Privacy, Security and Legality Concerns with Aadhaar

Aadhaar was born in July 2009, using modern technology and management expertise. The biometric-based unique identification system was built and led by a team of technologists and innovators. It was designed to enable subsidies and social spending to reach the needy people of the country.

Aadhaar is a 12-digit unique identity number issued to the residents of India by the Unique Identification Authority of India (UIDAI). The 12 digit number is a random number issued by UIDAI. UIDAI defines Aadhaar as a strategic policy tool that may be used as a primary identifier for social and financial inclusion and to roll out public-sector welfare schemes and programmes.

The objective of issuing Aadhaar is to establish the unique identity of the person. The Aadhaar number ensures that an intended beneficiary who is entitled to the various subsidies (food grains, fuel, fertilizers) and services (health, financial and insurance) that the Central and State Governments launch from time to time is able to get them without any hassle.

It acts as proof of residence but does not grant any right of citizenship or domicile in India. Irrespective of age and gender, an Indian resident can voluntarily enrol to obtain Aadhaar free of cost, by providing minimal demographic and biometric information as set by the Authority.

Aadhaar facilitates convenience and promotes hassle-free people-centric governance. Despite being the world’s largest biometric ID system, Aadhaar is devoid of any intelligence and, therefore, does not profile people based on their caste, religion, health and geography.

To date, around 1290 million or 129 crore Aadhaar Unique Identity Numbers have been issued by the UIDAI.

About UIDAI

Unique Identification Authority of India (UIDAI) is a statutory body established under the provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. The Government of India brought UIDAI into force on 12 July 2016 under the Ministry of Electronics and Information Technology (MeitY).

Before its establishment as a statutory authority, UIDAI functioned as an attached office of the then Planning Commission (now NITI Aayog). Later, on 12 September 2015, the Government of India revised the Allocation of Business Rules to attach the UIDAI to the Department of Electronics and Information Technology (DeitY) of the then Ministry of Electronics and Information Technology (MeitY).

The UIDAI was created to issue Unique Identification numbers (UID), named as “Aadhaar”, that will be:

  1. robust enough to eliminate duplicate and fake identities.
  2. verifiable and authenticable in an easy, cost-effective way.

From enrolment to authentication, UIDAI administers the operation and management of all stages of the Aadhaar life cycle, including:

  • policy, procedures and system development for issuing Aadhaar
  • authentication and security of identity information
  • compliance of Aadhaar Act by all individuals and agencies
  • regulations and rules formulation consistent with the Aadhaar Act

Kindly visit www.uidai.gov.in for more information on UIDAI.

Data captured under Aadhaar

Aadhaar captures mainly two types of information: demographic and biometric.

Demographic information refers to an individual’s name, date of birth (verified) or age (declared), gender, address. Mobile number and email id are optional.

Biometric information refers to facial photograph, ten fingerprints and two iris scans. It’s also specified in UIDAI that biometric information may also extend to “other biological attributes of an individual.”

The Aadhaar Model

There are multiple entities involved in Aadhaar, and their interdependencies give rise to various privacy and security concerns.

The Aadhaar authentication and identity verification systems comprise the following entities:

  • The UIDAI is responsible for providing the basic identification and authentication services. It provides a unique identifier (Aadhaar Number) to each resident and maintains their demographic and biometric data in a Central Identities Data Repository (CIDR). The UIDAI manages the CIDR and provides identification and authentication services with yes/no answers.
  • An Enrolment Station, which is a collection of field devices used by enrolment agencies appointed by UIDAI to enrol people into the Aadhaar database and capture their demographic and biometric particulars.
  • An Authentication User Agency (AUA), which provides services to users that are successfully authenticated. Thus an AUA connects to the CIDR and uses Aadhaar authentication to validate a user and enable its services.
  • The various AUAs are banks and various state and central government ministries providing services such as the Public Distribution System (PDS) and the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGA).
  • The responsibility for the logistics of service delivery rests with the AUAs. In this federated model an AUA may choose only Aadhaar identification, or also authentication in conjunction with its own legacy identification and authentication system.
  • An AUA is required to enter into a formal contract with UIDAI to be able to use Aadhaar authentication services.
  • An Authentication Service Agency (ASA) is an entity that has secure leased-line connectivity with the CIDR. An ASA transmits authentication requests to the CIDR on behalf of one or more AUAs. An ASA also enters into a formal contract with UIDAI.
  • The users, the residents of the country, who enrol themselves with UIDAI and are issued unique identification numbers (Aadhaar Numbers). A user has to present this number as the basic identification to an AUA for availing Aadhaar authentication services.
  • The Aadhaar number for a user is common across all AUAs and service domains.
  • The Point of Sale (POS) device, also known as an authentication device, which collects personal identity data from Aadhaar holders, prepares the information for transmission, transmits the authentication packets for authentication and receives the authentication results in the form of Yes/No from the CIDR.

Privacy and security Concerns in Aadhaar

Aadhaar’s main privacy concern is the confidentiality of the Central Identities Data Repository (CIDR). The CIDR should be inaccessible except for biometric authentication; on the contrary, a framework put in place by the Aadhaar Act 2016 makes CIDR information open to sharing with “requesting entities”.

Private information of an individual generally comprises biometric information, identity information and personal information. In the Aadhaar Act, the first two types have been defined and protected to some extent, but threat issues lie with the third type which covers a broader scope of information specific to an individual, such as browsing activity, location data, employment details, etc. The Aadhaar Act lacks safeguards in this respect.

Privacy Concerns

The privacy concerns in Aadhaar arise from the following assumptions, which we believe are fundamental in nature:

  • Authentication without consent should never be possible under any circumstances. Identification without consent should also not be possible except in some special situations like disaster management, identification of accident victims, law enforcement etc. It should be noted that providing one’s identity for obtaining services in any local context is always with consent.
  • Unapproved profiling, tracking and surveillance of individuals should not be possible. There should be sufficiently strong technical measures to prevent such breaches of privacy, in a way that users can verify.
  • The technical implementation of privacy and security must be correct with respect to the legal and regulatory framework. The legal framework must accordingly be made stringent and suitably enhanced with special provisions to protect the privacy of individuals in a technologically advanced society.

Security Concerns

Data leaks and identity theft are the main issues that need to be addressed by UIDAI. Since there is exponential growth in the allotment of Aadhaar numbers, it is of concern that this unique ID number will be a unifying factor across multiple databases for the user. The Aadhaar number will become the common number linking all those different databases together.

  • There is a gap in the legal framework for security and protection of personal data being collected by various government and private agencies while establishing identity through Aadhaar authentication.
  • There is an urgent requirement to enact a robust legal and regulatory framework. Multiple concerns arise from the lack of data protection laws, e.g. data loss, unauthorised access and misuse of data, fraud, identity theft resulting in loss of reputation, financial loss due to cybercrimes and frauds committed on the compromised identity, compromised data through wrongful exclusion and denial of services, and unlawful and undesirable use of personal data for profiling, tracking, geo-location tagging and violation of privacy rights.

If Aadhaar is made compulsory for buying a SIM card or booking a railway ticket, or for any other such service or record like school records or income-tax records, then any organisation, government or private, can get access to the consumer’s relevant records and possibly integrate the different databases, which is not prevented by the Aadhaar Act. Also, since the Aadhaar Act does not identify such data as “identity information”, those organisations can collect and collate all sorts of personal information without restriction, and the personal data can be misused as well as abused in multiple forms.

Let’s take the example of Reliance Jio to illustrate Aadhaar misuse by a private company. Jio owns over 100 million Indians’ identity information, which it has harvested from the CIDR, since users need to authenticate themselves to purchase a Jio SIM card. Since the Aadhaar Act 2016 lacks a clear set of restrictions on the use of this database, Jio’s ambition for big data can take endless forms.
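The linking risk described above, as an added example (not from the original article, and not a description of how UIDAI's systems work): when three agencies store the same number, their records merge into one profile per person, while keyed per-domain pseudonyms leave nothing to join on. The records, keys, field names and the token scheme are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed records. The 12-digit values are placeholders, not real Aadhaar numbers.
TELECOM = [{"uid": "000000000001", "sim": "SIM-A1", "last_tower": "Pune-14"},
           {"uid": "000000000002", "sim": "SIM-B7", "last_tower": "Kochi-03"}]
RAILWAY = [{"uid": "000000000001", "pnr": "PNR-551", "route": "Pune-Delhi"},
           {"uid": "000000000002", "pnr": "PNR-902", "route": "Kochi-Chennai"}]
TAX = [{"uid": "000000000001", "pan": "PAN-X", "income_band": "5-10L"},
       {"uid": "000000000002", "pan": "PAN-Y", "income_band": "10-15L"}]

# Hypothetical per-domain secrets, held by the identity issuer and never by the agencies.
DOMAIN_KEYS = {"telecom": b"constructed-key-telecom",
               "railway": b"constructed-key-railway",
               "tax": b"constructed-key-tax"}


def link_on(key, *databases):
    """Merge every record that shares the same value of `key` into one profile."""
    profiles = {}
    for db in databases:
        for rec in db:
            attrs = {k: v for k, v in rec.items() if k != key}
            profiles.setdefault(rec[key], {}).update(attrs)
    return profiles


def domain_token(uid, domain):
    """Keyed, domain-specific pseudonym. A plain hash would not do: the
    12-digit space is small enough to enumerate and reverse."""
    mac = hmac.new(DOMAIN_KEYS[domain], uid.encode(), hashlib.sha256)
    return mac.hexdigest()[:24]


def tokenise(db, domain):
    """Return the database as the agency would hold it: token instead of the number."""
    return [{"token": domain_token(rec["uid"], domain),
             **{k: v for k, v in rec.items() if k != "uid"}} for rec in db]


def widest_profile(profiles):
    """Largest number of attributes gathered about any single key."""
    return max(len(p) for p in profiles.values())


if __name__ == "__main__":
    shared = link_on("uid", TELECOM, RAILWAY, TAX)
    print(len(shared), "profiles,", widest_profile(shared), "attributes each")
    split = link_on("token", tokenise(TELECOM, "telecom"),
                    tokenise(RAILWAY, "railway"), tokenise(TAX, "tax"))
    print(len(split), "profiles,", widest_profile(split), "attributes each")
```

With the shared number the join yields one six-attribute profile per person; with per-domain tokens the same join yields six unrelated two-attribute records.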

Misuse of Aadhaar

It’s a classic case in which the Authentication User Agency (AUA as per UIDAI) has violated the UIDAI 2016 Act. In 2017, a massive misuse case of Aadhaar surfaced, with Airtel routing LPG subsidies worth Rs 190 crore of 31 lakh users to bank accounts of Airtel Payment Bank instead of beneficiaries’ original bank accounts. Many customers were not aware of the change in bank account and thought that the Government had stopped paying subsidies on LPG.

Bank accounts under Airtel Payment Bank, with Aadhaar numbers force-seeded, were opened without obtaining the consent of its mobile subscribers. Airtel allegedly misused the eKYC license which is used by third parties, like a bank or telecom company, to authenticate the identities of Aadhaar holders as a means of complying with “know-your-customer” regulations. Airtel Payments Bank was penalised Rs 2.5 crore and its eKYC license was suspended. UIDAI restricted Airtel eKYC & authentication service only for re-verification and issuance of SIM cards.

Legal Concerns over Aadhaar

Justice K.S. Puttaswamy, a retired judge of the Karnataka High Court, challenged the Aadhaar scheme before the Supreme Court in 2012, claiming that Aadhaar infringed upon fundamental rights guaranteed by the Constitution. His objections entailed the government’s inadequate privacy safeguards and unchecked power of government over the collected biometric data.

Tug of war

Ever since the union and state governments began not only to make Aadhaar mandatory for availing a slew of services (including opening bank accounts and buying cell phone services, to name a few) but also to turn it into the de-facto national identity, many privacy advocates started going to court to file petitions concerning the usefulness of Aadhaar.

Mandatory Vs Voluntary

The first sign of Aadhaar becoming compulsory came to light in 2012, with Indian Oil, Bharat Petroleum and Hindustan Petroleum testing a pilot project that required LPG refills to be linked to the ID. Soon after, the trend hit the banks in 2013, making Aadhaar compulsory for providing services, including LPG subsidies.

In September 2013, the Supreme Court started hearing petitions regarding the usefulness of the Aadhaar. The court ruled that the lack of Aadhaar Number could not be the grounds for depriving citizens of benefits and services. However, the Minister of Petroleum and Natural Gas, continued the Aadhaar-linked Direct Benefit Transfer (DBT), saying the government would move the apex court for a ‘correction’ in the order. In October, the union cabinet stamped the bill cleared, giving statutory authority to UIDAI.

The Supreme Court subsequently issued a directive to withdraw any and all instructions that made Aadhaar mandatory. It forbade UIDAI from sharing data with other agencies.

The new government in 2014 also tried to keep Aadhaar firmly in place, making it compulsory for issuing a passport, vehicle registration, PAN card and Jan Dhan account verification, among other services. (Jan Dhan is a scheme launched by the Government for the poor to get their bank account opened without any reference; the Aadhaar card was used as a verification tool to open these bank accounts.)

In 2015, the country saw a lengthy back and forth between the Supreme Court and the Government on the Aadhaar matter related to whether it can be made mandatory for those government benefits and services that citizens are entitled to under law.

Hence, in 2015, the Supreme Court passed some interim orders stating that:

  • Aadhaar cannot be made mandatory for providing citizens with benefits and entitlements as provided by the Government.
  • It can only be used for seven schemes including PDS distribution of food grains and kerosene, LPG distribution scheme, MGNREGA wage payments, and Prime Minister’s Jan Dhan Yojana.

Linking Aadhaar with PAN

In 2017, after Parliament made Aadhaar mandatory for filing of tax returns and applying for PAN under the Income Tax Act, 1961, fresh petitions were filed in the Supreme Court.  The new provision stated that if a person failed to link their PAN with the Aadhaar number by a date notified by the Central Government, their PAN will be invalidated.

The government said that this will decrease the problem of multiple PAN cards obtained under fictitious names and the consequent tax fraud and tax evasion, because Aadhaar will ensure proper identification of the person since it is a unique identification number allotted to the individual. However, the petitioners argued that this may interfere with a person’s fundamental rights such as their right to practice any profession, trade or business and right to equality.

However, the Supreme Court in its judgement on the constitutional validity of Aadhaar, has upheld the Government’s decision to link PAN with Aadhaar. It has also made it mandatory to furnish Aadhaar for filing Income Tax Returns (ITR).

Money Bill

On March 3, 2016, the government introduced the controversial Aadhaar bill as Money Bill in Lok Sabha. A Money Bill needs to be passed only by Lok Sabha.  Rajya Sabha can only make non-binding recommendations to it.  However, the non-binding recommendations made by Rajya Sabha were rejected by Lok Sabha.  The bill was enacted to provide legislative backing to the project. It was introduced by the then Minister of Finance, who while addressing the bill, reiterated privacy as not an ‘absolute’ right.  You can read and download the Aadhaar Act 2016 and its amendments brought in 2019 at www.datasecure.ind.in under Resources in Privacy Regulations and Frameworks.

On 24 August 2017, a historic judgement was passed by the Supreme Court of India that declared the right to privacy to be a part of the fundamental rights protected by the Indian Constitution. The Supreme Court declared that the right to privacy stems from the fundamental right to life and liberty as stated in Article 21 of the Constitution of India. Emboldened by it, the Supreme Court set up a 5-judge bench in the Fall of 2017 to hear all petitions on the Aadhaar programme.

On 26th September 2018, the Court announced its verdict. It upheld the Aadhaar Act as constitutionally valid but struck down some of its provisions, including its linking with bank accounts, mobile phones and school admissions. The Court ruled that the Act empowers disenfranchised sections of society by giving them better access to fundamental entitlements, like State subsidies.

In a landmark move, Rajya Sabha passed the Aadhaar and Other Laws (Amendment) Bill, 2019 on 8th July 2019. The amended bill re-established Aadhaar as a valid identity proof for services and benefits.

Comparison of Aadhaar with SSN

The Social Security Number (SSN) is widely used by US government agencies for delivering various government services. Compared to India’s decade-old Aadhaar, the SSN has its origins in the years of the Great Depression (August 1929 to March 1933). It is a nine-digit number, which is often put parallel to India’s unique identity project. Here is how the two compare on the key aspects:

  • Identification Document: SSN doesn’t serve as a personal identification document. By contrast, Aadhaar can be used to authenticate Indian residency.
  • Eligibility: Anyone who has lived for at least 182 days in India can enrol for Aadhaar. SSN is for only US citizens and those who are authorised to work in the US.
  • Authentication: Aadhaar authenticates a person and prevents identity fraud. SSN does not verify an individual’s identity.
  • Data: SSN does not store biometrics and photographs, unlike Aadhaar which has biometric information rooted in its programme.
  • Database linking: The key concern that makes Aadhaar notorious is its linking with multiple databases. Aadhaar links to bank records, ration lists, educational records, etc. In contrast, there is no seeding done using the Social Security Number.
  • Purpose: SSN was created as a number record-keeping scheme for government services. In contrast, Aadhaar was created as a biometric-based authenticator and a single unique proof of identity.

Significance & Benefits of Aadhaar

Aadhaar is a big leap towards digitising India. It facilitates convenience, eases life and promotes hassle-free people-centric governance. It reduces the stress with quick identity and residence verification, filing income tax return (ITR), passport application, new mobile connection, booking railways tickets, pension pay-outs, opening bank and investment accounts, provident fund disbursement, availing government subsidies, etc.

Here are the possible use cases of Aadhaar (some of which are already in action and some may come into the role as time unfolds):

Identity deduplication

The uniqueness of Aadhaar numbers and linked information helps with the de-duplication of identities. No two people share the same Aadhaar number. In the case of identity theft, Aadhaar can be used to verify the authenticity of the person of interest.

Control of corruption

A major benefit of linking Aadhaar with bank accounts and PAN cards is that money laundering activities can be controlled. Black money issues can always be targeted with Aadhaar in place.

Public distribution system

State, central or private bodies handling subsidies and income support can track the population drawing social welfare benefits and curb duplicitous transactions. Surveys that would otherwise consume additional resources and planning can be cut down with Aadhaar.

Undisputed elections

Linking Aadhaar with voter ID encourages good governance by helping the government eliminate bogus voters. Not only do elections become fair and transparent, but an individual’s right to vote also stays intact.

For downloading the latest version of various data privacy laws, kindly visit the Resources page under www.datasecure.ind.in

For any Privacy Management Solutions or Privacy Training, kindly write to us at info@datasecure.ind.in
