Tuesday, August 1, 2017

The Aadhaar / Privacy case in SC.

The SC is currently considering cases pertaining to Privacy issues surrounding Aadhaar. A few aspects relevant to this discussion have not been brought up prominently so far:

1) Many countries have citizen databases, which include confidential information about citizens. Aadhaar is probably the ONLY example in the world where the Govt actually GIVES OUT information in its database to private parties. (I have not been able to find any other example of a country where the Govt shares information in its database with private entities). This is quite remarkable. Perhaps the Privacy arguments need to focus on whether the Govt can give out citizen data, instead of focusing on whether the Govt can collect citizen data.

Some may point out (correctly) that data is given out only after user consent. However, we know that in most cases citizens barely read the consent fine print. Secondly, it is always possible to word the consent in a manner that is deliberately vague, and enables usage of the same data for other purposes.

Perhaps there is a reason why no other country actually GIVES OUT data from citizen databases.


2) The early implementations at UIDAI required the individual to furnish his/her information to the receiving entity, and the receiving entity could only verify that information with a YES / NO response from UIDAI. It was up to the individual to decide what pieces of personal information s/he wanted to share with a particular receiving entity. Today, a receiving entity can fetch ALL pieces of client information in the UIDAI database (except bio-metrics).


3) Collection of bio-metrics is being "normalized". Under the guise of eKYC, so many organizations have begun asking for bio-metrics that we no longer find it unusual. Recently, there was news that air-travelers would be allowed to fly only after they had authenticated themselves at the airports with their fingerprints. It would be interesting to see how people react when this actually happens.

Sharing your bio-metrics is like sharing your password - except, this is a "password" that you can never change even if it's compromised.

A recent news report said that almost 93 cr (i.e. 930 million) people had done bio-metric eKYC during July 17, and presented this as 'proof' that residents were OK with sharing their bio-metrics. The fact is that in most cases, residents are denied service if they decline. A poor person agreeing to provide bio-metrics to get his PDS ration hardly constitutes 'proof'.


4) A citizen has no way to easily ascertain whether a particular device recording his fingerprints is compliant with UIDAI guidelines. Because of 3) above, it is easy for fraudulent entities to trick people into giving their fingerprints on non-UIDAI devices. While the Govt bears no direct responsibility for such fraudulent acts, surely it's the Govt that is responsible for 3) above.


The Govt may want to consider reverting to its earlier YES/NO verification system instead of sharing UIDAI data. It may also want to define the circumstances / purposes for which biometrics of citizens can be captured.