In September 2010, India quietly set out on a herculean journey. A journey the world would later recognize as the largest citizen identification project. A journey to provide each of its billion citizens a unique identification number. The 12-digit unique ID came to be known as Aadhaar. Just five and a half years later, in April 2016, one billion Indians were successfully registered on the Aadhaar platform, covering 93 percent of Indian adults.
The vision and revolutionary ambition of Aadhaar is commendable. That Aadhaar enrolled over a billion Indians within budget and well ahead of time is, in itself, no mean feat. Unifying access to public and private services with one unique ID has a lot of advantages. However, Aadhaar has faced a lot of backlash in the recent past, especially on matters of security and privacy and, more importantly, its legal standing. Each argument in the debate holds water and is thought-provoking.
Aadhaar is purely a form of authentication – authenticating that the individual is who s/he says s/he is, as per the Aadhaar Bill, 2016. It is not legal proof of residence or even citizenship. Even with authentication alone, the opportunities and innovation potential with Aadhaar are endless. In its current form, Aadhaar has been passed by the Lok Sabha as a money bill, intended to provide targeted delivery of financial and other subsidies, benefits and services. For by itself, a 12-digit unique number is of no value. If one ponders the potential scope of Aadhaar when integrated with services, imagination is the only limit.
The power of accessing basic public facilities like healthcare, education, financial services and utilities with one 12-digit number is immense. Opening a new bank account or an insurance policy, for instance, can be done in under 10 minutes with Aadhaar’s eKYC. This can reduce KYC costs from ~INR 200 to INR 10 per individual. Beneficiaries of government subsidies, pension and provident funds can enjoy direct transfers to Aadhaar-linked bank accounts without any pilferage to middlemen. Private businesses can easily verify identities of white and blue collar labour using Aadhaar’s eKYC feature. Salaries as well can be transferred directly to true beneficiaries via Aadhaar-linked bank accounts. While making digital payments at a merchant or withdrawing money from an ATM, one can just scan their fingerprint to authenticate themselves and the transaction, no 4 or 6 digit PIN needed. Demographic data coupled with economic indicators can aid the government in data-driven policy formulation and direct benefit subsidies. From exams to marriage certificates, food rations to train ticket concessions, land registrations to mobile phone cards, Aadhaar can make public life simple and seamless. Aadhaar integrated with public and private services benefits all – the higher and middle income groups and, importantly, the economically weaker sections of society.
Aadhaar is built on an open technology platform – technology that opens up access to its underlying data via open standards and APIs. This powerful open technology can be leveraged by anyone – startups, large businesses, financial institutions and the government, Indian or international. Anyone who needs to authenticate their customers or users can connect to Aadhaar and achieve just that – all online, in seconds, using inexpensive ways. But therein lies the catch: how secure is the central database of personally identifiable data? Who audits and approves the applications that access this central database? How can citizens protect their privacy or deny access to their identifiable data? And many more… There are a lot of questions regarding Aadhaar’s security, privacy and legal framework that still have no answers.
Around the world, hackers have already hacked and leaked personally identifiable information on hundreds of millions of citizens from the USA, South Korea, Singapore, the Philippines, Turkey, Israel etc. India’s very own Aadhaar is a hack waiting to happen. But this hack will be unique – it has biometric data. Somewhere, some hacker is probably attempting a hack on Aadhaar. It may even be purely for bragging rights – “The world’s largest biometric citizen database: hacked”. The hacker would gain some serious cred on the dark web. Once hacked, that information is traded on the dark web for a pittance or just uploaded in plaintext on a remote server. The problem with biometric data, i.e. fingerprint and iris, is that it cannot be edited, modified or deleted. Misuse of personally identifiable data cannot be stopped from there on. Identity theft is a serious concern with Aadhaar. With the current open technology platform that Aadhaar is built on, a hacker need not even attempt to penetrate the central database. A hack on an application connected to Aadhaar, with some script added to automatically pull as much data as permissible (API limits), could still yield biometric data. There have been several reports of hacks already being carried out, e.g. Jio eKYC sign-up fraud (Feb-2017), Microsoft Skype Lite Aadhaar integration (Feb-2017), Axis Bank Storing Aadhaar Data (Mar-2017), Simple online search (Mar-2017) and more. Another major concern around Aadhaar is the individual citizen’s consent. Currently, no consent is required from an individual to grant or deny access to any data of that individual. While, through the IndiaStack, a “Consent Layer” is under development, it may be too little, too late if not launched immediately.
Data accuracy for biometric data is another concern. Digital biometric authentication provides a probability of accuracy (a value between 0 and 1) and not a binary value (0 or 1). By UIDAI’s own admission, in a 2014 Supreme Court hearing of a Goa gang rape case, Aadhaar can provide a false positive identification rate of 0.057%. That means for every 10 lakh authentications, 570 cases could be erroneous. However, reality on the ground is a far cry from the reported statistics. Analysis of data from the Telangana Government’s website suggests the authentication failure rate is much higher, at ~36%.
The legal framework for Aadhaar, as per the Aadhaar Bill, 2016, is further fraught with issues. There is little to no information on the measures taken by the government to safeguard the data from hackers or on what happens if there is a security breach. Moreover, the only body that can register an FIR for fraud or misuse of Aadhaar is the Unique Identification Authority of India (UIDAI) – the Aadhaar issuing body itself. No citizen can register an FIR against any enrolment agency, business or UIDAI. A citizen can file a grievance complaint with UIDAI, and UIDAI can choose to take action or not. UIDAI can also revoke or deactivate your Aadhaar number anytime, without notice. Having a sound legal framework is crucial to Aadhaar being a true public good.
In the midst of solving for the more crucial aspects of Aadhaar highlighted above, the current government has made Aadhaar mandatory to access public subsidies, services and benefits. Making Aadhaar mandatory to disburse public welfare schemes is against a citizen’s right to privacy and in contravention of a Supreme Court ruling (Mar-2017) that Aadhaar is voluntary.
In our opinion, the “IndiaStack” is an ambitious public software infrastructure project. The long-term benefits for a developing country like India with a foundation like the IndiaStack are immense. However, Aadhaar is just one developed and functional layer of the IndiaStack. If Aadhaar can truly be the digital highway to a flourishing economy, Indians have a lot to gain. But Aadhaar, even with widespread acceptance, is by itself of no value, especially without a sound legal framework protecting the security and privacy of citizens. Aadhaar will continue to face backlash, to its own merit, from an increasingly vocal group of concerned citizens, activists and media outlets. Aadhaar, in its current form, is rough around the edges. Legitimate concerns on privacy, security and legality need to be addressed and resolved for any public benefit to arise out of Aadhaar for the long term. The concerns are serious and must be resolved before mandating widespread acceptance for public welfare schemes. Aadhaar is our first step towards achieving true public development. We have many more steps to take as a nation.
What are your thoughts on Aadhaar and the “India Stack”? Is Aadhaar truly for public benefit? Let me know your thoughts via comments below or via email