Revisiting Aadhaar System: Post the Supreme Court Verdict

The Aadhaar system has been stuck in a cauldron of debates and deliberations since its inception in 2009. The Centre’s flagship Aadhaar scheme was advocated as a tool to initiate and improve welfare administration schemes while eliminating corruption. However, many also saw it as a means of creating a “surveillance state” and thereby an “invasion of privacy”. With the new verdict passed by the Supreme Court of India on September 26, 2018, the Aadhaar project has been declared constitutionally valid, but with conditions attached. This has set the ball rolling for a new set of arguments.

Decoding the verdict

  • Aadhaar card is a must for availing welfare schemes and government subsidies. Staunch supporters of Aadhaar see it as a means of empowering the poor and marginalised sections of the country while eliminating corruption. On the contrary, many analysts are of the opinion that Aadhaar has also become a major reason for the “exclusion” of citizens from basic government-provided amenities.1 Though such exclusions are in no way targeted or deliberate, loopholes in the Aadhaar system often create such scenarios.

    During the Aadhaar registration process, individuals are required to authenticate their fingerprints and iris on a machine that determines their identity. This sole identity gives them access to their “entitlements”. The verification process, for instance in the case of the public distribution system (PDS), also requires electricity, internet and connectivity for accessing the centralised database, in addition to the requirement that the biometric details of an individual match at the time of availing services. In case the fingerprints fail to match at the time of availing facilities like ration, a person may be denied the same.

    Absolute faith in the biometric system is based on a misplaced assumption that human body parts do not age. Testing by International Biometric Group highlights that “over time, many biometric systems are prone to incorrectly rejecting a substantial percentage of users. Verifying a user immediately after enrolment is not highly challenging to biometric systems. However, after six weeks, testing shows that some systems’ error rates increase ten-fold.”2

    Similarly, it is mandatory to link the Aadhaar number to the registry number in the public distribution database; otherwise, amenities provided by the government stand cancelled. Many such incidents where individuals were denied welfare or pension services have come into the limelight, especially involving people suffering from leprosy, those engaged in manual labour and those who are genetically predisposed to not having fingerprints. There were reports that alternate means of identification are being used to accommodate those who lack proper biometrics,3 like facial recognition or iris scanners.4 However, it is still not clear how such alternatives are being operationalised. For instance, leprosy patients are now being exempted from linking the Aadhaar card. But then the question arises: can all verification facilities vouch that they have in place the required technical infrastructure that allows other means of verification? If yes, then what are they? Even if it is a process of offline verification, the same has not been clearly laid down.

  • Aadhaar card is mandatory for ITR and allotment of PAN. According to the recent verdict, Aadhaar is no longer mandatory for opening a bank account, but linking the Permanent Account Number (PAN) to Aadhaar remains vital to filing the Income Tax Return (ITR).
  • Schools and entrance exams like NEET, CBSE, UGC do not require Aadhaar card. There were also concerns that Aadhaar was preventing many students from applying for and receiving scholarships. Though the Supreme Court verdict has eliminated the need for Aadhaar for the above purposes, there is persistent skepticism that in the absence of an Aadhaar card the admission process may become more cumbersome, such that the individual might end up getting an Aadhaar card.
  • Section 57 of Aadhaar Act permitting private entities to use Aadhaar data for verification purposes struck down as unconstitutional. This basically means that no company or private entity can seek Aadhaar details any longer. Commercial banks, e-wallets (such as Paytm, Mobikwik, etc.) and payments banks can no longer insist on Know Your Customer (KYC) verification using Aadhaar. The telecom service providers too cannot seek Aadhaar details for verification purposes. This is significant in the wake of increasing cases of financial crime, especially due to Aadhaar’s expanding tentacles in the telecom and other cellular and payment-related sectors. One such recent incident was the way Airtel’s payment bank routed approximately Rs. 190 crores to its payment bank accounts, wherein some accounts were opened and force-seeded with Aadhaar without the informed consent of the customers.5 There was a lot of speculation about the corporate use of Aadhaar as it was seen to be opening up doors for data mining, data misuse and profit making.
  • Section 47 of Aadhaar Act stating criminal complaints for data breach can be filed only by UIDAI struck down as unconstitutional. Initially, the Unique Identification Authority of India (UIDAI) was the sole authority that could initiate action in case of misuse of Aadhaar or data breach, and individuals had to reach out to UIDAI to file a complaint. Striking the section down means an individual can directly file a complaint with the concerned authority rather than approaching UIDAI and waiting for it to take action.

Much ado about something

Despite the Supreme Court’s laudable verdict, there are still issues that need to be addressed. Of particular concern are issues pertaining to data protection, limitations of biometric identification, and personal data mining. In the absence of a clear framework, there is also the lingering fear of the state’s ability to access databases to map the data of an individual at the backend and create a “digital image”. Linking of the Aadhaar card actually brings together different aspects of life like travel accounts, personal information, employment history, bank accounts, etc. Thus, integrating disjointed data silos enables tracking and profiling, i.e., invading privacy in many ways.

Initially, with Section 57 in place, Aadhaar was seen as a project conflating state power and corporate power at the cost of citizens’ privacy. The situation was grave as it allowed corporate surveillance to go hand in hand with state surveillance. This would have enabled targeted advertising and profit reaping. Now, with the invalidation of Section 57, the question that remains is what happens to the data of individuals already registered. The government has issued orders to several telecom companies to submit plans to delink Aadhaar data associated with user profiles,6 but would there be a mechanism to verify that the data was deleted and no backups were taken in the process?

Another aspect that has not been clearly brought out is the credibility of alternate procedures of verification. What if they are more cumbersome for people who do not have an Aadhaar card? Convenience over security would definitely be a dilemma. However, the government has started taking stringent measures to ensure security, for instance, masking the Aadhaar number while authenticating for a third party.7 This is done by generating an Aadhaar Virtual ID, a 16-digit random number, which is mapped to a person’s real Aadhaar number and can be used whenever authentication or KYC services are performed. It remains to be seen how many people would actually adopt the “Virtual ID” or understand its significance.

Another issue that came to the forefront was that of ghost or fake ration cards. Many a time the link between the Aadhaar number and the ration card could not be validated. In such scenarios, the individual was denied basic amenities. The government claimed to have successfully traced fake ration cards, but many a time there were genuine cases of exclusion passed off as savings due to Aadhaar. This has also led to cases of death due to starvation.8 Corrective measures in this regard are yet to take course. When talking about corruption, quantity fraud is not being factored in. Quantity fraud means that a person may be forced to sign for the quantity that he/she is entitled to without having actually received that quantity. However, one cannot also ignore the fact that in many places Aadhaar has actually replaced the middlemen.9

A long way to go

The Supreme Court verdict, in response to petitions filed against the ‘draconian’ nature of Aadhaar, has been a mixed bag. Concerns around the Aadhaar project have broadly been centred on “welfare and privacy”. These have included questions of “surveillance, access to basic rights, liberty and data commercialisation.” The most welcome part of the verdict is the scrapping of Section 57 of the Aadhaar Act, which allowed private entities to use Aadhaar for verification purposes. Far too many people have been duped into opening accounts in mobile phone payment banks while being forced to conduct an e-KYC procedure with Aadhaar for their SIM (subscriber identity module) cards.

However, the verdict has still left many open-ended questions. For the state to be able to build trust among the citizens and ensure that individuals have sole control of their data and that no misuse can take place, it is pertinent to push for a system that protects people and their data and does not exclude the most vulnerable.

Biometrics via Aadhaar is an untested territory. Biometrics as a foundation for Aadhaar, without addressing the security concerns raised by people, paves the way for more doubts and fear. Securing identity systems is particularly challenging as the number of data breaches across the world is on the rise. Identity data in the modern world, particularly as governments come to require it so much more often, becomes the key to perpetrating fraud and undertaking surveillance. Adequate norms thus need to be laid down from collection to retention of biometric data, in addition to formulating strong data protection and privacy laws.

Aadhaar could become a “one stop solution” if implemented in a more accommodative manner. One understands that the long-term benefits of Aadhaar actually outweigh many concerns. However, the government needs to work towards plugging the loopholes and taking prompt action in addressing the genuine concerns and grievances of the people.

It will take time to make Aadhaar more foolproof. After all, Rome was not built in a day!

Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.

Keywords: Cyber Security