Decoding The Aadhaar Debate: Do The Risks Outweigh The Benefits?

What does an Austrian thought experiment from 1935 and India’s 12-digit unique identification number, called Aadhaar, have in common?

Just ask the Indian Twittersphere. On 26 March, “Aadhaar memes” began to trend, leaving confused Twitter users and fiery arguments in its wake. A recurring meme represented Aadhaar as Schrodinger’s Cat – compulsory and voluntary at the same time.

The meme onslaught was sparked by announcements, making Aadhaar mandatory for a slew of welfare services – including filing income tax returns, getting a PAN number and employee’s pension fund benefits. But what’s exactly at stake here?

What are the advantages of mandatorily linking Aadhaar with other services? And what are the problems with it? The Quint decodes the Aadhaar debate and its context, exploring the pros and cons along the way.

Is Aadhaar Optional or Compulsory?

Aadhaar was introduced as an optional 12-digit identification tool for Indian citizens in January 2009. The optional nature of the Aadhaar came up for discussion when the National Identification Authority of India Bill, 2010 was introduced in the Parliament by UPA-II.

The Lok Sabha Standing Committee on Finance report on the Bill had given the United Kingdom’s example to raise concerns over Aadhaar’s security. (Incidentally, the UK had abandoned its ID project due to “high cost, unsafe, untested technology and the changing relationship between the state and the citizen.”)

In reply to the Committee, the government had stated:

“The statutory framework envisaged made it mandatory to have the UK ID card. Aadhaar number is not mandatory”.

Also Read: How Safe Is Your Biometric Data? The Potential Pitfalls of Aadhaar

Furthermore, the government clarified that the main aim of Aadhaar is “to enhance the delivery of welfare benefits and services.”

Fast forward to October 2015, when the Supreme Court (SC) stated that it is “not mandatory for a citizen to obtain an Aadhaar card.” “The production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen,” the court said.

(Photo: Maanvi/The Quint)

The “Aadhaar is not mandatory” status was reaffirmed by the SC again in 2016. Therefore, the government’s decision to make Aadhaar mandatory for welfare schemes last week has caused an uproar in opposition and on social media.

As per the amendments to the Finance Bill, 2017, an Aadhaar number is necessary for filing tax returns. So, those who don’t have Aadhaar effectively become “criminals” in the eyes of the law and are left with no choice but to enroll in Unique Identification (UID).

Made voluntary by the court and mandatory by the government. Remember Schrodinger’s cat?

But wait, what are the benefits of the Aadhaar? Deputy Director-General of the Unique Identification of Authority of India (UIDAI), Ashok Pal Singh, told The Quint that a single ID makes it “accessible and convenient” for a citizen to avail welfare benefits. He says:

A PAN card is not a unique identification, but an Aadhaar is a unique ID. Even if you have scribbled a number somewhere, that’s all you need. All services can be used with one ID.

On the other hand, net neutrality activist and founder of Medianama.com, Nikhil Pahwa argues that the government’s move to make Aadhaar mandatory is a violation of the SC order. It “unfairly expands the scope of Aadhaar” and “leaves with citizens with no choice” to not enroll, he says.

With Aadhaar being made mandatory, different databases are getting linked by a common ID, making them vulnerable to hacking. Effectively, this means that all my personal data is being compromised. Through a single number, the government is taking control of my life.

This brings us to the following question: Aadhaar may have many benefits, but why make it mandatory?

Ashok Pal Singh answers, “Until now, there are 99 percent people who I can say have adopted Aadhaar voluntary. If people aren’t coerced into taking a PAN card, then why can’t take Aadhaar? If you want a benefit like an LPG subsidy, you have the option to either take it or not.”

But isn’t an LPG subsidy different from filing an Income Tax return? Not availing of an LPG subsidy doesn’t make me a criminal in Indian law; failing to file a return does. If Aadhaar is voluntary, why should it be forced? Singh responds: “If you want to travel, you need a passport. You can travel without a passport also no?”

Also Read: Aadhaar’s Backdoor Entry Into I-T Law and Its Implications

The Privacy Issue: Is the Aadhar Database Safe?

Is the UIDAI database vulnerable to hacking? Demographic and biometric data points are used to create a unique identity of a citizen for authentication. But can the Aadhaar database be used to create a profile of a person, including his or her activities?

No, says Ashok Pal Singh.

Ashok Pal Singh, Deputy Director-General, UIDA UID doesn’t collect information on where or why Aadhaar is being used to verify identity of an Aadhaar-card holder. The UID database has no information on the reason or location of authentication.

As per the UIDAI, apart from the moment of authentication, no other information is recorded. And those who have worked with the founding team of the Aadhaar say that as per its design principle, Aadhaar “doesn’t keep anything except the logs of authentication.”

Also Read: It Is Ill-Conceived to Blame Aadhaar for Invasion of Privacy

But does the same argument hold true when Aadhaar is being used as a common ID for verification across different services? For instance, if I use my Aadhaar card to apply for a PAN, is there a danger of my bank details being combined with my biometrics?

Taking the analogy of a ‘common password for all email addresses’, Nikhil Pahwa says: “Everything which gets linked to Aadhaar is connected to a single database, which is hackable. There’s no protection of my privacy”.

Also Read: UIDAI Blacklists Centre That Leaked MS Dhoni’s Aadhaar Details

(Photo: The Quint/Maanvi)

Does Aadhaar create a larger database with a minefield of information with the government?

Sunil Abraham, Executive Director of Centre for Internet and Society explains

If I am a bank, and if I have Aadhaar numbers of all my customers, it’s possible that I can combine bank account details of my customers with their biometrics. Using Aadhar to verify identity of a citizen for services, whether it be MGNREGA or KYC, creates an opportunity for someone to combine two databases.

An Aadhaar user gives his number and biometrics for verification. These are then sent to the UIDAI for cross-checking. While the UIDAI database is encrypted, it’s unclear whether the same level of encryption exists during authentication.

So, there’s no clarity on whether the UIDAI database only stores authentication logs or there’s other, specific and personal information in the metadata which is also stored.

Aadhaar, the technological design, is different from Aadhaar Act, the legislation, which is responsible for implementing the technology. While they are intertwined inextricably, much of the privacy and surveillance concerns stem from the Act.

Despite the design and the legislation being interlinked, recent opinions appear to have failed to address this central distinction.

Who Has Access to the Aadhar Database? Big Brother?

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, colloquially known as Aadhaar Act, 2016, states that information will not be disclosed except “in interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government.” But there is no specific definition of ‘national security’ in the Act.

Effectively, the Act gives the government the power to reveal information in the Aadhaar database in the name of ‘national security’. Does the lack of clarity in how the Aadhaar data will be used endangers the privacy of Indian citizens and exposes them to surveillance? Nikhil Pahwa says:

Definitions of national security could be misused to make journalists, opposition parties vulnerable. Linking Aadhaar to mid-day meal and other services gives the government a large amount of data which it can use in the name of ‘national security’; without any judicial oversight.

(Photo: The Quint/Maanvi)

The UIDAI database stores transactional data for a period of seven years; online for two years and five years in the offline archive. An Aadhaar card-holder can access this database for two years. But security agencies can access the database for all of the seven years with a judge’s permission.

Is it possible for an Indian to opt out of Aadhaar? No. As per the UIDAI website, there is no provision to opt out of Aadhaar nor is it possible to purge the citizen’s information from the database.

Interestingly, the website clearly specifies that: “the resident has the option in the first instance not to enroll for Aadhaar at all.” Just like the SC’s order in 2016. Except with more services being mandatorily linked to Aadhaar, it’s a choice fraught with preserving one’s privacy and Schrodinger’s Aadhaar. 

(Join us on WhatsApp. Type “JOIN” and send to 9910181818.)