The wild chase for a lost Aadhaar, documented by Vyom Anil and Jean Dreze (‘Wild chase for identity’, IE, July 5), admittedly exposes a flaw in its application, if not architecture. The authors are spot on that the only record many people have of their Aadhaar number is their Aadhaar Card. So, what if they lose the card? Pushed by privacy vigilantes, a fallacious view has developed that the Aadhaar number should be treated as a secret or confidential number, making its retrieval an uphill task.
The number is the key to Aadhaar, a digital ID provided by the state on demand to all residents of India. Losing it is as inconvenient and problematic as losing the key to a lock. In the financial world, the loss of a payment card, it is argued, is less painful than the loss of cash, which is irretrievable. Similarly, the loss of a paper card is less than losing a smart card. That is one reason the Unique Identification Authority of India (UIDAI) preferred the paper form factor over a plastic one.
At the drawing board, the UIDAI was acutely aware of the possibility of an individual losing the so-called Aadhaar card and the short longevity of a paper one. The initial strategy paper describes Aadhaar as a number and not a card, easy to retrieve, download, and print with no original, copy, or duplicate concept.
Another built-in mitigation was the anticipated ubiquity of the number across domains, particularly for the poor, like Reena, who draws multiple social welfare benefits. Reena would not have been desperate to retrieve her Aadhaar number and obtain a new card when Anil and Dreze met her, had her ration card, job card, bank account and widow pension, among other benefits, carried it as planned. However, these cards do not print the Aadhaar number on the same fallacious premise that Aadhaar is to be treated as something confidential. The publication argument is taken to its extreme.
Subscriber Only Stories
As per the Aadhaar Act, “An Aadhaar number shall be a random number and bear no relation to the attributes or identity of the Aadhaar number holder.” It is neither secret nor confidential. For this reason, the IT Act also does not classify the Aadhaar number as sensitive personal information.
Under the IT Act, the biometric information collected by the UIDAI for uniqueness is sensitive personal data. Understandably, confronted by an aggressive privacy lobby, the UIDAI is cagey about allowing individuals to leverage their biometrics to retrieve lost Aadhaar numbers. Searching a database of billion-plus residents without biometrics may be challenging for the likes of Reena without other unique identifiers like email and phone numbers.
Individuals provide Aadhaar in paper form, with the number printed on it, to various agencies like railways, airlines, telcos, financial institutions and government departments. Section 29(4) of the Aadhaar Act prohibits the publication of Aadhaar numbers except for purposes specified by regulations. The purpose of these restrictions is that while the Aadhaar number is not confidential, its publication in various records will make it easy to collate information. The collation of data in the digital world is easy even otherwise. The movement of society into the digital world and the internet — not Aadhaar — heighten sensitivity to privacy and security.
Section 4 (b) of the RTI Act obligates public authorities to publish all information in their possession in the digital form of beneficiaries of their subsidy programmes. Section 8 exemptions do not cover the publication of Aadhaar numbers. There is a play of privacy versus transparency at stake, but the assertion that the publication of Aadhaar numbers constitutes a data breach or data leak is far from the truth.
In his paper, “Analysis of Major Concerns about Aadhaar privacy and security” Professor Maninder Agrawal of IIT Kanpur convincingly refutes that the Aadhaar number is vulnerable to surveillance attacks by the state, forgery attacks by miscreants, or database attacks by hackers. In simple terms, it says that getting access to somebody’s Aadhaar number does not increase the digital vulnerability of the owner. A simple antidote to the woes arising from the loss of the Aadhaar number is to lift the restrictions and secrecy on its usage. Retrieving it will then be as easy as unlocking a device with multiple keys.
There is a compelling case for the UIDAI to promote the widespread use of Aadhaar. The number is neither secret nor confidential. One of the co-authors of this article put his Aadhaar number in the public domain a couple of years ago without harming himself. It is still out there! Given that the Aadhaar number is not an ID or a password and is devoid of any intelligence, a convincing argument about how a random number is a privacy risk eludes common sense and comprehension.
Dreze and Anil make a compelling case to simplify the retrieval of lost Aadhaar numbers. A lucid policy for recovery and easy to access support services, online and offline, is required. Recalling demographic data submitted to the Authority will suffice to retrieve lost numbers. The use of biometrics as a measure of last resort will, however, need to be permitted. Reena’s case highlights the limitations of the currently available options. The UIDAI needs to act with urgency to end the woes of the less well-versed.
Simultaneously, UIDAI should vigorously promote the adoption of Aadhaar as a public utility not just by the government but the nation. A pioneering achievement of India, Aadhaar must be seen as an instrument to empower people across domains to realise their rights and place in the digital world rather than be closeted due to misplaced reservations.
This column first appeared in the print edition on July 15, 2021 under the title ‘Number, no privacy threat’. Sharma is the Founding DG of UIDAI and currently CEO, National Health Authority. Singh is former member, Postal Services Board. Views are personal
📣 Join our Telegram channel (The Indian Express) for the latest news and updates
- The Indian Express website has been rated GREEN for its credibility and trustworthiness by Newsguard, a global service that rates news sources for their journalistic standards.