ISSN (Online) - 2349-8846
-A A +A

A Fait Accompli

The government and UIDAI are answerable to citizens for the Aadhaar project going dangerously awry.

Each time the Unique Identification Authority of India (UIDAI) is confronted with how unsafe the huge database it has accumulated of the personal information of millions of Indians is, it prefers to bury its head deeper in the sand. Yet again, when a reporter from the Tribune newspaper in Chandigarh wrote about how she managed to purchase access to Aadhaar data by paying an agent a mere ₹ 500, the UIDAI responded by filing a case against the journalist, insisting that no harm had been done, and then introducing another step that citizens must take to keep their own personal data safe. Surely, the time has come to call the UIDAI’s bluff.

Being such a widespread and pervasive system, the Aadhaar project is a vulnerable target. There have been numerous instances of unauthorised access, publication and misuse of data. The most recent case was reported by the Tribune, exposing how unauthorised agents are selling and providing access to demo­graphic data. Earlier, we heard how the Airtel Payments Bank created accounts for mobile subscribers without their consent and diverted the money received via direct benefit transfers from their primary bank accounts to these payment bank accounts. Also, like many other government websites, a Jharkhand government website published the Aadhaar numbers, bank account details, names and addresses of over a million pensioners.

At each instance of public outrage, the UIDAI has reiterated that the biometric data is safe and claimed that “the Aadhaar numbers which were made public on the said websites do not pose any real threat to the people … and mere display of demographic information cannot be misused without biometrics” (UIDAI press release, 20 November 2017). It also stubbornly continues to deny the occurrence of any “breach” of data, dismissing the publication of demographic data as insignificant. It also claims that as it maintains a “complete log” of the facility, “any misuse is traceable.” Yet, it is unable to explain how misuse on the scale reported in the Tribune went unnoticed.

In what appears an afterthought, the UIDAI has firewalled 5,000 officials from accessing the system and introduced a new two-layer security system (Virtual ID and Limited KYC or Know Your Customer). After private operators had already processed millions of Aadhaar applications, the UIDAI decided to hand over this job to government centres, and banks and post offices last year. This habit of taking action after the fact has been a characteristic of the Aadhaar project and the UIDAI from the very beginning, brandishing a fait accompli in our faces at every step. It began with the establishment of the UIDAI and the enrolment and linking process even before a law had been enacted. It went on to the project encompassing almost every aspect of our lives without any law or safeguards for data protection and privacy being in place. Meanwhile, constant and concerted pressure has been exerted on citizens by the government to produce an Aadhaar number for obtaining every conceivable service, from birth certificates to death certificates, and everything in between. In fact, this has reached such absurd proportions that recently the Uttar Pradesh government demanded that the homeless seeking access to night shelters provide their Aadhaar number, prompting the Supreme Court to ask whether those who do not have the Aadhaar “do not exist for the Union of India or the Uttar Pradesh government.”

The legal case challenging the misuse of the Aadhaar beyond what the government had initially stipulated has been pending before the Supreme Court since 2015, with hearings scheduled to begin from 17 January again. The apex court will need to address how and why the Aadhaar project was set up and the way it has proliferated; the glaring gaps with respect to data protection; the denial of services and rights to citizens because of Aadhaar-related issues; the abuse of the principles of informed consent and privacy; and, most importantly, the failure of the UIDAI to deal with these issues. How can an authority such as the UIDAI, which has been unable to adequately protect sensitive demographic data over which it has control, be kept in check? The B N Srikrishna Committee, in its white paper on data protection in India, emphasised among the key principles required of a data protection law that “enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity.” The white paper also noted the many extant international practices and precedents for such an authority. Clearly, it will have to be independent of the UIDAI and with powers to keep it in check.

As we enter the age of data—where one’s identity generates data that is valuable to not just the state, but also to private corporations—the way the Aadhaar project has unravelled in India exposes the cavalier approach of the government to the individual citizen’s right to privacy, a right that only recently has been endorsed by the highest court in the land. One hopes the Supreme Court will reaffirm this right and set right what has gone terribly wrong.

Updated On : 13th Jan, 2018

Comments

(-) Hide

EPW looks forward to your comments. Please note that comments are moderated as per our comments policy. They may take some time to appear. A comment, if suitable, may be selected for publication in the Letters pages of EPW.

Back to Top