What happens to privacy when companies have your Aadhaar number?

Out today, the second part of my story on companies, aadhaar and privacy.

As the previous story in this series reported, some companies are using Aadhaar to share customer and business partner information. This could aid the rise of data-broking companies like Acziom in the United States that hold ever more detailed profiles of people.

With the number of private databases rising, the task of protecting the information of Indians is acquiring fresh urgency. This is because the downsides go beyond unnervingly accurate advertising.

Companies can use this data to customise pricing for you. As Propublica reported about Amazon and Uber, this may not always be in your best interest.

They can also be used to deny products, services or information to you. Google, as the Guardian reported in 2015, showed “an ad for a career coaching service advertising “$200k+” executive positions 1,852 times to men and 318 times to women”. In the process, they could deepen existing inequalities.

Or they can just peer into your personal life – as the taxi app Uber showed with its subsequently deleted “Rides of Glory” blogpost on what rides made between 10 pm and 4 am revealed about people’s sex lives.

Given such stakes, and the proliferation of the uses of Aadhaar, it is important to take a closer look at India’s privacy regime. Even as the use of customer data intensifies among Indian companies, what are the protections that exist?

How private companies are using Aadhaar to try to deliver better services (but there’s a catch)

Aadhaar, as India’s Unique Identity Project is called, aims to give a 12-digit unique identity number to all residents by collecting their fingerprint and iris scans. As of September, its database, maintained by the Unique Identity Authority of India, held the names, addresses and biometric information of more than 105 crore people.

The project was created by the United Progressive Alliance government in 2009 to reduce leakages in the country’s welfare programmes.

But, quietly, a range of private sector companies have started using it. This includes verification firms like Authbridge, banks like HDFC, telecommunications companies like Reliance Jio, among others.

So far, most discussions on Aadhaar have focused on its utility for welfare delivery and the risk of government surveillance. But as private sector companies incorporate Aadhaar into their systems, fresh questions and concerns are emerging about what this means.

why we need to talk about the companies building authentication apps off the aadhaar database

Monika Chowdhry, who heads the marketing division of Swabhimaan Distribution Services, the company that created TrustID, defended the app, saying it offers the valuable service of verifying people’s identities. “In our day to day life, we do a lot of transactions with people – like maids or plumbers. Till now, you would have to trust them on what they said about themselves and what others said about the quality of their work.” The company is solving that problem, she said. “We are saying ask the person for their Aadhaar number and name and we will immediately tell you if they are telling the truth or not,” Chowdhry said.

Chowdhry said that over time, the Aadhaar number of individuals will be used to create a private verified database of TrustIDs. “Our plan is to create a rating mechanism,” she said. Referring to the option for maid, plumbers and other service providers on the app, she added: “People like you and me, we have Linkedin and Naukri. What do these people have?”

How does the company use Aadhaar for verification and is there a reason to be concerned?

the promises and perils of using databases for welfare delivery

Imagine a database that contains the following data about your family. Household level information like address, caste, asset ownership, the kind of house you live in, when you came to the city/village where you now stay, ration card number, etc. And individual level information about including names, ages, educational background, occupation, incomes, bank accounts, existing illnesses, UID numbers, PAN numbers, welfare entitlements, etc, of your family members. And now, imagine this database is to be for determining your tax obligations. Also imagine it will be visible to — for they are the ones maintaining it — government employees in the block/district office.

The pros and cons are immediately obvious. If the government has near-perfect information about everyone’s financial status, tax fraud will come down. However, if the information is wrong or if it is accessed by outsiders, the consequences for you could be severe.

The government of Madhya Pradesh (GoMP) is creating something similar — not for the urban affluents but for the poor.

Between December 2012 and now, it has taken the MoRD’s SECC (Socio Economic and Caste Census) survey and added household and individual level information like address, number of members, bank account numbers, NREGA card numbers, their entitlements, the quantum of land they own, whether the house is kuchcha or pucca, if it has a toilet, and so on. So far, about 85% of the households in the state, about 2.5 crore people, have been enrolled across urban and rural MP. It intends to use this database, called Samagra, for determining eligibility amongst the poor for welfare entitlements like pensions, scholarships and food.

Is this a good idea? The state government thinks so. But, if you look at a similar experiment carried out in Delhi, you will see how the use of databases can all too easily go wrong as well.

In 2008, the Congress government in Delhi had similar intentions in mind when it decided to overhaul its welfare delivery. Today, that failed experiment with databases reveals everything that can go wrong with databases: from exclusion to selective updation, from political profiling to privacy issues.

Delhi overhauled its welfare delivery architecture in two ways. One, it brought in databases. Two, it outsourced the last mile between the government and the people to NGOs. Both moves have badly failed. Please to be clicking on the links for more. Thank you.