Opinion

Which comes first: identity or privacy?

SV Divvaakar | Updated on January 23, 2018 Published on August 18, 2015

Khazanova/shutterstock.com

The Aadhaar debate has frontpaged this fundamental question, but the answer seems obvious

With the Supreme Court’s interim order last week over the use of Aadhaar cards to access benefit schemes, the Centre finds itself in the corner once again.

The order has four significant parts. One, the government must give wide publicity in the media that it is not mandatory for a citizen to obtain an Aadhaar card. Two, production of an Aadhaar card shall not be made a condition for obtaining any benefits otherwise due to a citizen. Three, the government must undertake that the Aadhaar card will not be used for any purpose other than the public distribution system (PDS) , particularly for distribution of foodgrain and cooking fuel such as kerosene, and LPG subsidy; and even in availing these, the Aadhaar card will not be made mandatory. Four, any personal information obtained by the Unique Identification Authority of India (UIDAI) for issue of Aadhaar card should not be used for any other purpose, except as directed by a court for criminal investigation.

What’s proscribed

This interim order will be in force until the constitutionality of the biometric identity-based Aadhaar and its violation of the right to privacy are finally decided by a constitutional bench.

The Supreme Court has reaffirmed its September 2013 order, noting with ire that the Aadhaar has been increasingly pushed as a de facto requirement in a number of public services, including property and marriage registrations.

However, the court has not frozen Aadhaar registrations per se. The court’s position that “no person should be denied any benefits or ‘suffer’ for not having the Aadhaar card’’ actually approves its continuance on a consensual basis. What is proscribed is the seeding of Aadhaar information on any government schemes except PDS for foodgrain and kerosene, and LPG subsidy, although the order does not justify why Aadhaar linkage has been allowed for these two schemes.

The immediate casualty of this judgment are the big ticket direct benefit transfer (DBT) projects in the pipeline, especially MNREGA, which has been progressing ambitiously towards its coverage of almost 300 million beneficiaries. Also unclear is the fate of several State-level schemes for education and so on.

Although the Aadhaar petition is rooted in privacy rights under the Constitution, the underlying concerns relate to data security, surveillance, and potential misuse of the personal information captured in the Aadhaar enrolment process, especially in private and even foreign hands. India does not yet have a privacy Bill nor a definition of sensitive personal information.

Major concern

The prime concern of privacy advocates is that anyone approved by the UIDAI can use (and thus potentially misuse) the KYC API (application programme interface). But those conversant with the technology know that authentication queries on the Aadhaar payments bridge are answered in the ‘True’ or ‘False’ format without sharing any underlying information; thus there is no danger of misuse or data theft. In this regard, the fourth part of the court order is ambiguous in two key respects: one, what if a citizen chooses to share his Aadhaar key information with service providers; and two, is the prohibition on using Aadhaar data only in sharing the data with others, or does it apply even when used internally for authentication? If the court’s intent was only to prevent sharing, the eKYC is already fully compliant. If the intention was to prevent even internal use — even in a dehumanised authentication programme — then it might be a tad overreaching. These scenarios need to be considered for a clarification of the order, especially as the judges have accepted the utility and necessity of having a unique identifier to prevent leakages and duplications in beneficiaries.

There is too much at stake for India to pause its Aadhaar-enabled DBT programme only on privacy concerns. The ‘right to privacy’ argument against Aadhaar does not pass muster, as the security of an encrypted biometrics database is no different from that of hundreds of millions of passport files in the home ministry, or the five hundred million bank accounts on core banking systems. Banks store and share far more commercially sensitive, and personal, financial information than DBT flows. Given these realities, the Supreme Court might have exercised more leniency for the government to continue with Aadhaar seeding of its schemes while insisting on the warrantees as to data security, which the attorney-general has already furnished.

Lack of legal status

The real issue with Aadhaar is not its security but the UIDAI’s lack of legal/statutory status, which can only come about with the passing of the National Identity Authority Bill along with its charter, SOPs and public accountability, including responsibilities and liabilities of data security. As for fundamental rights, can a right to privacy be considered in isolation of the right to an independently verifiable identity?

Before I exercise my right to privacy, must I not have to prove independently, absolutely and beyond doubt who I am in the first place? A unique biometric identity distinguishes a person objectively from seven billion others on earth, without relying on others vouching through references, testimonies and sworn affidavits. Thus, is the right to a unique identity not fundamental to all other rights?

The writer is a fellow at the Indicus Centre for Financial Inclusion

Published on August 18, 2015
null
This article is closed for comments.
Please Email the Editor