The Case Against Aadhaar
If there is one document that has proliferated in India more than anything else, it is the Aadhaar card. Touted initially as a technological solution to the menace of corruption in welfare programmes, it has slowly emerged, quite unannounced, as an identification number for all citizens. It has found widespread acceptance and appears to have become the new normal.
To understand the truth about Aadhaar, we first need to understand the technology underlying it. The Aadhaar programme has identified biometrics (i.e. biological attributes of an individual) as the unique markers that will help to establish one’s identity unambiguously and without duplicity. The question is whether biological attributes are indeed unique to each individual? The answer is yes! An easy analogy from the world of mathematics would be real numbers. No two real numbers can ever be exactly equal. Same is the case with biometrics, whether fingerprints or iris scans or any other. The de-duplication process in Aadhaar enrolment exploits this very uniqueness of biometrics, thereby promising that it will be impossible for one person to fraudulently acquire more than one Aadhaar number. Here is where the limitation of technology comes. Just like real numbers could come arbitrarily close, biometrics may also come arbitrarily close among several individuals. One individual may be distinguished from another provided their biometrics differs by more than the tolerance of the matching technology. It is well possible that two or more persons may fall within the tolerance limit and hence all but the first such person to enrol may be deemed to be duplicates. An affidavit filed by the UIDAI in response to a writ petition mentioned that out of 80 crore enrolments at that time, about 8 crore were rejected as fake/duplicate. The ratio of 1 in 10 is significantly higher than theoretical estimates of discernibility using biometrics. While the UIDAI may consider this an achievement, it may actually be reflective of the complex reality of India, where large numbers of people have poor quality biometrics, due to poor living conditions and/or hard labour. The Aadhaar Act and regulations do include provisions to enrol people having unreadable biometrics, but these are more for legal completeness. There are numerous cases where persons with worn out fingerprints or cataract in their eyes are finding it very difficult to get themselves an Aadhaar number.
Another interesting point here is that with the sample space continuously growing, the chances of overlap will keep increasing to a point where the existing set of biometrics may reach saturation. A new biometric will have to be added then. It is noteworthy that the Aadhaar Act, 2016 does not limit the definition of “core biometric information” to fingerprints and iris scan. Someday we may see the government collecting DNA of all citizens. This is not fear mongering. Since 2007 the Govt. of India has been working on a Human DNA Profiling Bill and it was slated to be presented in March 2015, but shelved due to opposition from concerned citizens. The government’s ambitions are limitless. We are all being drafted into a grand social cum science experiment, with unforeseen consequences along the way. It would be relevant to recall here that when the Aadhaar programme was first rolled out, only fingerprints were used for de-duplication. Iris scan was added only some years later as fingerprints were proving to be too noisy. So we already have a precedent. Should a new biometric be added to the Aadhaar programme, all existing enrollees will also have to queue up to submit the same, otherwise how would the de-duplication technology work? So the UIDAI may rejig the database any number of times as per its own assessment and may throw out new duplicates each time. The technology is continuously evolving and always probabilistic, while an individual’s identity should be deterministic. Denying an individual his identity is nothing short of denying him the fundamental right to life.
Those already in possession of an Aadhaar number may consider themselves to have crossed the above barrier. But are they out of the woods? Here comes another aspect of biometrics. The human body is continuously changing due to age, alongside other abrupt factors like illness or accident or manual labour. To give an extreme example, does a person enrolling into Aadhaar at the age of 20 expect that his fingerprints and irises will remain unchanged even at 80? The same technology that distinguishes one person from another is also applied to positively identify an already enrolled individual, the process being called “authentication”. Authentication will succeed till the changes in biometrics do not exceed the tolerance threshold, with respect to the records in the Aadhaar database. But how can a person estimate beforehand to what extent his body parts have changed? The Aadhaar Act recognises this problem and conveniently places the onus of successful authentication on the individual. Clauses 6 and 31(2) effectively state that it is the individual’s responsibility to keep his biometric records in the database up to date; clause 31(2): “In case any biometric information of Aadhaar number holder is lost or changes subsequently for any reason, the Aadhaar number holder shall request the Authority to make necessary alteration in his record in the Central Identities Data Repository…”. This is a well-nigh impossible proposition. Should a person make it his favourite pastime to visit the Aadhaar centre whenever possible, or should he wait for the axe to fall some day? Authentication failures are actually playing out in the field, in states where Aadhaar has been linked to PDS or subsidised kerosene or old age pensions. An official survey in Andhra Pradesh in 2015 found that the success rate was below 50% in many ration shops. These are not teething problems, unlike what the UIDAI would like us to believe. These are due to the nature of the data itself and can never be completely fixed. In order to get around the everyday problem due to biometrics, states like Gujarat and Karnataka have started issuing several months’ worth of print coupons against one authentication. So we are back to the same paperwork that we so famously wanted to avoid with the promise of technology. Some of those queuing up for Reliance Jio SIM cards would have also faced the same issue
Thus, the mere possession of Aadhaar number/card is no assurance of identity. It is not a question of if, but when a person will trip the authentication test. A person faced with authentication failure has no recourse but to visit the nearest enrollment centre for updating his data. While this may not seem much for city dwellers, for the vast rural areas, the nearest Aadhaar centre may be at the next town or district headquarters. Regulation 19(a) of the Aadhaar (Enrolment and Update) Regulations, 2016 simply states that “the resident will be biometrically authenticated and shall be required to provide his Aadhaar number along with the identity information sought to be updated”. What when the information to be updated is the biometrics itself? Will it be treated as a new enrollment, or will there be expectation that at least one biometric should continue to match? There are myriad possibilities and consequent uncertainties here. Further, the Aadhaar Act and regulations contain provisions for “deactivating” an Aadhaar number, should there be suspicion of fraud. So there is every chance that a person’s identity may be stuck in limbo, between an unreliable technology and an insensitive bureaucracy. Aadhaar becoming a condition precedent for accessing any particular service, a matter of right has become a matter of chance.
The confusion surrounding biometrics is most apparent in the way children are being enrolled. As per regulations, biometrics should be collected at the ages of 5 and 15. There is no basis to believe that some particular ages are “biometric milestones” in a person’s lifetime.
Clauses 6 and 31(2) are impractical (if not impossible) conditions to comply with, but these are critical for the Aadhaar technology to work. Denial of service may directly compromise life and livelihood and liberty and hence the Aadhaar programme is a fit case to be held ultra vires the Constitution.
Needless to say, Aadhaar minus the biometrics would be nothing but a replication of data from other identity documents and therefore no more capable of preventing fraud than what is already possible. Thus, from a technology perspective, Aadhaar is not just useless but actually detrimental, as it may only end up causing misery to genuine, bona fide citizens.
Rollout and big data
So, how has a technology that is so unreliable achieved such scale? Aadhaar enrolments have crossed over one billion and almost all people, from newborns to old, are in the database. The reason is that different sections of people are seeing different faces of Aadhaar. The ones who are actually being dispossessed due to the Aadhaar technology are those at the bottom of our country’s social/economic pyramid. They hardly have any voice or visibility. Aadhaar is one more addition to the daily struggle that their life is. However, since Aadhaar strikes at the most crucial welfare services, these sections may not remain silent for long.
For the better off sections, the interface with Aadhaar is mostly limited to “seeding” the Aadhaar number wherever asked to – bank accounts, EPF, LPG connection, etc. This is a seemingly painless exercise. These sections are not exposed to the vagaries of biometric authentication in a life threatening manner and hence do not make much hue and cry. However, the unification of citizen databases is an extremely significant by-product of the Aadhaar programme but is nowhere covered explicitly in the Aadhaar Act. There is more than just macro level linking of various databases. Aadhaar is proposed to be linked to such things as rail tickets, airport entry, mobile payments and PoS/ATM transactions. So the Aadhaar server will hold an active log of all movements of all citizens in real time. Further to this, there is the implicit requirement from the Aadhaar technology (discussed earlier) that all citizens keep their biometric records in the database continuously updated. The Aadhaar Act has provisions for the government to access all information in the database, both identity information and the activity log, in the interest of “national security”. National security may sometimes be synonymous with the incumbent government’s insecurity. There should be reasonable suspicion of crime before an individual may be put on surveillance. Holding all citizens on a leash, just in case they may go wrong, is a recipe for ending meaningful democracy and civil liberties.
The big brother government apart, there is always the risk of unauthorised access to the database. The Aadhaar Act claims to addresses these concerns by mandating that the UIDAI follow the best security practices and also by prescribing punishments for any unauthorised access or breach. We all know that the world’s best servers have been hacked. Punishing a few individuals responsible for a breach is unlikely to mitigate the consequences of such breach. In most cases, nobody would even have knowledge of an unauthorised access. So, what is the best way to remain safe? The answer is not to create such a database in the first place. It is a myth that centralization of power (in this case data) is essential to achieve efficiency. Aadhaar data is unbounded and may grow to include anything and everything.
In conclusion, the Aadhaar programme proposes to set up technological barriers to the commission of fraud but takes no responsibility towards the identity crisis it may cause to bona fide citizens. The big data it generates, together with the continuous collection of citizens’ biometric data, is a frontal attack on the future of civil liberties in our country. On these counts, the Aadhaar programme should be scrapped ab initio. The Aadhaar Act, which provides a semblance of legality to it, actually exposes the unviability of the underlying technology in the clearest possible terms and should help the Supreme Court in concluding the matter at the earliest.