What happens to privacy when companies have your Aadhaar number?

Out today, the second part of my story on companies, aadhaar and privacy.

As the previous story in this series reported, some companies are using Aadhaar to share customer and business partner information. This could aid the rise of data-broking companies like Acziom in the United States that hold ever more detailed profiles of people.

With the number of private databases rising, the task of protecting the information of Indians is acquiring fresh urgency. This is because the downsides go beyond unnervingly accurate advertising.

Companies can use this data to customise pricing for you. As Propublica reported about Amazon and Uber, this may not always be in your best interest.

They can also be used to deny products, services or information to you. Google, as the Guardian reported in 2015, showed “an ad for a career coaching service advertising “$200k+” executive positions 1,852 times to men and 318 times to women”. In the process, they could deepen existing inequalities.

Or they can just peer into your personal life – as the taxi app Uber showed with its subsequently deleted “Rides of Glory” blogpost on what rides made between 10 pm and 4 am revealed about people’s sex lives.

Given such stakes, and the proliferation of the uses of Aadhaar, it is important to take a closer look at India’s privacy regime. Even as the use of customer data intensifies among Indian companies, what are the protections that exist?

Advertisements

How private companies are using Aadhaar to try to deliver better services (but there’s a catch)

Aadhaar, as India’s Unique Identity Project is called, aims to give a 12-digit unique identity number to all residents by collecting their fingerprint and iris scans. As of September, its database, maintained by the Unique Identity Authority of India, held the names, addresses and biometric information of more than 105 crore people.

The project was created by the United Progressive Alliance government in 2009 to reduce leakages in the country’s welfare programmes.

But, quietly, a range of private sector companies have started using it. This includes verification firms like Authbridge, banks like HDFC, telecommunications companies like Reliance Jio, among others.

So far, most discussions on Aadhaar have focused on its utility for welfare delivery and the risk of government surveillance. But as private sector companies incorporate Aadhaar into their systems, fresh questions and concerns are emerging about what this means.

why we need to talk about the companies building authentication apps off the aadhaar database

Monika Chowdhry, who heads the marketing division of Swabhimaan Distribution Services, the company that created TrustID, defended the app, saying it offers the valuable service of verifying people’s identities. “In our day to day life, we do a lot of transactions with people – like maids or plumbers. Till now, you would have to trust them on what they said about themselves and what others said about the quality of their work.” The company is solving that problem, she said. “We are saying ask the person for their Aadhaar number and name and we will immediately tell you if they are telling the truth or not,” Chowdhry said.

Chowdhry said that over time, the Aadhaar number of individuals will be used to create a private verified database of TrustIDs. “Our plan is to create a rating mechanism,” she said. Referring to the option for maid, plumbers and other service providers on the app, she added: “People like you and me, we have Linkedin and Naukri. What do these people have?”

How does the company use Aadhaar for verification and is there a reason to be concerned?

By limiting Aadhaar, Supreme Court may have given government a way to expand its reach

By now the contours of the events are known. On Tuesday morning, the Supreme Court referred to a Constitution Bench the question of whether Indians have a fundamental right to privacy. The same afternoon, when the judges reconvened, they restricted the use of the government’s biometrics-based identity project Aadhaar to only the public distribution system for food grains, kerosene and LPG.
These orders are unmistakably significant. But what do they mean for the public and the ambitious Aadhaar programme? Why is the Aadhaar project, which seeks to do no more than assign a unique number to all Indians, getting snared in questions of privacy?

I write again on Aadhaar after a long hiatus. See the tag cloud for other links on the project as well.

should aadhaar be junked?

The last 60 days have not been good to India’s much-feted Aadhaar project.

On the 30th of January, the UPA pressed the pause button on direct benefits transfer for cooking gas. On 26 February, the Mumbai High Court directed Aadhaar to share its biometrics database with the CBI. A year earlier, a seven year old had been raped in Goa. And the investigating agency, struggling to make headway, had asked the Unique Identification Authority of India (UIDAI) for biometrics it had collected in Goa. UIDAI refused to share information saying such a move would violate privacy of its number-holders and that its biometric database and deduplication systems were not designed for forensic inquiries. In response, the CBI went to the Mumbai High Court which directed UIDAI to share its database.

The third blow fell on 24 March when investigative journalism portal Cobrapost aired videos that allegedly showed UIDAI’s enrolment agencies agreeing to enrol people from neighbouring countries in return for a bribe. Between them, these three events underlined long-standing questions about the Aadhaar project.

Between them, these three developments highlighted large worries about the ambitious Aadhaar project. Read more here.

the follies of rushing in…

yesterday was profoundly anomalous. i filed two stories. both, as it were, on aadhaar. one on a sting by cobrapost which flagged faulty enrolments. and the other where the supreme court said aadhaar cannot share its database with anyone without consent from the number holders.

this is a significant development. over the last five years, a clutch of government departments and private companies have been collecting biometrics with gusto. however, with the privacy bill still on the drawing board, India has seen biometric data get collected, by multiple agencies, without any laws governing their collection, use or retention.

in the process, the country has entered a world of new risks. without, sigh, getting the safeguards in place. which brings us to the dispute between the cbi and the uidai which culminated in this SC judgement. it is one kind of an outcome.

The SC ruling was in response to a 26 February, 2014 ruling by the Mumbai High Court directing the UIDAI to provide the CBI with biometrics of all residents of Goa. The High Court’s ruling was related to the rape of a seven year old in Vasco last January. The case was handed to the CBI which, as the Aadhaar appeal to the SC says, initially asked it for biometric information of “all the persons in the state. That request was modified and only the fingerprints of 3 specified persons were asked for.”

Later, the CBI dropped that request. Says the Aadhaar affidavit, “The CBI has now found a chance fingerprint and asked Aadhaar to compare its data and the biometric data provided by the CBI.” Aadhaar refused to share information citing two reasons. One, that such a move would violate privacy of the number-holders. And two, that its biometric database and deduplication systems are not designed for forensic inquiries. When its appeal was rejected by the HC, UIDAI appealed to the SC.

what are the protocols for the use of such data? as legal researcher usha ramanathan says in the article: “the idea that databases can be used by anyone makes people vulnerable, especially in a state where there is neither law nor much respect for law.”

the good news is that the SC verdict clarifies matters to some extent. but the country still needs a regime on privacy and data (including biometrics) protection.

old enrolment concerns resurface re aadhaar

Investigative journalism portal Cobrapost has aired videos of sting operations that allegedly show the Unique Identification Authority of India (UIDAI) conducting a flawed enrolment process that allows people from even neighbouring countries to get an Aadhaar number after paying bribes.

it is hard to escape a sense of deja vu. these complaints — about poor scrutiny, corruption in enrolment, lax overview — have doing the rounds for a long time. but, see them another way, in the light of the assurances given by uidai in 2012 about having fixed deficiencies in its enrolment system, and it is clear that not much has really changed.