Aadhaar system has been stuck in a cauldron of debates and deliberations since its inception in 2009. Centre’s flagship Aadhaar scheme was advocated as a tool to initiate and improvise on welfare administration scheme while eliminating corruption. However, many also saw it as a means of creating a “surveillance state” and thereby “invasion of privacy”. With the new verdict passed by the Supreme Court of India on September 26, 2018, Aadhaar project has been declared as constitutionally valid, but with conditions attached. This has set the ball rolling for a new set of argument.
During the Aadhaar registration process, individuals are required to authenticate their fingerprints and iris on a machine that determines their identity. This sole identity gives them access to their “entitlements”. The verification process for instance in the case of public distribution system (PDS) also requires electricity, internet and connectivity for accessing the centralised database, in addition to the fact that biometric details of an individual should match during availing of services. In case the fingerprints fail to match at the time of availing of facilities like ration, a person may be denied the same.
Absolute faith on the biometric system is based on a misplaced assumption that human body parts do not age. Testing by International Biometric Group highlights that “over time, many biometric systems are prone to incorrectly rejecting a substantial percentage of users. Verifying a user immediately after enrolment is not highly challenging to biometric systems. However, after six weeks, testing shows that some systems' error rates increase ten-fold.”2
Similarly, it is mandatory to link Aadhaar number to the registry number in the public distribution database, otherwise amenities provided by the government stands cancelled. Many such incidents where individuals were denied welfare or pension services have come to limelight, especially people suffering from leprosy, engaged in manual labour and those who are genetically predisposed to not having fingerprints. There were reports that alternate means of identification are being done to accommodate the ones who lack proper biometrics.3 Like facial recognitions or iris scanners.4 However, it is still not clear how such alternatives are being operationalised. For instance, leprosy patients are now being exempted from linking Aadhaar card. But then question arises, can all verification facilities vouch to have in place the required technical infrastructure that allows other means of verification? If yes, then what are they? Even if it is a process of offline verification, same has not been clearly laid down.
Despite Supreme Court’s laudable verdict, there still are issues that need to be addressed. Of particular concern are issues pertaining to data protection, limitations of biometric identification, and personal data mining. In the absence of a clear framework, there is also the lingering fear of state’s ability to access databases to map the data of an individual at the backend and create a “digital image”. Linking of Aadhaar card actually brings together different aspects of life like travel accounts, personal information, employment history, bank accounts, etc. Thus, integrating disjointed data silos enable tracking and profiling, i.e., invading privacy in many ways.
Initially with Section 57 in place, Aadhaar was seen as a project conflating state power and corporate power at the cost of citizen’s privacy. The situation was grave as it facilitated corporate surveillance to go hand in hand with state surveillance. This would have enabled targeted advertising and profit reaping. Now with the invalidation of Section 57, the question that remains is what happens to the data of individuals already registered? Though the government has issued orders to several telecom companies to submit plans to delink Aadhaar data associated with user profiles,6 but then would there be a mechanism of verification that the data was deleted and no backups were taken in the process?
Another aspect that has not been clearly brought out is the credibility of alternate procedures of verification. What if they are more cumbersome for people who do not have an Aadhaar card? Convenience over security would definitely be a dilemma. However, government has started taking stringent measures to ensure security. For instance, masking Aadhaar number while authenticating for a third party.7 This is done by generating Aadhaar Virtual ID, a 16-digit random number, which is mapped to a person’s real Aadhaar number and can be used whenever authentication or KYC services are performed. It remains to be seen how many people would actually adopt the “Virtual ID” or understand its significance.
Another issue that came to the forefront was that of ghost or fake ration cards. Many a time the link between Aadhaar number and the ration card could not be validated. In such scenarios, the individual was denied basic amenities. Government claimed successfully tracing fake ration cards but many a time there were genuine cases of exclusion passed off as savings due to Aadhaar. This has also led to cases of death due to starvation.8 Corrective measures in this regard are yet to take course. When talking about corruption the quantity fraud is not being factored in. Quantity fraud translates that a person may be forced to sign on something that he/she might not have received of the same quantity that the person is entitled to. However, one cannot also ignore the fact that in many places Aadhaar has actually replaced the middlemen.9
The Supreme Court verdict, in response to petitions filed against the ‘draconian’ nature of Aadhaar, has been a mixed bag. Concerns around the Aadhaar project have broadly been centred on “welfare and privacy”. These have included questions of “surveillance, access to basic rights, liberty and data commercialisation.” The most welcome part of the verdict is the scrapping of Section 57 of the Aadhaar Act, which allowed private entities to use Aadhaar for verification purposes. Far too many people have been duped into opening accounts in mobile phone payment banks while being forced to conduct an e-KYC procedure with Aadhaar for their SIM (subscriber identity module) cards.
However, the verdict has still left many open-ended questions. For the state to be able to build trust among the citizens and ensure that individuals have the sole control of the data and no misuse could take place, it is pertinent to push for a system that protects people and their data and does not exclude the most vulnerable.
Biometrics via Aadhaar is an untested territory. Biometrics as a foundation for Aadhaar, without addressing the security concerns raised by people, paves the way for more doubts and fear. Securing identity systems is particularly challenging as the number of data breaches across the world are on the rise. Identity data in the modern world and particularly as governments come to require it so much more often, becomes the key to perpetrate fraud and undertake surveillance. Adequate norms thus need to be laid down from collection to retention of biometric data, in addition to formulating strong data protection and privacy laws.
Aadhaar could become a “one stop solution” if implemented in a more accommodative manner. One understands that long term benefits of Aadhaar actually outweighs many concerns. However, the government needs to work towards plugging the loopholes and taking prompt action in addressing the genuine concerns and grievances of the people.
It will take time to make Aadhaar more foolproof. After all, Rome was not built in a day!
Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.