Updating Aadhaar for better privacy

Each authorised user of the system would get a longer number that is generated to be unique, but based on the base UID number.

To its proponents, Unique Identification (UID, branded Aadhaar) is the solution to citizen empowerment. To its opponents, UID is a violation of not only citizen privacy but even citizen rights. In reality, like any programme or project, it can be anything we design it to be. It is only through purposeful design that we can ensure that risks and unintended consequences are kept under control. The government passed the Aadhaar Bill giving statutory rights for the programme, but this still leaves privacy as a specific challenge. However, this can be addressed.

Stated goal of UID

Privacy with Aadhaar isn’t just an abstract issue, but related to the fundamental view of how data are to be accessed and used. Leaders of the UID project stated in past discussions that privacy was not only paramount, but easily handled because the UID system would only be a yes or no identification system (relying, of course, on the accuracy of underlying registration). The system can be queried to verify if a person is who she claims to be based on the registration. Per design, the UID system would not know or care whether the person was Above Poverty Line or Below Poverty Line — such things would be the prerogative of the users of the system such as banks, service providers, or development schemes (here, users are not the citizens but system users like listed).

At one level, this sounds appealing. But the problem is precisely the use of UID beyond the intended and appealing aspects, by its partners and systems providers. As Henry Wadsworth Longfellow wrote poetically if not prophetically, “I shot an arrow into the air, It fell to earth I know not where.” Instead of UID being agnostic to how the system gets used by others, UID’s design should assume the worst, and try to prevent linking of databases by third parties, or unintended usage. Otherwise, these could lead to not only an abstract violation of privacy but also very specific and troubling asymmetries in commercial transactions and citizen empowerment/rights, including through profiling. We have already seen advertisements of private entities offering to use the Aadhaar database for commercial/private uses.

Who has rights to the data? This needs clarity. The problem with rights to access is the possibility of unintended access. One thing we can learn from other large IT systems is that the boundary matters — just worrying about outsider hackers is wrong for IT systems since most IT security breaches involve an insider (and also mistakes). Similarly, UID’s privacy cannot be viewed simply from an internal database and its security perspective but rather the ecosystem of users of UID. UID is only as secure as its weakest link. This is where segregation of data can help.

We must ensure that the UID database is not used in a manner that can hurt the citizens either accidentally or through mission creep with unintended consequences. It’s worth thinking about what could go wrong.

The solution

What if we could have a UID that was never inter-linkable across users, but yet at the same time uniquely linked to the person through biometrics? The answer is we can, through the use of not a single UID, but a base UID (like we have today) plus modifications per user (if not per use). Instead of, say, MNREGA using the 12-digit number like today, each authorised user of the system (such as MNREGA, a bank, and so on) would get a modified (longer) number that is cryptographically generated to be unique but based on the base UID number in such a way that it could be proven to be functionally the same. Technologically, this would use a one-way hash that would be irreversible so that the longer number or code couldn’t reveal the base UID number.

The benefits of this would be twofold. First, a corporation or other user could not create a linked database for profiling — they would all have different UID+ numbers. Second, to even get the UID+, the cryptographic process could be restricted to authorised users. This way, we could prevent the UID becoming a casual identifier. For instance, in the U.S., the social security number morphs into something required by the cable TV operator when you raise a service complaint! Of course, in India we risk a similar link/identifier — our mobile number.

This same concept of separation applies to security from an Indian government-citizen perspective. Given that Indian and global private technology companies are inevitably involved, breaking up the data (analogous to the UID versus UID+), where it’s stored, broken up, and so on can improve security.

From UID to UID+

One has to get the technology right for any programme, but its long-term success depends on people wanting it. Even if due to misinformation, perceptions matter. Recall how the U.S. nuclear power industry was effectively stalled even before the Three Mile Island accident due to a combination of secrecy, arrogance, and “trust us” instead of engagement and communication.

The proposed update of UID to a UID+ system can address many of the concerns, and its roll-out need not be viewed as a failure of the original system but simply an update. The next step should be an analysis of how it can be done without disrupting the existing UID database(s).

The good news is almost anything is feasible, computationally. We simply need to update our mindset of a Unique ID — there can be many such unique numbers, just like many people now have multiple and even disposable email addresses. There will be a small overhead for such designs, including one-time update costs for those who are already using the current UID number, but this is a worthwhile investment for something meant to last more than a citizen’s lifetime.