Insights into Editorial: We need Aadhaar, not just for phones
India’s Unique Identification project is the world’s largest biometrics-based identity programme. Initially, the project had a limited aim – to stop theft and pilferage from India’s social welfare programmes by correctly identifying the beneficiaries using their biometrics.
But now, the use of Aadhaar is expanding into newer areas, including business applications.
From food rations to marriage certificates, entrance exams to train ticket concessions, mobile phone cards to banking, Indians are now being asked to produce a 12-digit Aadhaar number to access both government and private sector services.
Aadhaar was designed as a digital identity platform which is inclusive, unique and can be authenticated to participate in any digital transaction. This has transformed service delivery in our country, making services more convenient for residents and reducing leakages. Direct benefit transfer, subscription to various services and authentication at the point of service delivery are some of the benefits which have accrued.
Aadhaar: a safe digital platform?
In the lecture on ‘Technology for Transformation’ organised by NITI Aayog, Bill Gates said that Aadhaar is something that had never been done by any government before, not even in a rich country.
More than a billion people in India have enrolled in Aadhaar, the world’s largest biometric ID system. The data is collected by the Unique Identification Authority of India (UIDAI), a statutory authority established in January 2009 by the Government of India.
Aadhaar does not pose any privacy risks and the Bill and Melinda Gates Foundation has funded the World Bank to implement this system in other countries as it is worth emulating, Microsoft founder Bill Gates has said.
How is privacy ensured in Aadhaar?
- Aadhaar followed the principle of incorporating privacy by design, a concept which states that IT projects should be designed with privacy in mind.
- Aadhaar collects only minimal data, just sufficient to establish identity. This irreducible set contains only four elements: name, gender, age and communication address of the resident.
- Under the scheme, random numbers with no intelligence are issued. This ensures that no profiling can be done as the number does not disclose anything about the person.
- The Aadhaar Act also has clear restrictions on data sharing. No data download is permitted, search is not allowed and the only response which UIDAI gives to an authentication request is ‘yes’ or ‘no’. No personal information is divulged.
- Besides the minimal data which UIDAI has about a person, it does not keep any data except the logs of authentication. It does not know the purpose of authentication. The transaction details remain with the concerned agency and not with UIDAI.
- UIDAI has also built a facility wherein one can ‘lock’ the Aadhaar number and disable it from any type of authentication for a period of one’s choice, guarding against any potential misuse.
Most recognise that, because Aadhaar biometrics are unique, the 50%+ levels of theft in PDS rations have all but been eliminated.
It is true there have been cases of people whose fingerprints are not getting captured and who are being denied ration benefits, but the solution to this is not to eliminate a system that is working, but to use iris scans or facial recognition to fix this problem. In the case of LPG, similarly, using the Aadhaar de-duplication software helped eliminate those with more than one LPG connection.
UIDAI is continuously updating its security parameters and looking at the new threats in cyber space. It has also decided to have registered devices for capturing biometric data and to ensure that such biometrics will be encrypted at the point of capture itself.
The Government needs to assure its citizens that the right regulatory environment exists in the country to prevent this kind of data breach, because the moment people give their personal details, they are making themselves vulnerable in the cyber world.
As an alternative to the collection of biometric information, a few experts have suggested shifting to smart cards. How will this help?
- Biometrics allow for identification of citizens even when they don’t want to be identified. Smart cards which require PINs, on the other hand, require the citizens’ conscious cooperation during the identification process.
- Once smart cards are disposed of, nobody can use them for identification. Consent is baked into the design of the technology.
- If the UIDAI adopts smart cards, the centralized database of biometrics can be destroyed, just as the UK government did in 2010. This would completely eliminate the risk of foreign governments, criminals and terrorists using the breached biometric database to remotely, covertly and non-consensually identify Indians.
- Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminate the need for a centralized transaction database.
Mandating Aadhaar for all government schemes and subsidies, and allowing it as a tool to prevent money laundering and terrorism are the most logical places to draw that line.
Restricting Aadhaar usage to just the payment of subsidies and other such transfers for the poor is always an option, but it robs the country of the ability to use the robust properties of Aadhaar.
Lighting a fire under the government to quickly enact a comprehensive national data privacy law, which enshrines internationally accepted principles of privacy, should be the next immediate action. Such a law must be the citizens’ insurance policy to prevent mass surveillance and other excessive use of Aadhaar, as in the case of the SSN.
Therefore, we need to take a level-headed approach and ensure that ample safeguards are put in place for data protection and privacy. The government should recognise both the need for Aadhaar and the need for stringent rules concerning access to and security of citizens’ biometric data, in order to preserve their privacy.
The Aadhaar card is an important document for making the government’s policies and schemes more transparent and responsible to the general public. The need is to close the loopholes so that the scheme functions properly.
The government has to establish the right regulatory environment in the country to prevent privacy breaches.
For people to trust the government and support the idea of a digital India, the government has to bring in stringent laws promoting the safety and security of digital platforms to the best possible extent.
- If the Indian government sees Aadhaar as a gateway to its services or entitlement schemes, it should move immediately to designate UID as critical infrastructure and set up a dedicated Computer Emergency Response Team to monitor attacks or intrusions on the database.
- Crafting an encryption policy that specifically addresses encryption for Aadhaar-enabled apps
- Security testing of all Aadhaar-enabled applications
- Encouraging device-level encryption for mobile phones and laptop computers
- Creating a Computer Emergency Response Team to monitor attacks on Aadhaar
- Working with the private sector at forums like the International Electronic and Electrical Engineers (IEEE) and the Internet Engineering Task Force to create interoperable security standards for platforms relying on national identity databases.
A strong data protection law and privacy laws should come soon to bring an accountable structure for the use and misuse of citizen data. It is essential to deal with issues of duplication; less disruptive methods than Aadhaar, such as food coupons, smart cards and last-mile tracking, can be used to produce the same effectiveness with far less administrative burden.
In India, payments have been linked with Aadhaar, as 5 crore bank accounts have been opened through Aadhaar. So it is important that sensitive personal data is protected and that miscreants and the irresponsible are punished. Not only Aadhaar but other databases should also be protected.