6 September 2017

AADHAAR, DATA SECURITY AND BREACH OF PRIVACY

Sandhya Jain

A Right to Information (RTI) application filed by Bengaluru-based Col Matthew Thomas, a petitioner in the right to privacy case before the Supreme Court, reveals that the Unique Identification Authority of India (UIDAI), custodian of Aadhaar data, signed contracts with foreign firms giving them “full access” to classified data and personal details of citizens, which they were allowed to store for seven years.

The Centre must direct the UIDAI to make a full disclosure of the project since its inception, including contracts signed, and who selected the firms recruited for the task. The then UIDAI chairman Nandan Nilekani must explain why the technology (hardware and software) for collecting and storing the data was not created domestically when India is supposed to be the hub for information technology services.

The RTI reply punctures the UIDAI’s assertion that no private entity had access to unencrypted Aadhaar data. The contract with US-based biometric service provider, L-1 Identity Solutions Operating Company Private Limited (now owned by French transnational Safran Group), clearly says that the firm was given Aadhaar data access “as part of its job”. Other firms given identical contracts from 2010 to 2012 include Morpho and Accenture Services Private Limited.

In 2014, Prime Minister Narendra Modi was persuaded that Aadhaar could expand the reach of his social welfare programmes exponentially. But recently, when data breaches became glaring, Nilekani dismissed the problem saying data security is challenging in a digital age and ran back to his parent company. The unanimous verdict of the nine-judge bench of the Supreme Court, upholding right to privacy as a fundamental right, reportedly reflects this belated understanding at the top echelons of the Government.

The contract’s Clause 15.1, ‘Data and Hardware’, says the firm “may have access to personal data of the purchaser (UID), and/or a third party or any resident of India...” Clause 3, which deals with privacy, says the biometric service provider could “collect, use, transfer, store and process the data”. Also, the biometric service provider shall process all personal data in accordance with applicable law and regulation and should not disclose such information. The contract does not define ‘personal data’.

However, according to UIDAI, personal data includes biometric (fingerprints, iris) and demographic data (name, date of birth, address, mobile number), and could include bank details, licence number, PAN number, passport number and other information furnished as part of Know Your Customer (KYC). A clause in the contract says the firm should maintain the biometric template created by it and on termination or expiry of contract, “transfer all the proprietary templates to UIDAI”.

The UIDAI claimed it had purchased the software and hardware for the Aadhaar programme but the contracts show that the biometric service providers provided hardware for the first one crore enrollments. It is not known if the hardware was checked to ascertain if data could be stolen via a back door. UIDAI’s assertion that no data ever left its servers and premises cannot be trusted as the language of the contracts clearly shows that foreign firms had access to raw data.

But is this surprising? In a Forward to a Credit Suisse study (Ideas Engine Series, June 29, 2016), Nilekani wrote, “Once in a while a major disruption or discontinuity happens which has huge consequences. In 2007, the Internet and the mobile phone came together in a whole new product called the smartphone... (which) could support Over The Top applications. The messaging solution for the smartphone…came from WhatsApp, a start-up”.

Nilekani argued that Indian banking is experiencing a ‘WhatsApp’ moment, as smartphones could reach 700 million by 2020 and over one billion Indian residents have the online biometric identity, Aadhaar. Hence it is possible to “visualise a future where every adult Indian has an Aadhaar number, a smartphone and a bank account”.

More insidiously, Aadhaar provides on-line authentication using fingerprint or iris, which can be done from anywhere, making transactions ‘presence-less’. Aadhaar’s eKYC feature enables a bank account to be opened instantly by using one’s Aadhaar number and biometric; something prone to misuse. In Jammu & Kashmir, illegal immigrants (Rohingyas) have acquired Aadhaar and ration cards.

Extolling many facets of the new technology (the India Stack), Nilekani states, “as data becomes the new currency, financial institutions will be willing to forego transaction fees to get rich digital information on their customers (italics added)”. This would accelerate the move to a cashless economy as merchant payments will also become digital.

Commending Credit Suisse’s “insightful report”, Nilekani agrees that there is a $600 billion market capitalisation opportunity possible in the next 10 years, which will be shared between existing public and private banks, new banks and new age non-bank financial companies (NBFCs). “It may even go to non-banking platform players, which use the power of data to fine-tune credit risk and pricing, and make money from customer ownership and risk arbitrage”. He expects a serious challenge to public sector banks which currently enjoy a 70 per cent market share.

The Payment Bank (Paytm), launched in 2016 (Alibaba holds 40 per cent stake), and the Unified Payment Interface (UPI)-powered payment interfaces, hope to encash the shift towards digital transactions, and get their share of the coveted $ 600 billion pie. Credit Suisse anticipates that private banks, NBFCs’ and fin-tech players will be its prime beneficiaries.

Credit Suisse explains that financial providers will become data rich in just two or three years as they receive data via transactions made through their apps, digital footprints left by individuals, smartphone data and online tax information, as three to five billion invoices go digital with the Goods and Services Tax. Forecasting consumer debt to rise to 25 per cent of the gross domestic product from the current 17 per cent on the back of new data availability, the SME lending market could grow from $620 billion to $3,020 billion over the next decade. Aadhaar seems tailored to benefit private bankers.

This writer was invited to enroll for the National Population Register vide acknowledgement slip 130, form number 02046115, household block no. 0021, household number 128, by Enumerator OP Singh, dated May 26, 2010. Aadhaar was supposedly for BPL beneficiaries. It turned out they were one and the same.

Now, it is not clear who controls the data; certainly it is prone to misuse. The Sonia Gandhi-led UPA regime unleashed this menace through lies and deception. The Modi-led Government must fix this treachery. No country in the world has allowed bankers and corporations such totalitarian access to intimate data about its citizens.

No comments: