Like demonetisation and GST, Aadhaar has been in the news for both good and bad reasons. On the one hand we have heard how crores of rupees in non-entitled subsidy have been saved by the government, but on the other hand we have had horror stories of destitute people being deprived of entitlements for lack of an Aadhaar identity. In general, those who believe in the current prime minister are bullish about Aadhaar, but they forget that many of them opposed the same scheme on privacy grounds when it was proposed by the previous government. What is missing in all such discourse is a clear understanding of how Aadhaar operates and how it could fail.
Ever since it was freely and finally admitted that 90% of all money that the Central government transmits to citizens as subsidies is stolen by middlemen, there has been a demand for a direct benefit transfer (DBT) mechanism. One obvious mechanism is through bank accounts: instead of selling 3 kg of rice to Ram once a week at Rs 2/kg, make him buy the same rice at Rs 20/kg from the market but send the difference, Rs (20-2) x 3 x 4 = Rs 216, to Ram’s bank account every month, so that he effectively pays no more than Rs 2/kg. But since there are thousands of people who call themselves Ram, we need to connect “our” Ram’s bank account to “our” Ram’s hungry body using a marker that is unique to “our” Ram, namely his fingerprints and iris scan. This is the genesis of the Aadhaar database and the Aadhaar number.
But this simple concept has been criticised for three major reasons, namely privacy, potential for misuse and operational inefficiency. Before we examine these in greater detail, let us look at how the database is created and used.
To create a new Aadhaar number for a new registrant, we need (a) biometrics, namely an iris scan and all 10 fingerprints, (b) name, gender, date of birth and address, and (c) optionally a cellphone number and email address. Since the biometrics are the only data guaranteed to be unique to each person, a de-duplication exercise is carried out to check whether another Aadhaar number has already been generated for the same set of biometrics, so that no one body gets attached to two or more Aadhaar numbers.
To confirm a person’s identity using Aadhaar before he is allowed to avail of any benefit or service, a verifier has to transmit the person’s Aadhaar number to UIDAI along with either biometric data (as in the case of banks or phone companies) or name and date of birth (as in the case of some mutual funds). In either case, UIDAI replies with either (a) a binary YES/NO that confirms or denies the association of the Aadhaar number with the accompanying data, or (b) a more detailed extract from the Aadhaar database that includes the photograph but specifically excludes the “core” biometric information. In some less critical situations, for example where a physical copy of Aadhaar needs to be downloaded, the optional phone number or email address is used to send a one-time password that establishes an association between the Aadhaar number and the phone/email, and hence, by extension, the name of the person. It must be clearly understood, and communicated to all, that physical possession of an Aadhaar card -- which can be manufactured by anyone with a computer and a printer -- is no proof of anything at all and should never be used for any kind of verification.
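The enrolment and verification flows just described, modelled as an added example (this is not UIDAI's code or API; the registry class, the field names and the use of a SHA-256 digest as a stand-in for a biometric matcher are all assumptions): de-duplication at enrolment, YES/NO authentication against biometrics or against name and date of birth, and an OTP-gated e-KYC extract that never returns the core biometrics.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Record:
    """Demographic data captured at enrolment; phone and email are optional."""
    name: str
    gender: str
    dob: str                      # YYYY-MM-DD
    address: str
    photo: str                    # stand-in for the stored photograph
    phone: Optional[str] = None
    email: Optional[str] = None


class Registry:
    """Constructed stand-in for the central store. Core biometrics are held
    only as a one-way digest (a simplification of a matcher template) and
    are never returned to a verifier."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        self._bio_index: Dict[str, str] = {}   # biometric digest -> number
        self._otps: Dict[str, str] = {}
        self._next = 200000000000              # constructed number range

    @staticmethod
    def _digest(biometrics: bytes) -> str:
        return hashlib.sha256(biometrics).hexdigest()

    def enrol(self, rec: Record, biometrics: bytes) -> str:
        """De-duplication: one set of biometrics must never yield two numbers."""
        d = self._digest(biometrics)
        if d in self._bio_index:
            raise ValueError("duplicate: these biometrics are already enrolled")
        number = str(self._next)
        self._next += 1
        self._records[number] = rec
        self._bio_index[d] = number
        return number

    def auth_biometric(self, number: str, biometrics: bytes) -> bool:
        """Bank/telco style check: number + biometrics -> YES/NO only."""
        return self._bio_index.get(self._digest(biometrics)) == number

    def auth_demographic(self, number: str, name: str, dob: str) -> bool:
        """Mutual-fund style check: number + name + date of birth -> YES/NO only."""
        rec = self._records.get(number)
        return (rec is not None
                and rec.name.casefold() == name.casefold()
                and rec.dob == dob)

    def send_otp(self, number: str) -> str:
        """Issue a one-time password to the registered phone/email. It is
        returned here only to simulate delivery to the holder."""
        rec = self._records[number]
        if not (rec.phone or rec.email):
            raise ValueError("no phone or email on file for OTP delivery")
        otp = f"{secrets.randbelow(10**6):06d}"
        self._otps[number] = otp
        return otp

    def ekyc(self, number: str, otp: str) -> dict:
        """Detailed extract after OTP: demographics and photograph, never the
        core biometrics. The OTP is consumed whether or not it matches."""
        expected = self._otps.pop(number, None)
        if expected is None or not hmac.compare_digest(expected, otp):
            raise PermissionError("OTP missing or incorrect")
        rec = self._records[number]
        return {"aadhaar": number, "name": rec.name, "gender": rec.gender,
                "dob": rec.dob, "address": rec.address, "photo": rec.photo}
```

Note that both authentication calls return only a boolean, so a verifier learns nothing beyond whether the data it already holds matches the number.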
Now let us look at privacy and potential for misuse, the two major concerns.
The basic data that is stored is quite primitive. Name, gender, date of birth and address are already available with the government in voter cards and electoral rolls; the optional phone number and email are additions. Frankly, phone/email is a better way of contacting a person in the 21st century, so there is no ideological difficulty in storing that information. The real new addition is the biometrics, but that is part of the original design to prevent duplication. So prima facie there is no real privacy concern unless there is misuse, and this misuse can be of two types: first, deliberate misuse by the government and second, illegitimate misuse by hackers.
By requiring individuals to link Aadhaar numbers to bank accounts and cellphones, the government gets an easy way to discover who owns and operates which bank accounts and telephone numbers. But this demand is nothing new. Under anti-money-laundering schemes, banks are in any case required to use stringent KYC processes to know their customers. Similarly, because of terrorism and other security concerns, telephone companies are forced to use similarly stringent KYC processes. Whether such intrusive knowledge is necessary is irrelevant to the Aadhaar debate. If we have accepted KYC processes in banks and telephones, then there is no additional loss of privacy in linking bank accounts and telephone numbers to Aadhaar and thus simplifying traceability. Hence the claim that Aadhaar represents a new mechanism to misuse private information is baseless.
Moreover, insinuations that Aadhaar can be used by the government to surreptitiously know bank balances from linked accounts or to surreptitiously listen in to private telephone conversations on linked phones are so ludicrous and absurd that they are not even worth contradicting.
However, this does not mean that every government agency -- from the municipal crematorium to the motor vehicles department -- or even private agencies like hospitals and airlines should start demanding Aadhaar for rendering services. Rules framed under the Aadhaar Act 2016 should stipulate which public services require Aadhaar, and this information must be made available on the UIDAI website.
What happens when things go wrong? There is no point in claiming that the Aadhaar database is “totally secure and hacker proof”. No computer system ever is. So what we should plan for is an estimate of the damage to the registrant if the data is compromised. Let us examine what could happen if the Aadhaar database is hacked and the information falls into the hands of unauthorised people, or if the government goes rogue and starts using the information in a manner not envisaged under the Aadhaar Act. Consider various scenarios.
What can a criminal do with the text information about a person stolen from the Aadhaar database? He can neither open a new bank account nor get a new telephone SIM, as both require biometric validation. At best he can attempt to get phone-banking access to a bank account by quoting the date of birth, but knowing this, no sensible bank should ever accept the DoB as a verification question.
Can he take a loan and wreck the Aadhaar registrant’s credit rating? This is unlikely unless there is collusion with the employees of the bank to which the registrant’s loan is linked, but they have the number anyway, so there is no incremental exposure. Can the phone number be used to access bank accounts through UPI apps or digital wallets? This is theoretically possible if someone clones your SIM, but if we want to guard against this then we should not share our phone numbers with anyone at all. In fact, the worst-case scenario is a barrage of spam or crank calls. But then again, this is already an issue for many of us and not really an Aadhaar-specific abomination.
Can the picture of the registrant be misused? The government, or a criminal, could take a public image of an individual, say in a newspaper or on social media, and use face recognition technology to identify him. This may, in principle, be used to identify either real criminals or persons hostile to the government, but the possibility of its effective use is pretty low. Hence the threat is quite far-fetched.
Finally, the biometrics. In principle, these should never reach anyone outside UIDAI, but what if they do? There do exist locks and access control devices that use biometrics like fingerprints and iris scans to grant access to assets ranging from nuclear weapons to iPhones, and these may, in principle, get compromised. But the process of transferring the data from digital format to the access control device is, to say the least, very complicated. Readers may recall the movie Angels and Demons, where a dead scientist’s eye is gouged out and used to open a vault protected by a retinal scanner, to appreciate how complex the process is; and even then, it has been proven that this is simply impossible. Retinal scanners need a living eye to focus on a point and hence cannot be fooled by a static image of the iris pattern. Similarly, while it may be possible in principle to steal someone’s fingerprint images and use them at a crime site to implicate the owner, the physical challenges of actually doing so are so high that the probability of its occurrence is quite low.
So, net-net, a hack of the Aadhaar database could of course result in a flood of spam on your phone and in your email box, but all the other scenarios described have a very low probability of causing actual damage. In fact, many of the conveniences that we use -- passport, air travel, cellphone, online banking, Gmail -- have a greater probability of causing damage to our privacy, and, in a throwback to Heisenberg's Uncertainty Principle, let us accept that it is impossible to maximise both privacy and convenience at the same time. One must always trade off one against the other. Unless you are like Richard Stallman -- the open source guru and privacy fanatic who does not use cellphones, credit cards, hotel wifi, the Google search engine, Facebook and many other conveniences of daily life in his quest for total privacy -- a lot of information about you is already in the public domain, and Aadhaar will hardly add anything more to that. Hence Aadhaar being a threat to privacy is more of an urban myth or an attempt at scaremongering. The recent hack, or unauthorised access, of the Aadhaar database, as reported in The Tribune, must be seen in this context.
But even if the threat to privacy recedes, Aadhaar faces the one big challenge that hobbles and frustrates all bold policy initiatives in India -- the threat of poor implementation. Like demonetisation, GST or even more prosaic projects like building roads and highways, the Aadhaar project is full of operational pitfalls. First there was an immense shortage of biometric equipment and trained staff, and it was quite difficult to get an Aadhaar number to begin with. Then there were significant process issues that were not thought through adequately. For example, what to do about people whose age, medical condition or disability does not allow biometrics to be captured easily? Some of these problems have been highlighted both in mainstream media and on social media, and remedial action has been taken as an afterthought, but much more detailed planning needs to be done to handle genuine exceptions to the regular processes.
What is immediately needed, however, is to flood the country with low-cost but high-reliability biometric devices that can communicate seamlessly with the Aadhaar database and allow instant confirmation of a person’s Aadhaar number, and hence his identity. Unless the Supreme Court puts a roadblock in front of the many ambitious Aadhaar-based projects that the government has in mind -- particularly in the area of digital payments and smartphone wallets -- we will see an exponential increase in the number of verifications. Without a quick and reliable verification mechanism, these projects will falter and Aadhaar will be blamed for it.
Finally, the Aadhaar database should not become a single point of failure for the nation. What this means is that even if the database is hacked into and corrupted, no critical operations like banking, the stock market or the PDS should come to a halt and cripple the nation. Critical systems should be loosely coupled to the central database, and there should be adequate workarounds that allow a bypass, but with clear audit trails.
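The loose-coupling principle above, as an added example (not code from the original article; the ration-shop, verifier and audit-trail names are assumptions): a PDS outlet that normally requires a live YES/NO check, falls back to a supervisor-authorised bypass when the central registry is unreachable, records every bypass in a hash-chained audit trail, and reconciles the bypassed transactions once the registry is back.

```python
import hashlib
import json
from typing import Callable, Dict, List, Optional

Verifier = Callable[[str, bytes], bool]   # (number, biometrics) -> YES/NO


class RegistryUnavailable(Exception):
    """Raised when the central registry cannot be reached in time."""


class AuditTrail:
    """Append-only log in which each entry carries the hash of the previous
    one, so a deleted or altered bypass record breaks the chain."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _hash(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = dict(fields, seq=str(len(self.entries)), prev=prev)
        entry = dict(body, hash=self._hash(body))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._hash(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class RationShop:
    """Constructed PDS outlet loosely coupled to the registry: it keeps issuing
    rations when the registry is down, but only through a supervisor-authorised
    bypass that is audited and later reconciled."""

    def __init__(self, verify: Verifier, audit: AuditTrail,
                 supervisors: List[str]) -> None:
        self.verify, self.audit = verify, audit
        self.supervisors = set(supervisors)
        self.pending: List[Dict[str, object]] = []   # bypassed, not yet re-checked

    def issue(self, number: str, biometrics: bytes,
              supervisor: Optional[str] = None) -> str:
        try:
            ok = self.verify(number, biometrics)
        except RegistryUnavailable:
            if supervisor not in self.supervisors:
                self.audit.append(event="denied", number=number, reason="registry down")
                return "DENIED"
            self.audit.append(event="bypass", number=number, by=supervisor)
            self.pending.append({"number": number, "biometrics": biometrics})
            return "ISSUED_PENDING_RECONCILIATION"
        self.audit.append(event="issued" if ok else "denied", number=number, reason="online check")
        return "ISSUED" if ok else "DENIED"

    def reconcile(self) -> Dict[str, int]:
        """Re-run every bypassed check once the registry is back; failures are flagged."""
        counts = {"confirmed": 0, "flagged": 0}
        still_pending = []
        for p in self.pending:
            try:
                ok = self.verify(p["number"], p["biometrics"])
            except RegistryUnavailable:
                still_pending.append(p)
                continue
            counts["confirmed" if ok else "flagged"] += 1
            self.audit.append(event="reconciled" if ok else "flagged",
                              number=p["number"])
        self.pending = still_pending
        return counts
```

The bypass never silently becomes the normal path: every bypassed issue stays in `pending` until the registry confirms or flags it, and the chained audit log makes removal of a bypass record detectable.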
In 1985, when the author arrived in the United States for his PhD program, he realised to his chagrin that there was no way he could register at the university or open a bank account without a Social Security Number (SSN), which he as a foreign national did not have. But this scenario had been anticipated, and the university had been authorised to allot a temporary SSN to new foreign students that could be used in lieu of the actual one for up to six weeks. The real SSN was of course allotted by the Social Security Administration after a thorough verification of immigration credentials, which took about four weeks, and all that the author had to do after that was to go back to each organisation and have his temporary SSN replaced by the real one.
The Aadhaar implementation should focus on processes, not on technology that keeps changing by the hour. If the various processes that use Aadhaar are thought through and planned as beautifully as the example given above, Aadhaar will surely become a very useful tool for governance in India. While it is far from fault-free, a lot of the “criticism” of Aadhaar is due to the fact that, as reported in the Economic Times (January 5, 2018), it is killing lakhs of non-existent, ghost teachers, ration card holders, students and other beneficiaries in whose names taxpayers’ money was being stolen from the public exchequer. That is why Aadhaar must continue.
This article originally appeared in Swarajya.
Image from techniknow.