An expert on complex systems, governance and informatics, Anupam Saraph advises governments and businesses across the world. A teacher and former IT Adviser to Goa Chief Minister Manohar Parrikar, he challenged Aadhaar as part of the Nagrik Chetna Manch. In the wake of the Supreme Court judgment, he spoke to Frontline on its implications. Excerpts from the interview.
How will the Supreme Court verdict affect companies such as Paytm that require Aadhaar for authentication?
Companies that use Aadhaar for authentication are now saved from the mistaken belief that Aadhaar authentication is more secure than traditional username and password challenges. Unlike Aadhaar biometrics, which are neither certified nor controlled by the person to whom they belong, passwords are in the control of users. Unlike biometrics, which can’t be changed if compromised, passwords can be reset.
Aadhaar biometrics are not certified by the UIDAI [Unique Identification Authority of India] as belonging to the person who is being authenticated. The biometrics associated with an Aadhaar number can be changed by processes (both legitimate and illegitimate) outside the control of fintech companies. They, therefore, had no way of guaranteeing risk-free outcomes with Aadhaar.
These companies will now be required to shift back to a more robust non-Aadhaar KYC [know your customer] that reduces significantly the risk of benami, or proxy, bank and wallet accounts using Aadhaar.
This is a win for fintech companies that want to prevent money laundering and financial terrorism. This is a win for the RBI, which prior to 2011 had clearly indicated that the use of Aadhaar in banking was not only against its own extant guidelines but also against the Prevention of Money Laundering Act, the Basel Standards and the government’s concerns about financing terrorism. It had highlighted that nowhere in the world are third-party identification systems used in banking.
While the Supreme Court verdict does not make Aadhaar compulsory, it still needs to be linked to PAN. Bank accounts need PAN and some other places also recognise PAN authentication. Can there be leakages through the PAN route?
The UIDAI’s affidavit to the Supreme Court indicates that more than 51 per cent of the Aadhaar numbers have never been used for biometric or iris authentication anywhere. So, it is obvious that most of them are likely to be ghosts or duplicates. Section 139AA of the Income Tax Act, which requires the linking of Aadhaar to PAN for income tax purposes, if upheld, will continue to generate fake PAN through fake Aadhaar. This will continue to generate benami bank accounts that are Aadhaar-enabled with these fake PAN numbers.
The concern is not about public exposure of Aadhaar numbers. It is about treating these uncertified, unverified and unaudited numbers as identity and enabling money transfers to benami bank accounts created through such Aadhaar numbers.
Can companies and banks that have collected Aadhaar data destroy the data now or will they still be stored somewhere? Also, how do users know that the data have been deleted?
Delinking Aadhaar, while an essential process for financial and other institutions to reduce risks, is not sufficient to protect an individual or those institutions. Financial institutions need to run a campaign now to cleanse themselves of the Aadhaar virus to protect themselves from financial scams and unprecedented risks, which are outside their ability to contain. Aadhaar is not KYC.
A person’s safety cannot be guaranteed by just delinking his/her Aadhaar number. As long as uncertified, unverified and unaudited Aadhaar is treated as identity, it will expose one to identity fraud. As long as Aadhaar numbers, or any identity document based on Aadhaar numbers, are used to make Aadhaar-enabled payments, they will continue to enable money transfers to benami bank accounts created through Aadhaar.
In order to protect against harm from Aadhaar, the RBI needs to ensure two things. First, that banks revert to keeping a person’s identification documents for KYC, as long as they are not generated using that person’s Aadhaar and, unlike the Aadhaar, are certified, verified or audited by some government agency. Second, the National Payments Corporation of India’s [NPCI] Aadhaar-enabled payments should be delicensed, and no money transfers with Aadhaar or documents derived from Aadhaar should be allowed.
Aadhaar was also linked to the Prime Minister’s Digital India programme. Now that the court has ruled that private companies cannot use Aadhaar, what happens to the Aadhaar-enabled infrastructure that was created?
The UIDAI has stated, in response to an RTI [Right to Information] query, that it is not responsible to certify the biometric or demographic data, or even the use of this data. It does not certify the identity, address or date of birth of anyone. It has also stated that it cannot retrieve a unique record with a biometric. It has no idea of the number of unique biometrics in its database. It has also stated, under RTI, that it does not identify anyone. It merely authenticated the biometric or demographic data associated with an Aadhaar number. The UIDAI has also reiterated, under RTI, that it is not responsible for any transactions undertaken with Aadhaar.
The Aadhaar data, in legal terms, are completely useless. Those monetising Aadhaar recognised its unprecedented power to create ghost, proxy or benami transactions, including financial transactions, property transactions, and for delivering subsidies, benefits or services. That is precisely why, driven by Aadhaar, exclusion, identity frauds and associated crime have grown the black economy exponentially.
It is unlikely that this interest will wane without banning the use of any uncertified ID for any legal transactions, banning authentication in place of identification, and destroying the Aadhaar data.
Justice D.Y. Chandrachud said in his dissenting judgment that there was no institutional accountability for Aadhaar. What happens when there is fraud or data breach? Also, can we then believe the statistics rolled out by the UIDAI, such as its claim that Aadhaar saved Rs.90,000 crore?
Justice Chandrachud is absolutely correct in pointing out that there is no institutional accountability for Aadhaar. This is true in more ways than just being accountable to another body. The UIDAI has no accountability in either the issue or the use of Aadhaar. It takes no responsibility for the legal validity of any Aadhaar number or the data associated with it. It takes no responsibility for the use or the consequences of the use of any Aadhaar number.
The real worry is the UIDAI’s lack of accountability to the creating and usurping of identities. The real worry is about the UIDAI’s lack of accountability to the use of these identities to exclude, cause civil death, siphon subsidies, benefits and services and commit frauds. Since the UIDAI is unable to state how many unique biometrics or persons exist in its database, there is no possibility that it can identify ghosts in its own or other beneficiary databases. Asked under the RTI, neither the Ministry of Finance nor any other Ministry has been able to indicate the existence of beneficiary databases for various government benefits, subsidies or services. They do not even know who the custodians of beneficiary databases are. There is no possibility that they can claim to have weeded out duplicates from databases whose existence they are unaware of. It is an insult to the intelligence of Indians to claim that Aadhaar has plugged any leakage or saved any money.
You say Aadhaar does not authenticate or identify a person. Can you explain why biometrics are not a good metric for identification?
It is like a lock authenticating the key that tries to unlock it. It cannot identify the person holding the key. The biometric is the key authenticated by the record associated with an Aadhaar number. It cannot identify whose biometric it is. Not only can the biometric associated with an Aadhaar number be changed by gaining access to the record through legitimate or illegitimate means, but the stored biometric can also be one of the means of anyone being authenticated using Aadhaar. When Aadhaar authenticates, there is no identification.
Identification requires the persons identifying to be co-present. It requires them to take responsibility for the consequences of (mis)identification. The UIDAI is not co-present and takes no responsibility for identification.
The UIDAI does not certify the identity, address or date of birth of anyone. This destroys the possibility of relying on the data associated with the Aadhaar number to identify anyone. The UIDAI does not even know the primary documents used as proof of identity and proof of address to issue any Aadhaar number. This means that it is not possible to challenge an authentication with the primary documents to verify the identity of a person.
It has admitted that the Aadhaar Act defines authentication, not identification. This removes any ambiguity that Aadhaar, with or without biometric, is useless to identify any person.
We hear a lot about how big businesses use data. Could you please explain how they monetise it and also address the fears around its misuse?
Businesses can use data to address the needs of their customers better. This is how businesses interested in serving their customers monetise their data legitimately.
Data is misused when third parties, in the name of innovation and digital economy, gain access to transaction data a person generates in his/her relationships with governments or service providers and exploit them. Aadhaar is the handle that enables these third parties to generate transactions that one did not undertake. These transactions are indistinguishable from those one makes. Third parties with access to Aadhaar data are also able to generate transactions of ghost and duplicate Aadhaar numbers that are proxy to those laundering money or committing crimes. Such misuse hurts not only individuals but also financial and governance institutions.