Why Nandan Nilekani’s sales pitch for Aadhaar is hard to buy

In his Indian Express op-ed piece, former Unique Identification Authority of India (UIDAI) Chairman Nandan Nilekani makes his latest pitch for Aadhaar and calls for an appeal against the Supreme Court’s interim judgment dated August 11, 2015.

Replacing Jesus with the Mahatma, Nilekani opens with the classic evangelical trope: “What would Jesus do?” Quoting an unrelated snippet from history, he concludes that Gandhi would have supported getting fingerprinted and thus in the court of the Mahatma’s morality the Supreme Court would fail.

The fact is when the Boer regime of South Africa proposed a new law seeking to create a fingerprint database of all Indian males above the age of eight, Gandhi chose jail over getting fingerprinted.

Like those opposing Aadhaar as a matter of principle today, Mahatma Gandhi too refused to get fingerprinted — not because he had something to hide, but because fingerprinting legal citizens is disrespectful and a violation of civil liberty that sets the stage for a police state.

Sifting through the op-ed’s verbiage, one finds Nilekani reiterating the old claims of the biometric lobby that Aadhaar will effectively eliminate leaks in the welfare schemes, which are bleeding the country’s economy.

In addition, Nilekani says:

  1. He’s okay with Aadhaar being declared voluntary by the SC but not okay with the SC limiting Aadhaar usage to only cooking gas and public distribution system (PDS) benefits
  2. The Aadhaar database is “ignorant” (meaning neutral) about how it is used
  3. Aadhaar’s system is federated and secure, and privacy-respecting by design

First, in prioritising the need to plug leaks in welfare subsidies, Nilekani, like most business czars of this country, lays bare his obsession with policing the poor and the schemes that benefit the most vulnerable.

Satyam Infotech until the exposé stood alongside Tata Consultancy Services, Infosys and Wipro in the much-vaunted pantheon of Indian IT companies. Under the personal direction of once poster boy B Ramalinga Raju, Satyam scammed the public exchequer of a staggering Rs 9,756.02 crore. That figure is Rs 1,756 crore more than the total kerosene subsidy of India.

The 2G scam was led by information and communication technology companies riding the internet boom. The valuation of the scam stands at Rs 30,984.55 crore. Less than half that amount (Rs 14,063.5 crore) is what will go into paying wages under the Mahatma Gandhi National Rural Employment Guarantee Act for FY15-16.

Surely, Nilekani with his superb record as an Infotech-titan-turned-visionary-politician would have seen which leaks are bigger and bleeding the Indian economy to death — which he poetically calls “the unleashed aspirations of a billion people”. How do he and his Aadhaar propose to plug these leaks?

Second, Chhattisgarh, Tamil Nadu and Bihar have shown that leaks in the PDS can be plugged using non-tech methods like colouring food-grain trucks bright yellow or low-tech methods like sending one-time passwords to mobile phones.

So, from the welfare perspective, other than being an employment guarantee scheme for the recession-hit IT/BPO sector, there is no apparent need for the multi-million dollar biometric Aadhaar database.

But all of the above is an old debate.

Coming to the new, the SC has always said Aadhaar is voluntary and on that count the UIDAI, the banks and the LPG distributor companies have continually been in contempt of court. Irrespective of what the SC said, no effort has been spared in ensuring that Aadhaar stays voluntary on paper but becomes de facto compulsory in every sphere of real life.

Not stopping at PDS and LPG, Aadhaar enrolment has been demanded for marriage registrations, student scholarships and even payment of salaries. The UIDAI has been hitting the lower- and middle-class people where it hurts them the most — their humble purses.

In a bid to neutralise their ploy, the court has now directed UIDAI to advertise the non-compulsory nature of Aadhaar.

It’s been over a month since the order, so now is a good time to ask Nilekani to show us which newspapers, radio and television channels, and SMS campaigns have carried advertisements saying Aadhaar is not compulsory. Would he care to show us a comparison of the money spent in advertising Aadhaar enrolment versus the amount spent telling people Aadhaar is not compulsory?

Nilekani says the SC is wrong in limiting the scope of Aadhaar to only LPG and PDS and rues the fact that the election commission and other government agencies aren’t going to use the Aadhaar database.

His frustration with the SC for not taking his claims as gospel truth is clear in paragraph five where he asks why bother making just PDS and LPG Aadhaar-linked and not go the whole hog?

One wonders what Nilekani really expects from the Supreme Court, Parliament and the people of this country.

Would Infosys hire a random person solely on the basis of his claims about what he can do without verifying things for themselves? Would they hand over charge of crucial business processes without seeing demonstrable proof of merit and evidence of past work?

Why does he expect the same to be done for him and his pet project? Why will agencies across the board blindly accept Aadhaar as the central dictator in processes crucial to the Indian public life?

Aadhaar has proven itself nowhere. Biometric databases in general have been dumped the world over as unreliable technology that costs way more than it is worth.

By his own admission, Nilekani has said biometric measurements like iris scans are “not a mature technology”. R S Sharma, who now heads the UIDAI, has himself said that fingerprints, which lie at the core of this database, can have seriously high margins of error in India, where huge sections of society are involved in manual labour and their fingers are damaged.

The fact is the Aadhaar database is so unreliable that even the banks who enrolled people don’t use it!

Nilekani claims “the UIDAI system is completely ignorant of the usage” — meaning it does not know or judge who uses the Aadhaar data, for what purpose and with what intent.

This is, at best, feigned ignorance.

First, the UIDAI website declares that agencies who wish to use the database will have to declare purpose and nature of business.

So if UIDAI knows Corporation X is a payment processing agency, when Corporation X does a Know Your Customer (KYC) call, the UIDAI system knows a payment was processed on behalf of the citizen whose data was queried.

And because Aadhaar wants to become the one-stop identity shop for all types of work from clinics to banks, employment, crime, voting and so on, it’s trivial to connect the dots of individual KYC calls made for a certain individual and build up a complete surveillance image of that person.

Second, the revenue generated by simply renting out e-KYC access licences is peanuts compared to the millions that can be made from mining and selling such data.

We see, then, that it is not the UIDAI’s ignorance Nilekani is counting on, but that of the general public outside the UIDAI.

His other claim is that Aadhaar data is federated and, therefore, secure and privacy-respecting by design. Nothing could be further from the truth.

Decentralisation of data, which he calls federation, is a time-tested security measure. But the Central Identities Data Repository (CIDR) is anything but decentralised.

The CIDR stores both the demographic and the biometric data all in one place — that’s how Aadhaar is designed and does its KYC. So anybody who has (or gains) access to that one point has access to all of the data. Keeping so much data in one place is a recipe for disaster.

In the post-Eric Schmidt and post-Zuckerberg world, no right-thinking person would take private corporations’ and their CEOs’ word on respecting privacy. Closed black-box systems rot at the heart and sunlight is the only disinfectant.

If the UIDAI wishes to gain credibility in the eyes of the public, it will need to submit itself to open verification and public scrutiny. Scrutiny, not just of its technology and security by pro-civil-liberty hackers, but also of the business agreements it has made with partners like MongoDB, contractors like Accenture and solution providers like L1 Identity Systems. They must not seek immunity under terms like trade secrets.