Before I begin, I would like to quote the current Attorney General of India:
“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” - Attorney General Mukul Rohatgi. (Article 21 of the Indian Constitution refers to the right to life and liberty.)
What is Aadhaar?
From food rations to marriage certificates, entrance exams to train ticket concessions, mobile phone cards to banking, Indians are now being asked to produce a 12-digit Aadhaar number to access both government and private sector services.
This number is connected to their fingerprint and iris scans that are stored in a centralised database. As of September 2016, this database held the demographic and biometric information of more than 105 crore people – more than 80% of India’s population, and three times the population of the United States.
“The Unique Identification Authority of India (UIDAI) is a statutory authority established under the provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act 2016”) on 12 July 2016 by the Government of India, under the Ministry of Electronics and Information Technology (MeitY).
Prior to its establishment as a statutory authority, UIDAI was functioning as an attached office of the then Planning Commission (now NITI Aayog) vide its Gazette Notification No.-A-43011/02/2009-Admn.I) dated 28th January, 2009. Later, on 12 September 2015, the Government revised the Allocation of Business Rules to attach the UIDAI to the Department of Electronics & Information Technology (DeitY) of the then Ministry of Communications and Information Technology.
UIDAI was created with the objective to issue Unique Identification numbers (UID), named as “Aadhaar”, to all residents of India that is (a) robust enough to eliminate duplicate and fake identities, and (b) can be verified and authenticated in an easy, cost-effective way. The first UID number was issued on 29 September 2010 to a resident of Nandurbar, Maharashtra. The Authority has so far issued more than 111 crore Aadhaar numbers to the residents of India.
Under the Aadhaar Act 2016, UIDAI is responsible for Aadhaar enrolment and authentication, including operation and management of all stages of Aadhaar life cycle, developing the policy, procedure and system for issuing Aadhaar numbers to individuals and perform authentication and also required to ensure the security of identity information and authentication records of individuals.”
Besides this, any individual based in India will have faced compulsion at the hands of governmental authorities and service providers to supply an Aadhaar number in order to avail of even the most basic services.
The idea of generating a unique code number for every citizen seems highly innovative for a high-population country like India.
However, for this scheme in its current form, the good part ends with the idea.
The current system leaves the seemingly innovative and revolutionary idea of providing national identification for over a billion Indians exposed to many opportunities for misuse. It also apparently violates an individual’s right to privacy.
The way sensitive data has been, and is being, collected and managed by enrollment agencies, registrars and sub-registrars, and is now distributed freely by the government to private players who bear no considerable legal liability for any misuse of this data, makes it amply clear how vulnerable we all are to a breach. Even government authorities are posting Excel sheets containing Aadhaar-related personal information freely on their websites.
What further complicates this issue is the fact that, once the data is leaked, there is no substitute or cure for the breach. An individual cannot, of course, change or alter his or her biometric signatures.
It takes reasonable effort by a professional counterfeit artist to recreate passports or driving licenses, because the original documents have various security features like holograms. With Aadhaar, however, there is no concept of an “original” Aadhaar card. Even an amateur can take a printout of your Aadhaar information (if he knows your basic information, like Aadhaar number and name) and start submitting it in different places where it is demanded.
The government’s insistence on making Aadhaar mandatory has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of the internet and today’s technology and all the new privacy challenges that have arisen as a consequence.
Why this hue and cry on privacy?
Very recently, representing the government before the Hon’ble Supreme Court of India, the Attorney General of India, Mukul Rohatgi, said citizens cannot claim “absolute” right over their body parts and refuse to give digital samples of their fingerprints and iris for Aadhaar enrolment. Such a stand by the government has truly heated up the issue of privacy.
While the issue of citizens’ right to privacy is pending a decision by the constitutional bench of the Hon’ble Supreme Court of India, there is already an increase in cases of leakage of citizens’ Aadhaar details.
Going step by step into the issues, the most basic is how agencies are collecting and handling this data.
Is enrolment in Aadhaar verified by the agencies?
In recent times militants have been found carrying Aadhaar cards, which establishes that making Aadhaar a precondition and an enabling document would only add to the chaos and make it easy for enemies of the state to abuse the procedures. When a militant can get an Aadhaar card, how much verification is done by the agencies becomes highly questionable.
How safely is the data handled by the agencies?
As per a report in the Hindustan Times, the personal details of over one million Aadhaar subscribers were leaked on a website run by the Jharkhand Directorate of Social Security. Most of the vulnerable are senior citizens, who are beneficiaries of the state’s old-age pension scheme. Jharkhand has 1.6 million pensioners, among whom 1.4 million have reportedly seeded their Aadhaar cards for direct transfer of the monthly pension into their accounts. In the security violation, personal details such as name and bank account number were revealed for a bulk of these users, deepening the existing worries about the safety features of Aadhaar cards.
According to Section 29(4) of the Aadhaar Act, publishing the Aadhaar numbers of consumers is illegal, though such violations are known to have happened in the recent past.
Earlier this year, cricketer Mahendra Singh Dhoni’s Aadhaar details were inadvertently leaked on social media, which led his wife, Sakshi, to complain to the Union Law and Information and Technology Minister, Ravi Shankar Prasad. In its response, the Unique Identification Authority of India (UIDAI) blacklisted the service provider for 10 years.
It is worth asking whether blacklisting a service provider is really a solution to this problem.
How vulnerable are we, and how does this issue affect everybody?
With demonetization, citizens at large have been compelled to use digital modes of payment, and with the seeding of Aadhaar with bank accounts and the launch of the likes of the BHIM app, which enables the use of biometric data such as a fingerprint to enable a transaction, it has become much simpler to cheat an individual of his or her hard-earned money. What is further horrifying is the question of whether, once an individual’s biometric data is in the public domain because of mishandling by the collection or handling agencies, there will be any way of avoiding or blocking the use of biometric-based transactions.
Civil and Criminal Vulnerability
While the authorities across the country are in the process of linking Aadhaar to all the processes related to an individual, such as property transactions, PAN card, birth certificate(s) and pension, with the ease for users comes the danger of breach and identity theft by criminal minds. As a lawyer I have come across many cases where, instead of a bona fide seller, an impersonator is used to cheat a person of his property; how authentic such transactions will become once a false verification of them is done by the conspirators is not rocket science to understand.
Another exposure would be the misuse of an individual’s Aadhaar details by criminals to commit crimes.
Think of a scenario where, using an innocent victim’s Aadhaar data, a criminal or an enemy of the state impersonates that person and commits a crime. This could be anything ranging from financial fraud by opening a bogus bank account in the victim’s name, or taking a mobile number in that person’s name, to committing an act of terror with the false identity.
With a false Aadhaar-based verification, and the authorities’ approach of believing it to be a foolproof mechanism, how difficult it would be for a victim to claim back his properties, prove his or her innocence, or show that an act was not done by him or her is easy to foresee.
What further adds to such a scenario is that our enforcement and judicial mechanisms are already overburdened, and the hyper-technicality of such transactions will be an added complication.
Comparing Aadhaar to the United States Social Security Number
Aadhaar authenticates a person by matching his or her demographics or biometrics with the records in its database, while the Social Security Number was never intended for authentication purposes and has not been built to do this on a national scale. The Social Security Administration matches a name and associated Social Security Number against its records only in limited circumstances, such as before issuing a replacement Social Security Number, or establishing a claims record.
It “does not verify an individual’s identity”, notes the Social Security Administration website, explaining the verification methods.
Aadhaar captures biometrics. The Social Security Number does not.
Aadhaar collects biometrics, which include the scan of all fingerprints, face and the iris of both eyes. Aadhaar Act’s section 2(g) states that “other biological attributes” may be collected in the future, a provision that was intensely debated in Parliament.
In contrast, when the Social Security Number was created in the 1930s, the US government decided not to collect fingerprints. “The use of fingerprints was associated in the public mind with criminal activity, making this approach undesirable,” notes the Social Security Administration website. The Social Security Number is thus printed on a small paper card and does not carry even a photograph.
In recent years too, the Social Security Administration has refrained from collecting biometrics of residents. In 2007, when the Intelligence Reform and Terrorism Prevention Act asked the SSA to improve the security of Social Security Number cards, the SSA considered adding the holder’s photograph or biometrics to the card but eventually decided against it.
“A biometric identifier, such as a fingerprint, can be an effective and highly accurate way to establish the identity of an individual, but it can also facilitate a much higher degree of tracking and profiling than would be appropriate for many transactions,” said Marc Rotenberg, the president of Electronic Privacy Information Center, a research organisation, in a testimony to the House of Representatives.
He added: “The problems that will arise when biometric identifiers are compromised are severe. What will happen at the point that your biometric identifiers no longer identify you?”
Biometric data and its use for authentication and identification of the individual can cause serious problems. Once the data is compromised, fraudulent use of it is certainly possible. Such issues have not been adequately addressed by the government agencies, and at the current stage there is no mechanism to counter such misuse. Further, there is no process for reversing the damage caused by such a data breach. We believe that the use of the Aadhaar card should be restricted to special cases rather than extended to mainstream functions like financial transactions and other public services that require a greater level of diligence. Before the implementation of such a system, a robust legal and technical framework must be put in place to ensure and satisfy privacy rights as well as the proper functioning of the system.