Usha Ramanathan

When the UID project was launched in 2009, it was known that it would have a profound impact on privacy.

In decades past, violations of the right to privacy were brought into public debate, and into the courtroom, when telephones were tapped, or where the police placed a man under surveillance that included domiciliary visits at night, his habits, association, income, expenses and occupation enquired into, his movements and absences verified and collected and recorded on a ‘history sheet’ after he had been charged with dacoity but when he was discharged because of lack of evidence. Some judges thought some parts of this surveillance were illegal; others that it was unconstitutional. And the right to privacy began to be read into the fundamental rights of the

Constitution. In 1996, the Supreme Court was calling telephone tapping “a serious invasion of privacy”, and a series of directions issued forth in the event that, legally, telephone tapping had to be done.

Technology has added multiple layers of complexity to the notion of privacy. Facebook, Google and the internet generally have turned the world of privacy upside down.

Corporations controlling cyberspace, and using and claiming ownership of personal data, are hard at work creating a veneer of privacy even while they are discovering property in data that is exploding on the internet.

This is a relatively recent phenomenon, and there is a lot of hard policy work going on to rein in the galloping ambitions of the corporations. Finding a laxity induced by the difficulties posed to privacy by technology, projects such as the UID have been attempting to banish the right to privacy.

Computers and digitisation of data have produced widening opportunities to collect, collate, converge and mine data in ways not envisioned while the world was a different place, about a decade and some ago. Yet, there has been a certain degree of privacy where data that is collected is held in distinct silos. Medical data, educational records, travel information, credit card use, salaries, rental arrangements, library borrowings, caste and community, mortgages on land, details of employment, RTI requests – when these are in unconnected silos, privacy, and the personal security that privacy brings with it, has a chance.

The UIDAI, from early in its existence, has posed a threat to privacy, by being the number that will act a bridge between the various silos of information of a multiplicity of databases. The technique is called convergence.

Converging information which exists on various databases needs a device that can be used in each of the databases: that is the UID number.

So, first the number is produced, and then, it is “seeded” in various databases. So, in banks, travel tickets, land records, marriage registers, school rolls, medical establishments, driving licences, ration shops, credit cards, RTI requests, hotel bookings and anything else that can be reached, the UIDAI canvasses for the UID number to be inscribed into the record. Deriving data about any person from multiple databases then needs only mechanisms for data sharing, and data mining – defined as a process used by companies to turn “raw data into useful information”.

In carrying through this grand plan of convergence, the legal dimensions of privacy protection are sidestepped by claiming that enrolment for the UID is voluntary.

After all, those enrolling are wending their way to enrolment stations, standing in queues, and registering their biometrics and demographic data.

In this depiction of voluntariness, it is not acknowledged that, for those who choose not to enroll for a UID, there will be no gas subsidy, no subsidised rations, no marriage registration, no EWS quotas in schools, no pensions, no salaries even, as the Maharashtra government decreed, or no driving licence, as the Chandigarh administration decided, except that they withdrew when the Punjab and Haryana High Court asked them if, really, they had made the UID mandatory.

The UID number in various databases acts as a bridge between silos.

A draft report on privacy that the DoPT commissioned, and which was prompted by concerns about the UID, said as early as in 2010: “Data privacy and the need to protect personal information is almost never a concern when data is stored in a decentralised manner. Data that is maintained in silos is largely useless outside that silo and consequently has a low likelihood of causing any damage.

However, all this is likely to change with the implementation of the UID Project. One of the inevitable consequences of the UID Project will be that the UID Number will unify multiple databases.

As more and more agencies of the government sign on to the UID Project, the UID Number will become the common thread that links all those databases together. Over time, private enterprise could also adopt the UID Number as an identifier for the purposes of the delivery of their services or even for enrolment as a customer. Once this happens, the separation of data that currently exists between multiple databases will vanish.”

In the beginning, there were claims that the UID is merely a number with no great privacy implications, or impact on data mining and the commercialisation of data.. As time has moved on, these have metamorphosed into something quite else, protected from questioning by obfuscation and smoke screens.

The claim was that the UIDAI only collects basic demographic information and biometrics, and this will have no privacy implications.

Actually, the data fields have expanded and now include information such as mobile number, bank account number, e-mail address, which adds significantly to the personally identifiable, and trackable, information on the database. This, however, is not all. By aggressively pushing for seeding the number in all manner of databases, the UIDAI is working overtime to make convergence, and data mining, simple and viable.

Then, the method of performing authentication is intended to make tracking, real-time, easier. So, Mr Nandan Nilekani was heard saying at his World Bank talk in April this year: “Between the UID and banks and NPCI (National Payments Corporation of India), you can get analysis on (sic) real time from agents…..you will know exactly how many agents are active, how many transactions happened, per hour or per minute….” And, of course, this applies to the individual in the transaction, too.

The claim was that the UIDAI only answers with a yes/no and does not give out any other information. But, there is the “information sharing consent”, there are data sharing agreements, the e-KYC framework requires the UIDAI to pass on demographic and biometric information and make money on performing that task. After all, data is the new property.

Mr Nilekani has little patience with privacy. “I think privacy and convenience are opposites. It’s always a tradeoff,” he said to PBS, to NDTV, at the World Bank.

That is a remarkable low threshold at which he would have us abandon privacy. This, in any case, is not about convenience. It is about creating something that is a cross between Big Brother and the Panoptican. In the midst of this marketing blitzkrieg which is sweeping away concerns about fundamental rights and freedoms, it was Mr Sam Pitroda, speaking to the press in October 2010, who said it in words that are difficult to misinterpret: “So, the overall plan: UID will tag every person, GIS will tag every place, and the (PII – Public Information Infrastructure) will tag every programme.” It is from these ambitions that the right to privacy, and personal security, will have to be rescued.

The author is an academic activist. She has researched the UID and its ramifications since 2009