Activity around Aadhaar, the unique ID program launched by the Indian government in 2009, has reached a furore. It appears as if every other day, another government ministry adds yet another scheme to the list that requires the ID. At the same time, just as many new critics come forth to decry how the Aadhaar is becoming a tool for state control and surveillance.
Opponents of the Aadhaar project are correct that there are multiple concerns around privacy, but by villainising the initiative they are losing an opportunity to address deeper democratic concerns that this program raises. Instead of calling for a total shutdown of Aadhaar, critics ought to call for new laws and reforms to protect privacy and prevent abuses in general, beyond any single program such as Aadhaar.
Opponents express concern that Aadhaar is a means to instil mass surveillance. One refrain on Twitter has been, “Repeat after me: Aadhaar is surveillance technology masquerading as secure authentication technology.” Aadhaar critics seem particularly concerned about additional biometric information (biometrics), the facial image, complete set of fingerprints and iris scans of both eyes, which are collected during the application process. Most discussions of biometrics seem to focus on the fingerprints and iris scans and not on the facial photo that is also collected. Opponents claim that biometrics form the basis for a clandestine surveillance state. However, while biometrics pose a real and dangerous concern when it comes to identity theft (and worrying consequences for authentication), they are unlikely to be used for clandestine surveillance.
Marginal utility for surveillance
Governments already have tremendous surveillance tools without the use of fingerprints and iris scans. Technologically, using fingerprints or iris scans for clandestine mass surveillance would be highly impractical. Depending on the locations where the government would want to track the physical presence of people, it would need to set up biometric sensors to cover all physical spaces in the country. These sensors, essentially cameras, would need to capture a high-resolution image of every person’s fingers or eyes. And since people would most likely be moving about in a crowd, these cameras would need to be of fixed focus and fixed angle. It would take several cameras in a location in order to catch a direct image of fingers or eyes. It would be far easier to use facial recognition technology, which is approaching near total accuracy, with far less stringent constraints. On the other hand, the day that everyone is required to stare directly into a camera or give a finger impression at every site, it will be open and clear that there is an open, not clandestine, surveillance state.
The marginal necessity of Aadhaar for surveillance holds true for online activities and consumption behaviours as well. Online, the government can monitor traffic by capturing data traffic at the Internet service provider level or at interconnection exchanges, those communication hubs where the networks of different providers, such as Airtel and Vodafone, connect to each other. When it comes to consumer behaviour the government can use credit card and online wallet transaction data to see where a person is spending their money without going to all this effort of assigning 1.3 billion IDs. In India a person must furnish ID proof to purchase even a prepaid SIM card, which is already the basis for a comprehensive surveillance system, since mobile phones are constantly giving out their present location. So many commercial activities are also linked to mobile phones, from digital wallet payments and bank transactions to ordering pizza, that the phone number can serve just as well as any unique ID.
Furthermore, Aadhaar cannot penetrate where standard surveillance cannot see. When one shops on Amazon or Flipkart or transfers money through online banking, the communications between the browser or app and the remote site are encrypted. This means that while the government can tell that a person visited the site, it cannot know what they bought or watched, unless the vendor hands that information over. The presence of Aadhaar does not alter this basic equation unless the communications are not encrypted to begin with.
Private sector privacy
On the other hand, the ‘anti- surveillance, therefore anti-Aadhaar’ argument does little to address the concerns posed by private companies. Ironically, most websites that publish articles against Aadhaar host several trackers that collect identifying information on visitors.
Researchers have shown that people inadvertently reveal a great deal about themselves online through the use of private services. It is possible to tell a person’s sexual orientation, religion and political preferences from their social circles. An Amnesty research article says it is even possible to tell a person’s religion from what they listen to on Spotify. Much of this information is collected by third parties, known as data brokers, and sold.
The government too can purchase this information. So, for example, it doesn’t need Aadhaar to tell who belongs to which religious minority, it can just buy that information.
Situations such as this require public debate and legal clarity on what information can be collected and distributed and under what circumstances. Strong laws and vigorous enforcement on what kinds of data are collected, purpose for collection and how they are shared would go much further to prevent tragedy than destroying the Aadhaar.
Some Aadhaar opponents make the argument that Aadhaar makes linking databases together much easier. This is true but any government that is seriously in the surveillance game will not be deterred by the lack of a common ID. There is nothing complicated about linking databases together. All it takes is some common information that ideally also uniquely identifies the records in each database. For years now the government has used name, father’s name and date of birth, but other keys could be mobile numbers, election/ration/PAN card, drivers license or passport. Each new form of identity or service requires a pre-existing one, which is how databases can be daisy-chained. Of course, verification methods are imperfect and some people register themselves multiple times in the same ID database, but that is a minor problem.
Going back to another US example, in November 2002 the New York Times reported on a Department of Defense project called Total Information Awareness that would attempt to gather as much information on potential threats. “If deployed, civil libertarians argue, the computer system would rapidly bring a surveillance state,” the article said. “The system would permit a team of intelligence analysts to gather and view information from databases, pursue links between individuals and groups, respond to automatic alerts, and share information efficiently, all from their individual computers.” After public outcry US Congress decided that this system posed too much of a threat to American citizen’s civil liberties and cancelled the program. The plans for TIA did not include a unique ID assigned to every citizen, indeed it was primarily to target non-citizens. This should dispel the idea that the ID is the linchpin to a surveillance system.
India has its own version of TIA, called Natgrid. Even if the Aadhaar identification project was shut down, it is likely that Natgrid would continue. As this Hindu editorial points out, such a system requires additional protections against government abuse. Another program called Centralised Monitoring System (CMS) is designed to allow the government to listen in on any phone call. The capability to eavesdrop exists with or without the Aadhaar ID.
Legislation is imperative
The ruling majority has so far shunned all calls for a privacy law and the government’s attorney general has argued in the Supreme Court that there is no constitutional right to privacy in India. That needs to change. A full discussion of what constitutes electronic privacy is beyond the scope here, but, in brief, people should be able to use the Internet without intermediaries such as ISPs collecting data on their activities and without remote servers collecting more data than is needed to provide the service. The flow of data between a user’s computer and the other endpoint should be encrypted to prevent third parties, such as governments or cyberspies, from knowing what is being communicated. The government’s authority to collect data also needs to be circumscribed.
Since service providers on the Internet – such as Internet service providers, e-commerce sites, content providers and financial institutions – often legitimately end up collecting detailed information on their visitors, they need to make every effort to protect that information. This can be better achieved by making data security a core function of the company with board-level oversight and responsibility. For example, in recent years Yahoo has suffered multiple data breaches which might have been avoided if the recommendations of the technology department had not been ignored in favour of marketing objectives. Similar high-level responsibility needs to be assigned for government systems as well. Not only do governments owe it to their citizens to protect their data, but even non-classified information can be a matter of national security. If governments inadvertently leak personal information about citizens that is then used against them for fraud, the entire nation suffers.
When breaches do occur, they need to be disclosed and those who are affected need to be informed. Some people may individually make decisions on how to respond, but in other cases security experts can provide guidance to the public, but only if they know what kind of breach occurred and the extent of the damage. For example, if a compromised website was storing user passwords in plain text then everyone affected would need to change their password. On the other hand, if the passwords were stored in encrypted format, then individuals could decide based on whether they had used a unique password for the site or it was a password shared across sites. For this to happen the law must mandate timely and useful disclosure of breaches. Otherwise, fearing a loss of market share or image, too often compromised sites cover up breaches in the hope that they will go undetected.
Finally the government needs to ramp up its ability to investigate cyber crimes, system breaches and bot attacks in order to trace the guilty parties, not just within the country but across borders. That also involves improving working ties and creating networks with law enforcement agencies in other countries. Some of this is already happening but time is of the essence to come fully up to speed.
Aadhaar has brought privacy concerns into focus and leaders across the political spectrum are paying attention. However, focusing on getting rid of Aadhaar, or destroying it, is a waste of gunpowder. The underlying issues of online privacy and civil liberties will still remain. Rather than trying to stop the government from implementing Aadhaar , all stakeholders ought to press for increased privacy protections, board-level responsibility for online data security, breach disclosure laws and strengthening of enforcement of cybercrime laws, due process and civil liberties.
Otherwise, even if the battle against Aadhaar is won and the system is scrapped, the war against surveillance would remain, but it may be hard to mobilise the public again.
Sushil Kambampati (@SKisContent) is the founder of YouRTI.in, where anyone can suggest an RTI query simply and anonymously. He writes about online security and privacy.