Aadhaar Act needs a relook from the security and privacy aspect, to avoid mistakes made with the IT Act
By Pavan Duggal
Indian authorities and agencies have been collecting information much before Aadhaar came into the picture. But most of the time, the information has been located in silos. For instance, the passport agency will only have your data for passport-related purposes, the local RTO will have your driving license information for their own need and so on. For the first time, we are coming across Aadhaar which is providing an interconnected ecosystem. That, from a consumer standpoint, is going to present a huge amount of data privacy issues.
Aadhaar is an executive order which only got legalised last year in the form of an Aadhaar Act. Also the Aadhaar Act does not do adequate justice to the issue of privacy. There are no distinctive provisions and safeguards that the consumer expects. It is weak when it comes to data privacy and personal privacy. Further, issues pertaining to cybersecurity have not been clearly addressed in the Aadhaar Act. So the perception that Aadhaar is safe is not completely true.
Where does the buck stop with the Aadhaar database
Take the fact that Aadhaar databases are getting increasingly compromised. You cannot bisect Aadhaar between the central registry and the ecosystem. So in a case where you ecosystem is getting compromised, you cannot say that your central registry is safe, but the issue is with the third party agencies who store Aadhaar data locally. That argument does not fly. Far more needs to be done as far as cybersecurity is concerned, than what is currently available.
Unfortunately, a lot of people are defending Aadhaar for the sake of defending it. For instance, last month UIDAI lodged complaints against Axis Bank Ltd, business correspondent Suvidhaa Inforserve and e-sign provider eMudhra, stating that they had allegedly attempted unauthorised authentication and impersonation by means of illegally storing Aadhaar biometrics. Similarly, last week there was a report which talked about how Aadhaar numbers were searchable on Google. So the Aadhaar numbers are floating in the open, which does not augur very well when it comes to increasing the confidence of the populace. If you have the Aadhaar number easily available with a Google search, the chances of potentially misusing it do exist.
The fears pertaining to misuse of Aadhaar data are real, because the concerns have not been adequately addressed. Another factor to consider is that since the Aadhaar Act was passed, there have been massive developments that have taken place in the field of cybersecurity. And we constantly need to relook at Aadhaar from the perspective of evolving the cybersecurity paradigm.
More significantly, Aadhaar constitutes a critical information infrastructure of our country. Aadhaar is linked to many services. So all it needs for criminals or non-state actors is to destabilise Aadhaar data and everything associated with it comes crumbling down.
Aadhaar is part of your life now, whether you like it or not
We have to accept the fact that Aadhaar is now a part of our life, so there is no point avoiding it. There are over 110 crore verified Aadhaar accounts. But at the same time, the information contained with Aadhaar isn’t regular information, but biometric information. The other thing to take into consideration is that a lot of these third-party service providers are now retaining a lot of your personal data, biometric data on their own systems, under the garb of Aadhaar authentication. Couple of these third party service providers are exploiting some loopholes in the Aadhaar Act 2016, and storing biometric information on their private systems. Once that happens, it will be a huge blow to the credibility of Aadhaar. This will also start eroding people’s confidence.
Aadhaar Act does not touch concretely on issues pertaining to data privacy, personal privacy. Consequently India does not even have a law on privacy. Under the current circumstances, if your Aadhaar information is misused, the law is very clear – you are the person who is responsible if you don’t report the issue. Now say if you are not aware that your Aadhaar data is being misused or wake up only after it is too late – according to the law, you are still liable as you have not reported the issue.
Interfacing with the IT Act
There is definite need to strengthen the Aadhar ecosystem. The concept of Aadhaar is very good, and good work is being done with benefits transfer for instance, no doubt about that. But at the same time, there is no clarity about how Aadhaar complies with the IT Act, because at the end of the day Aadhaar via the UIDAI has become an intermediary.
Everybody is harping on the central repository. But the repository is not Aadhaar, but just a core kernel of the Aadhaar ecosystem. The entire ecosystem needs to be more safe and secure and there isn’t any effective protection as such. So if your Aadhaar is compromised today, you don’t have effective remedies as a consumer. The offences under Aadhaar can only be registered after UIDAI reports. So people have been rendered remedy-less.
For instance, if you are one of those thousand people whose Aadhaar number is visible on Google, what option do you have? There is no effective remedy. Users want concrete effective remedies, which the Aadhaar Act does not provide.
It’s time we acknowledged the shortcomings in Aadhaar and work towards creating an effective framework around Aadhaar rather than saying it is the best. We need to adopt a more proactive approach. The law never envisaged that private parties are going to create their own databases of user data, under the garb of Aadhaar verification. So there are huge problems we need to acknowledge.
We need to revisit the Aadhaar Act 2016. The interplay between the IT Act and Aadhaar Act is a huge grey area. Aadhaar Act is only a subset of the IT Act, which is the mother legislation. There are many kinds of cybercrimes that have emerged post demonetisation, that need to be taken into account in the Aadhaar Act. The linking of Aadhaar with various government schemes without having done the legal homework could land India into a huge e-governance disaster. We should work on strengthening the ecosystem.
Need to avoid a repeat of the mistakes with IT Act
The current state of affairs shows a conflict between the executive and judiciary, which could go into a confrontational approach, which should be avoided. The Supreme Court had reiterated the order that Aadhaar should not be made mandatory after the notification of the Aadhaar Act.
Making it mandatory can effectively deprive people of their fundamental rights and could ultimately be unconstitutional. When you make Aadhaar mandatory, you are making a distinction between those who have it and those who don’t. This amounts to violation of rights to equality.
We should learn from the mistakes we did with the formulating and later amending the IT Act. It was first launched in 2000, and for years the government said that it was adequate. But eventually, we had to make a lot of amendments to it.Tags: #AadhaarAct, #RTO, privacy, security