Excerpt: Growing worries about Aadhaar and the misuse of personal data
Today, the use of Aadhaar has been extended beyond the PDS and the delivery of subsidised benefits.
Aadhaar, the brainchild of the UPA government, was envisioned to be a technology solution. It was intended to ensure that subsidies granted to the poor and marginalised reached targeted beneficiaries of the Public Distribution System (PDS) and that such benefits were not siphoned off. The unique Aadhaar number was to prevent leakages in the system. It was sought to be made mandatory under Section 57 of the Targeted Delivery of Financial and Other Subsidies, Benefits and Services Act, 2016 (also known as Aadhaar Act) which was passed and notified by the NDA government in 2016, even in respect of transactions that are unrelated to subsidies.
Today, the use of Aadhaar has been extended beyond the PDS and the delivery of subsidised benefits. Private enterprises are, as a matter of law, entitled to insist on an individual’s identification through Aadhaar with respect to transactions that are purely private in nature. These include opening a bank account, buying a mobile phone, taking a flight from one destination to another and even for a railway journey. An employer is empowered by law to insist for Aadhaar identification. Therefore, biometric and iris data today is not just confined to the PDS, but is available with other government departments, non-government institutions and the private sector. That data is required for fertilizer subsidies and by telecom operators, banks and other entities for providing services. Serious concerns have been raised about the leakage of this Unique Identification Number (UIN), which has implications for our fundamental freedom.
Personal information, including Aadhaar identification, has been hacked and has reached the hands of those not entitled to access it. In the case of banks, if a customer’s Aadhaar number is hacked, then it is possible to hack the individual’s bank account, making the recovery of hacked money impossible. The hacker is incognito and hidden behind layers of secrecy which is cumbersome to unveil. In an investigation by the Tribune in January 2018, a correspondent, by paying merely '500 to an anonymous person on WhatsApp, was able to gain instant access to the Aadhaar data, including addresses, phone numbers, photographs and e-mail IDs, of individuals.
A person is born with her or his biometrics. The data in relation thereto is at the heart of the right to privacy, now recognised as a fundamental right. Such data, in the context of the right to privacy, should not be disclosed without the consent of the individual. That consent, if and when given, should be informed consent. Once Aadhaar is made mandatory, the concept of consent is given the go-by in respect of the biometrics of a person, which is his or her personal property.
Challenges in Implementation
The process of implementation of the Aadhaar scheme has also thrown up issues that need to be addressed seriously. The first issue relates to the potential misuse of the data collected by the State data which is mandatory to share not only for subsidies for which money flows from the Consolidated Fund of India, but also in reference to private transactions.
Why should the State, in the context of “metadata” collected under this act, get to know when and in which bank I opened an account; which flight I took on which airline and when; which ticket I bought for a journey and at which railway station?
In the digital world, data is property. Information about an individual is central to targeting her or him commercially or otherwise depending on the use to which data is put. An individual’s choice for a particular product amongst the range of products offered is a choice personal to the customer. The exercise of that choice is known to the platform on which it is exercised. A range of individual choices made in the context of these platforms in dealing with commercial transactions gives a window of opportunity to enhance user experience in order to lure the customer. Since that choice is personal to the customer, any information related to it should be protected from third parties. However, there are some digital platforms, especially Facebook, where individuals share information about themselves in multifarious ways. That amounts to voluntarily sharing information with third parties, not necessarily known to the individual.
Rupa Publications pp 247; Rs 595
Once data is in the public domain, we cannot retrieve it. The largest multinationals in the world Facebook, Google, Amazon and Uber own no physical assets. They only manipulate data. It is the most powerful tool today, and like any other technology, can be misused. Corporations collect and use data, which in turn, can be leaked or sold. We have seen how Cambridge Analytica harvested data for electoral benefit. There have been charges that Russians sought to interfere in the 2016 US presidential election. Data can be a threat to democracy, especially in the hands of a government. This is an affront to the fundamental values of democracy.
So, the question that we must ask ourselves is: Should we allow this data to be stored in the hands of the State? Then there is the issue of those receiving biometrics. In the process of taking biometrics, the concerned entity can store biometrics without the knowledge of the individual concerned. Thereafter, that information can be used or misused if and when it enters the public domain. The use of an individual’s biometrics without her or his knowledge could mean that a benefit intended for a particular individual could be diverted to someone not entitled to it.
Over and above, there is the problem of change in biometrics on account of ageing, injury, illness or manual labour. A large part of the Indian population is involved in manual labour women working in tea plantations, people employed in brick kilns, quarrying and farming. The multifarious ways in which manual labourers use their hands to earn a daily wage impacts their biometrics. These beneficiaries, therefore, are suffering as Aadhaar has been made mandatory for availing benefits. Many people, it is reported, have died because of their inability to receive benefits to which they were entitled. Imagine a widow being deprived of her pensionary benefits, vital for her survival.
This is also true of the entitlement to food grains for the marginalized.
The government insists that if a person seeks an entitlement in the form of subsidy by the State, the said person is required in law to part with data relating to his or her biometrics. The fallacy in the argument lies in the fact that a person’s entitlement has no relationship to her or his biometrics, but relates to her or his status to receive that entitlement. A widow is entitled to pension because she is a widow. Similarly, a person living below the poverty line is entitled to subsidized foodgrains because of that person’s economic status. This has nothing to do with a person’s biometric data. This logic applies equally to subsidised LPG and other benefits. The question then is, why prescribe only one form of identity for entitlement to such benefits when entitlements relate to the social or economic status of individuals? It would be unreasonable not to allow the person entitled to such benefits a proof of identity other than Aadhaar.
The act, which recognizes no other form of identification other than Aadhaar, makes for a highly iniquitous, discriminatory framework.
The Constitution recognises only one identity that of a citizen of India. But a passport of a person, even though it is the most authentic document proving a person’s status as a citizen, is not recognized under the Aadhaar Act as an appropriate document for establishing identity.
Since the name of a person who is not a citizen of India cannot be included in the electoral roll, therefore, ideally, a voter’s identity card should be an acceptable document for establishing identity. That, too, is not recognized by the Aadhaar Act. This makes the functioning of the Aadhaar Act oppressive and, in a sense, disenfranchises those entitled to subsidies even though they are citizens of India.
Given the track record of this government, my worry about Aadhaar is that data generated will be used for electoral purposes. Data regarding Aadhaar is collected by both private players as well as government agencies. We have witnessed very disturbing instances of vital data being leaked, with individuals and entities willing to part with it for commercial or other reasons. This is worrisome because the whole concept of Aadhaar is based on improving the quality of services, subject to the constitutional right to privacy. Technology and advanced computing open the gateway to collecting and collating data for public good. Use of such data may also subvert democracy. Agencies may use this data for political purposes.
The National Population Register does not indicate the caste or religion of individuals. But that is not difficult to determine given that the names belonging to certain castes and associated with certain religions can easily be identified and targeted during elections. Data and metadata collected through Aadhaar can, and is likely to, be misused. It can benefit political parties who are in power both at the Centre and the states. This should worry us all.