India is by far the only country which has taken biometric registration of its entire population to near completion. As of 15th August 2017, nearly 1.2 billion Aadhar enrollments have happened which translates into somewhere 87-90% saturation/ population coverage. The uniqueness of Aadhar is that it not only captures basic/ demographic details but also biometrics including Iris scan & fingerprints.
The GoI is now slowly pushing Aadhar as the unique ID for a person with capability to track everything through one ID. Hence, we have seen, PAN, Bank A/c#, EPFO#, Mobile # already being already mapped or in process of being mapped to Aadhar. The latest update is that the Driving license is also going to get mapped to Aadhar. The IDs that are left with are Passport and the Voter ID. Many countries have gone for biometric passports and hence India may also follow suit sooner or later. The easiest way will be to compulsorily map Aadhar to Passport as the earlier already has the necessary biometrics captured. Once that process is complete, only Voter ID will be left. Mapping of Voter ID with Aadhar has its own political challenges but a few countries have already taken that path to eradicate bogus voters. So, if you are an individual, following aspects of you are already or in process of getting tagged to Aadhar:
- Your basic identity details including address & photo
- Your biometric identity (Iris & fingerprint)
- Your financial status/ records/ transactions/ tax records/ provident funds etc. With more transactions happening through digital channels (e.g. your travel tickets, marketplace purchases, movies, hospital bills etc.); more information/ tracking of you can be done through this single ID
- Your mobile details (SC ruling, all mobile numbers to be mapped to Aadhar by Feb 2018). With mobiles, mostly smart phones, it may translate into wider access of information about you.
- Your driving records (include your traffic fines/ violations)
The above means that with Aadhar, now you/ I can possibly be tracked for what we buy, where we travel, whom we speak and many more by federal/ government agencies, if they really want to. While one may argue that in today’s generation the prevalence of social media makes such information anyway easily available, but that argument does not hold true as in social media, it is the choice of the person to share or not to share, who can see or even decide not to be an active participant. Unfortunately, that right to make own choice would no longer be valid under Aadhar led surveillance, if that becomes a reality. While stating that, the intent is not to belittle the stated objectives / benefits of such a unique ID.
The stated intent of Aadhar is not bad despite that eerie feeling that you may have after having realized that everything you do can be looked at by ‘big brother’. Let’s look at some of the benefits use case:
- Curbing black money/ tax evasion: Aadhar PAN linking have helped identifying cases of duplicate PAN. Duplicate PAN is often used for tax evasion & black money purpose. As per a written reply at Rajya Sabha by MoS for Finance, more than 1.14 Million PAN had been deleted/ deactivated. Similarly, UIDAI has deactivated 8.1 Million Aadhar numbers
- Minimize subsidy leakage/ effective benefit distribution: Along with Jan Dhan accounts and increasing reach of digital, GoI aims to leverage the JAM trinity (Jan Dhan, Aaadhar, Mobile) to facilitate direct transfer to beneficiary accounts and thus minimize leakage of subsidy. Consider the fact that total subsidy amounts to more than 4% of country GDP and hence any minimization leveraging Aadhar & available technology can yield significant savings & efficient allocation. Aadhar payments bridge (APB) facilitates this seamless transfer of all welfare scheme payments to beneficiary residents
- Aid in Digital proliferation: Aadhar enabled payment systems (AEPS) allows banking transaction at micro ATM by online authentication of Aadhar through fingerprints. Currently there is also a discussion to extend this at POS transaction where any Aadhar holder can make payment through Aadhar authentication (biometric match) instead of using debit cards.
- Usage in criminal identification: This is a controversial use case. The biometric database can be leveraged to identify a criminal based on biometric match. But there is a huge controversy as UIDAI itself has asked SC to put a ban on such usage as it goes against the original intent of Aadhar of ‘civilian use and for non-forensic purpose’. Also, there can be false match which can put an innocent person at risk.
Clearly going by the first 3 stated benefit use case, there is a logical reason and need for a unique ID for the population. The challenge lie in 3 key aspects of such data:
- Data Privacy: Are you as a law-abiding citizen comfortable with such a comprehensive set of information being available? What are the potential misuse of such data falling into wrong hands?
- Data Security: How strong is the security mechanism guarding these data? How does one ensure no leakage with so many stakeholder (beside UIDAI) in the usage of these data? (starting from enrollment agencies, banks, Gov. agencies, Tax departments etc.)
- Citizen rights/ recourse in case of data compromise: Are the laws strong enough to ensure that citizen interest is safeguarded/compensated in case of a breach/ compromise of the data?
These concerns are quite valid and there are no easy answers. A few countries like Brazil, Mexico, Bulgaria, Chile, Kenya have initiated the process of creating biometric IDs for their citizens but a few other countries had to roll back such initiatives under protests/ opposition.
- UK tried to implement a national identity register & ID Card system which would have captured extensive personal information & biometric details. The program led to huge protests and the government ultimately scrapped the plan
- Kuwait tried invoking something similar in 2015 which even included DNA profiling but had to finally leave it under severe protests and opposition from the emir himself
- Israel also tried to put something similar in place in 2009. They ran a pilot which was successful but later for some reasons has delayed the rollout and fingerprints may no longer be necessary
The privacy & security aspects have become very important today as incidents of breach/ frauds in this era of digital have increased significantly. The additional challenge is that in such circumstances the impacted citizen/ individual is generally most vulnerable and least strong to fight the odds.
A few recent incidents of personal data breaches highlight the risk at large.
Three aspects/ concerns come out very clearly:
- Massive data breaches incidents are happening quite frequently and remains a formidable risk
- Citizen recourse/ rights post such breaches remains a key concern/ area of lacunae
- Biometric data breach poses a graver risk as it may lead to identity theft and because of the permanency of the breached data (impacted individual can change password/ credit cards but not his iris scan or fingerprints)
For example, so many debit / credit card frauds are being reported daily where people have been misled to share their card details and same has been misused for fraudulent transactions causing loss of a few thousands to a few millions. Now what happens, that due to a data breach, card/ bank details come into hand of unscrupulous people/ criminals? The 2nd factor authentication (OTP/ Visa Verified etc.) can save you to certain extent but SIM cloning etc. have now also led to a few cases where even 2nd factor authentication has not helped. Also for international transaction, such 2nd factor authentication is not required and hence the misuse can be more. Now add to this your biometric data. Someone gets hold of your fingerprint and fakes your fingerprint at a AEPS (Aadhar enabled payment system) enabled POS / ATM to defraud you? In a card fraud, you could have changed your card and start afresh but in a biometric fraud, your data once compromised is always compromised as biometric markers are permanent!
Hence strong privacy & data security laws are very critical for any country which has developed centralized database on their people. Laws & regulations are very critical as left to itself, the ecosystem generally does not self-correct/ self-evolve towards a more protected & regulated environment. This is reflected in the Equifax breach; the company took 6 weeks to report and customers are still clueless on what all can happen with the breached data! Security has a cost to it and without regulations, companies/ organizations may not invest enough to secure their ecosystem and a strong penalization for such breaches can work wonders.
In India, the problem lies that we are miles away from having a proper data governance/ data privacy framework/ regulations. Recently in a landmark judgement, Supreme Court has voted for ‘Right to Privacy’ but citizens will need supporting legal framework to realize that right!
Let us consider a few countries and their privacy laws to illustrate the kind of framework we are talking about.
The key takeaway from the measures taken is that it addresses all the 3 key challenges we highlighted earlier:
- Data Privacy: Right to Access, Right to Forget, Right to Choose (no disclosure without consent, explicit Opt-In for sensitive personal information etc.). For some, it is a Fundamental Right!
- Data Security: Accountability; Defined entities (data controllers) who will remain accountable to ensure that regulations are adhered and necessary safeguards are in place. Clear laws putting the onus on data controllers to establish & maintain necessary measures for security.
- Citizen rights: Remedial measures including administrative and civil actions, penalties for organization involved in processing or storing personal data, clear timelines for informing designated authorities post data breach
India is trying to advance into a digital economy very fast. There is a strong focus on digital banking, digitalization of records & processes, digital delivery of benefits; all forming part of the overall ‘Digital India’ initiative. While digital has its own advantages in terms of greater transparency, faster delivery, curbing leakages/ corruption, lower cost of administration but also opens the ecosystem to risk of cyber fraud/ espionage/ hacking/ malwares and other forms of unauthorized access & usage with the intent of fraudulent gains & causing damage to individuals & institutions.
Pushing the acceleration on ‘Digital India’ without similar thrust on data security & citizen privacy can cause significant damage. Benefits of digitalization will be lost and may be found regressive if more efforts are not given to develop a strong data governance framework and robust laws on privacy.
These are our guidelines to all the key stakeholders:
- Government: Bring in proper ‘privacy & data security’ laws to govern the storage & usage of personal information, rights of citizen, accountability of the controllers & processors of data, penalties for infringements and remedial measures. Focus on creating more awareness!
- Organizations/ Companies: ‘Design for data security/ privacy’ while building your Information Technology framework rather than looking at half-baked patches. They should also have strong internal data governance framework to ensure that access is need based, usage is under consent (except under law enforcement or other defined exceptional conditions) and individuals have right to make a choice on what they share and how it is used
- Citizens/ Individuals: Know your rights, be more cautious as data breaches are becoming quite common and losses are real!
Let us understand that the challenge is humongous and so are the implications. For example, Aadhar data being seeded to so many schemes, bank a/c, IDs and other programs means the entire ecosystem must have similar strong security setup as leakage and hacking can happen at the weakest point of the chain. Without proper laws & regulations to define accountability and the rights of citizens, such a huge database of personal information being available digitally is a huge risk. This is very more important for a country like India, where laws can change at random depending on political compulsions!
We need to get our act very soon as rights and safety of citizens should not get compromised for lack of political will. We have already seen Supreme Court ruling on privacy and the need of the hour is for the executive pillar of the governance to be more proactive on framing these laws rather than aggrieved citizens being forced to knock on the judiciary!