May 1, 2018, 2:00 AM IST
Well-meaning activists opposing private Aadhaar use are trying to throw the baby out with the bathwater. Inflammatory articles notwithstanding, there are genuine concerns with privacy which should be constraints on the use of Aadhaar and other data services, but not by banning private companies from innovating on the Aadhaar platform.
Trust, that Aadhaar will engender in private enterprise, is critical machinery to make interactions between unrelated parties frictionless. It will affect international competitiveness, and well-managed digital systems like Aadhaar will assist the economy to develop. There are functions the government should develop as Estonia has shown and others that the private sector will innovate much more effectively than any government could. It is useful to compare private health insurers like Oscar.com to US government efforts like Health.gov to see how much more the private sector can add.
Aadhaar is important for society. Many more services that assist the common man and eliminate fraud, waste and corruption can be developed on top of an Aadhaar service. Beyond payments, banking and even legal services, genuineness of product supply chains, food sourcing information, pharmaceutical supply chains, liquidity exchanges for all goods and services, as examples, could be based on Aadhaar.
Illustration: Uday Deb
The ultimate goal should be a system in which a user owns and totally controls some kind of digital wallet – much like the physical one we carry today for our paper documents. By limiting Aadhaar’s use to government only, we will forego the vast majority of its potential and the positive impact it can make.
Additionally, many people recognise that identity was the biggest error in defining internet standards and many problems could have been reduced if identity standards were a part of the protocol standards definition. India’s approach in creating a digital, online national ID as a public good for various government/ private uses is much better strategy than abrogating this important responsibility to the likes of Facebook and Google which are often used as substitutes to an internet ID.
Blockchain added to an Aadhaar ecosystem, and auditability requirements could solve this. By storing an encrypted identifier in a blockchain, one can separate the authentication system from one’s data, helping to protect privacy as the World Food Programme is doing in refugee camps. The blockchain programme touted a 98% reduction in fees, compared to traditional banking.
In fact, in some insurance and banking areas the regulations should insist on use of Aadhaar and immutability of the blockchain. Inline with RBI’s own experiments (Ref: IDRBT Report), it may even make sense to go further and create an India-specific digital rupee (crypto rupee) currency, a blockchain independent of the bitcoin-based blockchain and blockchain mining, and software contracts infrastructure tied to Aadhaar.
Blockchains have withstood many security attacks with hundreds of billions of dollars at stake and have proven more secure than government databases. Built on the Aadhaar foundation, IndiaStack services such as UPI (Universal Payment Interface), eSign, BBPS (Bharat bill pay services), GSTN (Goods and Services Tax Network) are the new digital rails to make India a data rich economy, reduce corruption and terrorism and lubricate other trust related efforts.
To achieve these larger goals, India needs to find a balance between the extreme government based anti-privacy policies of China and the other extreme of European GDPR rules which will hamper innovation. We need to enable fundamental capabilities like accountability, and software contracts which will improve trust in the economy because of enforceability, accelerate innovation and ensure for the less fortunate that services are delivered as promised, and that biases and discrimination are reduced in private services.
What a user shares with a bank may be different than what a user shares with Facebook. Incidentally, Apple regularly collects fingerprint data, PayTM, Apple and Google collect personal financial data, Amazon has your email and address and product preferences, and Facebook collects direct and indirect data from a myriad of sources including not only your email and phone number but your friends’ personal data too without their permission. Explicit regulations here can help and should apply equally to Aadhaar, Facebook, Google and others.
Privacy should not be a function of each service but rather explicitly defined by regulations that cover all use cases, be it Aadhaar, your medical data (electronic health records on the blockchain give the user maximum control of each use of their data, permission that can be easily revoked) or Amazon or Flipkart or digital banks. India’s move towards a comprehensive data protection bill (Ref: Srikrishna committee report on data-protection) is a move in the right direction.
I do agree with activists that users should control access to their data, supported by regulation with stringent penalties for misuse or disclosure, to build a robust but safe economy and all uses should be reportable to the user or their designated agents which can be non-profits and can ensure comprehension. As to the assertion that “sensitive data is continually being dumped in the open”, the government must enhance security, but this is unrelated to the issue of private or public use of the data.
The breaches have come on the government side and need fixing. And with upcoming cyber security countermeasures like homomorphic encryption and multi-party computation or differential privacy, almost certainly the private sector will provide better security and auditability than any government effort, given appropriate regulatory incentives and penalties. India has the opportunity to be a leader here to spur innovation, but also best protect users.
DISCLAIMER : Views expressed above are the author's own.
