By Ram Sewak Sharma
There has been a concerted campaign in the last few weeks ‘exposing’ the Aadhaar ‘data leak’. The impression given in many sections of the media is that something very serious has happened and personal and sensitive information of citizens has been hacked and leaked.
This is sensationalisation that makes a mountain out of a molehill. What really has happened is that the information relating to beneficiaries of various programmes of state governments — already published on the websites of concerned departments — has been suddenly discovered by some activists and exposed as a massive data leak.
The timing of the ‘discovery’ is also interesting since the case relating to Aadhaar is being argued by the concerned parties and issues of privacy are being debated. For starters, Aadhaar is not a secret or confidential number. It is a random number bereft of any intelligence. It is just a number attached to an individual in a unique manner. As per the Aadhaar Act, “An Aadhaar number shall be a random number and bear no relation to the attributes or identity of the Aadhaar number holder.”
If I give my Aadhaar number to you, you can cause no harm to me. Secondly, biometric information collected by the Unique Identification Authority of India (UIDAI) for ensuring uniqueness has been declared as the ‘sensitive personal data’ within the meaning of IT Act.
The Aadhaar number is not a ‘sensitive personal data’. Finally, one shares her Aadhaar number to many agencies for getting various services and facilities. Aadhaar numbers are shared with the Indian Railway Catering and Tourism Corporation for availing senior citizen benefits in rail travel, with telcos for getting mobile SIMs, with banks to link bank accounts, and with oil marketing companies to get LPG subsidy.
Thus, each of the agencies is in possession of Aadhaar numbers. Many state and central government departments are seeding various beneficiary databases with Aadhaar numbers to weed out duplicates and ghosts. The Mahatma Gandhi National Rural Employment Guarantee Act scheme, scholarships and pensions are three such examples out of many.
No Numbing Numbers
Section 29(4) of Aadhaar Act prohibits the publication of Aadhaar numbers except for the purposes specified by regulations. The regulations also reiterate this provision and provide that no entity shall make public any database or record containing the Aadhaar numbers of individuals unless they have been “redacted or blacked out through appropriate means, both in print and electronic form”.
Thus, if the authorities do publish the information, the Aadhaar number should be either partially or fully masked in that publication. The purpose of these restrictions is that while Aadhaar numbers themselves are not confidential, their publication in various public records will make it easy to collate information about persons. Collation of data, unfortunately, has become relatively easy in the digital world even otherwise. Now to look at the issue from the angle of the Right to Information (RTI) Act.
The broad objective behind RTI is to ensure transparency in the functioning of public authorities and enable social audit of various programmes. Under RTI, public authorities are under obligation to provide the information available with them unless the same has been expressly prohibited under Section 8 of the Act. Section 4 of the RTI Act mandates every public authority to publish information in its possession in a digital form.
Specifically, Section 4(b)(xii) mandates the publication of details of beneficiaries of various subsidy programmes being executed by every public authority. Hence, it should be clear that the list of beneficiaries of various programmes are being published by concerned state governments in compliance of RTI Act.
If a person applies for getting the details of beneficiaries of any scheme under the RTI Act, the public authorities will be duty-bound to provide all the information they have, including the Aadhaar numbers.
Section 8 exemptions will not be able to hold back the Aadhaar numbers. Now the issue is: what constitutes the details for the purpose of publishing on websites? Should an Aadhaar number be included in the details of a person? This is essentially a question of balancing transparency of public records and privacy of individuals.
My personal view is that the last four digits of Aadhaar number can be published and the first eight digits be masked. This will satisfy the provisions of both RTI and the Aadhaar Acts. However, to say that publication of Aadhaar numbers by authorities constitutes a data breach, or data leak, is far from the truth.
Digits Safe in Digital Era
The government has categorically asserted that not even a single example exists of a breach or leak of data from UIDAI. As UIDAI keeps data encrypted all the time with the highest encryption standards, the probability of leak is almost zero.
Under RTI, governments have been publishing details of all kinds including bank accounts (in case of MNREGA workers) and Aadhaar numbers. Further, now that the Aadhaar Act has certain provisions relating to the publication of Aadhaar numbers, there is a need to harmonise the transparency requirements of the RTI Act with the privacy-related provisions of the Aadhaar Act. The best way is to partially mask the Aadhaar numbers before publishing them on a digital platform.
(The writer is chairman, Telecom Regulatory Authority of India)