For seven years, India’s government has been scanning the irises and fingerprints of its citizens into a massive database. The once voluntary program was intended to fix the country’s corrupt welfare schemes, but critics worry about its Orwellian overtones.
BuzzFeed News Reporter
posted on Apr. 4, 2017, at 5:18 p.m.
In February 2017, Microsoft announced Skype Lite, a brand-new edition of Skype just for India. A more spartan version of Microsoft’s marquee messaging service, Skype Lite is designed to run well on cheap Android phones and to handle calls over flaky 2G data networks — the trappings of an app made by a large, wealthy corporation for a large and largely poor emerging market. But that’s not all it does.
Skype Lite also taps into a giant government-owned database filled with the demographic and biometric records — names, dates of birth, addresses, phone numbers, photographs, iris and fingerprint scans — of more than a billion Indian citizens.
Touting that feature onstage at a launch event in Mumbai, Microsoft’s executives offered the most vanilla of demos: a job interview over Skype.
“If I want to hire somebody, I would feel more comfortable knowing that I am indeed talking to the right candidate,” said Skype engineer Rahul Malegaonkar. To do that in in Skype Lite, he explained, all an interviewee would need to do is punch in their 12-digit government-issued UID — short for unique identifier — which the app would check against the government database.
Some 1.12 billion Indians — more than 99% of citizens over 18 — now have UIDs thanks to this authentication system. It’s called Aadhaar — “support” or “foundation” in Hindi — and it is the largest, most ambitious national identity program in the world.
At an event in Mumbai held in February, Microsoft showed off Skype Lite’s built-in support for Aadhaar in the most vanilla of demos: a job interview over Skype. Microsoft
When it was first rolled out in 2009, Aadhaar was envisioned as a voluntary identity system that would help the Indian government crack down on fraud in the country’s notoriously corrupt welfare system. But over the years, it’s become effectively mandatory as the government and private sector alike rely on it to provide all manner of identity-linked services to India’s vast and diverse population. Now, less than a decade after its debut, Aadhaar is, for many Indian citizens, a proverbial “one ID to rule them all.” Not only is it a means of accessing India’s welfare system, it’s tied to everything from banking and internet services to international travel and marriage registration — and, of course, Skype.
Onstage at the company’s Mumbai event, Malegaonkar’s Skype Lite app displayed a large green checkmark along with dummy name, address, and date of birth information.
“Yep, it seems like we have a match,” he exclaimed, as the audience clapped wildly.
Meanwhile, India’s privacy experts rolled their eyes. “A proprietary software company harvests personal information from a centralized government database using unaudited technology in a jurisdiction without a proper privacy or data protection law,” said Sunil Abraham, director of the Centre for Internet and Society (CIS), an influential Bangalore-based think tank. “Sounds perfect to me!”
A Microsoft spokesperson assured BuzzFeed News that Skype Lite was compliant with local regulations. “We don’t store any users’ Aadhaar information,” the company explained. “Rather, we pass [the details] through to the government’s central Aadhaar database.”
Former Deputy Chairman of Planning Commission Montek Singh Ahluwalia with UIDAI Chairman Nandan Nilekani during the launch of new Aadhaar-based services and permanent enrollment centers in New Delhi. Mail Today / Getty Images
Who am I?
For millions of Indians, government-vetted identification has been elusive for decades. This is particularly true in India’s most impoverished regions, where a lack of simple birth or address documentation can lock people out of crucial services many take for granted — bank accounts, insurance, pensions, government services. With a very simple set of objectives, Aadhaar was designed to change that. It would provide every Indian with an official identity, and it would allow government agencies and private companies like Microsoft to authenticate that identity by plugging into a set of software application interfaces called the India Stack.
In 2009, the Indian government established the Unique Identification Authority of India (UIDAI) under the country’s IT ministry and tapped Nandan Nilekani, billionaire and co-founder of IT services juggernaut Infosys, to oversee it. Nilekani called Aadhaar a “turbocharged version of the Social Security number,” and a year later, the agency began collecting citizens’ demographic data — names, addresses, photographs, mobile numbers, iris scans, and all 10 fingerprints — and adding it to a centralized database.
Pitched as a panacea to welfare fraud by India’s ruling Congress party, Aadhaar was lauded by some of the biggest names in technology. Bill Gates called it a “world-class digital foundation,” and Microsoft CEO Satya Nadella said it was “pretty tremendous.” The Wall Street Journal called it “the most technologically and logistically complex national identification effort ever attempted.” After decades of being invisible, India’s poor would now simply authenticate themselves through their irises or fingerprints to receive their share of subsidized food and cooking fuel. The corruption that had plagued India’s welfare system was done for.
But in the years that followed, an increasingly vocal group of privacy activists, security experts, and citizens raised concerns about the implications of creating a vast database of biometric information for the population of an entire country. “Aadhaar is being converted into the world’s biggest surveillance engine,” Indian news website Scroll warned in a recent opinion piece.
And other critics sounded an equally troubling note: With the most intimate details of over a billion people in a database, what if Aadhaar were to be hacked?
No way out
“Indians have historically had different sets of information stored across different databases, such as their bank accounts, driver’s licenses, passports, accounts with cell phone carriers, and more,” said Nikhil Pahwa, editor of Indian technology news website MediaNama and a staunch Aadhaar critic. Traditionally, these weren’t linked to one another. “What Aadhaar aims to become is a single ID linking your entire life across dozens of these databases together,” he said. “This allows it to be used for mass surveillance and targeting very easily.”
While India’s Supreme Court has repeatedly ruled that Aadhaar numbers are not and cannot be required of the country’s citizens, it’s becoming increasingly difficult to get by without one. Indeed, Aadhaar’s critics complain that the Indian government has been shrewdly pushing it into broader usage by requiring it for things like driver’s license applications and renewals, and soon cell phone numbers.
Last month, the government passed a finance bill making it mandatory for every Indian who files tax returns to input their Aadhaar number. Asked if the government was forcing citizens to get Aadhaar despite the Supreme Court mandate, finance minister Arun Jaitley replied simply, “Yes, we are.”
In the future, Indians may be required to use Aadhaar to log on to public Wi-Fi hotspots, buy train tickets, access bank accounts, withdraw pension money, use matrimonial websites, and buy tickets for cricket matches — among other things.
Critics paint a grim picture of India with mandatory Aadhaar: an Orwellian state with every action of every citizen under constant scrutiny at all times.
Got it. It is compulsorily mandatory to voluntarily get yourself an Aadhaar card.
“All this is illegal and is in contempt of the Supreme Court,” Usha Ramanathan, a legal researcher and activist who has been a vocal opponent of the Aadhaar project ever since it launched, told BuzzFeed News. “The Aadhaar project is less about technology and more about technocracy.”
In November 2016, Ramanathan organized a daylong session in New Delhi that was attended by more than 50 people — lawyers, activists, social workers, researchers, academics, and journalists — to draw up a plan to spread awareness about privacy issues related to the Aadhaar program.
“Aadhaar is a sitting duck.”
“Aadhaar alters the relationship between the citizen and the state,” said Shyam Divan, a Supreme Court lawyer who has been fighting the project in the country’s highest court for years, and who was present at the event. “It’s concerning, because it tilts the balance so steeply in favor of the government.”
That concern is well grounded in reality. In March 2016, India’s parliament passed legislation giving federal agencies access to the entire Aadhaar database — all billion-plus names, fingerprints, irises, mobile numbers, addresses, and photographs — in the interest of “national security.” In February, the UIDAI was accused of trying to silence critics by filing a police complaint against a writer who wrote about the project’s data security vulnerabilities. And in March, the agency filed a criminal complaint against a television journalist who aired a segment showing how he was able to use a fake name along with his real one to get two different Aadhaar numbers.
Nandan Nilekani (left), the billionaire brain behind Aadhaar, interviews Microsoft CEO Satya Nadella, who has lauded the Aadhaar project, at an industry event in Bangalore in February. Nilekani has dismissed privacy and surveillance concerns around Aadhaar. - / AFP / Getty Images
“You can’t change your fingerprints”
Sunil Abraham, the CIS director, calls himself a “technological critic” of the Aadhaar platform. For years, he’s been warning of the security risks associated with a centralized repository of the demographic and biometric details of a billion or so people.
“Aadhaar is a sitting duck,” Abraham told BuzzFeed News. That’s not an unreasonable assessment considering that India’s track record for protecting people’s private data is far from stellar. Earlier this year, for example, a security researcher discovered a website that was leaking the Aadhaar demographic data of more than 500,000 minors. The website was subsequently shut down, but the incident raised questions about Aadhaar’s security protocols — particularly those around data shared with third parties.
