Aadhaar is a civil liberties issue: What India can learn from countries that resisted biometric databases

Despite several concerns over the Aadhaar database, the Government is increasingly making the card a necessity for the daily lives of Indians. There is little choice for citizens who want to avoid giving their biometric data to the Government. Applying for a PAN card, filing income tax returns, getting a drivers license, and using a SIM card will all soon require an Aadhaar card.

The security concerns are over the creation of the largest centralised database with biometric information in the world. As of March 2017, there are 113 crore people with Aadhaar numbers. The Government has created a honeypot, a high value target especially for state sponsored hackers. On 5 March 2017, the UIDAI assured the people that the Aadhaar database was safe following an attempt at multiple fraudulent transactions using the same biometrics.

On 28 March 2017, cricketer MS Dhoni's personal details were leaked by an enthusiastic employee at an Aadhaar enrollment center. The IT Minister Ravi Shankar Prasad said that the Aadhaar database is secure, and that harsh action would be taken against the agency. The collection center was banned for 10 years. Referring to the same incident, Minister of State for Electronics and IT P P Chaudhary, in the Lok Sabha, said, "I would like to inform that there is no question of leakage of Aadhaar data from the Aadhaar system. There is no leakage and it cannot be."

In an interview with CNBC TV18, Ajay Bhushan Panday, CEO of UIDAI acknowledged that the database can potentially be breached, saying "there is nothing called fully secure and absolutely security". However, Bhushan pointed out the flawless record of the Aadhaar database so far. Arun Jaitley responded to concerns over data breaches by saying that the possibility of hacking is no reason to not use new technologies. "If firewalls can be broken, and hacking can be done, it will be done whether Aadhaar is there or not. Don’t say it is due to Aadhaar", Jaitley said in the Rajya Sabha.

Arun Jaitley

Jaitley said "If technology can be breached, doesn’t mean we shouldn’t use technology."

If there is no Aadhaar database, it cannot be hacked. The security concerns are only part of the problem with a centralised biometric database. The other problem is a matter of privacy. The database is there with the government, and can potentially be used or abused in new and inventive ways. The potential for surveillance is chilling and enormous. The government is collecting intimate details about the bodies of the people, which can easily be put to use for purposes other than why it was handed over to the government.

A Goa court ordered the UIDAI to share details of all individuals enrolled in the Aadhaar scheme with the Central Bureau of Investigation. The ruling was despite a clause in the Aadhaar act that only allows the biometric information to be used after the individual has given consent for such use. Biometrics systems are not absolutely foolproof, and the UIDAI themselves showed that there was a 0.057 percent possibility of a false positive. The lack of dedicated privacy and database security laws in India exacerbate the problem.

An operator arranges the Unique Identification (UID) documents submitted by people for their enrolment in the desert Indian state of Rajasthan. Image: Reuters/Mansi Thapliyal

An operator arranges the Unique Identification (UID) documents submitted by people for their enrolment in the desert Indian state of Rajasthan. Image: Reuters/Mansi Thapliyal

For security and privacy reasons, there has been fierce opposition to centralised biometric databases by countries, which is the reason many developed economies do not have a system that is similar to Aadhaar. National identity databases with biometric data has been fiercely opposed in the United Kingdom, United States, Canada, France and Australia.

United Kingdom: In 2006, the United Kingdom passed the National Identity Card Act. The act introduced a mandatory identification card, and collected biometric data in the National Identity Register. After five years, the act was repealed, and the National Identity Register was destroyed. Over 500 hard disks were shredded and incinerated. Home Office minister Damian Green, who helped shred the hard disks, said "Laying ID cards to rest demonstrates the government’s commitment to scale back the power of the state and restore civil liberties."

United States: Following the 9/11 terrorist attacks in the United States, there was a proposal for a national identity card linked to a biometric database, a system that some believe could have prevented the deadly attacks. The American Civil Liberties Union (ACLU) opposed the proposal, pointing out that such a card would be quickly adopted for other authentication procedures and purposes, placing the government in the centre of the daily lives of citizens.

A broad coalition urged the then President Barack Obama and the Congress against the implementation of a national ID that collected biometric information in a single database. ACLU was supported by the Center for Digital Democracy, Consumer Federation of America, Electronic Frontier Foundation, Privacy International and the World Privacy Forum, among others.

Canada: There were efforts to introduce a national identity card for Canada as well, following the 9/11 attacks in the United States. The Office of the Privacy Commissioner of Canada opposed the move saying that the database would contain more information than necessary for verification and authentication purposes. A centralised database could also potentially harm the relationship between the state and its citizens. The project was ultimately shelved because of the high costs involved in creating and maintaining the systems and database.

Ghewar Ram (R), 55, and his wife Champa Devi, 54, display their Unique Identification (UID) cards. Image: Reuters/Mansi Thapliyal

Ghewar Ram (R), 55, and his wife Champa Devi, 54, display their Unique Identification (UID) cards. Image: Reuters/Mansi Thapliyal

One of the main concerns was that a national identity card system was not enough to curb terrorism, and that the database itself would have been an attractive target for cyber terrorists. In cases of identity theft, it would have been difficult for the compromised parties to prove that theirs is the real identity. The Office of the Privacy Commissioner of Canada was opposed to using data analysis of vast databases of transactions to identify terrorism linked activities, as such a system would be highly invasive and contrary to established protections for civil liberties.

Australia: Australia has managed to repeatedly avoid efforts by the government to implement invasive multi purpose national identity programs. The Australian Privacy Foundation maintains a list of all the previous times this has taken place. Following the London bombings in mid 2005, there were renewed efforts at introducing a national identity card for Australians. The Government took stock of the benefits of such a project, and decided against a national identity card because the disadvantages were found to be many, with few advantages.

France: In France, there were efforts to link a national identity system with biometric passports, creating a central database with the biometric information of over 60 million French nationals. The move was an effort to reduce instances of documentary fraud. The attempt was considered outdated, and disrespectful towards the rights and freedoms of the citizens of France.

The Conseil national du numérique, a body that advises on the official use of digital technologies opposed the move by the Government, noting that the very existence of a centralised database invites use for other purposes than originally intended. The opposition for the creation of the database was strong, as such a database would end up being a high value target for adversaries. There were alternatives available, that prevented fraud and impersonation, and at the same time maintained the privacy of individuals without putting their sensitive information at risk.

Aadhaar enrollment. Image: Reuters

Aadhaar enrollment. Image: Reuters

The Electronic Frontier Foundation advises public opposition to any government that attempts to set up a centralised database with biometric data. The Foundation points out that geolocation tracking, facial recognition, and mass video surveillance networks linked to national biometric databases can potentially lead to pervasive surveillance systems. The authorities issuing such cards automatically have more power to curtail civil liberties. The Foundation condemns the use of biometric data for e-governance services, law enforcement and private sector activities.

The citizens of the country are being forced to use Aadhaar, whether they trust it or not. The way Aadhaar has been set up, using a fingerprint scanner to authenticate a transaction is as good as giving out your banking password to the seller. There is a transfer of power from the population to the state with the creation of the Aadhaar database.

The privacy situation is getting increasingly worrying, as the Government is creating a system that can is capable of mass surveillance, which can be used against the people. The UIDAI cannot dodge the responsibility for a broken Aadhaar ecosystem by repeatedly and constantly maintaining that the central database is safe.


Published Date: Apr 10, 2017 01:35 pm | Updated Date: Apr 10, 2017 01:35 pm