At the very top of the list of objections to UID are concerns about data privacy and potential misuse. However, there are a range of views from supporters as well as detractors on what exactly privacy means in a country like India and how they would like the government to address the protection of personal information in the hands of public and private agencies.
At one end of the spectrum is the view that the government can never be trusted; the country is not ready; UID could be used to target minorities; and hence the project should be abandoned on privacy grounds:
“…privacy will be breached…it gives room for abuse of the power…the information never goes away, even when life moves on. So if a person is dyslexic some time in life, is a troubled adolescent, has taken psychiatric help…was married but is now divorced…all of this is an open book, forever, to the agency that has access to the data base.” ("Implications of registering, tracking, profiling' Usha Ramanathan, The Hindu, Apr 4, 2010)
“The UID is a dangerous thing. I'm shocked minorities and other communities are not boycotting it.” (Aruna Roy, TNN, Oct 17, 2011)
At the other end of the spectrum are those who think that in a country where millions of poor are yet to be recognized by government benefits, the concept of data privacy simply does not hold. This is best illustrated by this anecdote:
“Indeed, Kiran…actively wants the government to have a record of her and her children. She’s a bit mystified when I ask if the idea worries her. If you’ve never read a newspaper, let alone fretted over your Facebook privacy settings, the question of whether the government might abuse your digital data must seem pretty abstract—especially when you compare it with the benefits the government is offering.” (Vince Beiser, WIRED magazine, Aug 19, 2011)
Fear-mongering aside, it is a good thing that the UID project has been a catalyst for a serious debate on data privacy and protection. So, let us take a look at what the UIDAI has already committed to on this important issue:
- The UID database is limited to only four fields of data (name, gender, age and address). Any additional data desired by the states to manage their welfare programs (e.g. SC/ST, family assets, etc.) are not mandatory to enrol in Aadhaar.
- The encryption of data collected and transmitted from the field to the CIDR (Central Information Data Repository) makes it virtually impossible for anyone to use the data in transit. And CIDR itself is surrounded by multiple layers of protection, which are described elsewhere.
- No information from CIDR can be revealed to anyone, except as a ‘Yes’ or ‘No’ answer to queries; and exceptions can be made only for national security, under the approval of a Joint Secretary of the central government. (NPR has made a commitment that its database will be available only to government agencies.)
- The UIDAI’s authentication protocol is still in trial stages and there will be opportunities for concerns to be recorded on that score, as we better understand its implications -- e.g. what will be in the archived authentication records, how long will it be retained and for what purpose, etc.
- Private parties, including foreign agencies, involved in the project will have no access to any usable data: As described elsewhere, biometric data packets are isolated from demographic data, such as name and address; so even in the remote chance of data leakage, the data can’t be of use to anyone.
- The recently passed IT Rules of 2011 (“Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011”), which cover personal data in possession of private entities in India, have recognized key international data privacy norms, which should also apply to any UID data handled by such organizations.
Certainly, the UIDAI could do more to reassure those who are still concerned about data privacy, especially in the absence of a comprehensive data privacy regime in the country. For example, it could: 1. Promise not to mandate Aadhaar for those who do not intend to benefit from public subsidies -- at least until we have a national privacy law; 2. Consider the possibility that when a person reaches 15 to 18 years of age, he/she will have the option to get a new Aadhaar number, leaving behind any sensitive learning or health related records from childhood; and, 3. Make a commitment that all parties who have access to Aadhaar data, public or private, shall adhere to internationally accepted privacy norms (see box), which include a provision for an enrollee to ‘opt out’ of the system at any time -- obviously, with sufficient safety provisions to prevent misuse.
Civil Society too has an important role to play in the larger privacy debate, as it holds the key to how we can balance the nascent Right to Information regime with a new, potentially conflicting, Right to Privacy regime.
Differing perceptions are already emerging on this balance: For instance, Dr. R. Ramakumar of Tata Institute of Social Sciences avers, “…the demand to trade-off one freedom for another (say the ‘invasive loss’ of privacy for ‘development’) is an untenable demand,” (‘Identity Crisis’ Frontline, Dec 2, 2011), while Venkatesh Nayak of the Commonwealth Human Rights Initiative seems to take the opposite tack, “…there is an urgent need to ensure that the regime of transparency established by the Right to Information Act…is not rolled back in the name of protecting privacy and personal data. The benchmarks for protecting personal data adopted in advanced democracies may not be ideally suited to the Indian ethos.” (The Hoot, Aug 2010)
Activists like Aruna Roy, who have actively worked for years on right to information, but now seem worried about data privacy, may have to seriously rethink their own past position, which has resulted in the government publicly and regularly exposing large amounts of personal information, in an effort to demonstrate greater transparency and reduce corruption (e.g. MGNREGS muster rolls, electoral lists, the coming NPR lists, etc.) If they don’t, they will certainly be open to criticism that they have a different yardstick when it comes to the privacy of the poor vs. that of the middle class!
Add to this mix, 1. the all-powerful, if subterranean, voice of the politician-mafia nexus, who may see the RTP movement as a godsend to counter RTI and the future Lokpal; and 2. potential turf battles among ministries, some of whom already seem to demur on the need for a comprehensive data privacy law – and it is clear that this debate is not going to be over any time soon to give us a national data privacy and protection law.
Under the circumstances, the reasonably sounding suggestion that the UID project should be put off until there is a national privacy law is, in our view, can only be seen as a tactical move to stall the project. And it is unfortunate that even a Parliamentary Standing Committee seems to countenance such a call.
With all due respect, that suggestion makes as much sense as stopping all government contracting until we have a Lokpal law; or suspending the MGNREGS program until the government can find ways to stem the massive leakage of funds; or, for that matter, shelving the RTI Act until we can guarantee that no RTI activists are murdered on its account!
These are not zero sum games and life must go on: The task of better managing our welfare services and empowering the ID-less can’t wait. Quite the contrary, the progress of UID over the next couple of years, in of itself, will provide a great deal of insight into how we can craft a law that can balance privacy with purpose and work for the Indian context.
It is also useful to keep in mind that mobile telephony is already ubiquitous in the country, and both public and private agencies hold vastly more sensitive personal information compared to the UID database. While we do occasionally read about use of mobile data in civil and criminal cases and a few well-publicized examples of harassment of activists, had the nightmare scenarios of massive misuse of personal data against ordinary citizens any basis, we should have already seen ample evidence of that.
Do you have any innovative thoughts on how UID’s data protection and privacy objectives can be furthered without compromising the fundamental mission of Aadhaar to better manage welfare services? Let us hear it.