The Main Problem With Aadhaar is Still Not Being Addressed

Day 29 of the Aadhaar hearings, which took place on Tuesday, has been widely reported for Justice Chandrachud’s question on whether Aadhaar data can be used to influence elections. He also looked into the allegation from the UIDAI that Google and other tech companies oppose Aadhaar as it would affect their business (data). However, a sober reading of the court proceedings is in order.

As the UIDAI’s Counsel Rakesh Dwivedi pointed out, the Aadhaar data held by the UIDAI cannot help in influencing elections. This is because the data held by the UIDAI does not contain anything other than biometrics and authentication requests. These authentication requests are also anonymised to the extent that the purpose of verification is not known to the UIDAI. However, the other question posed by Justice Chandrachud should cause citizens to worry about Aadhaar – whether sections 8(3) and 29(3) of the Aadhaar Act can be misused by authenticating agencies.

Section 8(3) of the Aadhaar Act places a duty on the requesting agencies to inform individuals the nature of the information that may be shared upon authentication, the uses the information may be put to by the requesting entity, and alternative identity documentation that the entity accepts. The legalese apart, a requesting entity can be an internet service provider, a hospital or a car dealership, among others. Therefore, this particular provision, apart from placing a duty on the requesting entity to ensure the informed consent of individuals, also confirms that a requesting entity can store the information. Informing the customer that the information will be used to improve services is a broad concept. It can be argued that a car dealership sharing the information with vehicle insurance companies also falls within this ‘purpose’. Section 29(3) supports the provisions of section 8(3) to the extent that the information shared by the requesting entity cannot be used for any purpose other than agreed and consented to by the individual. This information is more valuable to corporates than the name and date of birth of an individual. The companies do not even need this information, the information can be learned from the nature of services the verification is required for.

This particular aspect was contended by Senior Counsel Rakesh Dwivedi on the grounds that the UIDAI comes under Article 32, meaning that a petition for enforcing fundamental rights can come against them. He then referred to section 57 of the Act and stated that private entities that discharge government functions on contract can also be brought to book under the Constitution. Section 57 states that the Aadhaar number can be used for establishing an individual’s identity for any purpose, irrespective of whether by the government, a person, or a company. This, of course, is on the condition that the authentication is required by law, and it must follow the procedure in Section 8.

Dwivedi further made a reference to Sections 7 and 57 of the Act stating that the former expands the scope of the Act, while the latter restricts it. Section 7 empowers the government to notify for which schemes Aadhaar verification is necessary. However, the argument of the Senior Counsel appears strange since section 57 also authorises private entities to seek Aadhaar from individuals. On this note, Dwivedi conceded that the Aadhaar is good for the public distribution system, even though it may not hold much ground under the Prevention of Money Laundering Act.

The startling revelation that many have been harping on – that tech companies want to scuttle Aadhaar – is based on the submission that the Central Identities Data Repository (CIDR) is not linked to the internet. It has been reported that the tech companies want to make use of the metadata to drive up their profits, and hence proposals for Aadhaar to be scaled down to a ‘smart card’ system which can be swiped have been suggested. This line is merely another ‘foreign hand’ argument. Tech companies already have access to more information than Aadhaar can offer. Ola, for example, knows which cities a person frequents as well as what class of vehicle the person prefers. Food delivery apps and sites know which restaurants a person frequents as well as how often a person goes out. Google, of course, has access to all of this since most smartphone users in India run on Google’s Android system. What more could Aadhaar provide?

The Senior Counsel referred to the Information Technology Act, 2000, stating that the CIDR database is protected by the Act. Hacking or unauthorised access apart, the problem is not the biometrics or the use of Aadhaar as much as the verification process. The Aadhaar project was initially mooted as a panacea based on biometric authentication. The problem is that in a country with poor IT infrastructure – think cell phone and internet connectivity – this is not actually feasible unless the infrastructure is built. Therefore, the Aadhaar Act provides that the Aadhaar number can be used, as well as, is the proof of possessing or having applied for an Aadhaar. This change of tack has severely weakened the security infrastructure of the entire project. The reason is that Aadhaar, unlike a driving license or the new voter IDs, is printed on a piece of paper and can be reprinted multiple times, let alone edited –with photoshop or MS Paint for example. This is, however, digressing from the fact that the Aadhaar number is now the ‘proof’ of identity. Consider the Bhim App, one has to link their Aadhaar with their bank account to use it. However, with this information, a person can change the number the account is linked to. Hence, a person can carry out transactions using another person’s bank account and Aadhaar number. This information can be easily obtained by simple ‘social engineering’ where the fraudster pretends to be calling from the bank and is then able to fool those unfamiliar with technology – the aged and the illiterate.