The threat of misuse is more from the government itself than from the private sector

Is fearmongering over open access to Aadhaar-based services by private sector justified
Voices Privacy Thursday, March 17, 2016 - 09:43

By Siddarth Gore

Any person who runs a household with a house-help, cook or a driver knows that the best way to find them is through recommendations. Even when recommendations are good you ask for voter ID or a driver’s license and may keep a photocopy just in case. This due diligence is a good thing because these jobs imply a ready access to the employer’s house and family. But unfortunately we are no experts when it comes to verifying the authenticity of these documents. A company is claiming to use Aadhaar to help in this matter.

Trust is an implicit part of any transaction we conduct from lending money to friends to buying property worth lakhs. There is no way of calculating the exact value of trust in a transaction but it is well known than costs are reduced for both buyer and seller when the trust factor is favorable. A good indication of the trust factor prevalent in a city or locality is provided by deposits that flat owners demand from a renter. More the deposit demanded, lesser is the trust.

Aadhaar was created to solve a specialized case of this problem. It was meant for a transaction between the government and the people in need of aid, as the name very well suggests. But it was designed as an identity platform which can be used to verify the identity of a person in any transaction. The question is that does this breach the privacy of the people involved?

The system does not allow anyone to provide an Aadhaar number and get back the person’s details like phone number or address. It can only match the data and give a yes or no answer. This is similar to when you provide your driver’s license to someone to verify your age or address. Only difference is that the verification is not based on visual inspection but on the real-time interface provided by the UIDAI system. Historically, this important function of a ‘trust broker’ has always been performed by some arm of the government – the state government through driving license, the Election Commission through the voter ID or the Income Tax Department through the PAN Card. The UIDAI is trying to match the technology with the times.

The privacy fears need to be understood from two angles. One is what the government can do with your data and the other is what the private sector can do with it.

The first is a valid concern since there have be a number of instances in history where such data collection has resulted in scary consequences. Enough safeguards need to be in place to make sure that things like ethnic or racial profiling do not happen. In fact, the UIDAI expressly prohibits collection of religion, caste or race data exactly for this reason.

But the fearmongering related to greedy capitalist misusing the poor people’s data is clearly misinformed. The entities accessing the database need to go through the Application Programming Interface (API) defined by the UIDAI. They never have unrestricted access to the information. The regulations make it compulsory to encrypt all user data like address and demographics before sending on the network and forbid their storage. Biometrics can only be collected on authorized devices which encrypt the data right from the sensor. The application has to pass through an audit which makes sure all these features are implemented before they can start authenticating users. This ensures that even the people working for the company will not be able to get their hands on the user’s data. Additionally, there is a provision for up to 3 years’ imprisonment for any violation. A company which adheres to these rules will in no way endanger the privacy or security of the individuals using its service.

Of course no system is foolproof and there will be unscrupulous people trying to break the system. But that is not specific to Aadhaar in particular but can apply to other online transactions like net-banking as well. This needs to be handled in the preview of the IT Act or other such relevant laws.

There are certainly some risks associated with an identity platform the scale of Aadhaar with over 980 million enrollments so far. The Supreme Court has already taken care of one of them. Like a driver’s license is not compulsory if you are not planning to drive, Aadhaar number should not be compulsory if you don’t want to avail the benefit of this service.

The second risk is technical in nature. Any computer system can be the target of hacking. But the rewards for the hacker increase with the size of the database. Since Aadhaar is the world’s biggest database of this kind it will surely be a target for cyber-attacks. This does not immediately render it useless but it means that the security aspect needs to be considered very seriously.

While we are debating the impact of Aadhaar, technology is leaping into completely new and disruptive directions. With technologies like blockchain (used most notably in bitcoin) the traditional role of the government as the trusted intermediary will itself become redundant. The trust will be distributed across the network and no one entity will be powerful enough to subvert that trust.

That might be the future but we have to deal with the present. A system like Aadhaar has great potential for improving the lives of people by reducing inefficiencies and transaction costs. Conservative estimates put opportunity cost of not having an efficient PDS at 30,000 crores annually. This is a cost that we can ill afford to bear. There is no estimate of the savings and increased employment opportunities that this will generate. But we can take a hint from what net-banking and electronic clearance did to the banking sector. There were worries of security breaches and identity thefts but those were placated in time and the convenience that it offers has made electronic transfers surpass paper clearing in a very short span of time.

All concerns related to privacy are exigent but the threat of misuse is more from the government itself than from the private sector and hence the safeguards must be put in place pointing inwards rather than out.

Siddarth Gore is a Research Scholar at the Takshashila Institution and he tweets @siddhya

Show us some love and support our journalism by becoming a TNM Member - Click here.