Is aadhaar an invasion of privacy?

India: Controversial Aadhaar biometrics database expands

In India, parliament has decided to expand the controversial Aadhaar biometrics program. This allows companies to access the database to authenticate their users. The supreme court of the country had actually banned this, the new regulation lifts this ban.

All persons in India are registered by Aadhaar with fingerprints, face and iris photos. According to a study by the think tank IDinsight, 1.2 billion people were registered last year. Data protectionists criticize the program and the ten-year legislative process.

Mandatory authentication

According to the Supreme Court, Aadhaar's identification must not be mandatory. But the new law still includes "mandatory authentication":

Notwithstanding everything contained in the previous provisions, a mandatory authentication of an Aadhaar number holder for the provision of a service should take place if such authentication is required by a law passed by parliament.

Future laws can thus easily bypass the ruling of the Supreme Court, criticize data protectionists. Opposition MP Shashi Tharoor tried in parliament to introduce a ban on Aadhaar authentication by private companies. This ban was "shouted down" before the enlargement was passed. Prime Minister Modi's ruling party, which supports Aadhaar, enjoys an absolute majority in the Indian lower house.

New lawsuit in the supreme court

Activists have filed a lawsuit in the Supreme Court against the latest expansion:

The challenged regulation creates a back door to allow private parties access to the aadhaar ecosystem, thereby enabling state and private surveillance of citizens, and the challenged regulations allow the commercial exploitation of personal and sensitive information that is collected and only for state purposes were saved.

In addition, the new law violates last year's ruling. The court has now turned to the Aadhaar authority UIDAI to investigate these allegations.

The finance minister suggested making tax and aadhaar numbers interchangeable: "Wherever you have to enter your tax number, you can simply enter aadhaar instead - and even if you don't have a tax number, there is no problem." Users should do that : agree inside, however.

This plan is now being put into practice. But: All tax numbers that are not linked to Aadhaar numbers by August 31 will be switched off. The aim is to eliminate fake numbers.

Requirements disregarded

The law of 2016, which was actually limited in time, was first extended by a decree in March, before parliament now decided to extend and expand it. Such decrees are actually intended for emergencies, criticizes AccessNow - that Aadhaar was so urgently needed has not yet been proven.

The Indian network activist Nikhil Pahwa drew up a list of demands against Aadhaar in 2017. Right at the top: Registration must never become compulsory, not even - according to an Indian joke - “voluntary, but compulsory”. Services that cover a large part of the population always have to offer an alternative.

Pahwa also called for biometric information not to be used to identify authorities or companies: “I cannot emphasize it enough. Biometric information is a permanent identifier and can easily be compromised. "

Google search for pregnancy data

This compromise is not just theoretical but practical: there is a long list of data leaks. In 2017, at least 130 million aadhaar numbers with 100 million bank accounts and data such as name, age, gender in the state of Andhra Pradesh were accessible on government websites. In the next year it was a database of pregnancies: abortions, assessments of the risk of pregnancy and bank details were freely accessible on the Internet, linked to the Aadhaar number.

The websites were also indexed by search engines, so entries could easily be found on Google by name or address.

Most of these leaks have been fixed, at least regional authorities have either reacted directly and protected data or even switched off the websites altogether. But at the national level it looks a little different.

In January a journalist got access to all data stored by UIDAI - for the equivalent of 6.50 euros. With over a billion compromised users, it is likely to be one of the biggest data leaks of all time. An indictment by UIDAI followed within four days - against the journalist.

Privacy, yes, but not for the poor

However, a government spokesman claimed in parliament last year that "no data breach incident has been reported as of this writing". And as recently as February, UIDAI described reports of data leaks as “misleading” and “completely devoid of substance or truth”.

A government representative described the right to privacy as an "elitist" concept. Poor people are not interested in protecting their data, they are interested in food, home and clothing. At the time, the court ruled in favor of a fundamental right to privacy.

The IDinsight survey carried out in poor areas also comes to a different conclusion: For more than 96 percent of those surveyed, it was important to know whether and how the government uses their data.

“A lot of personal information is on Aadhaar. There is no reason to connect everything. Why should I share my daily life with the government? ”Said a Mumbai resident in the“ Privacy on the Line ”report.

Authority should check itself

The law that has now been passed provides for a fine of 10 million rupees - around 130,000 euros - for violating data protection regulations. Another million comes for every day the violation persists. The Aadhaar authority should be responsible for investigating cases and determining penalties.

"This can be problematic in view of the dual role for a single organization, raises potential conflicts and is not ideal in view of the complexity of the regulatory requirements," write the authors of the IDinsight survey. Instead, they are calling for an "independent, qualified and fully authorized data protection regulator" who can enforce the provisions of a strong data protection law.

Data protection law is stuck

Because India has so far no data protection law, although activists like Pahwas have been calling for it for a long time. Last week, the opposition MP Shashi Tharoor described data protection as a national security concern and criticized that the responsible minister had already announced such a law for the last legislative period. A draft committee has been in existence since 2017 - it receives advice from the same think tank as the Aadhaar draft.

And so the “like the finale of a far too protracted television series” published draft of the data protection law stipulated that data may be further processed without the consent of the data subject as long as this is done “for the execution of a function of the state, which according to the law is authorized to provide services or benefits to the data controller ". Translation: The data protection law does not apply to Aadhaar, the database was originally intended for social welfare.

Actually for welfare

The biometric authentication was intended to ensure that social assistance - especially food allowances - is distributed to the correct recipients. With more and more extensions, this project became the data giant it represents today.

According to the government, Aadhaar is a phenomenal success in social welfare: biometrics and digitization would have saved Indian taxpayers 11 billion euros between 2014 and 2018, largely by eliminating duplicate, incorrect or incorrect entries in the social welfare databases. In addition, the introduction of Aadhaar would have had very positive developments in drought areas, according to the economic report published last week for the last financial year.

According to activists, this is wrong: the dates in the budget have been chosen incorrectly and their evaluation is guided by incorrect assumptions. Rather, aid measures ordered by the Supreme Court, such as the provision of late wages, have improved the situation in the affected areas.

Millions of mistakes

The eleven billion euro savings are probably a bit too optimistic, write the authors of the IDinsight survey: The government has neither published its data nor has it made it clear whether only unauthorized recipients were really excluded from social assistance. And the exact value of the aadhaar system is extremely difficult to determine anyway.

And then there is another downside: the flaws in the system. Nine percent of respondents reported that their records contained errors such as misspelled or transcribed names. With traditional identification methods, only six percent of those surveyed reported errors.

Researchers believe that the true error rate is higher: “Respondents will probably only report the error if it has already led to denials of service or other incidents.” Only here it is not access to a website that is at stake , not even access to bank accounts - but to food.

Important for the allocation of food

In India's largest state, Rajasthan, 51 million people live in rural areas. Of these, almost ten percent receive help through the public distribution system. In the summer of 2017, more than two percent of the rural population were excluded from this program every month, even though they were actually entitled to it - because of Aadhaar.

An estimated 1.2 million people do not receive any groceries due to errors in authentication, a lack of connections to the central servers or due to power outages.

There have already been reports of starvation in families who were unable to collect their food deliveries because of aadhaar faults.

"At least 27 are directly linked to the fact that the new ID system could not be used," said the heroine of human rights Dr. Usha Ramanathan last week at the cultural symposium in Weimar. "This cannot be a way that any country should go further."

Would you like more critical reporting?

Our work at netzpolitik.org is financed almost exclusively by voluntary donations from our readers. With an editorial staff of currently 15 people, this enables us to journalistically work on many important topics and debates in a digital society. With your support, we can clarify even more, conduct investigative research much more often, provide more background information - and defend even more fundamental digital rights!

You too can support our work now with yours Donation.

About the author

Maximilian Henning

studies history and German in Freiburg and was an intern at netzpolitik.org in summer 2019. Now he writes irregularly. He is interested in self-organized online work and labor disputes in the platform economy, digital colonialism and the internet in normal life (is there a difference?). You can reach it at [email protected], encrypted if you like, or on Twitter.
Published 07/12/2019 at 4:00 PM