The largest democracy in the world is on the path to allocate a single bio-metric identity to 1.3 billion Indians, which may become their only identity on Earth. However, the absence of privacy laws and a digital regulator casts a shadow on the security of the world’s largest biometric database.
Foreigners living in India are fretting over the Indian Government’s recent ruling, where all residents must obtain a unique identification (UID) number for filing income tax returns. The UID involves handing over biometric details (all ten fingerprints and iris scan) to the state, which gives each applicant an Aadhaar number. The primary concern is mishandling, storage and securitisation of sensitive data; after all, an online password, if hacked, can be changed with a stronger one, but if an individual’s biometric data gets hacked… the ramifications of such a breach are not fully realised.
The new ruling is set to commence in July 2017, whereby all Indian citizens and residents living in India for more than 182 days in aggregate in the past 12 months – must quote their Aadhaar number or unique identification number while filing tax returns in the country.
Aadhaar, which means ‘foundation’ in Hindi, is a unique, biometrically verifiable identification program which was launched in India in 2010. The program is considered to be the largest biometric identification program in the world. More than 200 million Indians or 98 percent of adult Indians have already enrolled and received their unique identification or Aadhaar number.
The program in the initial phase was touted as a mechanism for plugging pilferage in social welfare schemes. Initially, enrolment in Aadhaar was voluntary, and did not impact eligibility for receiving social benefits like free rations, subsidised cooking gas, employment guarantee etc., though, citizens were encouraged to apply for the Aadhaar number. With the success of Aadhaar in bringing transparency in the delivery system of social welfare schemes, the Indian government broadened its application by linking the UID to other areas like filing tax returns, in Permanent Account Number applications, pension claims, banking and other financial transactions.
The Government’s argument for the UID is centred on minimising corruption, fraud and terrorism, whereby a compulsory UID creates a digital trail of every penny going into and out of the financial system. With rising incidents of global terrorism, the government also intends to step up its security apparatus in the country by linking Aadhaar with all the platforms which seeks an individual’s identity, such as booking train or air flight tickets, marriage certificates, passport applications, mobile purchase and connections, school enrolments etc. The Government’s two-stage transition approach is gradually making the UID as the only legitimate and compulsory proof of identity of all residents in the country.
The World Bank has taken note of the reliability and success of a biometrics-based Aadhaar in curbing fraud around social welfare schemes and has encouraged other countries like Morocco, Algeria, and Tunisia to adopt the system. Some countries like USA, Canada, and Australia, who are currently using biometrics in areas like immigration and border checks, have resisted storing the data as the only proof of identity, considering the potential consequences in cases of identity-theft or loss.
The Unique Identification Authority of India (UIDAI) which collects demographic and biometric data for processing and allocating UIDs argues the demographic and biometric data saved in its servers are completely safe. UIDAI claims that the Aadhaar related data in its records is tamper-proof, encrypted at source, and maintains confidentiality. It adds that the core data is so sacrosanct that no one, even the owner of the data can allow sharing of the information with a third party. Under current legislation, anyone found guilty of sharing information related to anyone’s Aadhaar number can face imprisonment of up to three years.
As India widens its linkage of the unique identification number with the role and responsibilities of common citizens, strong resistance has erupted regarding assurances of data protection and privacy laws, both of which are markedly absent. The central argument being a single identifier as the only legitimate way of proving identity is highly problematic when privacy laws and digital regulations are not currently ‘iron-clad’. Even though the UIDAI boasts of offering a secure-proof mechanism for storing Aadhaar related demographic and biometric data, the reported breach of UIDAI’s data server in March earlier this year being passed off as a ‘one-off incident’ is not taken lightly by UID detractors. Other reports of ‘stray incidents’ of fake Aadhaar cards generated by rouge operators, are sufficient to raise concerns on the current reliability of data security.