Dear Centre & UIDAI, Please Stop Misdirecting Us on Aadhaar
Senior Advocate Rakesh Dwivedi, representing the UIDAI before a five judge bench deciding on the constitutional challenge to the Aadhaar Act, assured the judges that the UIDAI has simple matching algorithms and not Artificial Intelligence or “learning” algorithms that could misuse Aadhaar data.
The government and UIDAI have provided false assurances regarding Aadhaar. The role of UIDAI and Aadhaar is simply to tag a person with a number that serves as a key for other databases that use it to profile Aadhaar holders. This creates a constant key across all databases so that they can be merged indefinitely to create increasingly detailed profiles of Aadhaar holders.
For example, a profiling business acquires data related to credit, school children and hospital records. This information can be used for targeting. However, it isn’t the same as the UIDAI’s dismissive claim that profiling on the basis of data happens anyway and Aadhaar doesn’t change anything. Aadhaar does change a lot of things.
In the above example, the databases are quite unrelated and on their own offer limited and basic insight. If all the data sets were linked with Aadhaar, they could be merged using the Aadhaar as a key.
So, you would have a single database with information from all of them, allowing for more complex targeting like say… someone with a good credit score, with children in secondary class (parents Aadhaars on record), and no health problems in the past year. Or, someone older, with long hospital stays and no loans to their name. Targeting of individuals would be possible by finding their Aadhaar number and then getting extensive information about them from multiple databases. Aadhaar provides this common factor that can link completely unrelated records into a 360 degree view.
Here are three intended and current uses of Aadhaar that the government and UIDAI did not tell the Supreme Court about, even as they did all they could to create a perception that these exact things were not possible.
Also Read: The Gazette Of India and The Aadhaar Paradox
Report of Task Force on Artificial Intelligence by the Ministry of Commerce and Industry
This report is quite open about the digitisation of data of individuals for purposes of Artificial Intelligence applications. It is particularly eager about the big data of Aadhaar holders as follows (this is a direct quote):
- All-out effort for recording, digitisation and collection, validation and archiving of data in all sectors, which as a labour intensive activity will also create employment just like other infrastructure projects do;
- Provision of incentives for provision of reliable data;
- Come up with Indian data formats for all the sectors/sub sectors for AI applications, by drawing upon the available relevant International standards.
And what are they planning to do with such data?
Here is a screenshot of the summary of recommendations. “Digital data banks, marketplaces and exchanges to ensure availability of cross industry data and information for AI applications” does not exactly sound like there is neither AI nor the possibility of Aadhaar making data aggregation and profiling possible, is it?
Advocate Dwivedi probably did not use this report in his submissions to the Supreme Court.
At a talk, Deputy Governor of the RBI, Dr Viral Acharya, on 4 July 2017, described the need for a public registry that would be based on Aadhaar for individuals, and CIN for companies, in order to create a 360 degree view of individuals that is currently not available. On 23 October 2017, he constituted a task force to research its formation. The task force was to deliver its report on 4 April 2018. When the report was not placed in the public domain, this author filed an RTI to request a copy of the report and was refused under Sections 8 (1) (a) and 8 (1) (e) of the RTI Act, even though the response says that the report was submitted to the RBI.
The implications of a credit registry connected with Aadhaar are enormous. Apart from the usual concerns of poor data security practices and profiling, a credit registry based on Aadhaar will, in effect, serve to make Aadhaar mandatory for anyone who requires credit, which is in contempt of the Supreme Court and a purpose irrelevant to the welfare delivery claimed as the core purpose of the Aadhaar Act.
Such a registry will inherently involve aggregation of data of Aadhaar holders across different financial organisations, to create a profile. Those who refuse to link their Aadhaar with their financial information will be at a disadvantage when it comes to procuring credit. Thus, the registry will not only make Aadhaar mandatory, it will force the individual to “voluntarily” share their data if they want credit.
Private credit score providers like CIBIL and Equifax already use Aadhaar to provide such a credit rating service to several banks in India. How safe is consumer data with Equifax? Here is a quick recap by John Oliver in the wake of their data being breached putting sensitive information of 143 million “consumers” at risk.
While the video is humorous, the information provided is verifiable, and a lot of the risks of Equifax will apply to any service that collects such information.
The Central Government and UIDAI have both denied that Aadhaar information is provided to the government or police. There is no notification to provide Aadhaar details to the police. However, police everywhere are arbitrarily demanding Aadhaar cards from residents and aggregating them in databases that can be accessed via apps.
An example here is the e-Petty app, which allows the police of Telangana to book cases for petty crimes in real time. The app allows for registering the cases, collecting photo and video evidence and creating a chargesheet based on the case information entered. But, the app also records the accused by linking with their Aadhaar number, allowing the app to provide a history of cases filed against individuals.
In a country where the policeman on the street makes and imposes laws on whim, this is a very dangerous power to have without oversight and can have tremendous implications for disadvantaged groups which suffer from police prejudice and are represented disproportionately higher in arrests, abuse or targeting.
The Telangana police is using Aadhaar to take profiling to a whole new level, where a traffic violation can bring an entire family under surveillance. The police are creating family trees and tracing relationships using multiple databases, including a door to door household survey and using Aadhaar as the identifier for the data and even social media profiles.
When a traffic violation requires the Aadhaar information of the violators family as well, the implications to civil rights and freedoms are staggering.
To make a long story short, the UIDAI does not have the capabilities for detailed profiling, because that is not its task. Its task is to provide a key that allows an individual to be tracked across any database it is linked with and it is those applications that already have considerable profiling capabilities and there are government backed and funded plans to create even more effective profiling.
The claim of the government and the UIDAI thus amounts to misdirection.
(The author is a blogger, socio-political commentator, who also writes on tech policy and runs the website Aadhar FAIL. She tweets @Vidyut. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for them.)
(The Quint is now on WhatsApp. To receive handpicked stories on topics you care about, subscribe to our WhatsApp services. Just go to TheQuint.com/WhatsApp and hit Send.)
(The Quint is now on WhatsApp. To receive handpicked stories on topics you care about, subscribe to our WhatsApp services. Just go to TheQuint.com/WhatsApp and hit the Subscribe button.)