Since the past seven years, I have been a consistent critic of Aadhaar, drawing attention to several issues and concerns relating to flaws in Aadhaar and its weak architecture. These concerns and issues are coming true today.
It is however, important to acknowledge the sharp difference in the approach of the current Government vis-à-vis the UPA Government. The latter spent thousands of crores on Aadhaar with no debate inside or outside Parliament, with no legislative backing and, most importantly, without any legal accountability for the authenticity of this biometric database. As a result, thousands of crores were spent on creating a poorly verified biometric database with no details on citizenship. The only time Aadhaar was scrutinized was by the Standing Committee of Finance – of which I was a member – that concluded that Aadhaar would be ineffective even for the purpose of directing subsidies and recommended its merger with the National Population Register.
This Government, instead of rejecting Aadhaar and wasting public money, has moved to address its shortcomings. It has subjected Aadhaar to parliamentary scrutiny and has developed a strategy to use Aadhaar as a sharp attack on the vexed and cursed problem of leakages and fraudulent claims to public subsidies. It has addressed the issue of lack of verification and fake entries by making the UIDAI statutorily responsible under section 3(3) of the Act, for verifying the entries.
But, there remain a few important issues for the government to consider.
The first issue is the use of Aadhaar as a broader identification while it remains an unverified database. Until 2016, 100 crore entries were created with little or no verification. The Government needs to answer how such poorly verified Aadhaar entries, that can be forged for Rs. 40 at Palika Bazar cab be used to access airports and as KYC for opening non-JDY bank accounts. This issue of rampant fake Aadhaar entries is real and there has been no disclosure or audit conducted to show the steps taken by the Unique Identification Authority of India (UIDAI) to ensure that it has complied with the direction of section 3(3) of the Aadhaar Act to verify all entries created before the Act was passed. As a result, Aadhaar remains an unverified database containing crores of entries with no certification that the name against the biometric is correct.
There is a simple rule for databases – they are only as good as what you put in it. However, sections 3(3) and 4(3) create the perception that the UIDAI guarantees the authenticity of all Aadhaar information, basis which various government departments are now requiring Aadhaar as identity proof, unaware or unconcerned that the Aadhaar database is plagued with fake and ghost entries.
The Hon’ble Minister for Law and Justice and for Information Technology has given an assurance on the floor of the Parliament, that the Government is sure of the authenticity of the data collected from 2010 to 2016. He has assured the House that the system created by the UIDAI is robust, safe and secure with no data leaks and no systematic problems. He has assured the House that the UIDAI is accountable to him; and through him and along with him it is also accountable to Parliament. However, there have been numerous previous incidents of fake Aadhaar entries, including the recent case where Pakistani spies obtained Aadhaar cards under fake names but with their biometrics. If this results in a terror attack, who should the victims approach? The UIDAI? To truly deliver on the directions of sections 3(3) and 4(3) the UIDAI must immediately audit, cleanup and re-verify the database to weed out fake and ghost entries. Ignoring this requirement is unacceptable in view of the national interest.
Another issue is the debate on “mandatory” and “non-mandatory” use of Aadhaar for better delivery of subsidies. This debate is misplaced. It is really an issue of “exclusion” and “non-exclusion”. Aadhaar must be developed as the gateway for the delivery of subsidies because leakages in subsidies ultimately harm the poor and needy and hence. But Aadhaar should be made mandatory only after ensuring that it will not lead to the exclusion of the poor and needy.
The confusion between the “mandatory” and “non-mandatory” nature of Aadhaar is being created by vague regulations being made by the UIDAI, specifically Regulation 12 of the Enrolment and Update Regulations that seems to encourage a breach of Section 7 of the Act. This is a result of lack of proper oversight of the UIDAI. The UIDAI needs to be made subject to stringent oversight possibly through a Parliamentary Standing Committee on the issue of national identity.
The third issue is the issue of data integrity and the broader issue of privacy. As more and more people have become aware of Aadhaar and its expansion to new areas, more and more concerns about its design, operation and misuse have surfaced. There are fears that such data shall be misused for surveillance. While some concerns are legitimate, many are caused by a lack of understanding and a lack of communication and transparency by the UIDAI. Such fears shall be misplaced if the Government articulates clear safeguards to prevent such misuse.
This is an issue regarding the lack of reciprocal accountability on the part of those who collect, store and provide access to sensitive personal data of citizens. The Act and the regulations place no accountability on the UIDAI to protect the database of personal information provided by citizens. They are silent on the liability of the UIDAI and its personnel in case of non-compliance with the provisions of Section 3 and Chapter VI that require verification and protection of such data. How can this database be the gold-standard for identity if its entries are unverified, fake or fraudulent? Who is responsible? The recent fiasco of the storage and reuse of e-KYC data without permission is also widely known.
The issue of Privacy is a broader and more fundamental issue that goes beyond Aadhaar. It raises legitimate questions about the role and responsibilities of the State and other entities that are the custodians of our digital footprints at a time of rapid digitization of our lives. The Hon’ble Minister of Finance himself stated during the debate on the Aadhaar Bill that Privacy is a Fundamental Right, echoing my position in a PIL to which I am a party. The current provisions regarding privacy and data protection under the Aadhaar and the Information Technology Act are skewed in favour of those who hold our data and places an extraordinary burden on the individual to get justice.
As the world’s largest democracy and soon to be its largest digital democracy, we should lead the world in taking an enlightened approach to balancing our citizens’ right to privacy with our national security considerations. The Hon’ble Minister of Law and of Information Technology has stated that there are enough safeguards in the Aadhaar and Information Technology Acts. With great respect, he is wrong. I would encourage the government to initiate a discussion on this and not take a rigid position. It is better for the government to take the lead rather than having the courts step in.
Constant change is normal in the digital world. The risks outlined here are real and need to be addressed. There is a real need to be adaptive and changing, especially in the case of evolving Aadhaar from an unverified biometric database into a robust, reliable and authentic National Identify Platform.
This article appeared in Financial Express on April 14, 2017