Aadhaar card privacy for public good

There are a number of PILs pending before the Supreme Court challenging Aadhaar on various grounds, including privacy. The issue being argued is whether privacy is a fundamental right or not.

Unlike many countries, India doesn’t have a law on privacy. The then-chairman of the Unique Identification Authority of India (UIDAI), Nandan Nilekani, had written to PM Manmohan Singh in May 2010, suggesting that there was a need to have a data protection and privacy law. The law has since been in the making. It only shows that the UIDAI was very much alive to the concerns. Many of them were addressed through the design principles.

Aadhaar has been primarily designed as a tool to streamline the delivery system. Many people can’t access government benefits as they do not have documentary proof of their identity. Aadhaar has been designed to be inclusive so as to solve this problem. It has also been designed to ensure delivery of benefits directly to the people.

Studies estimate leakage in the range of 10-30%, mostly due to ghost and duplicate beneficiaries. By ensuring the uniqueness of identities, it eliminates these ghosts and duplicates, saving thousands of crores of rupees. It can also eliminate benami transactions that cause huge tax evasion, resulting in the creation of black money.

While creating an identity infrastructure, the UIDAI decided only to collect the minimum data sufficient to establish identity: name, gender, age and communication address. The inclusion of a photograph, iris image and fingerprints in the biometric set was to establish uniqueness. The proposal to add ‘place of birth’ was rejected since it may be used to profile individuals. Why biometrics then? Precisely to ensure uniqueness. That was the mandate for establishing the UIDAI. Biometrics alone can ensure authentication — you can authenticate your identity online from anywhere, anytime. The operative word is ‘you’.

During a biometric-based authentication, it is the individual who has to participate in the process, typically at the service delivery point to prove his identity. It facilitates residents in getting a service in a paperless way. As no information is divulged to any agency without the consent of the concerned individual, it can’t violate any privacy. Such authentication ensures that documents cannot be misused. On the other hand, physical documents furnished to avail services — opening a bank account, checking into a hotel or getting a subscriber identity module (SIM) — are liable to misuse.

There have been instances of multiple SIMs being issued using documents whose owner is not even aware of such fraud. Electronic know your customer (KYC), on the other hand, ensures that the document cannot be used for any other transaction. The UIDAI also has built a facility wherein you can ‘lock’ your Aadhaar and disable it from any type of authentication for a period of your choice.

When a physical document is misused in a transaction, there is no way the owner comes to know of it. But the UIDAI sends a message and an email to the concerned person the moment authentication happens. It ensures additional protection against any misuse.

The second design principle was to issue random numbers with no intelligence — to protect privacy by ensuring that the number does not disclose anything about the person. What is more, the UIDAI does not permit data download. Search is not allowed and no data can ever be accessed just by the Aadhaar number. There is no question of sharing biometric details.

Besides the minimal data, the UIDAI does not keep anything except the logs of authentication. It does not know the purpose of authentication. It only knows the date and time and the agency through which it was done. The transaction details remain with the concerned agency. The model ensures that each data-owner shares the responsibility of confidentiality and security.

So, Aadhaar protects privacy by design. It also provides end-to-end encryption of data that is impossible to break should the data fall into wrong hands. The public position of UIDAI on privacy has been that it will comply with every law, principle, doctrine and standards of privacy adopted in India. The problem is that it is being put to random tests with the expectation of being compliant with anything and everything on privacy.

As we have built the world’s largest next-generation digital identity infrastructure, we should focus on leveraging it for service delivery with security and without violating privacy. Whether fundamental or not, the right to privacy is something that India must guard all the time.