The recent article by Tribune on the data breach of Aadhaar and the subsequent decision by UIDAI to file an FIR on the journalist has led to questions about the safety of Aadhaar data. The ethical boundaries of journalism in this case are open for debate. But the concerns over security of the Aadhaar data and the system are real.
There are many serious problems in the Aadhaar project and the Aadhaar Act. I would like to lay down three facts related to Aadhaar in front of the reader. I shall explain the problems that arise/may arise during the implementation of Aadhaar system and Aadhaar Act because of these facts.
Fact 1 : Bio-metrics are not secure. They can be easily stolen, stored permanently and misused.
It’s an old cliché of security researchers: fingerprints might appear more secure than passwords. But if your password gets stolen, you can change it to a new one; what happens when your fingerprint gets copied? – Hacker fakes German minister’s fingerprints using photos of her hands
Most of you may not have heard about the sensational story of German defence minister Ursula von der Leyen whose fingerprints were stolen at a press conference. The hacker used high definition images of her fingerprints and reverse engineered her fingerprints using a software called VeriFinger. The article rightly points out the major flaw in using bio-metrics as passwords
“Biometrics are not secrets… Ideally, they’re unique to each individual, but that’s not the same thing as being a secret.”
Problem 1: Many advocates of Aadhaar say that it will lead to end of corruption and think of saving the poor people. The Prime Minister has also spoken of the savings due to targeted delivery of services. But it is not foolproof.
Fingerprints can be stolen once and saved forever. In the age of gadgets, one can procure a machine to record and store fingerprints of gullible poor who come to fair price shops. The finger prints stored can then be used to steal PDS grains forever. The same can happen to almost any government scheme. This would institutionalize corruption under the guise of transparency. Even if someone is stealing subsidies in the name of the poor, nobody will know.
As they say, the road to hell is paved with good intentions.
Fact 2 : Aadhaar Act allows information of a person to be shared only in two circumstances
Cases when information may be revealed: Aadhar information can be revealed only in two situations. They are :
1) In the interest of national security, a Joint Secretary in the central government may issue a direction for revealing : (i) Aadhaar number, (ii) bio-metric information (iris scan, finger print and other biological attributes specified by regulations), (iii) demographic information, and (iv) photograph.
Such a decision will be reviewed by an Oversight Committee (comprising Cabinet Secretary, Secretaries of Legal Affairs and Electronics and Information Technology) and will be valid for six months.
2) On the order of a court,
(i) an individual’s Aadhaar number, (ii) photograph, and (iii) demographic information, may be revealed.
Problem 2 : There is wide scope of available to the government to interpret the phrase ‘national security’ under the law. Those who underestimate this vague phrase should read about emergency declared by Indira Gandhi in 1975. She misused the phrase ‘internal disturbance’ in the constitution. Undefined vague terms are always open for misuse. In addition to this, the Parliament can always bring in a legislation to widen the cases where the data can be revealed by UIDAI.
Hence this provision in the law is a threat to civil liberties of all citizens in future. Ideally bio-metrics of citizens should not be collected in the first place. The USA is able to deliver services to citizens without collecting bio-metrics through the social security card.
Fact 3 : Only the UIDAI is allowed to complain about the unauthorized leak of information
Common citizen is not allowed to complain or file cases under the Aadhaar Act . :
47. (1) No court shall take cognizance of any offence punishable under this Act, save
on a complaint made by the Authority or any officer or person authorised by it. – Aadhaar Act
Problem 3: This means , that the citizen , if he comes to know that his information by a person inside UIDAI has sold or leaked information without his/her consent, he/she can’t file a complaint. The potential offender holds complete discretion to file any complaint. This is absurd.
Poorly Conceived by Congress, Blindly Followed by BJP
The Aadhaar project, from the beginning, disregarded privacy and possible misuse of the citizens’ data. Worse still, the process of collecting data was given to franchisees without adequate safeguards and laws. Those having information can do anything with the information they have. The franchisees who collected data of citizens are not under the full control of government machinery.
There was no legal framework for the Aadhaar project. The first card was issued in September 2010. By November 2014 , 70 crore Aadhaar cards had already been issued and the 100 crore mark was reached swiftly in April 2016. The Aadhaar Bill was passed in Lok Sabha as late as March 2016. The card was given to anyone residing in India without distinguishing illegal migrants, refugees and citizens of India.
Compare this to the social security card given by the US government. The social security card is issued only to citizens of USA. And, it does not collect any bio-metric data of the citizen. The government could have studied other models and optimized them for Indian scenario.
The mess was started by Congress-led UPA government. The blame for flawed model of issuing the Aadhaar cards, without legislative backing goes entirely to the Congress. The mistake of hurriedly taking forward this project without proper study and analysis was committed by the BJP-led NDA government. The third mistake of asking citizens to link Aadhaar to bank accounts , PAN, IT returns , LPG and many other services without a foolproof data protection law belongs to NDA .
The government started framing the data protection law as late as August 2017. This was just three weeks prior to the historic Supreme court judgement which declared privacy as a fundamental right. The committee framing the law has called for public consultations for the first time on 5th January 2018.
The only hope is that the upcoming data protection law is fool-proof and effective in addressing the privacy concerns of citizens while ensuring effective delivery of services. One can only hope that the data with UIDAI is secure from unauthorized use in future. It is essential to quote the line from The Guardian article again at the end of this article.
“Biometrics are not secrets… Ideally, they’re unique to each individual, but that’s not the same thing as being a secret.”
