In an age rife with digital innovation, India has made two meaningful contributions: The number “zero” and Aadhaar. Okay, I cheated a little bit with the first one, given its pre-digital age origins, but let’s not allow petty details to get in the way. Aadhaar is a monumental IT project and a monumental vision for inclusion. Aadhaar, as a concept, lays the very foundation of trust in the digital age. And it does so regardless of caste, Facebook status or creed, across a billion people. Unfortunately, this also means that Aadhaar is a treasure trove of personal data on a billion people; therein lurks a parallel potential for widespread mischief. A journalist writing for The Tribune suggests that, indeed, such mischief can be pulled off rather easily.
The Tribune reported it had bought key user details by paying an “agent”, which allowed them to enter any Aadhaar number into the Unique Identification Authority of India (UIDAI) website. An additional Rs 300 helps print an Aadhaar card. This has, of course, led to calls to ditch Aadhaar, the UIDAI has dutifully denied everything and, to make its point a bit more forcefully, has also filed an FIR against the journalist. To lend some global fizz to the story, Edward Snowden, the world’s most notorious whistleblower-at-large, has jumped in, taking common cause with the whistleblowing journalist. To lend some local Bhojpuri fizz, Shatrughan Sinha has joined the fray — as to why, you will need to ask him.
The Aadhaar breach story is, however, much larger than whistleblowing and politics. It is also, sadly, not new. Security concerns have dogged the system. Aadhaar is “a readily available single target for cyber criminals,” according to an October 2017 Reserve Bank of India research paper. The latest revival of the story is a perfect wake-up call that the year 2018 is here, and will be a turning point in the way we, as a global digital citizenry, will be re-drawing the line between digital dependence and digital distrust. While there are as many mobile phone subscriptions as people on the planet, 2 billion check Facebook every month, and over 3.5 billion searches hit Google every day, our trust in the security, privacy and believability of the digital mesh has been severely challenged in recent years. 2017 was the perfect storm.
Instead of pulling up the drawbridges and retreating into a defensive crouch, the guardians of Aadhaar may find it enlightening to get with the times: The next wave of digital innovations will be in winning the consumers’ digital trust, without sacrificing benefits. If done right, this would be an opportunity to add to India’s slender list of digital innovations.
The guardians of Aadhaar will sense that 2018 is a turning point by just observing how some of the other gargantuan treasuries of personal data have rung in the new year. Facebook’s Mark Zuckerberg has committed 2018 to “working to fix our issues together”. With Russian election meddling, Facebook’s impact on user health and the flood of fake news, there are many “issues” ripe for fixing. Silicon Valley neighbour, Google, led off the new year by blocking websites that mask their country of origin on Google News. Microsoft, whose older operating systems were a significant entry point for the WannaCry ransomware breaches in India and elsewhere, anticipates a “sea change” in standards-setting security.
The guardians of Aadhaar may note that 2018 will be a banner year for bureaucrats implementing their own sea change. The European Union’s sweeping General Data Protection Regulation (GDPR) goes live on May 25. The regulation will affect every organisation, regardless of where it is based, that handles personal data for EU residents. Having Europe test-drive new regulation will, no doubt, inform data protection laws elsewhere.
Now, the guardians of Aadhaar might say these new year’s resolutions may be fine and dandy for American companies and European regulators; “first-world problems” of privacy, security and believability are less important for developing nations. They may argue that the Americans are in a lather over the fact that they elected someone described as an idiot, a moron, an (expletive deleted) idiot — just by those reporting to him or supporting him — or about massive data breaches across Equifax, Uber and Yahoo, all thanks to the manipulation of the digital system. They may cite European complacency and a panic-led regulatory response as politicians covering their behinds.
The guardians of Aadhaar would remind us that people in developing nations want mobile phones, bank accounts, insurance policies, shopping. Look at the Chinese, the developing nation beats all the first-worlders in their energetic embrace of the digital age, with no care for their data. After all, everyone knows that China’s biggest data treasuries, Baidu, Alibaba and Tencent, are simply carrying on the tradition of the Communist Party’s system of renshi dangan — maintaining personal files on people and groups.
That narrative is evolving. The guardians of Aadhaar should check the recent news out of China. While Chinese digital consumers have been among the most trusting and tolerant in the world — according to research that my colleagues and I and Mastercard have done of digital trust globally — with increasing sophistication, this outlook is changing. Baidu has been sued by the Jiangsu Provincial Consumers Association for failing to warn consumers that its apps enable it to monitor users’ phones. Tencent had to publicly deny that it collects user chat history after it was openly challenged. Alibaba’s Ant Financial apologised to users of its mobile-payment service for automatically enrolling them in its social-credit scoring service.
This should be a signpost for the guardians of Aadhaar. If the Chinese consumer is getting cranky about personal data today — and this, mind you, is a consumer used to constant surveillance and limited freedoms — the Indian consumer will not be too far behind. By stonewalling and avoiding innovation in building trust, the good folks of Aadhaar may end up in a lonely place.
To be fair, the guardians of Aadhaar have proposed many positive changes — issuing virtual IDs, limiting KYC rules, eliminating the need for agencies to store biometric ID and limiting the number of agencies that can access and store Aadhaar data. However, the country needs more systematic and systemic policy innovations in enhancing data privacy, security and believability. The Modi administration should abandon its natural tendency for heavy-handedness in tying Aadhaar to multiple services. The UIDAI can be less prickly and more proactive. The courts need to make judgements with a keen awareness that much of digital trust-building is still uncharted territory.
India’s unique ID is a unique opportunity. Aadhaar has inspired other countries — 20 countries have shown interest in studying it. India could lead the world, if it gets this right. If not, then India’s two meaningful contributions to the digital age would collapse into a single one. Aadhaar could end up becoming just a big zero.