Recently, a breach of Aadhar data was reported after the UIDAI sent a notice to three firms for possible unauthorized authentication attempt and storing of biometric data. The notice it had served was shared widely on social media and questions were raised over the safety of Aadhar data.
Aadhar and security of data
Several negative reports on Aadhar database have widened scope for widespread data leakage. Though UIDAI has denied that there is a breach of Aadhar data or creation of parallel data bases and the government has assured that data with UIDAI is secured and there is no use of Aadhar biometrics leading to identity theft or financial loss, the threat of data breach will remain owing to ever-evolving technology and its hackers.
Is Aadhar data safe?
It is not about data being safe or not because any collection or compilation of large amount of data with individual identity is always vulnerable due to increasing technical vulnerabilities of state and non-state actors. It was demonstrated when Russian backed hackers publicly disclosed the Turkish identities which had a UID similar to Aadhar. The ability of hackers based out of China and Russia who may be state or non-state actors, who at will can hack US government, is known.
When the recent incidences took place, UIDAI was immediately able to pin point, particularly a case involving private bank that, somebody was using the same system to access authentication from multiple sources at same time which should not be possible given the safeguards.
It is reassuring as they could detect the problem. However, despite the technical capabilities, when there is a large database, it is a worry to keep it secure.
Thus, whoever is at the helm of monitoring the database needs to be completely at the top of the game about security of the data base.
Problems with Aadhar
With regards to current reports of data security breach, it is to be known if these violations are part of larger pattern or one isolated incident. There was a rumour going about that data of 1 lakh people can be available that for 15000 rs. UIDAI is aware of such incidences but when there was RTI on UIDAI on disclosing the data breach, they did not answer.
Along with it, there are other concerns such as privacy, denial of entitlements to people, forcing of Aadhar on schemes.
Two aspects
Legal- if any individual data is compromised, then as per law there is no law that he can directly go to court. Only UIDAI can. As per sec 43 of IT Act, corporate body is responsible for information. Now here if UIDAI is responsible, there is no provision in Aadhar Act which say that they are liable for protection of data and for breach of data they will be criminally prosecuted.
No provisions for compensation- Western countries’ digital models are being followed but compensation provisions are not being adapted here.
Is such database required?
For first time, India has been able to create such a great database in centralized location. It speaks volumes of its credibility and capability to procure such data.
Earlier when there was a debate for a multi-purpose national identity card, numerous studies were undertaken. It was found that means of procuring data such as how to register the citizens, how to know how many people can avail subsidies, how many people aware of government schemes was minimal. That way credit should go to government agencies that have been able to procure such data and keep it safely.
Government has saved 49000 crore in past two and half years through DBT. This will evolve and safety measures will also evolve.
Such databases are required to unearth black money information, fictitious identities, fake names taking benefits of schemes etc. But care should be taken that it does not breach the privacy limit.
Data security laws
Do the benefits outweigh the risks? The debate on Aadhar if it is good or bad or its need for access to schemes is a separate debate.
In terms of cost, the precaution taken to keep the data safe is the key. In case of Aadhar, India lost a big opportunity to pass data protection laws similar to that of UK and USA which maintain such large databases.
Aadhar and privacy
There is lot of misconception about right to privacy. What is in SC is about fundamental right to privacy. There is already right to privacy in IT laws. Aadhar act may not have privacy provision but IT Act has it under sec 43. It talks about data protection of sensitive personal data.
3 problems with Aadhar Act are:
Compensation and data protection provisions not included in Aadhar act
Aadhar was passed as money bill so it is not giving corporate entity status to UIDAI and their other agencies which can be held liable and prosecuted.
Even if right to privacy is not a fundamental right, there is still right to privacy. Once aadhar data is compromised it cant be changed like ATM or bank password/details. Once compromised, there is no other way even if the companies are blacklisted, denotified or delisted. Unless they are prosecuted for the breach of data, the companies will not be cautious enough.
The government is aware of the problems. But assurances to protect data are vague generalizations. Citizens want more categorical assurance.
Importance of privacy
Right to privacy is not linked to just Aadhar. It is much larger societal debate. It was lost because there is no societal consensus or understanding of privacy. How common is the notion of privacy? How many Indian languages have a word for privacy? What is the societal value of privacy? Such crucial aspects of privacy are missing. And hence, just because there is so little value on privacy, government has not yet been forced by the citizens to have it.
In India, privacy comes at cost of transparency. RTI laws have given sweeping powers on gathering information from public authorities on a range of subject- healthcare, education, political information etc. Somewhere, every society has to decide on what is the balance between privacy and RTI. If the UK privacy laws are introduced in India, it would hamper the accountability. Thus this is a debatable portion of balance between privacy and transparency.
No government has done anything to assure citizens of their rights to privacy. Instead of going to courts on it, parliamentary committee should have looked into it and recommended act on privacy. If such breaches were happening as earlier, the citizens would have recourse of direct compensation and criminal proceedings and actions, launched not on their behalf by UIDAI but as a direct remedy as available in other countries.
Way forward
Government has to establish the right regulatory environment in country to prevent privacy breaches.
In India, Payment has been linked with Aadhar as 4.5 crores bank accounts have been opened through Aadhar. So it is important that sensitive personal data is protected and miscreants and irresponsible are punished. Not only Aadhar but other data bases should also be protected.
For people to trust the government and support the idea of a digital India, the government has to bring stringent laws promoting the safety and security of digital platform to the best possible extent.
Connecting the dots:
Aadhar data is prone to cyber attacks and can be misused. In light of this statement, examine the possibilities of a robust digital platform.