"We live in the era of information revolution, where the entire lives of individuals are stored in the cloud. We must recognize that while technology is a useful tool for improving the lives of the people, at the same time, it can also be used to breach that sacred private space of an individual."Former CJI NV Ramana while constituting a committee to investigate the Pegasus case (2021)
Enter, the Jammu & Kashmir Family ID: A proposed identity card, with a unique eight-digit alphanumeric number to identify each family and its members vis-a-vis the head of the family.
The programme, announced by Jammu and Kashmir (J&K) Lt Governor Manoj Sinha in November 2022 as part of the J-K digital vision document, is slated to carry details of all members of the family, including their names, ages, qualifications, employment status, according to media reports.
What's the objective? According to what government officials told The Indian Express, the objective of this is to create an authentic, verified, and reliable database of families in J&K to make sure welfare schemes reach eligible beneficiaries faster and in a more transparent manner.
Why this matters: Other than the ruling Bharatiya Janata Party (BJP), this development has not gone down too well with leaders across the political spectrum.
Former Jammu and Kashmir Chief Minister and PDP Chief Mehbooba Mufti in December 2022 called it "another surveillance tactic to tighten the iron grip" on the lives of Kashmiri people.
Technology and legal experts concur, except they seem to think that there is more to be worried about besides surveillance.
Every Family in J&K To Get Unique ID: 6 Reasons Why Experts Say This Is Worrying
1. How Can This Potentially Lead To Surveillance?
The new card will be linked to the Aadhaar and the bank account of the head of the family.
While Aadhaar includes information about an individual, the family ID card, if implemented, will link details about families including name, age, qualifications, income, employment status and marital status, among other details.
With all of this information, databases of this type end up having a “360 degree view” of residents, according to cyber security expert Anand Venkat.
This is exactly what leads to surveillance, he added.
“Put simply, profiling is surveillance,” Venkat wrote in his blog.
For example, once this programme is implemented, the government, will not only know your religion, but will also know whether or not your entire family is from the same religious community. At the same time, it will know about the neighbourhood you reside in. With the help of the large-scale database, it will be able to piece together the approximate religious profile of your entire neighbourhood.
This can, by and by, lead to targeting of specific neighbourhoods (based on those whole live there) for intensified facial recognition and policing, based on the negative traits attributed to the said population by the authorities, Vikas Saxena, an independent tech & policy researcher, explained in conversation with The Quint.
Expand2. Kashmir Is More Prone To This Because…
Experts also seem to think that Jammu and Kashmir’s precarious socio-political context makes this all the more worrisome and could add to the ever widening trust deficit between the government and people.
“Things are already complicated on the ground in Jammu and Kashmir, the trust between people and the government is very low, so it is understandable why surveillance and privacy concerns from this arise.”
Maansi Verma, Lawyer and founder of civic engagement initiative MaadhyamOn 5 August 2019, Kashmir, which has witnessed decades-long military conflict, lost its semi-autonomous status after the Indian government abrogated Article 370 of the Indian Constitution.
This led to internet blockades for nearly a year and a half after reports of troop deployment and human rights violations.
That’s not all – in 2021, the UT administration reportedly subjected new government employees to a verification process which included monitoring their social media accounts, according to a circular issued by J&K’s General Administration Department (O9JK-GAD).
Expand3. But, There Must Be Legislative Safeguards, Right?
Not quite, say experts.
“With all of these data collection exercises, there is no safeguard in place to ensure that the information is not accessed by someone who should not be accessing it."
Anushka Jain, Policy Counsel (Surveillance & Transparency) at Internet Freedom FoundationKashmir is not the only state with such databases. More recently: Haryana, Tamil Nadu, and Maharashtra, among other states, also introduced similar programs. But none of these states have notified a specific law to integrate databases.
“If you collect data, you collect data to profile your residents, there’s certainly the right of privacy engaged. Once that is the case, the requirement of law becomes absolutely indispensable," Prasanna S, a Delhi-based lawyer who had helped petitioners challenge the Aadhaar Act, told MediaNama in a conversation about integrated databases.
He further pointed out how any data collection exercise leading to a 360 degree profiling of citizens in the absence of a law is a direct violation of the fundamental right to privacy.
“The law is a critical piece there. Because the law will then tell you what purposes you can use it for, to what extent the data can be collected and retained and what you cannot use it for. Otherwise, it’s a database that the state can use for any purpose it wants,” Prasanna added.
Expand4. And Then There Are Potential Data Leaks…
Interestingly, after Kashmir’s family ID program was announced, senior superintendent of police (security) M Y Kichloo told news agency PTI that the risk of “vulnerabilities and possibilities of cyber attacks will remain” when it comes to storage of data in a digital format.
“We will face the same problems in Jammu and Kashmir which are faced across the country viz- a-viz data. The risk of vulnerabilities and possibilities of cyber attacks will remain. In case of data breach, the quantum of punishment would be 10 years which would work as a deterrent."
Senior Superintendent of Police (Security) M Y KichlooA report published by the Netherlands-based cybersecurity firm Surfshark VPN revealed that India ranked sixth among countries vulnerable to digital attacks since such attacks were first recorded in 2004.
Even with Aadhaar – the world’s largest biometric system – there have been data security concerns. The Comptroller and Auditor General (CAG) of India, in its April 2022 report on functioning of the UIDAI, flagged several security concerns with Aadhaar.
And, this becomes seemingly more concerning when you take into consideration that India currently has no data protection law in contrast to the European Union's General Data Protection Regulation (GDPR), which is considered the most stringent framework on data protection and privacy rights in the world.
“Any data collection exercise in the country right now is unregulated. Because there is no data protection law to govern how data is being collected, whether it is being stored only for the purpose it was obtained for, how it is being stored, whether it is being deleted after its use is done: so all of these things need to be considered to ensure that personal data protection rules are abided by in accordance with the right to privacy that we have.”
Anushka Jain, policy counsel (surveillance & transparency) at Internet Freedom FoundationThe Personal Data Protection Bill has still not been passed. Initially introduced in 2018, was withdrawn after strong opposition on the exemption it proposed for the central government and its agencies from its provisions.
Even a new version of it, which is yet to be discussed in parliament, has the potential to give more powers to the government if passed, The Quint had reported in a previous piece.
Expand5. Exclusion, Election Propaganda: What Are Some Other Concerns?
Exclusion from Welfare Schemes
Remember reports about starvation deaths in Jharkhand that are said to have happened as a result of people not being able to link their Aadhaar cards with their ration cards and therefore not avail of promised ration?
Experts fear a similar tragedy could emanate from the Family ID programme too.
“There have been reports of people not being able to get their Aadhaar cards made, for no fault of their own. Which has led them to miss out on schemes. The architecture of the family ID database, which is being pushed for speedy delivery of social schemes could also lead to exclusion in a similar manner.”
Maansi Verma, lawyer and founder of civic engagement initiative MaadhyamElection Propaganda
“With the new Family ID database, you can geographically profile people and get a hold of their economic data and when you can do that you can influence election behaviour. Alternatively, you can also get more votes by demarking geographical boundaries according to your own convenience."
Vikas Saxena, independent tech & policy researcherIn 2021, a petition in the Madras High Court alleged that the Bharatiya Janata Party’s Puducherry unit had misused voter data collected by the UIADIA during its Assembly election campaign.
The Madras High Court, during the hearing, had said there appears to be a “serious breach” in how the party conducted itself and directed the Election Commission to investigate this.
Experts The Quint spoke to, said that with this new initiative, similar misuse of data for electoral gains could become more convenient.
Like Vikas Saxena puts it:
“Hypothetically, these same data points can impact everything from redistricting and policing to accessing essential services like healthcare and education. In practice, once correlated with the Aadhar database, the use cases are potentially endless.”
He adds:
“Ultimately, whether these additional data points can be wielded as a weapon of mass surveillance and division, or to deliver social welfare schemes with speed and ease – only time will tell.”
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)
Expand
How Can This Potentially Lead To Surveillance?
The new card will be linked to the Aadhaar and the bank account of the head of the family.
While Aadhaar includes information about an individual, the family ID card, if implemented, will link details about families including name, age, qualifications, income, employment status and marital status, among other details.
With all of this information, databases of this type end up having a “360 degree view” of residents, according to cyber security expert Anand Venkat.
This is exactly what leads to surveillance, he added.
“Put simply, profiling is surveillance,” Venkat wrote in his blog.
For example, once this programme is implemented, the government, will not only know your religion, but will also know whether or not your entire family is from the same religious community. At the same time, it will know about the neighbourhood you reside in. With the help of the large-scale database, it will be able to piece together the approximate religious profile of your entire neighbourhood.
This can, by and by, lead to targeting of specific neighbourhoods (based on those whole live there) for intensified facial recognition and policing, based on the negative traits attributed to the said population by the authorities, Vikas Saxena, an independent tech & policy researcher, explained in conversation with The Quint.
Kashmir Is More Prone To This Because…
Experts also seem to think that Jammu and Kashmir’s precarious socio-political context makes this all the more worrisome and could add to the ever widening trust deficit between the government and people.
“Things are already complicated on the ground in Jammu and Kashmir, the trust between people and the government is very low, so it is understandable why surveillance and privacy concerns from this arise.”Maansi Verma, Lawyer and founder of civic engagement initiative Maadhyam
On 5 August 2019, Kashmir, which has witnessed decades-long military conflict, lost its semi-autonomous status after the Indian government abrogated Article 370 of the Indian Constitution.
This led to internet blockades for nearly a year and a half after reports of troop deployment and human rights violations.
That’s not all – in 2021, the UT administration reportedly subjected new government employees to a verification process which included monitoring their social media accounts, according to a circular issued by J&K’s General Administration Department (O9JK-GAD).
But, There Must Be Legislative Safeguards, Right?
Not quite, say experts.
“With all of these data collection exercises, there is no safeguard in place to ensure that the information is not accessed by someone who should not be accessing it."Anushka Jain, Policy Counsel (Surveillance & Transparency) at Internet Freedom Foundation
Kashmir is not the only state with such databases. More recently: Haryana, Tamil Nadu, and Maharashtra, among other states, also introduced similar programs. But none of these states have notified a specific law to integrate databases.
“If you collect data, you collect data to profile your residents, there’s certainly the right of privacy engaged. Once that is the case, the requirement of law becomes absolutely indispensable," Prasanna S, a Delhi-based lawyer who had helped petitioners challenge the Aadhaar Act, told MediaNama in a conversation about integrated databases.
He further pointed out how any data collection exercise leading to a 360 degree profiling of citizens in the absence of a law is a direct violation of the fundamental right to privacy.
“The law is a critical piece there. Because the law will then tell you what purposes you can use it for, to what extent the data can be collected and retained and what you cannot use it for. Otherwise, it’s a database that the state can use for any purpose it wants,” Prasanna added.
And Then There Are Potential Data Leaks…
Interestingly, after Kashmir’s family ID program was announced, senior superintendent of police (security) M Y Kichloo told news agency PTI that the risk of “vulnerabilities and possibilities of cyber attacks will remain” when it comes to storage of data in a digital format.
“We will face the same problems in Jammu and Kashmir which are faced across the country viz- a-viz data. The risk of vulnerabilities and possibilities of cyber attacks will remain. In case of data breach, the quantum of punishment would be 10 years which would work as a deterrent."Senior Superintendent of Police (Security) M Y Kichloo
A report published by the Netherlands-based cybersecurity firm Surfshark VPN revealed that India ranked sixth among countries vulnerable to digital attacks since such attacks were first recorded in 2004.
Even with Aadhaar – the world’s largest biometric system – there have been data security concerns. The Comptroller and Auditor General (CAG) of India, in its April 2022 report on functioning of the UIDAI, flagged several security concerns with Aadhaar.
And, this becomes seemingly more concerning when you take into consideration that India currently has no data protection law in contrast to the European Union's General Data Protection Regulation (GDPR), which is considered the most stringent framework on data protection and privacy rights in the world.
“Any data collection exercise in the country right now is unregulated. Because there is no data protection law to govern how data is being collected, whether it is being stored only for the purpose it was obtained for, how it is being stored, whether it is being deleted after its use is done: so all of these things need to be considered to ensure that personal data protection rules are abided by in accordance with the right to privacy that we have.”Anushka Jain, policy counsel (surveillance & transparency) at Internet Freedom Foundation
The Personal Data Protection Bill has still not been passed. Initially introduced in 2018, was withdrawn after strong opposition on the exemption it proposed for the central government and its agencies from its provisions.
Even a new version of it, which is yet to be discussed in parliament, has the potential to give more powers to the government if passed, The Quint had reported in a previous piece.
Exclusion, Election Propaganda: What Are Some Other Concerns?
Exclusion from Welfare Schemes
Remember reports about starvation deaths in Jharkhand that are said to have happened as a result of people not being able to link their Aadhaar cards with their ration cards and therefore not avail of promised ration?
Experts fear a similar tragedy could emanate from the Family ID programme too.
“There have been reports of people not being able to get their Aadhaar cards made, for no fault of their own. Which has led them to miss out on schemes. The architecture of the family ID database, which is being pushed for speedy delivery of social schemes could also lead to exclusion in a similar manner.”Maansi Verma, lawyer and founder of civic engagement initiative Maadhyam
Election Propaganda
“With the new Family ID database, you can geographically profile people and get a hold of their economic data and when you can do that you can influence election behaviour. Alternatively, you can also get more votes by demarking geographical boundaries according to your own convenience."Vikas Saxena, independent tech & policy researcher
In 2021, a petition in the Madras High Court alleged that the Bharatiya Janata Party’s Puducherry unit had misused voter data collected by the UIADIA during its Assembly election campaign.
The Madras High Court, during the hearing, had said there appears to be a “serious breach” in how the party conducted itself and directed the Election Commission to investigate this.
Experts The Quint spoke to, said that with this new initiative, similar misuse of data for electoral gains could become more convenient.
Like Vikas Saxena puts it:
“Hypothetically, these same data points can impact everything from redistricting and policing to accessing essential services like healthcare and education. In practice, once correlated with the Aadhar database, the use cases are potentially endless.”
He adds:
“Ultimately, whether these additional data points can be wielded as a weapon of mass surveillance and division, or to deliver social welfare schemes with speed and ease – only time will tell.”
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)