Aadhaar Platform, Big Data and the Right to Privacy

The Aadhaar programme, launched in 2009, is an initiative of the Unique Identification Authority of India (UIDAI) [1] that aims to give a universal identity to every Indian resident. This would help the government provide services to intended beneficiaries by assigning them unique identity numbers in the form of a biometric card called the Aadhaar card. [2] Aadhaar is the world’s largest biometric identity platform. As of May 2015, a total of 101,39,87,895 Aadhaar numbers [3] have been issued. Now, let us take a look at the technical and legal aspects of Aadhaar.

Technology systems have a major role across the UIDAI infrastructure. The Aadhaar database is stored on a central server. Enrolment of residents is computerised, and information exchange between Registrars and the Central Identities Data Repository (CIDR) [4] takes place over a network. Authentication of residents is done online. The Authority also claims that it has put systems in place for the security and safety of information. Aadhaar has some unique ‘data challenges that exhibit all characteristics of Big Data like data volume, data variety and data velocity’. [5] A number of technologies have been used to handle massive parallel processing, streaming data reads, data locality computing, low latency reads, data integrity and the challenges of dealing with distributed data. In a nutshell, this biometric identity platform involves:

  1. 200 trillion biometric matches per day;
  2. 2 petabytes of raw data stored;
  3. 100 million authentication requests per day;
  4. Terabyte-scale data warehouse of 200 million records;
  5. 50 million messages moved per day; and
  6. 100 million database transactions per day. [6]

After a very short debate, on 11th March 2016, the Lok Sabha, i.e. the Lower House, passed [7] the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, with a voice vote. The Aadhaar plan has been controversial, and it has been challenged before the Supreme Court of India in Justice K. S. Puttaswamy (Retd) vs Union of India, as activists found that a mechanism for potential human rights violations was present within the Aadhaar framework. However, the Attorney General has argued that people have no ‘right to privacy’. As the ‘Bill has been passed with no public consultation about the privacy safeguards necessary for such a database and no provision for public or independent oversight’, activists fear surveillance. [8] Thus, there are considerable reasons to suspect that the Bill would have enough direct and indirect instruments to curb users’ right to privacy. And the rights to liberty and freedom of expression will be violated if the right to privacy is compromised.

On its website, the UIDAI declares, ‘we want to expose all publishable public information via a “Data Portal” where all data is exposed in machine readable formats. This portal allows third party developers to develop Web 2.0 applications based on this data’. [9] Thus, the technology of the Aadhaar platform allows ‘third party developers to develop Web 2.0 applications’. Allowing third parties to access residents’ data is a potentially risky step. Further, the government wants to expose ‘publishable public information’. However, it is not clear what the authorities mean by ‘publishable public information’, or what is publishable and what is not. In terms of the partnership model, it states, ‘the UIDAI approach leverages the existing infrastructure of government and private agencies across India’. [10] Again, the UIDAI is allowing ‘private agencies’ to ‘leverage existing infrastructure of government’. ‘In addition, the Authority will partner with agencies such as central and state departments and private sector agencies, who will be “Registrars” for the UIDAI. Registrars will process Aadhaar applications, and connect to the CIDR to de-duplicate resident information and receive Aadhaar. The Authority will also partner with service providers for authentication of identity’.

The Government intended to use the Aadhaar number to confirm identity for most of the schemes. The Government also prefers the Public Private Partnership (PPP) model wherever feasible to implement e-Governance projects with proper management and strategic control. Though the Supreme Court ordered that having an Aadhaar Card is not mandatory for a citizen, in practice it is needed to avail most of the entitlements and other benefits. For example, Aadhaar is mandatory to avail the LPG subsidy.

These steps are absolutely fine provided a detailed privacy framework is developed and integrated into the whole Aadhaar process, from virtual infrastructure to physical infrastructure.

The UIDAI confirms, ‘The UIDAI will not share resident data’. [11] Further, the statement elaborates that the Authority also makes sure that they envision a balance between ‘privacy and purpose’ ‘when it comes to the information it collects on residents’, and that ‘the Authority will also enter into contracts with Registrars to ensure the confidentiality of the information they collect and store’. [12] Here, the statement and the elaboration of the statement are contradictory. Secondly, it is not at all clear how the Authority is going to strike a balance between ‘privacy and purpose’. Further, it says, ‘the agencies may store information of the residents they enrol if they are authorised to do so’. So, there is a provision for ‘private agencies’ to access and store sensitive personal data and information.

The government also wants to link mobile SIMs with the Unique Identification (UID) number, or Aadhaar. The main stated objective of linking SIMs with the Aadhaar Card is to remove fake users and control the misuse of mobile phones for anti-social activities. [13] Since there is no detailed privacy framework, there is a possibility that the Authority may use Aadhaar Card data against citizens. For example, during any protest, law enforcement agencies can record videos of protesters, scan the iris (eye scan) data, and easily find out all information about the protesters. If the authority is wrong on that particular issue and finds out everything about the protesters, the data can give a repressive administration an unfair advantage, and protesters can be threatened. [14] Thus, the Aadhaar database can be misused by government agencies, by third parties and via unauthorized access.

So, it is important to take measures to protect human rights and freedoms while developing any new technology. So far, the authority has not taken effective measures to protect the privacy of citizens concerning the Aadhaar database. It is also suggested that the authority take full responsibility for the ill-effects if anything goes wrong in terms of privacy. In spite of several assurances of safety, the authority offered citizens and residents ‘no guarantee of compensation or recompense if its poor choices endanger them’. [15] Highly sensitive and personal data of more than 100 million Indians are being stored at two locations – Bangalore (Karnataka) and Manesar (Haryana). [16] The crucial question is what would happen if even one of the locations is compromised. It would be a privacy disaster for millions of Indian citizens. Thus, it would have been better for building ‘trust’ among citizens if the Authority published a demo of the contract.

The important question of the hour is whether the government can assure us that these initiatives / programmes, and the data that will be collected under them – biometric, biological, iris scan, fingerprint, Human DNA Structure, personal communications, everything put together – will not be misused, as was seen in the case of the National Security Agency (NSA) in the US. Potentially, biometric data of 100 million+ citizens would give the Indian Govt. more invasive surveillance power than the NSA, whose dark secrets were revealed by Edward Snowden in 2013.

The Aadhaar Bill, 2016 contains extensive threats to privacy. This Bill seeks to institutionalise an extensive, pervasive database that links multiple other databases [17] containing personal and sensitive information of Indian residents and citizens. This Bill has had no public consultation about the type of privacy safeguards that are needed for such a database [18].

As mentioned in earlier sections, the government claims that the noble goal of creating such a database is to have a functional Public Distribution System. According to Section 7 of the Aadhaar Act 2016, ‘The Central Government or, as the case may be, the State Government may, for the purpose of establishing identity of an individual as a condition for receipt of a subsidy, benefit or service for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India, require that such individual undergo authentication, or furnish proof of possession of Aadhaar number or in the case of an individual to whom no Aadhaar number has been assigned, such individual makes an application’.

On the one hand, we are told that the objective of the Aadhaar initiative is the smooth functioning of government benefit schemes. However, as an analysis of Section 33(2) shows, law enforcement agencies may be given permission to access the ‘Big Data Bank’ through the Aadhaar platform. So, it is not clear why law enforcement agencies or anyone else should be given access to the database if the objective is to enable government benefit schemes to run smoothly.

We are also told that the sensitive personal data in the database is secured and inaccessible for any purpose other than authentication. The part on ‘protection of information’, under ‘security and confidentiality of information’, in the legislation states, ‘The Authority shall ensure the security of identity information and authentication records of individuals’ [19]. Later, in Section 29(2), the legislation makes significant exceptions and permits the authority to easily dip into Aadhaar data. It says, ‘The identity information, other than core biometric information, collected or created under this Act may be shared only in accordance with the provisions of this Act and in such manner as may be specified by regulations’.

Section 33(1) of the Aadhaar Act 2016 says, ‘Nothing contained in sub-section (2) or sub-section (5) of section 28 or sub-section (2) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made pursuant to an order of a court not inferior to that of a District Judge’.

A prominent legal scholar, Chinmayi Arun, fears that India has inadequately trained district judges spread all over the country, and that they are not getting enough support to understand the implications of a database like Aadhaar. ‘District judges have been authorising mass blocking of online content and gag orders’ and now these ‘judges can now authorise access to Aadhaar data without any disclosure or discussion with the citizen affected — only the Aadhaar authority will have the right to contest the order if it is so inclined’. The Act offers no space where the affected party may appeal if his/her rights are affected. Thus, this creates a huge window for access to and misuse of the database [20]. There is also a lack of proper oversight and redress.

Section 33(2) of the Act states, ‘nothing contained in sub-section (2) or sub-section (5) of section 28 and clause (b) of sub-section (1), sub-section (2) or sub-section (3) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government’.

According to this Section, a Joint Secretary authorised by the government can direct disclosure of information “in the interests of national security”. This order will be reviewed by a committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology. However, there is enough room for the authority to abuse its power and access the Aadhaar database.

The Aadhaar initiative lacks clarity and has faced several challenges regarding the use, storage and ownership of such data, the actors involved and their accountability, concerns around data security and privacy, and the need for suitable regulatory frameworks.

References:

  1. See more: Features of the UIDAI Model. Accessed from http://bit.ly/1R7YmDo on 29/04/2016.
  2. Aadhar Bill passed in Lok Sabha, Opposition fears ‘surveillance’. Accessed on 19/03/2016 available at http://bit.ly/1OGxYpO
  3. The real-time statistics gathered at 13:12 (Indian Standard Time) on 15/05/2016. Source: https://uidai.gov.in/
  4. Central Identities Data Repository (CIDR) is a government agency in India that stores and manages data for the country’s Aadhaar project.
  5. ‘Aadhaar – world’s largest biometric identity platform’ Available at http://bit.ly/1ND6xqZ
  6. Ibid
  7. How Parliament played the Aadhaar Bill, 2016. Accessed on 23/04/2016 and accessed from http://www.legallyindia.com/blogs/how-parliament-played-the-aadhaar-bill-2016
  8. C, (2016). ‘Privacy is a fundamental right’, available at http://bit.ly/1TFQevG
  9. ‘Aadhaar Technology’. See more at https://uidai.gov.in/aadhaar-technology.html Accessed on 05/05/2016.
  10. Ibid
  11. See more: Features of Aadhaar, Accessed on 05/05/2016 and accessed from https://www.developer.uidai.gov.in/site/
  12. Features of Aadhaar, Accessed on 05/05/2016 and accessed from https://www.developer.uidai.gov.in/site/
  13. See more: Centre to link mobile SIM with Aadhaar number. Accessed on 28/05/2016 and accessed from http://bit.ly/1TGunEp
  14. M, (2016). Aadhaar Card Bill Will Bring Exceptional Benefits; But, Privacy Remains a Concern. Accessed on 29/04/2016 and accessed from http://bit.ly/25aHdGi
  15. C, (2016). ‘Privacy is a fundamental right’, available at http://bit.ly/1TFQevG
  16. Biometric data of 99 crore Indians collected; data encrypted: Government. Accessed on 07/05/2016 and accessed from http://bit.ly/1OycHsO
  17. Like databases for Smart City Mission, Digital India Programme, Central Monitoring System, Human DNA Mapping.
  18. C, (2016). ‘Privacy is a fundamental right’, available at http://bit.ly/1TFQevG
  19. Chapter VI, Protection of Information. Section 28(1) of The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016
  20. C, (2016). ‘Privacy is a fundamental right’, available at http://bit.ly/1TFQevG

 
