Arshad Shaikh looks at the controversy over the recently withdrawn advisory by the Unique Identification Authority of India (UIDAI). Issues of data privacy and data theft have dogged the UIDAI’s Aadhaar cards, which carry sensitive biometric data, ever since Aadhaar became mandatory as an identity document for availing almost all government services. The withdrawal of the advisory signals the ambivalence within the government over the management of risks associated with Aadhaar and the role of citizens in protecting their data privacy. Lack of clarity on this issue could prove hazardous.
The regional office of the Unique Identification Authority of India (UIDAI) in Bengaluru issued an advisory on 27 May saying citizens should share their Aadhaar details only with institutions that have a user licence from UIDAI.
The advisory read: “Unlicensed private entities like hotels or film halls are not permitted to collect or keep copies of Aadhaar cards. It is an offence under the Aadhaar Act 2016. If a private entity demands to see your Aadhaar card, or seeks a photocopy of your Aadhaar card, please verify that they have a valid User Licence from the UIDAI.”
The advisory recommended that people use the masking facility, which displays only the last four digits of the Aadhaar number. Then, two days later, on 29 May, the UIDAI suddenly withdrew the advisory, claiming that there was scope for it to be misunderstood.
A new press release was issued by the Ministry of Electronics and Information Technology (MeitY), the parent body of the UIDAI, saying, “The (earlier) release advised the people not to share photocopy of their Aadhaar with any organisation because it can be misused. Alternatively, a masked Aadhaar, which displays only the last four digits of the Aadhaar number, can be used. However, in view of the possibility of the misinterpretation of the Press Release, the same stands withdrawn with immediate effect.”
This flip-flop invited the ire of critics on social media as well as broad censure in the editorials of the country’s leading dailies. A prominent TV anchor tweeted: “48 hours after issuing advisory on not sharing Aadhaar photocopy, GoI withdraws it. Now says just exercise ‘normal prudence’! Wow! First, create panic in system, then claim it is misinterpreted, now withdraw it! Classic yes minister: Does left hand even know what right is doing?”
The ‘one step forwards two steps back’ approach by the government is indeed quite concerning, as this ambivalence at the highest level of governance shows the confusion at the top regarding the possibility of misuse of Aadhaar data. What should the common citizen do with his Aadhaar information if anyone demands it? Is there any standard procedure? Will masked Aadhaar cards be accepted? What are the consequences of not masking Aadhaar? How do we track if our Aadhaar is being misused? These are some of the questions that require urgent answers.
MASKING YOUR AADHAAR
According to a story in the Indian Express, “Behind (withdrawn) Aadhaar advice, a drugs bust in Bengaluru and an arrest” (dated June 4), the advisory was issued after it came to light that some criminals had morphed the Aadhaar cards of certain unsuspecting individuals and used them to export drugs and illegal substances. After the UIDAI received immense flak for not warning people earlier about this potential misuse and about preventing it with the ‘masking’ facility, the advisory was withdrawn immediately.
Masking the Aadhaar means keeping the numbers hidden and ensuring that only the last four digits are revealed. This helps secure one’s personal details and prevents them from being misused. The process of masking the Aadhaar is as follows: The masked Aadhaar card has to be downloaded from the UIDAI website. One should visit the website https://myaadhaar.uidai.gov.in/ and enter one’s Aadhaar card number. Then the option ‘Do you want a masked Aadhaar’ must be selected. After selecting download, one will get a copy of the Aadhaar revealing only the last four digits.
Of the 131.68 crore Aadhaar cards, only a small fraction are currently masked. One reason is the lack of awareness, even at the photocopy centres and cyber-cafes where most of the Aadhaar PDFs are downloaded. The other reason is the fear that masked Aadhaar cards may not be accepted as proof of identity.
STILL A DEFICIENT SYSTEM
Aadhaar was launched in 2010. Within a few years, banks and government service providers started demanding Aadhaar as a proof of identity, and it eventually became the norm to seek Aadhaar data for opening bank accounts, property registration, passport services, etc. The 29 May presser from UIDAI says: “Aadhaar identity authentication ecosystem has provided adequate features for protecting and safeguarding the identity and privacy of the Aadhaar holder.”
In a bid to prove that the Aadhaar number was safe and secure, the former UIDAI chief RS Sharma revealed his Aadhaar number and challenged anyone to demonstrate how this number could be misused to harm him. The UIDAI has repeatedly claimed that without biometric information, a person’s identity will remain unique and cannot be duplicated, and hence that aspect of misuse is ruled out. However, it should be noted that none other than the Comptroller and Auditor General of India (CAG) flagged security issues and risks to privacy related to data collection and management.
The 108-page document titled “Report of the CAG on Functioning of Unique Identification Authority of India” says in its executive summary that “UIDAI is maintaining one of the largest biometric databases in the world; but did not have a data archiving policy, which is considered to be a vital storage management best practice. UIDAI may frame a suitable data archival policy to mitigate the risk of vulnerability to data protection and reduce saturation of valuable data space due to redundant and unwanted data, by continuous weeding out of unwanted data.
“Monitoring of the information system operations of authentication ecosystem partners was deficient to the extent that UIDAI could not confirm compliance to its own regulations. UIDAI may ensure that each of the existing REs (Requesting Entities) and ASAs (Authentication Service Agencies) are audited by them. UIDAI may ensure the implementation of Aadhaar Data Vault process and institute/carry out periodic audits independently, to enhance the security of Aadhaar number storage data by user organisations”.
Many countries in the world have a national ID that contains biometric information of their citizens. However, many are facing security and privacy issues, and India is no exception. Storing, monitoring and controlling the data of more than a billion people is no mean task. Experts have highlighted various gaps at different times in the Aadhaar project, some of which are unstable biometrics, errors in data recording and compilation, sharing of data with untrustworthy entities, intrusion into the database by hackers, duplication and fake identities.
However, the biggest question related to Aadhaar, the issue of identification without consent, has rarely been the topic of public debate. As pointed out by the Centre for Internet and Society, “Before the Aadhaar project it was not possible for the Indian government or any private entity to identify citizens (and all residents) without their consent. But biometrics allow for non-consensual and covert identification and authentication.”
The risk of Aadhaar information being misused for surveillance and deprivation of civil rights is a distinct possibility and requires an awareness campaign and the education of our citizenry. Someone correctly said: “Data is the pollution problem of the information age and protecting privacy is the environmental challenge.”