The UIDAI's plan to use population information compiled from Census 2011 data to generate the UID is fraught with dangers to individual freedoms and rights.
The pilot project of the UIDAI involved collection of biometric data of individuals, including (above) iris information and (below) fingerprints and photographs in various places.
When the Unique Identification Authority of India (UIDAI) was launched last year, there was no debate on its purpose or clarity about what methods it would use to give each one of 1.2 billion Indians a 16-digit unique identity (UID) number.
Although its Chairman, Information Technology (IT) star Nandan Nilekani, was given Cabinet rank, the UIDAI was not placed under a Ministry but within the Planning Commission, a non-statutory body, which has increasingly appropriated power without public accountability. There was no discussion on the merits of the project vis-a-vis other means of identification for purposes such as employment guarantee schemes, below-poverty-line (BPL) cards, or education entitlements.
The project has since ballooned into a gargantuan scheme. The latest Budget raised its annual allocation 16-fold. It has a new name (Aadhaar) and a logo. Meanwhile, Nilekani has decided that biometric data, including scans of both irises and all 10 fingerprints, will be used for each individual's UID. Even children between five and 15 years will be included “in view of the Right to Education”.
The project is now riding piggyback on the Census-2011 enumeration, which has begun. The Census data will be used to prepare a National Population Register, which will compile detailed information on each individual under 15 heads, including name, sex, date of birth, parents' details, present and permanent address, marital status and “if ever married, name of spouse”. It will include biometric data. According to Nilekani, the UIDAI will act as “the back-office of the NPR” by “de-duplicating” the collected data to generate the UID. As we see below, the UID-NPR-Census link is illegitimate.
There is no clarity about the project's purpose and the legitimacy of one of its principal functions: profiling citizens from whom the state is potentially at risk, to fight terrorism.
All manner of claims are made about its virtues and its potential to contribute to governance: it will create a reliable register of citizens; demarcate genuine nationals from illegal migrants; help the state keep an eye on terrorists, tax dodgers and money-launderers; bring 60 per cent of the poor who do not have bank accounts into the banking system; and promote microcredit delivery through fingerprint-compatible mobile phones. Above all, the project is supposed to enable accurate targeting of health care, food, National Rural Employment Guarantee Act benefits to the poor, while eliminating leaks and reducing corruption.
Confusion reigns on whether the UID will be mandatory or voluntary. Nilekani insists it will be optional and concedes that legitimate claimants will be excluded from benefits if it is made mandatory. Yet, logically, its coverage must be comprehensive in order to be efficacious.
Many government functionaries see the UID as a technological fix to social and administrative problems, including leaks in service delivery. Nilekani is more ambivalent. He recently said: “It's early days to say how leakages can be plugged. We are working on it.” The first set of UIDs will be issued between August 2010 and February 2011. By 2014, they will cover half the population, with 95 per cent accuracy.
Security rationale
The UID project looks like a solution in search of problems. It is sought to be justified through social and pro-poor functions that are well beyond its core-purpose and can perhaps be achieved by equally efficient means.
Its core rationale and primary purpose is much less lofty than its extravagantly claimed social benefits. It lies in security, surveillance and control – traceable to the idea of a mandatory Multipurpose National Identity Card for all Indians recommended by the Kargil Review Committee chaired by security hawk K. Subrahmanyam.
This committee greatly exceeded its brief and strayed into areas such as security and nuclear weapons doctrines. It seized the Kargil issue to drive a much larger “National Security State” agenda. Home Minister P. Chidambaram himself underscored the UID's security rationale by announcing the UIDAI's establishment in January 2009 as a timely response to the November 2008 Mumbai terror attacks.
This rationale further unfolded with the government announcing a plan to set up a DNA databank and a NATGRID (National Intelligence Grid) connecting 11 agencies, including the Intelligence Bureau, the Research and Analysis Wing, the Central Bureau of Investigation, the Directorate of Revenue Intelligence, the Central Board of Excise and Customs and the Central Board of Direct Taxes.
Pivotal intermediary
The information generated by the NPR will be shared with the UIDAI and NATGRID. The DNA bank and NATGRID are meant to combat terrorism and other challenges to internal security. The UIDAI will be a pivotal intermediary between numerous agencies: the Registrar General (which conducts the Census), the Reserve Bank of India (which regulates commercial banks), and telephone and Internet providers, besides intelligence agencies. This is essential if the UID number is to be accepted as a proof of identity. But how reliable is the UID as the prime, if not sole, information base for security agencies, indeed even the civilian administration? The answer is, not very. Its data would not be subject to verification. Since nationality is to be recorded “as declared” and so transmitted in downstream documentation, any number of non-citizens could instantly register themselves as Indian nationals. They could as easily open bank accounts, obtain Indian travel documents, and get jobs as genuine Indians. This obviously has negative security consequences. These should not be exaggerated. But the fact is that the UID is full of verification and authentification voids.
Even worse, the technology involved in it is highly problematic. A London School of Economics (LSE) team analysed a similar project considered by the British government. It concluded: “The technology envisioned… is to a large extent untested and unreliable. No scheme on this scale has been undertaken anywhere in the world. Smaller and less ambitious systems have encountered substantial technological and operational problems that are likely to be amplified in a large-scale national system.” The problems will get immensely magnified in India, which is almost 20 times more populous than Britain and has a rickety administrative system.
The issue of the reliability of IT-based methods is ignored in India, thanks to blind faith in IT. This society is bewitched by technology but has a poor appreciation of science or the scepticism it counsels. Thus, we refuse even to countenance problems of data security and vulnerability to manipulation of electronic voting machines (EVMs), although these are widely recognised in technologically more literate societies – and although IT professionals based at the University of Michigan have successfully hacked into Indian EVMs ( The Times of India, May 21).
The UIDAI's database will be preyed upon by numerous agencies, Indian and foreign, commercial and governmental, security-related or involved in industrial espionage. Recently, researchers from the University of Toronto exposed a China-based computer espionage network that pilfered classified documents from India's Defence Ministry. The “compromised” installations included the Directorate-General of Military Intelligence; three Air Force bases; Indian Military Engineer Services in four places; a Mountain Artillery Brigade in Assam; two Indian military colleges; and Indian Embassy computers in Kabul, Moscow, Dubai, and Nigeria (see http://nytimes.com/2010/04/06/science/06cyber.html). Similarly, DNA databases can be corrupted, potentially victimising innocent citizens.
Nothing suggests that the UIDAI-related databases will be more secure than military networks. There is, besides all these weighty considerations, the question of costs of creating and maintaining an enormous database of 1.2 billion citizens. The LSE study estimated that the cost in Britain would be £10-20 billion. The proportionate cost in India would exceed Rs.2 lakh crore, enormous for a poor country, where 70 per cent of the population has no toilets. This means forgoing increased provision of public services.
In an interview to CNN-IBN, Nandan Nilekani does not deny that “this is a project where we are going into uncharted territories, the technological challenges are immense and one of the risks of the project is technology” (http://www.hindu.com/thehindu/nic/nandannilekani.htm). He also concedes that “I don't know what the exact figure… is”, but still contends that “it is much less than [Rs.1.5 lakh crore]… by a factor of 10”.
Violation of privacy
However, all these grave problems pale beside the UID's potential for invading citizens' privacy and violating constitutional freedoms. NATGRID will provide security agencies real time access into 21 categories of databases – including bank account details, credit card transactions, driving licences, and visa and immigration records. An intelligence official has been quoted as saying: “Once you feed in a person's name, you'll get all the details about him, across all databases.” These include overdue traffic fines and credit card records. “There really will not be any secrets from the state.”
The data collected would greatly exceed the need-based information that people furnish to different agencies to operate a bank account, obtain a passport or get a ration card. Now all this information will be pooled and made to converge in a single database available to hundreds of government departments at the click of a mouse.
This convergence means that the citizen will lose control over his/her personal information. Official agencies can use this information to track citizens' movements, bank transactions and other legitimate activities. This constitutes an impermissible intrusion by Big Brother into privacy, a fundamental right.
The NPR and NATGRID can track and profile individuals by studying transactions and patterns. The NPR is being compiled not under the Census Act but under the Citizenship Act, 1955. The Census Act guarantees confidentiality and says personal data is “not open to inspection nor admissible in evidence”. Such protection is missing from the latter, which makes citizen registration “compulsory”. The Census Act aims at capturing the profile of the population, not individuals. Profiling of individuals is liable to violate their freedom, privacy and confidentiality.
However, strangely, the UIDAI disowns all responsibility for how its database will be used. It openly declares it is in “the identity business”. It states: “The responsibility of tracking beneficiaries and the governance of service delivery will continue to remain with the respective agencies.” Also, “the UID number will only guarantee identity, not rights, benefits or entitlements”. This falsifies the key rationalisation offered for the scheme: namely, that the UID will break the barriers that prevent the poor from accessing public services/subsidies.
The Indian state's record of abusing technology and personal information is deplorable. Take the recent tapping of politicians' conversations by agencies using new “passive interception technology”, which enables them to eavesdrop on all mobile communication within a 2-km radius. This led to an uproar in Parliament. But the government is planning to legalise the use of such equipment while short-circuiting the procedure for wiretapping under the Telegraph Act, which requires the approval of the Home Secretary and review by a high-level committee headed by the Cabinet Secretary.
The state has always tried to acquire extraordinary powers over citizens and then abuse them. One only has to recall the record of implementation of our preventive detention laws, TADA, POTA and the more than 200 other extraordinary laws such as the Public Security Acts of many States to be gravely concerned at the abuse potential. What India needs is not the UIDAI, but effective legislation to defend privacy and punish intrusion into it.
The intelligence agencies are not answerable to the public and are outside the purview of the Right to Information Act. We can never know what they know about citizens and how they interpret and use this information. The UID scheme and associated database-sharing will enable state agencies to know every minute detail of a citizen's life, but the citizen is barred from knowing what they know about him/her and what they do with that knowledge. This is a mockery of democracy.
This society is already paying heavily for the state's practice of the politics of suspicion, whose most extreme expression is “encounter killing”. The National Human Rights Commission (NHRC) recently admitted that as many as 2,560 police “encounters” were reported to it between 1993 and 2006 – an annual average of 183. It found almost half – 1,224, to be precise – to be “fake” or staged, that is, non-judicial executions.
The state behaves particularly roguishly when acting in the name of defending national security. Experience tells us that the key to fighting terrorism is to treat it as a crime and bring its perpetrators to book while addressing its root causes. What is needed is not more intrusive surveillance, nor more sophisticated electronic databases, but good, honest policing, patient collection of evidence and competent prosecution.
To put yet more draconian and unaccountable powers in the hands of the state is to write the charter of citizens' slavery. The UID project does exactly that. It must be uncompromisingly opposed. Or else, we will slide down the slippery slope of strangling people's freedoms and rights and using increasingly intrusive means to “discipline” citizens. Nothing can harm democracy more grievously.
V. RAJU
The pilot project of the UIDAI involved collection of biometric data of individuals, including (above) iris information and (below) fingerprints and photographs in various places.
When the Unique Identification Authority of India (UIDAI) was launched last year, there was no debate on its purpose or clarity about what methods it would use to give each one of 1.2 billion Indians a 16-digit unique identity (UID) number.
Although its Chairman, Information Technology (IT) star Nandan Nilekani, was given Cabinet rank, the UIDAI was not placed under a Ministry but within the Planning Commission, a non-statutory body, which has increasingly appropriated power without public accountability. There was no discussion on the merits of the project vis-a-vis other means of identification for purposes such as employment guarantee schemes, below-poverty-line (BPL) cards, or education entitlements.
The project has since ballooned into a gargantuan scheme. The latest Budget raised its annual allocation 16-fold. It has a new name (Aadhaar) and a logo. Meanwhile, Nilekani has decided that biometric data, including scans of both irises and all 10 fingerprints, will be used for each individual's UID. Even children between five and 15 years will be included “in view of the Right to Education”.
NAGARA GOPAL
The project is now riding piggyback on the Census-2011 enumeration, which has begun. The Census data will be used to prepare a National Population Register, which will compile detailed information on each individual under 15 heads, including name, sex, date of birth, parents' details, present and permanent address, marital status and “if ever married, name of spouse”. It will include biometric data. According to Nilekani, the UIDAI will act as “the back-office of the NPR” by “de-duplicating” the collected data to generate the UID. As we see below, the UID-NPR-Census link is illegitimate.
There is no clarity about the project's purpose and the legitimacy of one of its principal functions: profiling citizens from whom the state is potentially at risk, to fight terrorism.
All manner of claims are made about its virtues and its potential to contribute to governance: it will create a reliable register of citizens; demarcate genuine nationals from illegal migrants; help the state keep an eye on terrorists, tax dodgers and money-launderers; bring 60 per cent of the poor who do not have bank accounts into the banking system; and promote microcredit delivery through fingerprint-compatible mobile phones. Above all, the project is supposed to enable accurate targeting of health care, food, National Rural Employment Guarantee Act benefits to the poor, while eliminating leaks and reducing corruption.
DIBYANGSHU SARKAR/AFP
Confusion reigns on whether the UID will be mandatory or voluntary. Nilekani insists it will be optional and concedes that legitimate claimants will be excluded from benefits if it is made mandatory. Yet, logically, its coverage must be comprehensive in order to be efficacious.
Many government functionaries see the UID as a technological fix to social and administrative problems, including leaks in service delivery. Nilekani is more ambivalent. He recently said: “It's early days to say how leakages can be plugged. We are working on it.” The first set of UIDs will be issued between August 2010 and February 2011. By 2014, they will cover half the population, with 95 per cent accuracy.
Security rationale
The UID project looks like a solution in search of problems. It is sought to be justified through social and pro-poor functions that are well beyond its core-purpose and can perhaps be achieved by equally efficient means.
Its core rationale and primary purpose is much less lofty than its extravagantly claimed social benefits. It lies in security, surveillance and control – traceable to the idea of a mandatory Multipurpose National Identity Card for all Indians recommended by the Kargil Review Committee chaired by security hawk K. Subrahmanyam.
This committee greatly exceeded its brief and strayed into areas such as security and nuclear weapons doctrines. It seized the Kargil issue to drive a much larger “National Security State” agenda. Home Minister P. Chidambaram himself underscored the UID's security rationale by announcing the UIDAI's establishment in January 2009 as a timely response to the November 2008 Mumbai terror attacks.
This rationale further unfolded with the government announcing a plan to set up a DNA databank and a NATGRID (National Intelligence Grid) connecting 11 agencies, including the Intelligence Bureau, the Research and Analysis Wing, the Central Bureau of Investigation, the Directorate of Revenue Intelligence, the Central Board of Excise and Customs and the Central Board of Direct Taxes.
Pivotal intermediary
The information generated by the NPR will be shared with the UIDAI and NATGRID. The DNA bank and NATGRID are meant to combat terrorism and other challenges to internal security. The UIDAI will be a pivotal intermediary between numerous agencies: the Registrar General (which conducts the Census), the Reserve Bank of India (which regulates commercial banks), and telephone and Internet providers, besides intelligence agencies. This is essential if the UID number is to be accepted as a proof of identity. But how reliable is the UID as the prime, if not sole, information base for security agencies, indeed even the civilian administration? The answer is, not very. Its data would not be subject to verification. Since nationality is to be recorded “as declared” and so transmitted in downstream documentation, any number of non-citizens could instantly register themselves as Indian nationals. They could as easily open bank accounts, obtain Indian travel documents, and get jobs as genuine Indians. This obviously has negative security consequences. These should not be exaggerated. But the fact is that the UID is full of verification and authentification voids.
Even worse, the technology involved in it is highly problematic. A London School of Economics (LSE) team analysed a similar project considered by the British government. It concluded: “The technology envisioned… is to a large extent untested and unreliable. No scheme on this scale has been undertaken anywhere in the world. Smaller and less ambitious systems have encountered substantial technological and operational problems that are likely to be amplified in a large-scale national system.” The problems will get immensely magnified in India, which is almost 20 times more populous than Britain and has a rickety administrative system.
The issue of the reliability of IT-based methods is ignored in India, thanks to blind faith in IT. This society is bewitched by technology but has a poor appreciation of science or the scepticism it counsels. Thus, we refuse even to countenance problems of data security and vulnerability to manipulation of electronic voting machines (EVMs), although these are widely recognised in technologically more literate societies – and although IT professionals based at the University of Michigan have successfully hacked into Indian EVMs ( The Times of India, May 21).
The UIDAI's database will be preyed upon by numerous agencies, Indian and foreign, commercial and governmental, security-related or involved in industrial espionage. Recently, researchers from the University of Toronto exposed a China-based computer espionage network that pilfered classified documents from India's Defence Ministry. The “compromised” installations included the Directorate-General of Military Intelligence; three Air Force bases; Indian Military Engineer Services in four places; a Mountain Artillery Brigade in Assam; two Indian military colleges; and Indian Embassy computers in Kabul, Moscow, Dubai, and Nigeria (see http://nytimes.com/2010/04/06/science/06cyber.html). Similarly, DNA databases can be corrupted, potentially victimising innocent citizens.
Nothing suggests that the UIDAI-related databases will be more secure than military networks. There is, besides all these weighty considerations, the question of costs of creating and maintaining an enormous database of 1.2 billion citizens. The LSE study estimated that the cost in Britain would be £10-20 billion. The proportionate cost in India would exceed Rs.2 lakh crore, enormous for a poor country, where 70 per cent of the population has no toilets. This means forgoing increased provision of public services.
In an interview to CNN-IBN, Nandan Nilekani does not deny that “this is a project where we are going into uncharted territories, the technological challenges are immense and one of the risks of the project is technology” (http://www.hindu.com/thehindu/nic/nandannilekani.htm). He also concedes that “I don't know what the exact figure… is”, but still contends that “it is much less than [Rs.1.5 lakh crore]… by a factor of 10”.
Violation of privacy
However, all these grave problems pale beside the UID's potential for invading citizens' privacy and violating constitutional freedoms. NATGRID will provide security agencies real time access into 21 categories of databases – including bank account details, credit card transactions, driving licences, and visa and immigration records. An intelligence official has been quoted as saying: “Once you feed in a person's name, you'll get all the details about him, across all databases.” These include overdue traffic fines and credit card records. “There really will not be any secrets from the state.”
The data collected would greatly exceed the need-based information that people furnish to different agencies to operate a bank account, obtain a passport or get a ration card. Now all this information will be pooled and made to converge in a single database available to hundreds of government departments at the click of a mouse.
VIJAY KUMAR JOSHI/PTI
Nandan Nilekani, UIDAI chief: "The technological challenges are huge."
The NPR and NATGRID can track and profile individuals by studying transactions and patterns. The NPR is being compiled not under the Census Act but under the Citizenship Act, 1955. The Census Act guarantees confidentiality and says personal data is “not open to inspection nor admissible in evidence”. Such protection is missing from the latter, which makes citizen registration “compulsory”. The Census Act aims at capturing the profile of the population, not individuals. Profiling of individuals is liable to violate their freedom, privacy and confidentiality.
However, strangely, the UIDAI disowns all responsibility for how its database will be used. It openly declares it is in “the identity business”. It states: “The responsibility of tracking beneficiaries and the governance of service delivery will continue to remain with the respective agencies.” Also, “the UID number will only guarantee identity, not rights, benefits or entitlements”. This falsifies the key rationalisation offered for the scheme: namely, that the UID will break the barriers that prevent the poor from accessing public services/subsidies.
The Indian state's record of abusing technology and personal information is deplorable. Take the recent tapping of politicians' conversations by agencies using new “passive interception technology”, which enables them to eavesdrop on all mobile communication within a 2-km radius. This led to an uproar in Parliament. But the government is planning to legalise the use of such equipment while short-circuiting the procedure for wiretapping under the Telegraph Act, which requires the approval of the Home Secretary and review by a high-level committee headed by the Cabinet Secretary.
The state has always tried to acquire extraordinary powers over citizens and then abuse them. One only has to recall the record of implementation of our preventive detention laws, TADA, POTA and the more than 200 other extraordinary laws such as the Public Security Acts of many States to be gravely concerned at the abuse potential. What India needs is not the UIDAI, but effective legislation to defend privacy and punish intrusion into it.
The intelligence agencies are not answerable to the public and are outside the purview of the Right to Information Act. We can never know what they know about citizens and how they interpret and use this information. The UID scheme and associated database-sharing will enable state agencies to know every minute detail of a citizen's life, but the citizen is barred from knowing what they know about him/her and what they do with that knowledge. This is a mockery of democracy.
This society is already paying heavily for the state's practice of the politics of suspicion, whose most extreme expression is “encounter killing”. The National Human Rights Commission (NHRC) recently admitted that as many as 2,560 police “encounters” were reported to it between 1993 and 2006 – an annual average of 183. It found almost half – 1,224, to be precise – to be “fake” or staged, that is, non-judicial executions.
The state behaves particularly roguishly when acting in the name of defending national security. Experience tells us that the key to fighting terrorism is to treat it as a crime and bring its perpetrators to book while addressing its root causes. What is needed is not more intrusive surveillance, nor more sophisticated electronic databases, but good, honest policing, patient collection of evidence and competent prosecution.
To put yet more draconian and unaccountable powers in the hands of the state is to write the charter of citizens' slavery. The UID project does exactly that. It must be uncompromisingly opposed. Or else, we will slide down the slippery slope of strangling people's freedoms and rights and using increasingly intrusive means to “discipline” citizens. Nothing can harm democracy more grievously.
