Man denied Aadhaar after fingerprints partially match with seven others
A centralised database, dual use as identifier and authenticator, and lack of sound legal framework are its main weaknesses.
Aadhaar breach: Gaping holes in data security and the unreliability of biometrics put a question mark on the project. UIDAI's denials are increasingly unconvincing
2014/03/20: The latest controversy involving the Unique Identification Authority of India (UIDAI) is a testament to the basic privacy concerns raised at the scheme’s inception and repeatedly thereafter. In a sense, the Goa court order that sparked this particular incident — directing the UIDAI to give the CBI the biometrics of all enrolled people in the state in order to help investigate the gangrape of a seven-year-old girl — was inevitable.
Given the massive amount of identity data stored with the body heading up the Aadhaar card scheme, it was only a matter of time before a state authority attempted to exploit it. Even if the Supreme Court, approached by the UIDAI for relief, does its part in protecting the data from such use, it will be a temporary solution at best; a legal precedent is not an inviolable safeguard. The true responsibility — both for examining the basic structure of the scheme and clearly defining its limits — lies with Parliament.
As matters stand, there is no legislative framework underlying the scheme; it is functioning purely under the aegis of executive authority. That is dangerous for multiple reasons that were forcefully laid out by Parliament’s Standing Committee on Finance (SCoF) when it examined and rejected the National Identification Authority of India Bill, 2010. As the SCoF report points out, when the constitutional rights of citizens are at stake, executive powers must be circumscribed by the legislature. This is particularly so when both the data collection methods and the security of that data are suspect. As far as the former goes, there is no true ID verification at the point of data collection. That makes it far too easy for false records to be established in the system. The latter point is even more worrying. The UIDAI has hired various external agencies and NGOs to aid in collecting the biometric data, opening up the possibility of the information being misused.
Compounding these problems is the lack of comprehensive, well-implemented privacy laws in the country. In their absence, it becomes far too easy to use the data for tangential purposes — profiling and tracking citizens, information bleed into other databases and the like, much as the Goa court has ordered in this particular instance. This will ultimately prove to be counterproductive; the scheme’s success depends upon gathering as much data as possible, but the greater the lack of clearly defined security measures and limits, the more people are likely to be reluctant to participate.
These are all issues the incoming government must address. Privacy laws are a must in any case, not merely in this particular context. As far as the Aadhaar scheme goes, there are tough decisions to be made. Substantial resources have already been expended upon the programme; the new dispensation must now decide if it is worth persisting with, and if so, the best way forward to plug the loopholes. It must guard against the mission creep that saw the Aadhaar card become required identification for various government schemes before the Supreme Court took remedial steps. And it must ensure that the data is used solely for delivering social security benefits, not in aid of developing the state’s surveillance capabilities.