIDAI. And since scalability is their priority, a lot of the reliance will be on encryption and access control and audits; only we will know nothing about it. It is amazing how non-transparent the UIDAI has become, especially since 2012. That was the last time they put out a report, even internally generated and without any names of authors (no scientific study is published without telling you who did the study). Since the biometric failures started, for instance, there has been no report.

Although the e-KYC process is based on a user’s consent, how does UIDAI ensure one’s personal data/biometrics are not misused by private operators?

What has happened so far suggests that they are trying to learn as they go along. So, when biometric recall got exposed, they filed an FIR against the whistleblower, and then said that the PoS (point of sale) devices will hereon be encrypted. When other problems get aired, presumably they will do something that will paper it over. I must confess that this is not very reassuring.

Consent, by the way, is the biggest sham in this project. It is the “mandatory-voluntary game” again. If the UID number has to be seeded everywhere, for any service or subsidy, what consent are we talking about? Compulsion is the only route, so I think we should stop pretending there is any choice and consent in this project.

The UIDAI has created a “seeding ecosystem”, which ostensibly adds one’s UID to the database of beneficiaries. Why do you view “seeding” as a concern?

Nowhere does the Aadhaar Act permit ‘seeding’ of the number. But, as we know, seeding is the main activity for every person in this country today; to get a UID number, and then put it into every database that we can find. Or else, it will find us. So, private companies too are allowed not just to authenticate, but also to retain our numbers.

In doing eKYC, the information on the UIDAI database is passed on to the entity requesting the information. All except core biometrics, an exception which, I must confess, doesn't mean much, because the private entity can always take biometrics separately from those collected for authentication. There is no prohibition in law. More recently, I am told, not only demographic information but a copy of the letter/card is also sent to the private entity. It should worry us that we don't even know what is being passed on from the database.

People wait in queue at an Aadhaar camp in Agra, India. (Source: Twitter/ @UIDAI)

In the contracts that were partially obtained through RTI, companies such as L-1, MongoDB and Safran would have two-year contracts, but the contract would say that they can hold and deal with that data for a seven-year period. These contracts really need to be up for public scrutiny, and hiding behind commercial interest and confidentiality is a sign of how non-transparent this project is.

Generally, there is no time limit on how long companies can retain our data. Privacy is not a mere matter of gossip, you know, like it has been made out to be. There are principles of what data can be collected, its accuracy maintained, when it is to be destroyed. When anyone says we have no right to privacy, what they are saying is that they do not need to heed any of these principles.

How exactly can seeding become a problem for Indians?

Whole businesses are being set up only to do profiling of people using the UID database and exploiting the seeding of the number to make it ubiquitous. So they get authentication services from the UIDAI, look at public databases to see what stories they tell about the person, and when they transact with that data, there is little that the UIDAI is going to be able to do about it. From the way the law has been made, and given the involvement of private players like Mr Nilekani and others — who left the UIDAI and now work with him — and considering their control over what happens to the project, it seems improbable that law, policy or practice will challenge what they do.

Based on your research, what kind of fees does the UIDAI charge private entities for the use of its data?

The fees haven't been fixed as yet, from what I know, and the decision about the scale of fees has been deferred to the end of 2017. When changes have to be made to the database, there is a certain fee, something in the range of about Rs 15. But then, no one really knows. So those managing the machines more or less decide. Ask people trying to enrol, and you will see that in many places enrollers charge people for enrolment. That is illegal. But then, what about this project has followed the law?

What kind of grievance redressal mechanism does a citizen have in the event that his biometric data or Aadhaar number has been compromised? Is there any remedy (other than intimating the UIDAI) that a citizen can avail in such a case?

None that anyone knows of. The regulations should have set out the mechanism, but plainly nothing has been established. Which explains why those not receiving rations because their fingerprints do not work find themselves without recourse. It is significant that in a case in the Delhi High Court, it is the UIDAI and not the Food and Civil Supplies (Department) that files in court when the complaint is that people are being turned away without rations because their biometrics do not work. But, there is no grievance redressal for people getting excluded due to failing fingerprints.

The project has never admitted to its wrongs and failures. They claim all problems are just teething troubles and people shouldn’t complain but be patient, everything will be alright at the end. It is just a matter of faith at this time of technology, they say.

https://www.bloombergquint.com/law-and-policy/2017/04/30/project-aadhaar-is-all-about-compulsion-not-consent-usha-ramanathan