Nandan Nilekani | Aadhaar an evolving endeavour, UIDAI responsive to public concerns4 min read . Updated: 18 Jan 2018, 08:45 AM IST
The UIDAI doesn't know where you've linked your Aadhaar, and why, says UIDAI's former chairman Nandan Nilekani
You can’t have your cake and eat it too. Economists call this maxim a “trade-off". You are always balancing between opposing forces, having it all is not an option. In the late 1800s, you could either take a carriage and ride slowly but comfortably or ride faster, but solo (and uncomfortably), on horseback. That was the case, until it changed in 1912, thanks to Henry Ford. You could now travel both comfortably and fast. This is why new technology has always been lauded in society, because it changes the nature of these trade-offs entirely.
As the usage of Aadhaar grows, there has been concern from some about the ‘linking’ of Aadhaar to various services. The concern was that a unique identifier such as Aadhaar being seeded in multiple databases opens up the possibility of deep profiling and tracking. Images of 1984 and the birth of a “panopticon" have been conjured up. These fears are over-hyped and baseless.
For a moment, consider another unique identifier, your mobile number. A typical urban, young Airtel user has probably “linked" her mobile number to Ola for booking cabs, Zomato for ordering food and WhatsApp for messaging. Yet, one cannot say that by doing so, Airtel knows where she goes, what she eats or whom she talks to. This is because “linking" is a one-way process. Ola knows your Airtel number, but Airtel doesn’t get data from Ola. The same is the case with Aadhaar. The Unique Identification Authority of India (UIDAI) doesn’t know where you’ve linked your Aadhaar, and why.
Even then, in the rare case, if Ola, Zomato and WhatsApp were to collude and share your data, they could “link" the data using your mobile number. With current technology, you could get multiple SIM cards and handsets for summoning a cab, ordering food or sending a message but that is impractical.
The answer to this trade-off is tokenization technology.
Basically, tokenization in our example would mean a different mobile number is automatically assigned for every Zomato, Ola and WhatsApp you link to. Moreover, you can create your own virtual mobile number if you want. UIDAI had originally considered tokenization in the early days of Aadhaar in 2010, but it was an idea then ahead of its time.
Now that tokenization has been announced, it has changed the nature of the trade-off itself, increasing privacy and security, without compromising usability. There are three new features which have been launched.
First, the new limited e-KYC (know your customer) will not give away your Aadhaar number, unless the law requires it. Second, every organization using Aadhaar will necessarily get a token, i.e. an ID number, that no one else in the world will have. This token cannot be used to reveal your Aadhaar number, nor can two colluding organizations “link" your records. This is a guaranteed tokenization on the back end, with no action required from the user. Your privacy is protected as a default.
Third, if you’re still not satisfied with the UIDAI’s tokenization, you can optionally generate your own 16-digit virtual ID. This virtual ID is a pseudo-Aadhaar number and will be usable everywhere an Aadhaar number is. More importantly, UIDAI recognizes that this service should be available to all, so you do not need a laptop or a smartphone to get or replace a virtual ID.
In fact, this sort of inclusion by design has been a feature of Aadhaar from the very beginning. Even the homeless could get an Aadhaar, without a valid proof of address, by the introducer system. The UIDAI team knew that the introducer system has challenges, but the trade-off was to exclude people from getting an Aadhaar because of a lack of documentation. I’m glad the UIDAI chose inclusivity. The recent move to enable facial recognition as another way of Aadhaar authentication is one more step in the interest of inclusivity.
I’m glad that news headlines are dedicated to important technological challenges such as protecting user privacy, but unfortunately, the quality of the debate leaves a lot to be desired. While Aadhaar took centre stage in the debate, it was a distraction from all the other real issues that are detrimental to an Indian’s privacy. From my example above on linking, you may have realized that your mobile number creates the same privacy issues as Aadhaar did before tokenization. In fact, a recent article in The New York Times quoted a Federal Bureau of Investigation (FBI) agent as saying that a mobile number is more dangerous than a social security number because it is in 10x more databases; it is the exact same for every service, it is connected to a device that is always on you, and can even track your location.
What delights me the most though is that the Aadhaar architecture is flexible, fast, constantly innovating. It is not just able to introduce new features, but also manage their transition at scale. Systems are not born through Immaculate Conception, they get there through constant improvements. We should applaud the UIDAI for being responsive to the concerns of the public. We need to recognize that providing a unique, secure identification, with instant authentication anywhere, to 1.3 billion Indians is an evolving endeavour. What India has accomplished in less than nine years is nothing short of a revolution!
Nandan Nilekani is former chairman of the Unique Identification Authority of India and is currently chairman of Infosys Ltd. The views expressed are personal.