The government of India came up with a new identification programme in the year 2009: Aadhar. Today it is the largest biometric database in the world. Beyond just our names, phone numbers and address, Aadhar has recorded our fingerprints, photographs and IRIS scan. The data is collected by the Unique Identification Authority of India (UIDAI) under the Ministry of Electronics and Information Technology. The government of India has made Aadhar the most important tool for transferring benefits to the people of India (subsidies and services), but the Supreme Court of India has questioned the extent of government or private sector penetration given the access to such a large pool of consumer data (read consumers). The fundamental right to privacy is the constitutional pillar that the apex court would want to protect with all its might.
When the government came up with the Aadhar program, it was optional to enroll. Only a selected few government schemes required the usage of Aadhar. It primarily aimed to give a documented identity to people who did not have an alternative identity like ration cards or voter IDs required to open bank accounts, participate in the government schemes and avail certain subsidies. But with time, Aadhar became a necessary document for many other Government regulated programs and even areas pertaining to private sector. Now, for even a bank account, Aadhar is mandatory. It is nearly impossible to live in India without having enrolled for Aadhar —Purchasing railway tickets online, filing tax returns, getting school lunch in state-run schools of Uttar Pradesh, accessing public Wi-Fi in some areas, and availing almost all welfare programmes.
A threat to privacy?
The increased range of services and duties that come under the Aadhar compulsory deal has increased privacy concerns. Public Wi-Fi services asking for the consumer’s Aadhar number carries a potential risk of breach of privacy from accessing their phones’ contact lists, viewing files in their laptop, tracking on-line transactions, etc.
There are three types of data that is collected by the UIDAI: biometric, demographic and personal. Biometric includes the photograph, iris scan and fingerprints; demographic includes the name, address, place of birth, telephone number and so on; and personal information would include your browsing history, what you ordered for tonight’s dinner online, who you spoke to this evening and so on. The scary side of the story is that while the first two types of data are formally defined in the Aadhar Act 2016, personal information is not mentioned anywhere in the act . This means that Aadhar’s biggest threat to privacy relates to the third type of information/data i.e. personal information.
Data is the New Oil
Something that has gone without much notice is Section 8 of the final version of the Aadhar Act 2016 . It creates ripe conditions for the business and private players to realize business opportunities associated with Aadhar-enabled data harvesting.
When a consumer purchases a new cell phone, the service provider would now receive the consumer’s demographic data and the Government would get access to the meta-data, which includes the time and date of the purchase, the form of identification used, etc. Section 8 of the Act has a clause that allows sharing consumer information with the ‘requesting entities’ on the consumer;s consent where the requesting entity shall mention the purpose in the consent section. However, it is difficult for any consumer to read the fine print of the terms and conditions.
Such direct possibilities of data being distributed amongst governmental and private players make us, the consumers, vulnerable to business entities— Our consumption pattern would indicate our tastes and preferences, our current choices, and what we might buy in the near future with an income level known to the sellers or the service providers.
The very first thing that the government needs to assure its people of is that individuals’ sensitive information is safe with the government, and that it will do everything to prevent it from being misused. Also, the data collector should be made accountable for collecting, processing, and the use to which data is put. However, several alternate solutions — like the introduction of pin which would require an individual’s conscious cooperation during the identification process — are also possible.
Ultimately, privacy judgment should provide the basic framework for Aadhar.
– Contributed by Kushal Jalan
Picture Credits: trak.in