The article by Jean Dreze, ‘Know your Aadhaar’, (IE, May 8) seeks to raise four privacy concerns arising from the threat of hacking of core biometrics, leakage of Aadhaar number and sharing of demographic information with service providers and finally, state surveillance. With due respect, these concerns are wholly unfounded.
The fear of a threat to privacy because of the use of core biometrics (fingerprints and iris) in Aadhaar is exaggerated because biometrics are not secret information like PIN or password. People must know that even the theft of biometrics in a rare eventuality will not put one to the same level of risk as the leakage of a password. Critics try to raise an unnecessary fear about biometrics and use it to attack Aadhaar. They forget that we use thumbprints for many purposes such as registration of documents, passports, driving licence, affidavits, etc. Similarly, physical signatures too fall into the category of biometrics. We all widely use our physical signatures to authenticate documents and transactions. Have the critics shunned the use of physical thumb prints and signatures? We continue to use them because there are additional checks in the system. For example, when I issue a high-value cheque, my bank calls me to confirm whether I signed it. Similar due diligence needs to be followed for Aadhaar verification.
Critics also try to raise an alarm about biometric information being leaked from the Aadhaar database. As explained above, even though the biometric information is not a secret information and its leakage might have relatively limited damage potential, UIDAI has taken and will continue to take measures to ensure that its database remains secure. During the last eight years, there has not been a single instance of a biometric data breach from the Central Identities Data Repository (CIDR). But to say that because somebody may possibly hack the CIDR and, therefore, as a nation, we should not use biometrics is a manifestation of extreme paranoia.
Critics are under the incorrect impression that Aadhaar is a confidential number and term any publication thereof a security breach. There exists a distinction between a secret number and sensitive personal information (SPI) and, also, that SPI is not secret information. Aadhaar, just like a bank account number or PAN, is not secret. It is a piece of SPI whose unauthorised public disclosure is prohibited under the law to protect overall privacy. However, it is also an identity number which needs to be freely shared as and when required. Bank account numbers and signatures are on every cheque. Can somebody hack into someone’s bank account just by knowing his account number or Aadhaar number alone? One would need a password, OTP, PIN, fingerprints etc.
The article also asserts that UIDAI has a weak consent clause, which it uses to freely share people’s data with service providers. Drawing a parallel with Facebook and Cambridge Analytica and referring to Aadhaar being “a drill to new oil”, demonstrates a complete lack of understanding. Critics must first know what personal data UIDAI stores and then question the so-called danger of sharing or data mining. Contrary to the massive real-time personal data which social media companies amass, UIDAI keeps minimal data of a person — name, address, date of birth, photo (which are publicly available in telephone directories, voter lists, etc.) and biometrics. UIDAI does not collect or keep personal details such as one’s assets, bank details, call records, caste, religion, family tree, friends’ list, health information, likes and dislikes etc. Even though one links Aadhaar with telecom, banks, passport, etc, UIDAI under the Aadhaar Act is prohibited from seeking the purpose and/or the location of any transactions. If one were to accept Dreze’s fear about data mining through such minimal data, then the first casualty will be the publication of voters’ list, which has far greater demographic details.
Critics also accuse Aadhaar of creating an unprecedented infrastructure of state surveillance. They need to ask themselves whether mandatory usage of Social Security Number (SSN) in the United States in areas such as food stamps, bank accounts, financial aid, subsidised housing, birth registrations, death certificates, healthcare benefits has turned that country into a surveillance state. One may argue that there are safeguards in the US which prevent data aggregation. Similarly, India as the world’s largest democracy has a strong legislature, independent judiciary and free press which prevent any such attempt or overreach by the executive. The Parliament brought in the Aadhaar Act in 2016 with strong safeguards to eliminate the possibility of any state surveillance. The Aadhaar Act is based on the principle of privacy by design — minimal data, federated databases and optimal ignorance — which in turn ensure that no agency, UIDAI, government or private, is able to aggregate Aadhaar information from various sources to track or profile any individual. Bill Gates has rightly commented that Aadhaar in itself does not pose any privacy issue because it is just a bio-ID verification scheme.
Finally, the above concerns raised by the conscientious objectors of Aadhaar remind us of the arguments that the Luddites gave while opposing Industrial Revolution. We must realise that we are moving towards a digital society where technology will have a far greater role than before. What is needed is mitigation of risk, if any, rather than an abrogation of technology, otherwise, as a nation, we will be the big loser. We were left out of Industrial Revolution because our country was not independent then, but we would not like to miss the bus this time.