Skip to content

Under the Aadhaar system, all Indian citizens are being allotted a unique twelve-digit identity number by the State upon obtaining biometric data including fingerprint and iris scans and upon submission and verification of certain demographic data including the name, date of birth and residential address.

The new identity is different from all previous identity documents issued by the State. While a driving license or a passport were identity ‘documents’ that once issued were in the possession and under the control of the citizen as “original documents”, the Aadhaar number and associated demographic and biometric data is a data entry in a digital database in the possession and under the control of the State and any other entities who might gain access to this database whether with legal authority or otherwise.

Further the nature of the information that the State uses to identify a person under the Aadhaar system is entirely different from that used under earlier systems of identification. Until now the State relied upon photo-identity cards to determine someone’s identity. Under the Aadhaar system, the markers for identity determination include fingerprints and iris scans. For the first time, biological data not visible to the human eye and inaccessible to and non-decipherable by a lay person or a non-expert, is being obtained from citizens and is being stored digitally in a central repository for all 1.3 billion Indians with the ostensible purpose of identifying them.

Yes, the citizen is issued an Aadhar card with a number on it, but that card and the photograph on it and the face of the person presenting that card are no longer sufficient for the State to accept that the person is who he or she says they are. The biometric data must match. If the biometric data match fails, then the State will refuse to accept the identity of that person.

Also, the Aadhaar based identity is ultimately a number in a digital database. That number can be deactivated or even deleted. The database is outside the possession and control of the citizen. If his Aadhaar number in the database ceases to exist, the citizen has no proof of his identity as a citizen. The citizen ceases to exist for the State.

The Aadhaar related debates have focused on the right to privacy and on the apprehension of surveillance by the State and on issues of the security of Aadhaar databases. But there are more deep-seated concerns about the Aadhaar biometric identification system that I discuss here and which are important to understand how great a threat the Aadhaar biometric identification system poses to the privacy, liberty and security of Indian citizens.

There are several scenarios in which this digital biometric identification database can fail, be modified, be stolen, be leaked, be misused or be manipulated by State or non-State interests to the detriment of citizens and their rights. I discuss how the centralized and digital nature of this database as well as its use of biometric markers of identity which by their very nature are not accessible to or verifiable by ordinary individuals, creates many such scenarios where citizens can lose control over their identity and their very person-hood and be left with no recourse in extremely harmful situations. The greatest threat posed by the Aadhaar system is that citizens will lose control over their identity, they will be unable to establish their identity under certain circumstances, and they will also be exposed to an exponentially higher risk of identity theft.

The digital Aadhaar biometric identification system it is argued not only violates the right to privacy, but it creates significant risks that threaten the very right to identity and person-hood of Indian citizens and thus the right to citizenship itself. The Aadhaar system fundamentally alters the social contract underlying the Constitution of India by enabling a potentially malevolent State to deny the very identity of “inconvenient” citizens. A cost-benefit analysis of the Aadhaar system, even accepting its stated advantages, cannot justify such immense risks to citizens.

This post was originally published here by Seema Sapra.

1

The layman often does not know how many tiers of privilege are invisible too him. I have often wondered how I can purchase something that costs less than a dollar and it gets stuck in customs to never be seen again, or emerge after a few months, but couriers deliver international parcels within days. And it was evident that this is a mystery to many and even more have solved it with conspiracy theories, because the only plausible explanation to occur to me till today, living in a bribe riddled country was a twitter user's suggestion made a few years ago, that courier companies have their contacts in customs who clear parcels swiftly for them, while regular parcels wait.

It was today that I realized it is not so. Take the case of Mumbai The Courier cell at the airport clears parcels with Airway bills right there at the airport. Then comes the parcels with tracking numbers starting from "E" - EMS type ones at the Post parcel sorting office behind Sahara Hotel. The poor ones starting with C go all the way to Ballard Estate to clear customs. I guess this is an additional precaution in case customs fails to delay non-courier parcels enough. I imagine they have less storage space at the airport to keep lags, and that is the only reason they come through faster, because surely the government would not prefer some methods of shipments over others, including the government run postal system. Yeah, that was sarcasm. And yes, the speed of international couriers in delivering your parcel is not because they are "better" at it, but because customs seems to hurry them through while taking their own sweet time for others.

Regardless, this is not the purpose of the post. I got a call from DHL today, asking me to upload KYC documents for a shipment coming for me. This is a small quantity of oat bran and apple fiber - both of which, for mysterious reasons are not manufactured in India - at least for retail. I wanted to see what the products are. The total cost of both packets could not be over Rs. 500. KYC for a 500 rupee parcel, failing which it would be returned to sender? Unbelievable. I lost my temper with DHL - they want my official, personal identification and proof of address for their staff to be able to download and print whenever they "need" - PERMANENTLY? WHY? How are my documents their business at all and further, what is their justification to keep them in a usable format with them once the delivery is done?

This led to a search.

The gist of the problem is that our Customs department in all its wisdom issued a circular requiring KYC documents for every parcel going in or out of the country - regardless of the value of the parcel and whether it is eligible for customs duty. This is, presumably to prevent import/export fraud or money laundering, etc. Apparently customs hasn't realized that the letters that are so happily exempt can easily carry diamonds.

Now, as per Customs, these documents can be collected at the time of pick up or delivery. But obviously this is a headache for courier companies, that have found their own workaround. They simply ask customers to upload their documents to the courier's website, from where the courier will use them automatically in the future - at least reducing future headaches. This is a streamlining of operations, that makes sense - from the perspective of a courier. A courier is not responsible for national or individual security or rights of citizens. And our country, that claims to want to go digital has no concept of digital security at all beyond the "money" sites as I call them - tax, aadhaar.

As a result, we have a whole horde of foreign companies with databases of valid identification and proofs of addresses complete with email addresses and phone number (required at time of upoading documents) - from which they can also get date of birth. These documents are obviously good enough quality to be able to be printed and used by third parties for KYC. These documents are accessible - at the very least - to call center employees who call you up to discuss them and employees who will print them out from the database, attach them to parcels, take the parcels for customs clearance and perhaps further down the assembly line all the way to your door, including local delivery agents.

Now, what sort of security problems could be possible because of this?

At the point of the database

Call center employees, people taking print outs or such all the way to your door are unlikely to be highly skilled employees. They are necessary in large numbers. It is unclear what sort of screening procedures happen for them to be entrusted with such data.

Corrupt employees could easily sell identification documents of real people for money. Something like this has the potential to sit nicely on a DVD to go to the highest bidder.

Spy agencies could use such data for various purposes against Indian interest, including the basis of new fake identities. All it takes is one driving licence or passport to rent a place and become a local in a new place and get pretty much any document and begin a brand new life and toss the photocopy of the passport away on getting their new driving licence or whatever. Would be a pretty handy "Shopping mall of documents" to check out which customer of the courier company had photo identification that best suited the agent they were planting.

Given that the records would also come with email addresses and phone numbers with a good chance of being linked to the documents, the possibilities increase. Consider for example a person walking into a mobile provider's showroom asking for "his" SIM to be blocked and providing alternative documents to get a new SIM. If the address proof is a bank statement, for banks where customer ID is the login, should be a simple matter to reset password with a new SIM. Not to mention a list of people using international couriers is an automatic list of people extremely likely to be using electronic payments, to be from the rich and upper classes.

And you don't even have to have dishonest couriers for this. Databases get hacked and data dumps are sold on the black market. One created from such a source would have a very high percentage of lucrative targets with a good possibility of being vulnerable to targeted attacks or identity theft.

There are very very few places where you could get such complete information on such a targettable group - not even government databases could probably give you email addresses, phone numbers and printable copies of ID documents in one place.

How could this be avoided?

First and foremost, six years is plenty of time to collect data. Customs and revenue folks should provide statistics on how many cases of fraud were caught due to KYC data. At the very least, they must demonstrate that the expense and risk to individuals and country of conducting this circus is justified by results of the use of KYC data.

There is no reason to require documents for items not qualifying for duty to begin with - which would be the bulk of parcels. Where duty was paid, customs can easily require the receiver to upload documents to a government website for customs clearances instead of third parties based outside India. Couriers could even expedite the process by intimating customers not registered in customs to do it with their AWB number on booking of shipment to prevent delays in customs. Even then, it is unclear what KYC documents achieve - would be more useful to get a PAN number, which can, quickly be checked against bank accounts, tax status, import licences and more as well as payments made, while providing least "one stop" exploitable information to someone misusing it.  With something as specific as a PAN number, customs could even have automatic flags for more than "X" number of shipments in "Y" period - without even having to resort to any kind of snooping or invasions of privacy. Otherwise, simply having a few different shipping addresses (home, office, warehouse, shop - all would have address proof/rental agreement) could result in a workaround for illegal imports anyway.

 

This absurd requirement for customs puts both individuals as well as country at risk. This cannot be blamed on couriers - they are merely getting customers to "voluntarily" (or else you won't get your parcel) give up their documents to prevent inconvenience to themselves. While they are using the documents legally and have a good excuse for their coercive behavior, it is the responsibility of the government to secure the nation as well as its citizens from potential crime.

At the very least couriers must obtain explicit consent from regular customers to store their data permanently or be required to destroy such records once the need for documents is over - at least minimizing risk.

Third party databases containing complete identifiable information of Indian citizens from documents to contact information and date of birth - are a recipe for security disaster sooner or later.

What can we do to protect ourselves till then?

Do your international shipping through Postal departments as opposed to couriers. Or via E-Commerce websites that have shipping arrangements that don't require you to upload sensitive documents to third parties. You will still have to pay customs duty where applicable, but your documents would be less vulnerable to misuse.

Nagrik Chetna Manch (NCM) filed a Contempt Petition (21656 of 2015) on 6th July 2015 initiating proceedings for committing civil contempt of the Hon’ble by violating it’s interim orders dated 23.09.2013 and 16.03.2015 in Writ Petition (Civil) 494 of 2012 and dated 24.02.2014 in Special Leave Petition (Criminal) 2524 of 2014. The contemnors are (1) Pradeep Kumar Sinha, Cabinet Secretary, Union of , (2) Swadheen S Kshatriya, Chief Secretary , (3) Raghuram Rajan, Governor, Reserve Bank of India (4) Nasim Zaidi, Chief Election Commissioner, of India.

NCM noticed that there was a spurt of directives in the last few months by both the Central and State governments violating the orders of the Supreme Court by mandating linkages of benefits to the possession of Aadhaar number. We give below a few examples for the basis of the Contempt Petition.

The Department of Electronics and Communication Technology integrated Aadhaar to draw benefits in the newly launched Digital India Program. The Ministry of Labour and Employment made Aadhaar card compulsory for ESI services. The Ministry of New and Renewable Energy made Aadhaar mandatory for receiving capital subsidy. The Ministry of Rural Development made Aadhaar compulsory for MNREGA services.

The Govt. of made Aadhaar compulsory for ration services at Fair Price Shops and for school admissions and the Election Commission of India issued instructions for linking Aadhaar card with Elector’s Photo Identity Card.

In it’s interim order dated 23.09.2013 passed in WP (C) 494 of 2012, the Supreme Court had directed, “in the meanwhile no person should suffer for not getting the Aadhaar number and when any person applies to get the Aadhaar number voluntarily, it may be checked whether the person is entitled for it under law as it should not be given to any illegal immigrant.” In its order dated 24/03/2014 in SLP 2524/2014 filed by the Unique Identification Authority of India against the Central Bureau of Investigation and others, the Supreme Court had restrained the UIDAI from transferring any biometric information of any person to any other agency without a written consent.

Nagrik Chetna Manch has prayed for prohibition of linkage of Aadhaar number to any benefits, to end the discrimination of persons into Aadhaar and non-Aadhaar residents and restrain the from transferring any biometric information of any person from or to any other agency without specific written permission.

NCM’s Contempt Petition 21656 of 2015 in the Supreme Court

On 6th July 2015, Nagrik Chetna Manch (NCM) filed Contempt Petition bearing no. 21656 / 2015 under Art 129 & 142 of the Constitution of India read with section 12 of the Contempt of Courts Act 1971 for initiating contempt proceedings against the Contemnors for committing Civil Contempt of Hon’ble Supreme Court whereby violating it’s interim orders dated 23.09.2013 and 16.03.2015 passed in WP (C) no. 494 of 2012. As well as order dated 24.02.2014 passed by Hon’ble Supreme Court in SLP (Crl) no. 2524 of 2014. Contemnors being (1) Pradeep Kumar Sinha, Cabinet Secretary, Union of India, (2) Swadheen S Kshatriya, Chief Secretary Government of Maharashtra, (3) Raghuram Rajan, Governor, Reserve Bank of India (4) Nasim Zaidi, Chief Election Commissioner, Election Commission of India.

Earlier NCM had filed WP no. 932 of 2013 in public interest against the use of the UID number by RBI, ECI, RGI and GoI on the grounds mentioned in the WP in which notice had been issued on 19.11.2013 by the Hon’ble Supreme Court and the same was tagged with aforesaid WP (C) 494 of 2012.

In it’s interim order dated 23.09.2013 passed in WP (C) no. 494 of 2012, the Hon’ble Supreme Court while feeling importance of this matter, listed it for final hearing. And also directed that in the meanwhile no person should suffer for not getting the Aadhaar number and when any person applies to get the Aadhaar number voluntarily, it may be checked whether the person is entitled for it under law as it should not be given to any illegal immigrant.

In an order dated 24/03/2014 in another matter Special Leave to Appeal (Crl) No.2524/2014 filed by the Unique Identification Authority of India (UIDAI) against the Central Bureau of Investigation () and others, the Supreme Court had restrained the UIDAI from transferring any biometric information of any person who has been allotted the Aadhaar number to any other agency without his consent in writing. The order further stated that no person shall be deprived of any service for want of Aadhaar number in case he/she is otherwise eligible/entitled. All the authorities were directed to modify their forms/circulars/likes so as to not compulsorily require the Aadhaar number in order to meet the requirement of the interim order passed by the Hon’ble Supreme Court.

Despite these orders neither the nor States and their functionaries have been complying the orders of the Supreme Court in letter and spirit. They have continued to cause suffering by continuously mandating more and more for registration and linkages to the Aadhaar. The NCM quotes a few examples of the violations by the contemnors in the Petition.

The Department of Electronics and Communication Technology, for example, launched the Digital India Program on 1st July 2015. This program integrates Aadhaar as a mandatory feature to draw any benefits. The Ministry of Labour and Employment, Govt. of India issued advertisement in for making Aadhaar card compulsory for ESI services. The Ministry of New and Renewable Energy, Govt. of India issued notice No. 5/34/2013-14/RT dated 01.01.2015 for making Aadhaar card compulsory for receiving capital subsidy. The Ministry of Rural Development, Govt. of India issued letter dated 18.02.2015 and again on 25.02.2015 for making Aadhaar card compulsory for MNREGA services. The Minister of Rural Development, Govt. of India answered a unstarred question on 05.03.2015 whether the Union Government proposes to link accounts opened under Pradhan Mantri Jan Dhan Yojana with Aadhaar number to transfer subsidy and wages under MGNREGS directly indicating that “The States have been asked to take active measures to link the bank accounts of the workers with their Aadhaar numbers. In order to make use of the benefits under the PMJDY, all States have been requested to undertake an immediate drive to open Pradhan Mantri Jan Dhan Yojana (PMJDY) accounts for all the active wage seekers who already do not have a Bank/ Post Office account in the nearest commercial Bank/ Post Offices. Wherever accounts have been freshly opened by MGNREGA workers under the PMJDY, such accounts are being linked with Aadhaar number of the beneficiaries.”

The Govt. of Maharashtra issued Cabinet Resolution dated 03.03.2015 for making Aadhaar card compulsory for ration services at Fair Price Shops. The Resolution also requires the transfer of biometric information to the Govt. of Maharashtra despite there being no consent in writing of the persons whose biometric it may be. The Govt. of Maharashtra issued GR dated 21.04.2015 for making Aadhaar card compulsory for school admissions.

The Reserve Bank of India issued letter dated 26.11.2013 for making Aadhaar card readers compulsory for all new infrastructure services.

The Election Commission of India issued letter dated 27.02.2015 for linking Aadhaar card with EPIC. This process of seeding is meaningless without discriminating, and thus causing to suffer, those without an Aadhaar.

In the meanwhile as the common man continues to suffer the Aadhaar, NCM has alleged in its Petition 932 of 2013, that the linkage of Aadhaar to various databases is destroying governance and ability to govern. NCM has also highlighted that it will end the rule of law and perhaps even compromise the sovereignty of India. Such linkage of bank accounts to Aadhaar is facilitating money laundering. Linkage of Aadhaar to the EPIC and NPR is destroying the ability to distinguish citizens from residents and giving citizenship to illegal immigrants as well as anti-nationals.

NCM in the CP filed, prays for prohibition of operations related to Aadhaar number by Contemnors forthwith and until final disposal of WP (C) no.494 of 2012, require contemnors to end suffering caused by discrimination of persons into Aadhaar and non-Aadhaar residents through the continued usage or seeding of Aadhaar by any agency and restrain the contemnors from transferring any biometric information of any person who has been allotted the Aadhaar number from or to any other agency.

Qaneez Sukhrani

Secretary, Nagrik Chetna Manch

Telephone: +919822056782

28

While there is no denying that in a country like India, there is a need for identification that people can create easily and use nationwide, the Aadhaar card project goes way beyond that, and in the process, messes up the basics as well. There are several problems I have with the Aadhaar card. Chief among those are:

Privacy concerns from Aadhaar leaks

Biometric data is not something you can change if cases of misuse crop up. There does not seem to be appropriate care taken by the government to protect the data from unauthorized access.

  • The data is to be privatized through NIUs (National Information Utilities), where once the data is stable, it would not even belong to the government but private utilities, controlling it as a monopoly. The citizen, urged by the government to create the cards is not informed about how their personal information will be used or controlled.
  • Foreign companies with links to foreign intelligence organizations have been given access to the Aadhaar database.
  • Recent revelations show that data once entered in the UID system cannot be removed. This basically means that once you get an Aadhaar card made, your information is out of your control and you will not be able to cancel your own identification data.
  • Storage on servers in the US. The US is getting increasingly data hungry and alarming disclosures of illegal access to databases, where even Google had to encrypt internal traffic to protect privacy have come to light. The US can legally get access to data stored on servers within the country - regardless of your permission or the permission of government of India.

The cost of the Aadhaar project

India is a developing country. We have many priorities on our funds, and it is unclear how an expense of an estimated 150,000 crore rupees helps the Indian citizen or does anything that a far cheaper identity card couldn't. For example, the cost of India's census was 2200 crore in 2011. And the census reached every citizen (at least in theory), and has produced information that is of tremendous utility and diverse applications. This is several times our entire health budget encompassing subsidized education, running hospitals, vaccinations, medicine costs, teaching hospitals and what not nationwide.

In contrast, India seems to have spent some 2,500 per card so far, though the citizen is not required to pay anything. Much of this large cost appears to be due to the expenses involved in collecting and working with biometric data, yet the biometric data is neither collected in an efficient manner, nor used at all in verifying identification. Then why is the expense done?

Additionally, while the investment is done using government funds, ready databases will be controlled by private entities (who will profit from offering identification services), and the government will be paying customers of the databases it has already spent a bomb to create. Of course, no citizen has been given any power to refuse his or her information being used for profit by private entities with the blessings of the government.

Coercion to register for Aadhaar - voluntary and mandatory?

What is increasingly evident as a project that will profit specific entities is being forced on citizens who wish to avail of their rights as citizens. Attempts to tie UID identification with everything are increasing. The idea of government subsidies is being replaced by citizens buying at market prices and being reimbursed by the government into their "Aadhaar linked" bank accounts. In other words, spend more on food and fuel, or give us your biometric data. Several instances of schools requiring Aadhaar card details of students have come to light, which is probably a violation of the Right To Education act, since refusing education to children for any reason is punishable under the RTE.

In a country where a fifth of the population is under a poverty line that belongs on "extreme survival" type shows rather than a Planning Commission planning for the well being of a country, essentially this amounts to a direct order to spend what it takes on travel to your Aadhaar card center, get whatever proofs are needed or pay some corrupt officials, invest some money in creating a bank account, raise the money to purchase necessities at market price and wait for the refund to come. Or you can buy at market price and not get a refund. This is as good as holding a gun to the stomachs of the poor and telling them to register for an Aadhaar card.

No legal basis for the UID project

There is no legal basis for UID. The draft bill was rejected by a standing committee in 2010 and has never seen the Parliament ever since. Courts have ruled over and over that people cannot be forced to create Aadhaar cards and they cannot be refused their rights for the lack of Aadhaar cards, but it has no impact on a rogue government that continues to push more and more essentials into dependency on Aadhaar identification, regardless of lack of any legal authority to do so.

False claims of preventing corruption

India is a country where the corrupt are the first to get false papers made. The idea that an Aadhaar card will prevent corruption is bogus. Completely bogus. It has been demonstrated over and over that false Aadhaar cards are being made. These Aadhaar cards can easily be used to create bogus bank accounts or gas connections and so on. With elections coming up, one only wonders how many Aadhaar cards were used to create multiple voter IDs in different places by various elements engaged in election rigging. Replies to RTI clearly demonstrate that the Aadhaar card number attached to various accounts is not verified using the very expensive biometrics. Unsurprising, considering that earlier exposes of fraudulent cards have demonstrated cards for a coriander plant and cards for people who never visit the Aadhaar center as long as they provide a photo. So what biometrics would they be verified against?

The new bailout plan for banks

As bad loans and debt in banks make news, only to fall silent quickly, the government bright idea of forcing citizens to make bank accounts if they want their right to affordable food and fuel is not something to be sneezed at. In a country of the size of India, people keeping a token balance in a bank account will also rapidly total up to a large amount of money. This is in addition to the various entities that will earn interest from the citizen's investment of the additional price that will later get refunded (only for other citizens to make the investment and so on). This clearly provides the controllers of various services close to power cartels a quick source of cash. At the cost of the citizen, the poorer among which will have no credibility for proper loans and may end up caught in vicious cycles with loan sharks to raise money for the expensive purchase. I am not joking. I imagine over half of India's population won't be able to come up with a thousand rupees for a gas cylinder without borrowing from someone to be repaid when salary happens and so on. The refund they will eventually get will earn interest to some already powerful entity for the duration till they get it.

Potential for misuse

As stated earlier, Aadhaar cards can be made very easily and with little verification raising potential for criminals to create alternative identities easily. In a state where police are often found complicit in crimes, syping and persecution, it may be possible for vested interests to plant records of biometric details matching someone they want to target among evidence. Multiple identification can be used to get around limits to profit from government schemes, like getting employment under multiple names under MNREGA or getting more cylinders of gas using subsidies under multiple identities.

Considering that the biometric data is not used to verify identity, there is nothing stopping a person from making several cards in several names at different places - say - in one place for each phase of the polls... to take Sharad Pawar's "joke" into completely realistic possibility.

Illegal immigration and terrorism

Aadhaar cards could facilitate regularization of illegal migrants or terrorists leading to cartelization of such practices and exploiting government facilities and adding burden on the state. They could be used by political parties for election rigging by manipulating demographics of a place. Given some time, it will be impossible to distinguish an Indian citizen from a migrant, since all their documentation will essentially be authentic.

Unauthorized use of Aadhaar cards

There have been instances reported in newspapers where banks contacted people who got their Aadhaar cards made offering to open a bank account that would link to the card. How the bank got the person's information including name, Aadhaar card number and address to send the offer to.... should be a thought that will get any sane person paranoid.

And the obvious problem

If at some point we start using the UID data to verify people, there is no proof that it will work, given the extensive problems with the data revealed so far.

There are many other reasons. Basically Aadhaar is a project that has profited many with interests ranging from profiteering to "a historic experiment" and the "largest biometric database in the world", but it has little to offer the common man that simple registration and cards without biometrics wouldn't. It isn't even like we are using the biometrics, or that they are reliable anyway.