Questions about the security of India‘s giant biometric database continue to be raised by privacy advocates
By Mahima Kaul / 11 April, 2014
(Image: Sergey Nivens/Shutterstock)
Established in 2009 by executive order, the Unique Identification Number Authority of India (UIDAI) has taken on the monumental challenge of issuing each resident of the country with a Unique Identification Number (UID), more commonly known as the Aadhaar card. The driving idea behind the card was to ensure that residents could have a singular identification card that can eliminate duplicate and fake identities and also can be verified in a cost effective manner. Biometrics are the primary method for identification, while other details such as addresses, family, and even bank accounts are linked to the card.
Recently, the UIDAI was in the news as it challenged an order by the Goa High Court to share biometric details of all enrolled Goa residents with India’s Central Bureau of Investigation in order to solve an investigation. The Supreme Court of India ruled that UIDAI did not need to share its data with any agency of the government without the consent of those in its database. In his blog, the former Chairman of UIDAI (and currently running for a seat in India’s hotly contested national elections)Nandan Nilekani wrote: “We have always stated that the data collected from residents would remain private, and not be shared with other agencies.”
An audible sigh of relief was heard in the media from privacy activists who were concerned that the data collected by the UIDAI would be easily accessed by any government agency once it was in the system. This concern for privacy and data protection isn’t completely unfounded. Indian media has reported on grave gaps in the data collection process. In March 2013, a Mumbai paper reported that data collected from residents in 2011 was still lying around in cupboards in a suburb, despite the area residents repeatedly reminding the authorities to take away the information. The same state had, in 2013, “admitted the loss of personal data of about 3 lakh [100,000] applicants for Aadhaar card”, an error that sparked concerns over possible misuse of the data, not to mention the trouble of having to register personal data all over again. According to the report, the data had been lost while uploading from the state information technology department to the UIDAI central server in Bangalore, Karnataka. Government officials tried to assure the public that the data was highly encrypted and could not be misused. However, this incident wasn’t unprecedented. Just the year before, veteran journalist P. Sainath of the Hindu had highlighted this issue in a talk, saying that: “You can buy that data on the streets of Mumbai. It’s already made its way there. What sort of national security will you have when your biometric data is up for grabs all around the planet? You outsourced it to subcontractors who have subcontracted it to further people. It’s now available on the streets of Mumbai, biometric data.”
Given that the government has spent Rs 3800 crore (around $600 million) on the project already, it is interesting to note that India has not yet passed a privacy law, a comprehensive data protection law and nor did the parliament pass the National Identification Authority of India Bill, which was rejected by a parliamentary standing committee on finance in 2011. As was reported at the time, the standing committee rejected the report on the grounds that the scheme had “no clarity of purpose and leaving many things to be sorted out during the course of its implementation; and is being implemented in a directionless way with a lot of confusion”. It also went on to raise concerns about privacy, identity theft, misuse, security of data and duplication during the implementation of the UID scheme, and cited global examples of similar schemes that were rejected.
However, it is useful to see the guiding principles behind the implementation of the scheme that made it so attractive to the Congress-led UPA II government. The spirit of UID seems to lie in two guiding principles; using Public-Private Partnerships (PPPs) to make government more effective, and entering the data game. In a recent interview to the Economic Times, Shrikant Nadhamuni, who headed technology for UIDAI is quoted as saying: “We wanted to move the ID game—from a state where some people had no ID and others had paper ID to something beyond even what Singapore had, in the form of smart cards, to online. Like biometric. Which is the future.”
The basis of the design of what was to become the UID was also laid out in the Report of the Technology Advisory Group for Unique Projects, submitted to the Ministry of Finance in 2011, headed by Nandan Nilekani, a respected figure in Indian business and later to become CEO of UIDAI. Others involved with the report were the chairman of the Security and Exchange Bureau of India (SEBI), the secretary, Department of Telecommunications of the Government of India, the chairman of the privately owned IFMR trust which seeks to ensure that every individual and enterprise has access to financial services, and a few other experts on the subject. Many government officers constituted the secretariat. The report put out some revolutionary ideas about how to integrate private expertise into the public sector. It deduces that “the most important lesson that needs to be acted upon is that business change’ should drive the design and implementation of these projects”.
This was to be done by implementing a National Information Utility (NIU), which would be private companies with a public purpose: profit-making, not-profit maximising. The NIU would be flexible in its functioning, and the government would keep strategic control over the project. Private ownership of the project should be at least 51% and the government’s share at least 26%. Once the NIU is to become steady, the government would become a paying customer and would be free to take its business elsewhere. However, the report also admits that given the massive investments in building the NIUs, they would essentially be set up to be natural monopolies. At the time, the report had looked at the following schemes of the Indian government: Goods and Services Tax (GST), Tax Information Network (TIN), Expenditure Information Network (EIN), National Treasury Management Agency (NTMA) and New Pension System (NPS). The first Unique Project to take off, however, was the UIDAI.
This strategy raised red flags as well. Usha Ramanathan, an academic activist, wrote in Moneylife that: “In this set-up, we are witnessing the emergence of an information infrastructure, which the government helps — by financing and facilitating the ‘start-up’, and by the use of coercion to get people on to the database — which it will then hand over to corporate interests when it reaches a ‘steady state’.” She continues in the same piece that: “The NIU was not explained to parliament, and no one seems to have raised any questions about what it is. This, then, is the story of how the ownership of governmental data by private entities is silently slipping into the system.”
Controversies surround the Aadhar project. Nilekani, who was appointed Chairperson of UIDAI in 2009 by the current UPA government, and simultaneously given the rank of a cabinet minister, is increasingly in the news because rumours are swirling in India that a new government might choose to shelve the project. The card, that was envisioned to become an almost one-stop-shop in the future years regarding the delivery of welfare schemes and subsidies, is no longer mandatory to avail some of these, according to India’s Supreme Court. This is a setback to the government that considered the Aadhar card a method to plug “leaks” in the government delivery systems. Despite this, reports of data leakage, and even stories of fake Aadhar cards making their way into the news, the current establishment seems hopeful. The deputy chairman of India’s Planning Commission, Montek Ahluwalia, made a statement that the card did not require a legal basis to be used for transferring benefits to citizens, much in the same way citizens are not legally required to hold degrees to gain jobs.
The UIDAI project remains complex – a herculean task. The UK government shelved its identity card project because it was untested and the technology not secure, and because of the risks to the safety and security of citizens. With India in the midst of an election, it remains to be seen what will happen when a new government is formed, and whether the country can succeed in this task.