Losing control -- these two words best explain what has transpired so far over the last year on the debate about Aadhaar, data protection and the unfortunate episode of the Twitter challenge thrown by R S Sharma, the outgoing chairman of the Telecom Regulatory Authority of India, now dubbed ‘Aadhaar-gate’.

The Unique Identity Authority of India (UIDAI) might continue to deny that it lost control of who is allowed to peer into its ‘secure’ database for Rs 500, but one needs to just look at some YouTube videos to know that the story had been there for all to see for at least a year before it became known, thanks to a journalist, whom the UIDAI went after in typical style. That it also lost control of who is allowed to write to its database, until the Uttar Pradesh Special Task Force busted a gang which used cracked enrolment software to bypass all known security measures, is, however, not widely reported.

If not knowing what to say is also an example of losing control, then the UIDAI’s Twitter handle is now a perfect example, thanks to Sharma. It might advise residents that it is perfectly safe to share Aadhaar numbers and put out video advertisements encouraging the behaviour one day but say exactly the opposite a few days later.

What explains this flip-flop? The list of entities who have kept a copy of the residents’ Aadhaar data could be so large or unknowable that the UIDAI has denied details of such entities when asked via RTI. The list of reported Aadhaar data leaks has grown so long and frequent that it no longer registers in the public consciousness as news.

The only possible response under these circumstances was perhaps to push the cynical narrative that there was no cause for worry even if the demographic details and Aadhaar number of residents had been exposed -- even when there exists enough public documentation that that is not true. The TRAI chairman indeed attempted to do exactly that, but instead ended up losing control of the debate.

The plight of the residents is no different. At least seven starvation deaths have been reported in Jharkhand because of Aadhaar, in which people lost control over their food security guaranteed by the State. Some months ago, 30 lakh people lost control of which bank account their LPG subsidy would be deposited into, thanks to a telecom giant with whom they had linked their Aadhaar numbers; eight months later, MNREGA beneficiaries faced the same issue.

Loss of control is, however, a symptom. The real issue is that the State for a very long time ran the Aadhaar project without any legal backing and, when challenged, mounted a technical defence that the jurisprudence of the Supreme Court did not recognise that privacy is a fundamental right.

This was followed by further assertions that people don’t have absolute rights over their own bodies and that privacy arguments were therefore totally bogus.

While rejecting these arguments, the Supreme Court not only clarified that privacy is a fundamental right, Justice Nariman also framed (lack of) “Consent” as “Unauthorised use of personal information”. Put simply, lack of (need for) consent is a loss of control over usage of one’s own data. Looking backwards, one can trace how lack of consent and hence loss of control is at the heart of UIDAI’s operating structure. When the Aadhaar Act was passed, the UIDAI CEO had claimed that “It (consent) is not required, because the Act validates all the actions done earlier”. The above is just a restatement and emphasis of the “no explicit consent” policy being followed since 2012, which predated the Aadhaar Act, 2016.

Not surprisingly, the very same frame of reference has gone into the draft data protection act submitted by the Srikrishna Committee as well. It does formulate that consent “must be free, informed, specific, clear and capable of withdrawal”, but it does not make it mandatory for data collected by the State.

In other words, if the State wants to collect and process data, the individual’s consent is not required. And so, we are back to 2012, when the Aadhaar project ran with no legal sanctity and did not even admit that people had a fundamental right to privacy.

Losing control of their lives because of the coercive measures taken by the State and even private service providers is now a shared experience for the population. While some may not be able to draw rations or receive pensions, others may not be able to file their income tax returns or open bank accounts.

The important question still remains, though. Why should this happen to so many of us, even though we are law-abiding citizens? If we do cede control of our lives, permanently in some small measure in various aspects of our lives, are we truly free? Is this what our ancestors fought against the erstwhile East India Company for? Is this what they intended for us when they gave us the Constitution?

We will know soon enough.



(The writer is a security researcher)
