Commentary
Right to Privacy vs the State and Private Interests
The Aadhar Bill and Big Data:

MOST of us have seen some or the other family member, friend, colleague, or neighbor bustle about getting an Aadhar Card for the whole family. Mass camps were conducted where we live to have everyone come in and give biometric data to become identifiably unique on some server somewhere, controlled now by the State, but always at risk of being willingly or accidentally shared with other State authorities or private parties.

All this had been happening without a legitimately passed bill, or without any other legal framework mandating such large scale collection of data. Since 2009. However, the newly tabled Targeted Delivery of Financial and Other Subsidies, Benefits and Services Bill, a. k. a. the Aadhar Bill was passed in the Lok Sabha on 11 March 2016. Before this, the Aadhar Bill of 2010 had been rejected by a Parliamentary Committee headed by Yashwant Sinha of the BJP, after the bill had languished for nearly three years, citing, among others, precisely those privacy concerns which have now effectively been shoved under the carpet.

Here are some reasons why we should worry about the decision around getting or not getting an Aadhar card:

First, the way in which this bill was passed is cause for concern. It was tabled as a Money Bill, which means that it can be tabled and passed without the approval of the Rajya Sabha. Critics have pointed out that this provision was used because the BJP does not have a majority in the RS, and that this in itself is wrong. This is a move that also sets a dubious precedent for any other bill that the government in power may wish to pass in haste by eliminating the possibility of the airing of concrete arguments against it in the upper house. Moreover, there has been no public consultation on the bill, it was passed on a Friday when attendance at the Lok Sabha was minimal, and according to sources, only 73 of the 545 members were present.

Second, privacy is a serious concern when such large masses of biometric data are collected for a given population. So far, there is no privacy or data protection legislation in India. This has serious implications for the protection of the data that has been collected. This concern centers around the following questions: does the bill make it mandatory for everyone to have an Aadhar number, what are the provisions under this very bill for the protection of the data, and for the protection of individuals about whom data has been collected, whether the authority collecting and housing collected data is allowed to share it with anyone else and on what grounds, whether the individual about whom data has been collected has access to any kind of redressal should there be a breach of information. Let us look at them closely:

Even after the Supreme Court issued several orders in 2014 and 2015 that no government can make an Aadhar card mandatory for availing of services or subsidies or any other form of assistance from the government, this bill makes it mandatory for everyone to be covered under this project. It does so duplicitously – by not saying that an Aadhar number is not mandatory. This is not just bad legal drafting, this is keeping the space open for making this kind of biometric identification mandatory. Here’s how: if a service provider asks for Aadhar numbers as prerequisites to the provision of a service or commodity, then citizens are compelled to enroll for the Aadhar number. In not making the non-mandatory nature of such unique identification clear, the bill aids such misdirection by private parties. We will see in a moment why this is not mere oversight, but a conscious decision to leave the field open for the distortion of information and the right of citizens to choose between forms of identification. The new Aadhar Bill does not leave the choice to citizens to opt out.

Parliamentarians keen that the bill be passed have been misguiding everyone by reassuring them that the bill makes provisions for the protection of privacy. They have been telling everyone that some of these privacy concerns are in fact taken care of by IT laws in the country. However, the Information Technology Rules that came into effect in 2011 have a far too limited description of what can be understood under ‘privacy’ or ‘personal data’ and therefore any argument that says that some of these concerns are easily covered by the IT law is false.

Moreover, in the absence of strong legislation on questions of privacy, particularly in the area of sensitive (and biometric) data, a bill not making strict provisions for the same is simply dangerous, leaving data vulnerable and open to misuse. While the bill does state that biometric data will be protected, it makes provisions under other clauses for the sharing of data under authorization by Joint Secretaries should this be required in connection with the protection of national security. Given how the terms ‘nation’, ‘nationalism’, and ‘security’ have been sharp tools used by the present government against progressive social movements as well as individuals critical of government, this broad brushstroke mention of ‘national security’ as a ground to go back on the bill’s own promise to protect data must necessarily cause alarm bells to ring.

Under the pretext of ‘national security’ this bill effectively grants some rather blanket powers to those who can sanction surveillance of individuals. Some of these powers in fact stand in conflict with other principles of communications surveillance. In the case of provisions under this bill, initially your data can be made available to allow surveillance for three months, extension subject to any number of renewals. So you could be surveilled for your entire life without being told about it. There are no provisions for individual scrutiny, and in that this bill in fact worsens maladies such as phone tapping, remedies against which are already very weak under Indian law, and there are no strong provisions of redressal in cases of breach of information.

When we take this together with other aspects of the UID project itself, mounting anxiety around the Aadhar number becomes more than justified. The argument given to justify the continuation of the project in the absence of an adequate legal framework since 2009 (and the massive fund allocations for the purpose) is that this will aid in the removal of barriers (read widely prevalent corrupt practices) to the smooth and transparent disbursal of benefits and subsidies to the poor. However, it must be noted that is not individual beneficiaries who are scamming identities, but it is the corrupt practices of those in government entrusted with the disbursal of benefits and services that is the hurdle. Moreover, recent data has revealed that 99.97% of all Aadhar numbers issued till April last year had been issued to people who had other forms of identification, and that only 0.03% were issued to those lacking any identity proof. This makes mud of the above claim. One does also wonder why, in an age when the number of those covered under the social security net is decreasing – not because fewer people need it, in fact, to the contrary ever more do, but because the State is receding – why the passing of this bill under the pretext of ensuring the disbursal of benefits and subsidies is so urgent.

One other facet of the UID project that can help raise sharp questions particularly about the sharing of data is the fact that CIA-backed US corporations are involved in it. Accenture and L1 Identity Solutions are among the companies that have been recruited to design and maintain software enabling data collection. Not only have these companies (with L1 boasting of former CIA men on its board) been implicated in fraud, but even their core competences, namely, identification technology, have been exposed as flawed and open to manipulation. This does make you want to sit up and ask, a. why the hurry, b. what are foreign intelligence agencies doing with our data, c. will private parties then have access to data given the deliberately broad terms of the drafting of this bill?

In fact, Nandan Nilekani, who headed the UIDAI (Unique Identification Authority of India), addressed hundreds of developers who were gathered together at a ‘UID conference’, where he said that UID was a platform built by government which should really ‘create a thriving application ecosystem around the platform’ so that more apps around it could be created by public and private players. In June 2015, there was an Aadhar Application Hackathon, the objective of which was to encourage and promote the development of applications that utilize the open Aadhar APIs (Application Programming Interfaces). In fact, over the past several years, this has spawned a range of corporate efforts that seek to exploit Aadhar to provide services that help users centralize their banking transactions, enable cashless/paperless payments to vendors, in the area of healthcare, in the area of consumer goods.

It should be clear then, that that little (and badly designed) rectangle of white inside shiny lamination is not a mere identity card. It is your receipt with no thank you for the precise and intimate information you surrendered to the state that renders you vulnerable – to surveillance by the State and to corporate greed. And you cannot even check out of this pervasive system. Ever.

Liberation Archive