Aadhaar has been under scrutiny for a long time now and the never-ending debate on whether it is necessary for disbursal of welfare or just a ruse to get hold of all our information shows no sign of simmering down yet. Reetika Khera, an Associate Professor (Economics and Public Systems Group) at the Indian Institute of Management, Ahmedabad, tells us why we should be afraid of our information being handed over through Aadhaar, the implication of consent to provide that information and more about why the Aadhaar project is failing.





The Economic Survey of India, released a day before the Union Budget, suggests that the government wants to use data as a public good. What's your take on that?



The Economic Survey's 'Data as a Public Good' proposes that the government should monetise all the data that it holds, to facilitate data-driven businesses (e.g., credit scoring, fin-tech, etc.). While our personal data are useful from the point of view of enabling some businesses, they come with many dangers (of identity theft, identity fraud, etc.). What data can be collected, stored, and sold are contentious issues. The Survey assumes that adequate privacy laws and data protection laws are in place, when in fact they are not. The term digital kleptocracy is useful to understand what is going on: digital kleptocracy is a means by which rich tech companies ‘mine’ poor people’s data (in fact, ‘steal’, as people are unaware of their data being harvested and used) for profit. What the Economic Survey advocates is not only for the government to facilitate such practices, but also join this bandwagon of digital kleptocrats.





The new Aadhaar regulations have made it voluntary. Do you think this will change the scenario in any way? Do you think it is being dragged just because the government does not want to discontinue the venture no matter how futile it seems?



As far as Aadhaar is concerned, when the government says ‘voluntary’ it actually means ‘mandatory’. This has been so from the beginning, since 2010, when the Congress-led UPA government brought Aadhaar. In its final verdict on the Aadhaar matter, the majority opinion, which otherwise upheld the constitutional validity of the project, had struck down Section 57 as unconstitutional. Section 57 allowed private entities, including mobile phone companies and banks, to demand Aadhaar for identity verification. The judges were concerned about the vagueness of purpose, and unbridled access, for private entities under that section. The government has brought back access for private entities through the Aadhaar Amendment Act, 2019.







Like you pointed out earlier, the most vulnerable sections of society have been affected the most by the government's so-called pioneering welfare distribution pathway that is Aadhaar. But what would you suggest, if you have to, as a better way to reach beneficiaries and also reduce corruption in the system?



Many reforms have been implemented in states such as Tamil Nadu, Chhattisgarh, Odisha, even Madhya Pradesh, Jharkhand and West Bengal which can be tried in other states. One, the use of non-biometric smart cards in Tamil Nadu. Such smart cards allow a digital record to be maintained, without the pitfalls of Aadhaar (the use of unreliable biometrics and the need for online connectivity to two servers – that of the food department and of UIDAI). Two, simplified and clear entitlements which allow greater awareness – a big enabler of accountability, whose effectiveness is not understood widely enough. Door-step delivery, handing over PDS outlets to community institutions (e.g., in Odisha they are mostly run by Gram Panchayats), reasonable commissions to dealers or appointing salaried employees to distribute grain, etc.

As far as NREGA and social security pensions are concerned, the biggest safeguard against wages or pensions being swindled are bank and post office accounts. Those have been in place since 2008-9. Once your money is credited into your account, Aadhaar provides no further safeguard. (In fact, research by others is suggesting that Aadhaar has been responsible for misdirecting almost half of NREGA wages in Jharkhand.)





Countries like the USA have the social security number system that we tried to imitate. The government also said that the introducer system will help Indians without a legal ID have one. What went wrong?



Initially, Aadhaar was not like the social security number (SSN). For instance, the SSN does not even have a photograph, let alone fingerprints and iris scans. In terms of use also, Aadhaar was not to be used for, say, filing taxes or in the banking system. Over the past five years, Aadhaar has become more and more like SSN. The SSN has been at the root of many cases of identity fraud and identity theft. SSN data breaches by companies like Equifax have compromised the sensitive personal information of nearly half of the US population. In India, as in the US, the government/UIDAI say no data was breached from the Aadhaar servers. But for someone whose data has been compromised, it does not matter whether the thief entered the home through the door or the window. What matters is that their (data) security was compromised.

The vulnerability to fraud is being created by the government and corporations who are designing such systems for their own benefit. The price is paid by ordinary citizens, with little remedy. For instance, Equifax in the US is a repeat offender in terms of data breaches, but no real action has been taken against them.





The new regulations might say that Aadhaar is optional but the Reserve Bank of India has officially allowed banks to access the eKYC service, provided that the process is carried out with the consent of customers. Are we still under the same kind of threat?



The keyword here is “consent”. How many customers understand what they are consenting to? Who will explain this to them, beyond asking them to sign on the consent form? How many will read the terms and conditions to which they are consenting? What is important, therefore, is ‘informed consent’ – in a meaningful way.

Think of all the things that the government wants us to link our Aadhaar number to. Linking all our personal information to a unique number (that cannot be changed) such as Aadhaar, is like putting all our eggs in one basket. This can lead to a domino effect: if any one of these data silos is breached, it can be used to get information about us from other domains as well.

We need to be aware of the personal harms that result from data breaches. For instance, in mid-2017, the personal data (including possibly their name, address, SSN, driver’s license, etc.) of nearly half of the US population was compromised by Equifax. It has thereby exposed them to phishing attacks and identity fraud forever, potentially allowing bank accounts, credit cards to be opened in their names.



(Reetika is currently on leave from her post as Sulaiman Mutawa Associate Chair Professor in the Department of Humanities and Social Sciences at the Indian Institute of Technology, Delhi)