Mistaken Identityhttps://indianexpress.com/article/opinion/editorials/mistaken-identity-4640984/

Mistaken Identity

By disparaging legitimate data security concerns, government could devalue Aadhaar and its promised efficiencies

Finally, the government has admitted that almost 3.5 crore Aadhaar identities have found their way into the public domain, having been inadvertently published on government websites. Nevertheless, the state counsel arguing against a clutch of PILs in the Supreme Court insists that it is currently the “most foolproof method”. He has had the humility to concede that the picture could be different 20 years later, but not the wisdom to acknowledge that it could happen tomorrow. Over the years, the Aadhaar establishment has brushed off security and privacy concerns by insisting that the system is technologically foolproof. However, humans make technology, and it can be cracked by other humans. Data can only be secured by punitive privacy law, not technology alone.

Aadhaar was presented as a very tiny pinhole, through which only the reply to a single query could emerge: Is the person interfacing with the system who he or she claims to be? Nothing else, certainly not the contents of the database on which the query runs, was supposed to come out into the public domain. However, it now appears that the pinhole is about as wide as India Gate, and open for traffic. Did the Aadhaar technology fail? Of course not, the state counsel has protested, and he was right. Yet the fact remains that the system failed. One of the first principles of hacking is that the weakest link is not in the machine. It is the human sitting at the keyboard. Hackers prefer to target people rather than systems, counting on them to give unauthorised access to systems out of ignorance or carelessness.

The “leak” of Aadhaar data owed to the ignorance of government departments about data security. They published data which was never supposed to be let out of information silos. Of all the scenarios anticipated by the naysayers, this is the worst. If this is normalised, then lesser concerns must seem trivial, like the misuse of data for marketing by private agencies involved in the Aadhaar chain. That alone would have brought people out on the streets in a mature information society. Yet the attorney general has dismissed such concerns as “bogus”. And there is no willingness to reconcile the legal status of Aadhaar, which is voluntary, with the fact that it is compulsory in practice. Aadhaar is an ambitious project which can bring valuable efficiencies to government spending. The government should not devalue it by disparaging the completely legitimate security concerns of citizens, or by forcing it upon them by ignoring the letter and spirit of the law. That would be a truly “bogus” policy.