Aadhaar has been making headlines for all the wrong reasons recently - from data breaches to insecure design, there are challenges that Aadhaar faces from both legal and technical standpoints. As we’re seeing more countries look to Aadhaar as a model for digital identity management, it is more vital for us to be clear about the challenges that are plaguing the program and the potential solutions.
The Indian Supreme Court has directed that Aadhaar is only legal if it’s voluntary and restricted to a limited number of schemes.
The Government so far has made verification through Aadhaar mandatory for a wide range of government services, including vital subsidies that some of India’s poorest citizens rely on to survive. By their nature, vital subsidies aren’t voluntary. More than 130 Government services require Aadhaar numbers to access them, with state governments and other agencies making it compulsory for many other schemes.
An increasing number of stories of some of society’s most vulnerable being denied welfare due to problems with Aadhaar compound matters significantly. For many Indians, it is literally life-and-death – two of the government’s biggest social welfare schemes – the National Food Security Act (NFSA) and the Mahatma Gandhi National Rural Employment Guarantee Act (MGNREGA, also known as NREGA) – require Aadhaar registration to access.
The Government of India is selling access to this database to private companies to use and combine with other datasets as they wish.
This will allow companies to have access to Indians’ most intimate details and create detailed profiles of citizens, without giving citizens control over that data or how it’s used.
In addition, the government has reserved the right to share data “in the interest of national security”, a term that is undefined.
There are few to no protections on how Aadhaar data is used, and no meaningful user consent. Indians cannot have trust in systems when they do not have transparency or a choice in how their private information will be used.
Individual privacy and security can’t be adequately protected under Aadhaar’s closed software development process. The Indian government has long spoken of Aadhaar’s API as “Open API”, but there is nothing open about the development, source code, or contributors. As a result, Aadhaar is less secure – and this lack of security and privacy is not optional.
Many countries, including the US, do not consider Aadhaar’s authentication methods (of biometrics and one-time passwords) to have a high level of security.
Aadhaar’s lack of security was highlighted in early January 2018. Access to all of the demographic data in the Aadhaar database, containing sensitive information on Indian citizens, was obtained by journalists for just Rs. 500 (~USD 8).
Aadhaar is one of the most pervasive and invasive surveillance systems the world has ever seen
A biometric database of every citizen shifts the balance of power dramatically in favour of the government – it's one of the most pervasive and invasive surveillance systems the world has ever seen.
Many potential abuses of Aadhaar are currently illegal, but the legal prohibitions are easily overcome using technology. For example, correlation of user behavior by Authentication User Agencies is currently illegal, but technically quite simple to carry out.
Private companies are starting to demand that customers hand over their Aadhaar numbers in order to access services – including Amazon, who requested customers' Aadhaar numbers in order to investigate lost packages. Since then, Indians have been reporting many other companies requiring the same.
Learn how to keep you and your digital loved ones secure at Mozilla’s Safety First web guide.
Check out the 8 day data detox, by Mozilla partner Tactical Tech.
Learn how to protect your browser history with former Mozilla fellow Matt Mitchell.
Before anything else, Prime Minister Modi and the Government of India should pause further roll out of Aadhaar until the major problems with Aadhaar have been addressed.
A privacy law must be a national policy priority for India. The Supreme Court of India has unequivocally found that privacy is a right of all Indians guaranteed by the Constitution; now it is up to the Government of India to enact privacy protections in law.
The Justice Srikrishna Committee was set up to create recommendations for a new and robust privacy law – India’s first comprehensive data protection law. Its published public consultation document has several notable omissions and loopholes that must be addressed, and an easier way must be found for India’s citizens to meaningfully contribute to consultations.
The Supreme Court of India should continue to enforce the right to privacy and other legal protections in ongoing litigation around Aadhaar.
A strong and effective privacy law is vital to act as a check and balance to the far-reaching Aadhaar system.
The Indian government must release Aadhaar as true open source software rather than merely use the language of open source, and encourage the use, development, and adoption of open source as a pillar of the Aadhaar system.
The Government of Prime Minister Modi has an opportunity and responsibility for India to take its place as a global leader on protecting individual security and privacy. Mozilla hopes India will take this chance to be a beacon to the world on how citizens should be protected.