It’s no mean task to convince two such different thinking governments of the need for a biometric-based resident identification program. But despite the political smarts, Nandan Nilekani, the first chairman of the Unique Identification Authority of India, today spends much time defending Aadhaar – the identification number program his team founded, commissioned by the United Progressive Alliance government, in 2009.
Privacy activists accuse Aadhaar of enabling ‘big brother’ type surveillance. Security activists fear large-scale data violation and the irrevocability of biometrics.
Nilekani’s cause is not helped by the now frequent, and illegal, disclosure of Aadhaar numbers and related data, by enrolment agencies and central and state government websites. Enough for some news sites to maintain leak lists.
Yet, according to the UIDAI website, as of 15 April 2017, 113.9 crore Indians, 88.8 percent of the total population, have an Aadhaar number. That’s incredible scale achieved over just eight years.
Interestingly, the law enabling Aadhaar – The Aadhaar (Targeted Delivery Of Financial And Other Subsidies, Benefits And Services) Act, 2016 – was passed just last year. And depending on who you speak to, the Aadhaar Act is perceived to be strong or lacking in adequate safeguards.
But the Aadhaar Act is just one problem. Privacy experts cite the lack of strong data privacy and security laws as another. Also at the root of much opposition is the use of biometrics.
Why Use Biometric Data Despite The Security Concerns?
In 2010, the British government scrapped its biometric data-based national identity card system. Then Home Secretary, Theresa May said, “This bill is the first step of many that this government is taking to reduce the control of the state over decent, law-abiding people and hand power back to them.”
To be sure, the cards were scrapped for many reasons – costs, efficiency of technology and privacy, security concerns surrounding the use of biometric data.
Also it's not as if other countries don't use biometrics. Many like the US, Australia, Canada and Japan use fingerprint identification for entry into their country. Others like the UK, France and the Netherlands issue biometric passports.
Finland, among others, issues biometric resident permit cards and uniquely New Zealand’s Inland Revenue Department uses voice-based identification that has reportedly over a million sign-ups and saves 15,000 hours of phone time every year. Increasingly, offices around the world are using fingerprint scanners at access points to identify employees.
But as Aadhaar is linked to more services, government and private, the security of the biometric data is a top concern.
If my password is hacked I can replace it. How do I replace the biometrics?Shyam Divan, Senior Advocate, Arguing Against Mandatory Linkage Of Aadhaar To PAN
Nilekani argues that an identification number was the only way to make government spending on citizen welfare “more efficient” and ensure the benefits reach the “right people”. And that the best way to ensure no duplication was to link the number to biometric data.
What If Fingerprint Data Is Stolen?
The UIDAI is barred from revealing personal information in the Aadhaar database. “The only response permitted is yes or no to requests to verify an identity,” says its website. The same applies when a private agency uses an Aadhaar number for identity authentication, ensuring that no one besides UIDAI has access to the biometrics.
But despite the best intended security, data breaches are common across the world. In 2015, hackers stole fingerprint data of 56 lakh workers, contractors and job applicants from the US government’s Office of Personnel Management’s computer. Less sophisticated methods may include deception in data collection at the time of enrollment itself.
As more non-government entities start using Aadhaar for authentication, fears abound around the possibility of storing and copying fingerprint data off readers used at points of sale.
This month PP Chaudhary, the Minister of State for Electronics and Information Technology, informed Parliament that “an incidence has come to the notice where authentication was performed by one Aadhaar Number Holder using his stored biometrics. Formal First Information Report (FIR) has been lodged and investigation in the matter is in progress. So far, no financial loss has been reported”.
The more common violation is that of wrongful disclosure of data and several instances of that have already popped up in the recent past, with government departments falling foul of the law.
The Aadhaar Act, 2016 provides for a penalty ranging from Rs 10,000 to Rs 1 lakh and imprisonment of up to three years. Data theft could result in a minimum Rs 10 lakh fine and up to three years in jail.
Nilekani insists the legal provisions are deterrent enough.
The Use Of Aadhaar By Private Services
So far, 350 private entities are using Aadhaar’s authentication service and over 270 are using its eKYC service, as per data on the UIDAI website.
Curiously, the object of the Aadhaar Act makes no mention of private use.
An Act to provide for, as a good governance, efficient, transparent, and targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India, to individuals residing in India through assigning of unique identity numbers to such individuals and for matters connected therewith or incidental thereto.
In direct contrast to that is Section 57 – it permits anybody to use Aadhaar for establishing the identity of an individual provided they follow the procedures in the law.
57. Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:
As a result, now banks, telecommunication companies, payment systems and why, even messaging apps are adopting Aadhaar-based authentication. Nilekani says Aadhaar was always meant to be used widely.
What About Aadhaar Failure Rates?
A recent report by The Mint newspaper says the Telangana government recorded an Aadhaar biometric authentication failure rate as high as 36 percent in the rural job guarantee scheme.
Nilekani points to Andhra Pradesh that recently rolled out Aadhaar in 29,000 public food distribution system (PDS) locations, and claims 100 percent success.
The Desperate Need For Stronger Data Security And Privacy Laws
Not even Nilekani denies the need for this.
(This story was originally published on BloombergQuint)