Answering the Aadhaar Questions Raised by YourStory Article
I am answering questions raised by Ritesh Dwivedy on YourStory in a blog post titled 5 questions for the anti-Aadhaar brigade. It's also available on UIDAI website. Readers may want to read that post first. Also everyone is welcome to share or republish my answers under CCBYSA.
Same or similar questions have been asked and answered before at many venues. You probably didn't get a chance to read them. Hence I am answering them here. I will try to keep it short and to the point. Also title of your article is misleading. Your article is not a question paper like the title suggests. It's more like a "Guide book to cracking IIT/JEE". It has frequently asked questions and canned answers by author. Maybe it's time for the guidebook authors to look for not-so-frequently asked questions. That would make everyone think. May be....
Let's start with the introduction
And yet, we hear so much anti-Aadhaar news. So why would anyone oppose Aadhaar? There are people with vested interests or extreme ideology – they do not want corruption to go away, they are middlemen who have been making crores through corrupt practices, or they believe in extreme anti-state ideologies.
I started reading your article thinking it would lead to a good discussion about tech, policy, privacy, social impact etc. But if someone starts an introduction with blaming the opposition. Calling them supporters of corruption, middle men, extreme even before laying out questions. Then it doesn't instill confidence about the quality of questions. I was kind of disappointed with the questions. But then I choose to answer because it can help.
Q1: How many more years do you want India to remain a ‘developing’ nation?
ANS: I want India to be developed country from tomorrow. There you have my answer.
Now in your canned answer you say - we can't become a developed country without taking everyone along with us. I agree. You also suggest DBT makes 100% of "aid" to reach the right person. But you conveniently forgot not every "aid" can be delivered to a bank account. Let's take one simple example of PDS. How will Aadhaar make sure the person who is under PDS+Aadhaar gets 100% of the rice he is promised and the quality he is promised. At most Aadhaar can make sure right person signed up or was present at the delivery spot. It can't guarantee anything else. It can't guarantee timeliness, quantity, quality or absence of bribery. Sorry the only reason you gave is not completely applicable. To burst your bubble just a unique identity is not going to make India developed.
Q2: Why are you silent on all the benefits we are seeing as a result of Aadhaar?
We do recognize the benefits but with eye for detail.
In the canned answer you give examples how the Aadhaar is beneficial. You didn't link them to the source. Here are a few links with a counter view.
- How private companies are using Aadhaar to try to deliver better services (but there's a catch)
- By making Aadhaar mandatory, Delhi’s government schools are shutting their doors to migrant children
- Aadhaar trouble: How a woman's wages under MGNREGA were transferred to someone else's account
- Dissent and Aadhaar
There are literally hundreds. Just Google.
Not sure how you came to this conclusion. We agree there are benefits from a unique identity and hence from Aadhaar too. We also know benefits always come with the cost. I like to see both and then make an informed decision.
Q3: Why are you misleading the Indian public about Aadhaar through fear-mongering and sensationalism?
No we aren't.
In your canned answer you call "dataleaks" as data disclosures and also make a claim that "In fact, people’s digital identity remains secure!".
Since you have not gone into details. I will do that. Let's take an example from the report Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information, Website of Chandranna Bima Scheme by Govt. of Andhra Pradesh, the website publishes Partial Aadhaar Numbers, Name, Father’s/Husband’s Name, age, caste, mobile number, gender, partially masked bank account number, IFSC Code, Bank Name and details of the nominee etc.
I was especially disappointed with this question because you also head an online start up. Talk to your security team and see how much information they think is enough to conduct an effective Social Engineering attack. Many transactions can be done with just Aadhaar number and OTP. Makes social engineering much more easy. In the meantime ask your startup's security team how happy they or your customers will be if their data of similar type leaks. Security is not just about keeping password or biometrics safe.
You probably know the after effects of Ashley Madison data breach. Now imagine the kind of effect if the HIV/AIDS patient's profile data along with Aadhaar number leaks. With Aadhaar they can be uniquely identified. So again it's not always about safe biometrics.
There is much more to the security and privacy argument. I would suggest you to read this post on reddit which explains other aspects which I have not gone in detail here.
Q4: Why are you willing to give biometrics to foreign govts and corporations, but not to your own govt?
We have, for example - passport. Important terms to know are purpose, choice and consent.
A very popular question on social media these days is - How can you give biometrics for US visa but not to your own government. But it's important to remind everyone that one needs to get a passport before getting visa. Everyone who has a passport has given their biometrics to GoI. Again the purpose of the collection is clear and is by choice.
You also talked about the biometrics on phone. Now to assume everyone has a phone or has a phone with biometrics capability is a little too much. Many of us don't have a phone with biometrics. Happy to announce I don't need phone with biometrics to pay taxes.
You also talk about and I quote "control over its usage" and " strict protection of the law". Here you talk about the user's control over data and usage of it. Under Aadhaar Act citizen don't have any legal rights to the data. If it's leaked or misused I am not considered an aggrieved party. I cannot sue UIDAI or others involved. That is the kind of protection I get. Of course there is also "National Security" clause under which all the data including authentication records (which they save) can be shared. We need a complete and separate article on this aspect. So I am going to leave it at that.
Q5: Why are you opposed to using technology to benefit the nation?
No we aren't.
You say and I quote
Bank account data, PAN data, credit card information, and user information from online accounts, etc. have all been leaked in the past or have seen frauds, yet we have not stopped using online banking, abolished the PAN system, dismantled credit cards, or disconnected from the internet.
Everything mentioned here can be replaced (except PAN). I can also sue people responsible for it for damages. But in case of Aadhaar I can do neither.
As part of this question you expect "a sensible discussion by all." and "constructive arguments". Now go back to your introduction paragraph see if its sensible or constructive to call the critics corrupt, middle men or extreme.
To answer your question. There are many technologies that are built with the aim of helping the nation. But not everything with good intention can benefit the people of this nation. We think the way Aadhaar & its ecosystem is today is not beneficial to Indians given the risks. It's also important to know technology alone can't solve all problems.
Hope my answers helped you. Ask more questions.
Nice. Am thinking of doing a reply too. Classic propaganda piece. Worth deconstructing to show citizens how the government misleads citizens into believing falsehoods about dissenters.
Is there a need for a privacy law ? The ship sailed a while ago on that one. And Aadhaar had little to do with it. Aadhar is merely rationalising and locking down all the information that was *already* there with the government in one way or the other. All the leakages, complaints and stuff are about how *applications* have used or misused Aadhaar. It is not about the system itself.
My grouse with Aadhaar is that it is being used for purposes that it was not intended for : ie for linking people to transactions without explicit consent or by making it mandatory. Else for the BPL applications it was intended for, there is actually little else that can be better.
What’s Aadhar ? (a) It’s a number (b) It’s a system that provides for authentication by biometrics or OTP.
Demonising Aadhaar without understanding what it is about is the problem that prevents rational dialogue.
@AKM Thanks for the comment.
We need a Privacy and Data Protection Law. No one is saying no to it. But the law needs to be open for comments by public before it goes through parliament. Unlike Aadhaar Law.
Aadhaar is not just the number + auth. Aadhaar includes tech (number + auth) + Aadhaar Law + Aadhaar Eco System. Aadhaar ecosystem includes people who enroll, use APIs, external entities who store Aadhaar related data etc. UIDAI is responsible for all these.
I will take liberty in citing an example, Apple. Apple ecosystem includes Tech + ToS, PP + Apple ecosystem (Like App makers, stores etc). Here App makers can leak customers data, Apple can’t say its not Apple is not responsible. They have to act. Usually Apple is quite tough on them. They probably get banned for life from the ecosystem. Besides customer can take both App maker and/or Apple to court if they want.
So we can’t say Aadhaar/UIDAI is completely innocent. They knew they were going to have one billion people on their system. They should have thought about the rights of the people. They had an option of providing more rights to citizen and restrictions on ecosystem when they passed Aadhaar Law. They had an option of making the data leaks by third parties civil/criminally liable (to people). They didn’t. Law was passed so hastily without debate. It failed people.