Are Your Biometrics Safe And Is Your Privacy Intact With Aadhaar?
Aadhaar data leakage must fall under real-time disclosure and a speedy redressal mechanism, writes Shankkar Aiyar.
This is an exclusive excerpt from Aadhaar: A Biometric History of India’s 12-Digit Revolution by senior journalist Shankkar Aiyar. (Westland, July 2017)
The biometric and demographic data of over one billion Indians are in the vaults of the Central Identities Data Repository (CIDR). There are two issues at play here – the security of the core biometric and demographic data in CIDR, and the security of data held by the government and its various departments, which is characterised as personally identifiable information.
How safe is the biometric data? How safe is CIDR from hacking? Both the UPA and now the NDA governments have consistently maintained that data in the CIDR vaults is safe. Nandan Nilekani asserts there is no question of the data being hacked. ‘Show me even one instance of data theft. Aadhaar is very, very secure,’ he says confidently. This confidence stems from the technical aspects of encryption. The biometric data, UIDAI claims on its website, is encrypted using the ‘highest available public key cryptography encryption (PKI-2048 and AES-256) with each data record having a built-in mechanism to detect any tampering’.
And how good is that? Bruce Schneier, author of Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, fellow at the Berkman Center for Internet & Society at Harvard Law School, and an expert on computer security and cryptography, says, ‘The algorithms are fine. They are excellent choices.’ Cryptography algorithms, he adds, ‘are, by far, the strongest link in any security chain’.
He cautions that an attack against a system is more likely to exploit vulnerable areas – in the software, or the implementation, or the underlying computer or user interface. In short, one can never be too sure given the speed at which technology is evolving – particularly in computing power and in artificial intelligence. Threat perceptions are fluid. In 2016, the US National Security Agency shifted to, and recommended, a higher level of encryption (RSA 3072 with AES 256). Eternal vigilance is the price for digital convenience, just as it is with democracy.
The question people want answered is: who does one go to if personally identifiable information is leaked, if biometrics are compromised?
In a signed article titled ‘The Aadhaar We Deserve’, Rajeev Chandrashekhar points out, ‘Unfortunately the Aadhaar Act and accompanying regulations place no accountability on UIDAI to protect the database of citizens’ personal information and are silent on the liability of the UIDAI and its personnel in case of non-compliance.’
Vrinda Bhandari, an advocate, and Renuka Sane, a researcher at the Indian Statistical Institute, found in their analysis ‘Is Aadhaar grounded in adequate law and regulations?’ that while notifying the regulations, multiple aspects were left to be ‘specified by authority’. ‘Through the four substantive regulations, the phrase specified by the Authority has been used 51 times.’
The fog on accountability must be cleared. Section 47 of the Aadhaar Act 2016 says, ‘No court shall take cognisance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.’
Does this mean the individual has no power even to initiate proceedings and has to depend on the Authority to initiate criminal proceedings? Is the provision to file a regular First Information Report under the Indian Penal Code enough?
The road ahead must be cleared by recognising the right of the sovereign, the people, to seek redressal. Justice cannot be hostage to systemic flaws and apathy. Perhaps Section 47 was framed as a transitory measure as UIDAI transitioned from executive to statutory status. It is necessary for government to review this provision and restore the right to seek justice.
The law must specify who is to be accountable, where the buck stops.
Furthermore, data leakage and identity theft must fall under real-time disclosure, and a mechanism for speedy redressal and options for compensation must be enshrined in law. And what if biometrics are indeed stolen? Life cannot grind to a halt. There is a need to work on Plan B – either an option to opt out or an alternate mechanism.
The Right To Privacy
The primary question that arises in the digital trail of Aadhaar is that of the right to privacy. There clearly is a need for a law in India that safeguards the privacy of individuals. Apart from the discourse about the Orwellian state – those who lived through the Emergency years know a bit about that – there is also a sense of vulnerability as individuals are drawn, even pushed, into the connected world, into digitisation.
The preamble of the Aadhaar Act of 2016 describes it as ‘An act to provide for, as a good governance, efficient, transparent, and targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India, to individuals residing in India through assigning of unique identity numbers to such individuals and for matters connected therewith or incidental thereto.’ Arguably any activity of the government paid for from the Consolidated Fund of India – ranging from supply of subsidised grains and LPG, to use of roads and civic amenities, and even, at a stretch, rebates to tax payers – could come under such an umbrella.
The Attorney General has asked in the Supreme Court whether privacy is a fundamental right. The government’s chief lawyer has also stated that ‘The concept of absolute right over one’s body was a myth and there were various laws which put restrictions on such a right’. The contention is borne out by previous judgements, as also by some laws that impinge on the concept of absolute right over the body. But the question remains of the safety of roughly 3 MB of human biometrics and of the privacy rights of the person identified by it.
Preceding and following the fears of data protection, and in the absence of a privacy law, is an unstated question:
And a possible counter question:
The views expressed here are those of the author and do not necessarily represent the views of BloombergQuint or its editorial team.