The world’s largest biometric ID programme is a privacy nightmare waiting to happen

See no evil.
See no evil.
Image: EPA/Harish Tyagi
We may earn a commission from links on this page.

At its heart, the ongoing tussle over Aadhaar is all about information.

How much of it should a government collect? Where is it stored and under what safeguards? Who gets to use it and how? And what happens when someone screws up?

When the Unique Identification Authority of India (UIDAI) was established in 2009 under the Manmohan Singh-led Congress government, a 12-digit unique identification number—or the Aadhaar—was touted as a magic bullet that would help fix India’s leaky subsidy system.

In return for their biometric information, ordinary citizens were promised a much-improved delivery process, where subsidies would get to the intended individual. Fake, ghost, fraudulent, and other such shifty beneficiaries would be weeded out. So, with former Infosys CEO Nandan Nilekani at the helm, the UIDAI got to work, building what is now arguably the world’s largest biometric identity system.

But Aadhaar wasn’t supposed to be mandatory to avail any government benefit, something the supreme court of India made clear in 2013. The court reiterated the voluntary nature of Aadhaar in 2014 and 2015.

So what’s the problem?

Nonetheless, not everyone was convinced—not the least Narendra Modi. A day after voting began in the 2014 general elections, which would eventually sweep him into power in New Delhi, the then Gujarat chief minister made his misgivings clear.

Three years later, Modi has emerged as an outright champion of the platform he once so openly derided. Since January this year, the government has made Aadhaar mandatory for at least 22 schemes, according to some estimates, including certain scholarships, maternity benefits, and even the midday-meal programme. Without question, Aadhaar is now at the centre of Modi’s governance blueprint (pdf).

To provide the legal backbone for this push, the government muscled through the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016. The legislation wasn’t debated rigorously in parliament as it ought to have been. Instead, it was passed as a money bill, so the Rajya Sabha (where the ruling Bharatiya Janta Party lacks a majority) couldn’t shoot it down. The legislation, many contended, wasn’t fit to be a money bill, with Congress leader Jairam Ramesh moving court against the government.

The Modi government again took the money bill route this March. In the Finance Bill, 2017, it included a provision to make Aadhaar compulsory to file income-tax returns. Finance minister Arun Jaitley, lamenting India’s meagre tax-payer population, argued that the move was necessary to stop tax evasion and fraud. The opposition in the Rajya Sabha could do little other than walking out.

In one fell swoop, then, Aadhaar was all but mandatory for every tax-paying Indian.

What’s wrong with Aadhaar everywhere?

The government’s move flies in the face of what the supreme court has said more than once: Nobody can be denied any benefits just because he or she doesn’t have an Aadhaar. Although reports suggest that the apex court on March 27 allowed making Aadhaar compulsory for non-welfare schemes, there has been no such order.

The court is slated to settle the matter of Aadhaar’s constitutional validity in the coming month or so. The matter goes to back to 2012 when former justice KS Puttaswamy filed a writ petition arguing that it violated a citizen’s right to privacy, which flows from the fundamental right to life under Article 21 of the constitution. In a 2013 interview, Puttaswamy, a retired Karnataka high court judge, explained: “We are required to part with biometric information, iris, and fingerprints, and there is no system to ensure that all this data will be safe and not misused.”

The government, in its defence, has maintained that citizens have no such fundamental right to privacy. However, there have been persistent concerns over the safety of Aadhaar-linked data.

In recent weeks, for instance, multiple data sets have emerged where identity details of several thousand individuals and their Aadhaar numbers were made publicly available on the internet. Under the Aadhaar Act 2016, the UIDAI can provide such information (other than biometric) to agencies for a fee. The concern is that once this data is out of the UIDAI’s hands, it may not be secure, as recent instances have shown, and can be potentially used indiscriminately. Beyond a point, researchers point out, there is little clarity on data management and security protocols followed by the UIDAI and related agencies. Neither does the UIDAI provide information on data breaches that its systems may have suffered.

In effect, it isn’t quite understood how the data of millions of Indians is maintained, shared, and secured, though the government wants to use it for access to everything, from paying taxes to procuring a driving licence.

The trouble with Aadhaar is that it doesn’t quite operate in a silo. Since the government is now pushing to link it with multiple databases, the number has to be used within a completely secure ecosystem. But that sort of an environment doesn’t exist across India’s public and private agencies, which remain vulnerable to breaches. But it does give the government a powerful set of tools with which to track individuals, their movements, and activity.

In case someone wants to delist from Aadhaar and remove all of one’s biometric information, there seems to be no provision for it. But the UIDAI can deactivate Aadhaar numbers under certain circumstances; all you’ll get is a text message in return.