We need a trust model for Aadhaar
Privacy is a complex topic by any stretch of imagination—be it in a modern Western democracy with an elevated, even entitled sense of individual privacy or an emerging economy like India that is only beginning to grapple with the issues associated with it. So when any overarching technology initiative such as Aadhaar—which deals with the biometric authentication data of over a billion people—begins to come into full force through integration with a lot of services, data privacy concerns among common folk are repeatedly bound to be raised.
A “trust model” can help by directly addressing those concerns. The model should match ordinary people’s expectations in terms of factors such as identity, authentication, service-level agreements and, of course, privacy. The model should also encompass how those factors are dealt with from a people, process and technology perspective. So how what kind of a trust model can we build in the Indian context?
Such a model, I believe, should be based on four substantive principles. One, it should allow an own your own data (OYOD) consent process. Two, it should keep the data confidential. Three, there should be adequate contractual arrangements among the Unique Identity Authority of India (UIDAI—which issues Aadhaar) as the hub and the registrars/enrolment centres in the public and private sector as spokes. And four, it should have robust, end-to-end security, connectivity and access measures among the hub and spokes.
The Aadhaar technology and architecture document (2014) advocated a “minimalistic approach to data” and a “federated model” with one-way linkage. In simple terms, existing identities such as bank account numbers and permanent account numbers were not to be originally captured within Aadhaar. Instead, such identities were to be linked “one-way” to Aadhaar. This would imply precluding the mandatory linking of other non-DBT stuff (DBT, or direct benefit transfer, allows the government to directly transfer money to beneficiary accounts under various subsidy schemes). The exceptions included attendance systems in government institutions (used in Jharkhand, for instance) and opening basic savings deposit (BSBD) accounts under the Prime Minister’s Jan Dhan Yojana, which were DBT-related linkages. Other than that, the Aadhaar linkages should be made voluntary and consensual in nature—such as regular bank accounts, income tax, air/train travel, exam results, medical and employment records and registration of marriage.
Another point is that the Aadhaar Act envisaged UIDAI as both a “custodian” of Aadhaar data and the “measure of last resort” in an emergency response situation for data breaches. This makes UIDAI the data custodian as well as its own regulator. Indeed, in case of a data breach, it is the UIDAI—and not the citizens whose data is breached—that gets notified. The authority then decides how best to proceed in the case. Here, it is pertinent to note that the citizen has little legal recourse, as Section 47 of the Aadhaar Act states that any criminal complaint can only be filed by the UIDAI. Furthermore, the Aadhaar Act grants the UIDAI complete immunity from liability and prosecution of any kind. All this makes the “consent” part of the trust model absent or incomplete.
As Aadhaar data gets linked with banking apps, credit cards, mobile connections and other services, there are transactional data logs associated with authentication. Though passive in nature by way of simple “yes/no” mode of authentication, these transactions nonetheless capture “personal data” as they pertain to one’s day-to-day activity and behaviour. So this “electronic footprint” of transactional data—which comprises people’s lifestyle and consumption patterns—needs to be protected in addition to just the biometric Aadhaar data.
While the UIDAI’s stance is that the linkage to Aadhaar is “one-way”, even the uni-directional linkage cannot prevent encroachment on a person’s privacy by having artificial intelligence (AI) bots run through the interconnected web of databases where all those transactions are captured. Right from its Strategy Overview (2010), the Aadhaar project revealed a preference for building revenue models around data generated during authentication by private entities. While there is nothing wrong with building such an open tech platform and an ecosystem for young Indians to build innovative apps, the data itself—considered the new oil by many—must be safeguarded by adopting “defence in depth” safety principles, to borrow a concept from the nuclear energy business.
As a thumb rule, the more the number of endpoints accessing a database, and the more the methods in which the data can be accessed, the higher is the security risk in the overall system. And when DBT and other services are made available to individual or even entities such as hospitals, telecom companies, e-governance agencies, insurance firms and airports via open application programming interfaces (APIs) and authentication keys—including by start-up portals and mobile apps to provide e-KYC services—there is a cause for concern.
Such concerns are not without precedent. Recently in Jharkhand, unmasked demographic details were revealed—names, addresses, Aadhaar numbers and bank account details of the beneficiaries of Jharkhand’s old age pension scheme of more than a million citizens. Other concerns relate to illegal storage of Aadhaar biometrics at some service providers’ end, potentially for identity theft and improper access or misuse of transactional authentication logs by fraudsters. Finally, if there is a cyber attack on the encrypted biometric data itself and its concomitant demographic profile (no such evidence of that to date, though it is not unheard of), then one must be reminded that unlike the usual passwords, the biometrics cannot be “reset” or “re-seeded”. And this would constitute an irreversible and immutable loss of privacy to individuals.
In conclusion, even as the Supreme Court has proposed a three-tiered privacy doctrine—what I would term as Indian ingenuity of trying to please all but satisfying none—three aspects should be addressed if indeed this is the path that will be taken. One, within each tier, data should also be “ring-fenced” to disallow conjoint use, that is, opt-out should be the default option. For instance, in the government’s Project Insight, which intends to use data from social media to cross-tabulate citizens, the personal data of citizens ought to be kept away from prying. Two, what sub-elements fall in each tier, and how to distinguish them, could be a cause for litigation, appeal and public confusion. So those sub-elements should be defined as unambiguously as possible. And third, an OYOD-based consent process should be included to allow all individuals to view or “audit” their own data or decide what part of data to share, with whom and for what purpose.
Probir Roy is co-founder of PayMate (India) Pvt. Ltd, an early mover in the fintech space.
Comments are welcome at email@example.com
- Rupee strengthens marginally against US dollar on Asian cues
- Bitcoin drawing some of the world’s fastest traders
- Smog-choked India is giving the filthiest fuel a tax advantage
- Uber data breach shows vulnerability of software code-sharing services
- India’s ‘dirty dozen’ debtors lure big funds to bad loans