By Phoebe Seers. 10 January 2018.
The Indian government’s efforts to integrate identification numbers with all aspects of daily life are being undone by concerns over individual privacy.
Lawsuit after lawsuit has been filed against the Aadhaar identification scheme, and the latest apparent data breach, involving personal information on more than 1 billion citizens, is doing little to ease deep mistrust among Indians in what many consider to be little more than an enormous surveillance system.
On Jan. 3, Chandigarh-based daily paper The Tribune reported that one of its journalists had purchased, for 500 rupees ($8), “a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far.”
By entering any Aadhaar number in the portal, the reporter gained access to the name, address, postcode, photo, phone number and email address of the corresponding citizen, the report said.
Aadhaar is a 12-digit, unique identification number issued to all Indian residents based on their biometrics — including fingerprints and iris scans — and demographic data. The data is collected by the Unique Identification Authority of India, or UIDAI.
Aadhaar links with every aspect of an individual’s life, from train ticket bookings and marriage registration to enrolment at schools and colleges.
It is used as a prerequisite for the payment of taxes, indirectly ensuring that all those who fail to sign up for it could be held criminally liable for non-payment, effectively making the system mandatory.
The government now wants to mandate connecting the identification number to bank accounts and mobile phones, something finance minister Arun Jaitley calls the “1 billion-1 billion-1 billion vision."
He says: "That is 1 billion unique Aadhaar numbers linked to 1 billion bank accounts and 1 billion mobile phones. Once that is done, all of India can become part of the financial and digital mainstream."
That ambitious plan, however, is being challenged in the Supreme Court. Last week, the court ruled that the deadline for linking Aadhaar with bank accounts and phones must be extended until the end of March.
The Tribune report prompted, unsurprisingly, a fresh avalanche of criticism aimed at Aadhaar and UIDAI. But it is not the first time Aadhaar’s security systems have come under fire.
A Supreme Court ruling last year that Indian citizens could expect the government to uphold certain fundamental privacy rights stems from complaints dating back to 2012 that Aadhaar, which mandates the mass collection of personal data, yet lacks any corresponding system to ensure the data is safe, was violating people's privacy rights.
UIDAI is sticking to its guns, insisting that there was no breach this time around. It says the Tribune report is “a case of misreporting,” and that “there has absolutely been no breach of [the] Aadhaar biometric database in any manner whatsoever.”
The wider public, however, remains unconvinced, and has reason to be concerned. The system suffered a leak of 137 million records last May. IT minister Ravi Shankar Prasad admitted in parliament last April that 34,000 Aadhaar operators had been blacklisted or canceled since the start of the project. It seems credible that at least one such operator is selling the Aadhaar data that the Tribune was able to purchase.
Given that India is the world’s second-largest Internet market, with more than 1 million new subscribers going online for the first time each week, the world’s largest user of Facebook, and the world’s second-biggest smartphone market, its citizens’ personal data is a goldmine for businesses able to make use of it. Access to that data is highly prized, and clearly in some cases, fair game to be obtained by whatever means necessary.
Since April 2017, the number of rogue operators tasked with collecting the biometrics of 1.3 billion Indians has reached 49,000, according to reports.
On Jan. 17, the Supreme Court’s hearing into Aadhaar’s legality is scheduled to commence. What is clear is that regardless of the outcome, concerned Indian citizens will continue filing complaints in the courts, online and to the press.
So far, the Supreme Court, which is well regarded both domestically and internationally, seems to have sided with the people over the government, and its ruling on privacy last year is likely to hasten the enactment of a data protection law.
An expert committee tasked with introducing the law recently put out a consultation on data protection for India, which is open till Jan. 31, and will hold consultation meetings throughout this month.
That should provide ample opportunity for frustrated citizens, other parties and privacy experts to voice their concerns to the government ahead of the enactment of any law, and will hopefully pre-empt a fresh raft of claims against New Delhi.
Nevertheless, the government needs to reassure its citizens that it takes their personal data seriously and is doing its best to protect it.
Naming the Tribune reporter who exposed the breach in a criminal complaint, as UIDAI did over the weekend, has hardly won that government their confidence.