Twisting the Truth Around Aadhaar in the Land of Luddites

By Shamnad Basheer

Joseph Goebbels, the famed guru of Nazi propaganda, is supposed to have once said: “If you repeat a lie often enough, it becomes the truth.”

Goebbels appears to have found a devoted disciple in the UIDAI (Unique Identification Authority of India) and its head honcho, Ajay Bhushan Pandey, who’ve been relentlessly arguing that Aadhaar is one of the most secure systems ever. And that there’ve been no data breaches till date.

Nothing could be further from the truth. Ever since its inception, the Aadhaar ecosystem has been characterised by some of the most egregious breaches ever. An undercover investigation by The Tribune demonstrated how Aadhaar details of more than a billion Indians could be accessed for a paltry sum of Rs 500! All thanks to the carelessly cultured regime of Aadhaar enrollment agencies (comprising village-level operators and the like) who were offered wanton access to the database by the “authority”.

A later breach involving an entrepreneurial engineer, Abhinav Srivastava, demonstrated how unauthorised private parties (such as Srivastava) could conduct Aadhaar authentications on their own. All thanks to the sheer callousness of government agencies such as National Informatics Centre (NIC) in opening up their applications (in this case, “e-hospitals”) to surreptitious spoofing. Till date, there has been no known action taken against NIC.

More recently, two cybersecurity experts, Srinivas Kodali and Karan Saini, found that a government website effectively permitted unauthorised third parties to access Aadhaar-style authentication services. There are countless other horror stories doing the rounds.

And yet, the authority and its creative chairman continually claim that there has been no “breach”. They even go to the extent of branding those that complain against Aadhaar as tech “luddites”.

So consistent has been their stand that they repeated the same claim in the Supreme Court… on oath! Funnily enough, they even contended that a five-feet thick wall would ensure the perpetual security of Aadhaar data. One wonders who the Luddites really are.

The claims of UIDAI are nothing more than a deliberate attempt to obfuscate and mislead. Worryingly, they also demonstrate an irksome ignorance of basic privacy tenets; not to mention the express provisions of the Aadhaar Act, under whose benevolent umbrella, the chairman and others at UIDAI draw their authority.

A woman registers for Aadhaar. Credit: Reuters

Section 28 of the Aadhaar Act makes clear that the UIDAI has to ensure the security and confidentiality of all “identity information” held by it, either directly or through its various partners/affiliates. In fact, so strict is the obligation that the authority has to even protect against the “accidental destruction or loss” of data.

Importantly, protectable data under the Act has been defined to include not only “biometric” data, but also an individual’s Aadhaar number and demographic information (address, telephone number etc).

The Tribune breach more than amply demonstrated that all of the above was compromised: for a paltry Rs 500, one could enter any Aadhaar number and get access to the corresponding demographic information and even biometric data (defined under the Act to include a “photograph”).

I have recounted all of this meticulously in a writ petition filed before the Delhi court, where I’ve sought to make the government accountable for these various breaches; and claimed damages from them for violating my right to privacy.

A right that has now been affirmed by a nine-judge bench of the Supreme Court of India in the Puttaswamy case to merit the highest level of protection under the law of our land; namely as a “fundamental” constitutional right.

Unfortunately, however, the Aadhaar Act engenders a classic conflict of interest-type situation, in that it relies on the “authority” to take action against itself! As John Perry Barlow, the founding father of internet freedom, famously said: “Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.”

Fortunately, however, not all is lost. The Information Technology (IT) Act as well as common law doctrines enable the common man to directly sue the authority and its various affiliates and hold them accountable for privacy lapses. Unfortunately, while the remedy under section 43 of the IT Act for a privacy breach is constitutionally suspect, in that it permits a government-appointed person to unilaterally adjudicate upon what is essentially a legal dispute, the various common law doctrines to protect privacy (deriving from an area of law called tort law) are more robust.

I have highlighted all of this in the writ petition mentioned earlier and requested the court to appoint an expert committee that would investigate these various breaches and the level of compliance with reasonable security/privacy policies by the Aadhaar authority. Given the obfuscatory claims around the breaches, such a neutral investigative report would go a long way in helping us understand the true extent of the breaches and the damage(s) caused to privacy interests.

Interestingly, in The Indian Express piece referred to earlier, the pugilistic Pandey attempts to draw a disingenuous distinction between “secrecy” and “privacy”; claiming that Aadhaar numbers are not “secret” and, therefore, need not be protected.

He is wrong on the law, and wrong on the underlying concept. While privacy and secrecy are no doubt inter-related, the right to privacy does not depend on something being an absolute “secret”. Rather, privacy is about the level of control that one has over information pertaining to oneself. I decide how much information I want to give out and to whom. Merely because I dole out my Aadhaar number to a couple of service providers does not mean that other service providers are entitled to access this number without my permission.

The same with my telephone number, email ID and so on. Privacy ultimately is about self-determination and my ability to control my public persona. Even otherwise, the terms of the Aadhaar Act and the IT Act make amply clear that one’s Aadhaar number operates as a “password” and is to be protected as such.

It bears noting that the “Aadhaar” project was never designed with privacy in mind. Much like a number of other programmes in India, it began with one set of objectives, namely to eliminate identity fraud whilst providing for government benefits. This quickly morphed into another set of objectives once its potential for private gain was realised. Indeed, at the heart of the Aadhaar debate today is not just government control over data subjects. But the ability of private corporations to exploit our data (the new “oil”) for their own commercial gain.

Section 57 of the Aadhaar Act enables such private enterprises to ride on the backbone of Aadhaar authentication architecture. Little wonder then that an entire ecosystem of private enterprises has developed around Aadhaar. One such enterprise is iSPIRT, which has the blessings of Nandan Nilekani, the technocratic mastermind behind Aadhaar.

In a now deleted tweet, a colleague of Nilekani’s recounted a dinner conversation where he allegedly quipped that the best way to roll out new projects in India is to “Make it too big to reverse”.

The Aadhaar enterprise is no doubt a “big” one today. But bigger things have been reversed by our courts in the past.

Indeed, the “bigness” of an enterprise should be no consideration for courts that adjudicate on critical issues of civil liberties. Liberties that foster our autonomy and help us blossom to our fullest potential. For in the end, these are what define us as humans and distinguish us from machines, artificially intelligent or otherwise.

Shamnad Basheer is the Founder and Managing Trustee of IDIA, an initiative to empower underprivileged communities through legal education.
