Anil, 26, works in my neighbourhood gym as a sweeper and cleaner. His 10-hour job involves wiping off the exercise machines, mopping the floors and washing out the shower stalls and the toilet. He’s among a team of others who clean up after the well-heeled members at the gym use its facilities. He’s on a contract that has no benefits such as medical or accident insurance or any form of job security. Each month he makes around Rs 8000, a sum of money that doesn’t travel far in Gurgaon. He bunks with eight other young men in a room that they rent in a nearby slum. Eight thousand rupees is what it roughly costs a month for a membership at the gym and ironically that’s what Anil and his colleagues who form the “housekeeping” team there make in a month. I asked Anil whether he has an Aadhaar number. He said, yes, he did. I asked him whether he thought it was of help. He thought for a while and then his eyes lit up as he told me how it had helped him get a subsidised cylinder of LPG that he and his room-mates now use to cook their simple meals instead of the kerosene stove that would smoke up their tiny room, hurt their eyes and make breathing difficult.
Aadhaar, India’s ambitious Unique Identification (UID) system, based on biometrics, and introduced in 2010, has enrolled around 1.19 billion Indians. That’s nearly everybody in India. In the beginning, the idea behind Aaadhar was that it would be a fool proof mechanism to check benefits fraud. Government subsidies and other benefits in a country as populous and poor as India are routinely siphoned out by layers of unscrupulous middle-men who take advantage of the lack of awareness and education, particularly among those who are underprivileged.
Aadhaar, introduced by the Unique Identification Authority of India (UIDAI) then headed by technocrat Nandan Nilekani, was aimed at righting those wrongs. And it did quite a bit of that—in India’s rural employment guarantee schemes, in disbursements of other government subsidies, and in detection of anomalies. Aadhaar seeding weeded out over 8.5 million fake ration cards in India’s massive public distribution system, which serves millions as a source of food but is riddled with inefficiencies and leakages. In another instance, Aadhaar verification led to the uncovering of a massive scam in India’s higher education system—it found that a tenth or nearly 130,000 college teachers actually did not exist.
The fact that a system such as Aadhaar, which relies on nearly fraud-proof biometrics to establish an individual’s identity has its benefits is undeniable and millions of people such as Anil, the gym worker, have benefited from it. But in country with a population nudging 1.3 billion, its implementation is fraught with risks. One such risk came to light at the very beginning of 2018. The New Year opened with a rude jolt for UIDAI. In a sting operation, Tribune, an Indian newspaper, claimed that it bought details of registered users on the biometric identification system from an agent who, for a piffling sum of five hundred rupees, offered access to the Unique Identification Authority of India’s database. The so-called agent also offered additional services such as printing out any Aadhaar card for an extra charge. This was serious. It meant that the Aadhaar system can be hacked and its “fool proof” security breached at will.
Curiously, the UIDAI while admitting the breach of security maintained that the biometric data of Aadhaar registered persons was still safe and that its technology made it impervious to hacking. If anyone can, at will, print out Aadhaar cards—which are prima facie the crucial document one needs to do things like opening a bank account, filing tax returns or claiming social welfare benefits—that defence by the authority is inexplicable and, in effect, quite meaningless. The debate over Aadhaar has many dimensions. The main opposition to it is that by compiling a database of personal details of its citizens, the government can access, use (and misuse) such data, thereby, infringing their right to privacy, a right that has been deemed by the apex court of India as being a fundamental one. Aadhaar began as a voluntary scheme. An individual was free to decide whether he/she wanted to provide biometric details such as iris recognition and finger-prints to get an Aadhaar number. However, more recently, the government made it mandatory for individuals to link or provide their Aadhaar numbers if they wanted to file their tax returns, open bank accounts, use their mobile phones, and even buy tickets to travel on the government’s railway network.
This has led to vociferous opposition to such directives and litigation. The government is faced with cases that challenge its mandatory orders and some of those key ones will come up for hearing in February. The Tribune’s revelations, however, come as a massive blow before those are heard and the judicial system decides on them. But the key lessons that the authorities need to learn are the following. Few will dispute the professed benefits of Aadhaar: to prevent fraud and ensure fair access to things such as pension schemes, and provident funds for employees; to ensure opening or operation of fake bank accounts; to minimise or eliminate siphoning away of government subsidies from those who they are intended for; and so on. The problem is in its implementation. The Tribune’s expose was not the first instance of a breach of security in the system. Data breaches have occurred over the past year in banking, telecoms and other services. In Delhi, for example, it is estimated that more Aadhaar numbers have been issued than the official census ratified population of the city state.
The objective of having a fool proof authentication of identity is not what should be disputed. Several developed countries have (equally many do not) a centralised system of identification but to work fairly and non-intrusively, they have strong privacy protection safeguards. In the aftermath of the recent breach of its system, UIDAI may brazenly claim that its core biometric database is secure but if more instances such as the Tribune expose surface–and they could–those claims will seem hollow. The only course of action that could redeem UID’s objective and put it back on the rails would be to completely overhaul its infrastructure, plug all its vulnerabilities, address valid concerns about privacy violations, and then re-boot it once again.