Private companies are collecting more information than before about us. This extends from global companies like Facebook, Google and Uber to local ones in financial services, startups and others.

Not only are they collecting more information about us than before, aided in part by the extraordinary amount of data logged by our mobile phones, they are also acquiring data from others.

Where does Aadhaar, India’s biometrics-based identity number, fit into this picture?

As the previous story in this series reported, some companies are using Aadhaar to share customer and business partner information. This could aid the rise of data-broking companies like Acziom in the United States that hold ever more detailed profiles of people.

With the number of private databases rising, the task of protecting the information of Indians is acquiring fresh urgency. This is because the downsides go beyond unnervingly accurate advertising.

Companies can use this data to customise pricing for you. As Propublica reported about Amazon and Uber, this may not always be in your best interest.

They can also be used to deny products, services or information to you. Google, as the Guardian reported in 2015, showed “an ad for a career coaching service advertising “$200k+” executive positions 1,852 times to men and 318 times to women”. In the process, they could deepen existing inequalities.

Or they can just peer into your personal life – as the taxi app Uber showed with its subsequently deleted “Rides of Glory” blogpost on what rides made between 10 pm and 4 am revealed about people’s sex lives.

Given such stakes, and the proliferation of the uses of Aadhaar, it is important to take a closer look at India’s privacy regime. Even as the use of customer data intensifies among Indian companies, what are the protections that exist?

This article will try to answer those questions by looking at how companies use Aadhaar data and then evaluate the relevant privacy protections in place.

For identity verification

Some companies use the Aadhaar number for authentication – to check whether a person is who she claims to be. Every time they do so, a data trail is generated with the Unique Identification Authority of India, which manages the Aadhaar database. The Authority logs millions of authentication requests every day.

According to the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016, the Unique Identification Authority of India cannot store the purpose of the authentication. But there is still a lot of data it can store, and for a long period.

“Due to the presence of surrounding blocks of information – for example, from whom the request is received – the purpose can be easily inferred,” said Apar Gupta, a technology lawyer. “The information in logs will allow very precise inferences to be drawn about the personal life of an individual, and serve as a proxy for content – where they have bank accounts, their telephone subscriptions, residence, what institutions they visit and so on.”

The Aadhaar regulations that have been introduced in Parliament for the enforcement of the Act allow the Unique Identification Authority of India to retain authentication logs for six months, and archive them for five years. The requesting entities – both public agencies and private companies – will maintain the logs, including the Aadhaar number, for two years, and then archive them for five years or longer in the case of a court order.

Experts caution against the retention of data for such long periods. Data breaches could potentially violate people’s privacy. In 2014, European Union’s highest court ruled that data retention is illegal.

Since the Aadhaar regulations provide for retention of logs over several years, legal experts say this undermines the privacy of users.

For building customer profiles

A second set of companies using Aadhaar download an individual’s information at the time of authentication.

When a customer provides her Aadhaar number to a company like Reliance Jio while applying for its service, the company not only runs a query on the Aadhaar database to verify her name and number, it also downloads other information about the customer like address, date of birth and gender. This data is used to electronically fill out the Know Your Customer forms, replacing what is right now a manual process.

Such use is possible due to Aadhaar’s API-based architecture. API stands for Application Programme Interface, which allows users to open up their technology and systems for others to use. As a subsequent article in this series will explain, while conceptualising Aadhaar, the first chairperson of the Unique Identification Authority of India Nandan Nilekani and his team created an architecture which lets even private companies send authentication queries. This works only if companies have access to the customer’s Aadhaar number.

This is not illegal – the Aadhaar law passed in March 2016 allows private companies to use Aadhaar. But it is a breach of promise since most people submitted their biometrics because they were told government services would hinge upon having an Aadhaar number. They did not know that these numbers could be used by companies as well.

As of now, there are no restrictions on which companies can use the authentication engine. All the Authority now has control over is keeping the database updated, and ensuring the backend keeps pace with demand.

It is a proposition that Abhijit Sen, a former member of the erstwhile Planning Commission, had found problematic as long back as 2014. “Should access to authentication be on demand to everyone?” he asked. “Can my insurance company ask for a right to authenticate?” He was talking about a scenario where “an insurance company can ask for the Aadhaar number, and then club that with health records from hospitals, and then deny a person insurance”.

As a programmer with iSpirt, a Bangalore-based association which evangelises software products, said companies are adding additional information – like transaction histories – to the data they collect at the time of enrolment. At this time, only a handful of highly regulated sectors – like banks – have norms on how companies can use the data they collect.

For sharing data

But it goes beyond that. Some companies, as the previous article reported, are using this data to build not just profiles but also to share them. Take Eko and Capital Float. Both are small specialised players in a financial services market dominated by banks. They shared data in order to compete with banks by offering complementary services to customers.

Combining databases allows companies to create more detailed profiles. An instance of such use comes from MFIN, the microfinance industry’s association. Not only is the microcredit industry insisting borrowers get Aadhaar numbers, it is also, as Ratna Viswanathan, CEO, MFIN, told Scroll.in, uploading their lending and repayment data on a central database every fortnight, which now includes borrowers’ Aadhaar numbers.

What is the legal position on such use that doesn’t involve Aadhaar-authentication but just the number, and yet can result in transaction data being shared as well?

MFIN’s use of Aadhaar, said legal researcher Usha Ramanathan, is not permitted under the Aadhaar Act. She said the Act doesn’t allow making the number mandatory for any service including the electronic Know Your Customer verification which MFIN says it has been doing. “The 2016 Act does not permit ‘seeding’ of numbers in any database,” Ramanathan said. “Even eKYC, which may be seen as being allowed by section 8(3), can only be by specific consent. And it certainly cannot be made a condition for providing the service.”

Viswanathan did not respond to subsequent emails from Scroll, asking MFIN to provide a legal basis for its use of Aadhaar numbers.

Consent layer

Data sharing raises important questions over data ownership. To use a non-Aadhaar example, who owns your data in, say, the database of the taxi app Ola, which holds information on the address from where you get picked up or dropped, the phone number, the places you visit most often? Is it you, Ola or the driver? Should you have a say if a company wants to share this data? Should all companies – to go back to the example of a hospital chain and an insurance company – be able to share your data?

“Under the IT Act [Information Technology Act], companies need informed consent to share personally identifiable information,” said Pramod Varma, the Chief Technology Architect of Aadhaar. “Under the Aadhaar law, any storage, usage, sharing can be done only with explicit consent. And you cannot take consent once and keep using it.”

However, there are massive questions about enforceability. Regulation, said the iSpirt programmer, provides mandatory rules. But what is also needed is enforceability. “That is a bigger problem. Our systems are weak,” he said.

On their part, a team of software evangelists, which includes Varma, said the answer lies in a consent application they are creating. “As data sharing possibilities rise, there is a need to give users control over this,” said Varma. “Right now, consent is not trackable or auditable. It should tell you the purpose for [data] sharing. It should be timebound – I should be able to stipulate how long the consent will be valid. Essentially, the person whose data it is, has to be in the middle.”

Every time an Aadhaar number is used, said Varma, a notification should go to the number holder. This will allow consent to be tracked.

But this too has problems. For one, as of now, the consent layer that has been created, said the iSpirt programmer, addresses only one Aadhaar-based application interface – the electronic signature. Second, there is no legal backing for a consent layer. It is just something the software technologists are putting together. This means a company could obtain approval from a customer to share her Aadhaar data, but share more data than permitted. Or it could share the data without taking her approval at all. There are no legally mandated restrictions.

Finally, there are questions over people’s financial and digital capacities, and their ability to give, monitor and revoke consent.

Weak regulations

In the meantime, even as these questions remain unaddressed, data-sharing and mining is underway in a myriad ways.

All this echoes what has happened in the West. The United States, for instance, has strict legal regulations on how the Social Security Number can be used. Despite that, the country has seen a lot of irresponsible data sharing without enough control for civilians.

India does not even have a strong regulatory framework for Aadhaar, as the next story explains.

This is the fourth part in a series on the expansion of Aadhaar and the concerns around it. Read the other parts here.