By Eben Moglen and Mishi Choudhary

A couple of weeks back, Bill Gates committed his globe-girdling foundation to the goal of spreading Aadhaar to the world. This is a good idea wrapped up in a terrible idea.

Aadhaar’s premise – that the poorest of citizens has the most to gain from the efficiencies that strong, fast, inexpensive identity authentication offers in improving public services, payments, credit and healthcare – is undoubtedly correct. Aadhaar’s marketing – that these efficiencies have been achieved through the creation of one big, vulnerable database containing more than a billion people’s biometric identifiers – is a shoddy effort to ignore the increasingly obvious flaws in the system.

Because the premise of Aadhaar is correct, the Indian government has an enormous political stake in ignoring the flaws and shutting down public conversation. Globalising Aadhaar’s ambition is a worthy goal for the world’s social welfare policy makers, including the World Bank and Gates Foundation. Imitating a system that has barely reached version 1.0 and is already showing serious architectural flaws would be serious policy malpractice.

Gates said that biometric identity authentication raises no privacy issues “in itself”, and went on in the next breath to say that every application built on top of it must be assessed individually for risks to privacy. Like TSB, the UK bank that ludicrously asserted before Parliament this month that its “basic banking engine” was working perfectly even though most of its customers could not access their accounts and some customers were able to access other people’s, this idea that “the base is fine, it’s just everything else that might be broken” makes nonsense of any sane concept of technical architecture.

In theory, Aadhaar is indeed one base for a society-wide digital infrastructure. Digital society requires reliable means of quickly and inexpensively asserting and confirming individual identity. The approach Aadhaar takes appears to be elegant and effective: collect everyone’s social and biometric identifiers (name, address, fingerprint, retinal data, eventually genomic sequence data), put them in one great big single database and provide a network access protocol to that database.

But this “one base for everything” approach contains both an architectural fallacy and a barrel full of unintended consequences. The rush to make Aadhaar mandatory for all sorts of social activities, from mobile telephone ownership to university enrollment, has been pressed on by a government eager to reap the theoretical advantages regardless of the burgeoning evidence of practical weakness. No reasonable evaluation of risks incident to security compromise and identity data loss has occurred. Implausibly, Aadhaar’s proponents have simply insisted that this one datastore will never be hacked or compromised, despite the overwhelming evidence that no data system (from the Swift system that ties together the world’s banks, to the security classification data on US federal employees, to UK national social security data) permanently and successfully resists intrusion.

What consequences will follow – and what measures of remediation will be possible – when a national-scale single-token identity store like Aadhaar is cracked, no proponent has explained. It will be as though we all used the same password on every website, and the list has gotten out all at once. Without a serious and complete explanation of the risks, their management, and the course of remediation after failure, no government should accept responsibility for the adoption of the technology.

In actual use, Aadhaar is presenting other operating flaws. Errors in biometric data acquisition in the field have left individuals who should be Aadhaar’s most important beneficiaries – those in receipt of public assistance – unable to receive subsistence benefits. The price at which parties can buy access to Aadhaar numbers in bulk has dropped low enough, according to press reports, to prove that leakage is occurring on a significant scale. Reports of false Aadhaar card scams are so frequent they no longer make the front page.

These difficulties are not merely “bugs in the system”. They are indicative of an underlying reality: using one single database and one single identity management scheme for everything from buying vegetables in the market to getting a passport will not work.

Neither overreaching government surveillance nor widespread criminality can be prevented if a society’s identity management structure is one big pile of infinitely valuable data surrounded by a macrocosm of arbitrary software. Aadhaar’s proponents have trumpeted the “open APIs” that can connect every Tom, Dick and Harry’s apps to the well-spring of government-managed identity. They have not, as they should, required that all programmes using the APIs be open source code, available for public inspection and auditing.

Privacy cannot be assured at all, illegal government surveillance cannot be prevented, and protection of the economy from widespread crime is impossible if government mandatorily collects information capable of compromising every citizen’s identity and then takes no responsibility for the management of risks downstream. As the Supreme Court considers the relationship between this technology and privacy rights of citizens, all parties – including billionaires from abroad – would benefit from some additional modesty.

It is right to begin learning how to bring the benefits of digital society to the entirety of the population, including by making digital identity a universal commodity. But we should be constantly improving not only the details but the fundamental design of our technology in light of experience. And we should not accept the present light-hearted “I’m just fine, it’s everybody else who has problems” attitude that Aadhaar’s public and private sector cheerleaders have adopted.

Eben Moglen is Professor of Law and Legal History at Columbia Law School. Mishi Choudhary is legal director of Software Freedom Law Centre, New York.