Aadhaar Act needs a relook from the security and privacy aspect, to avoid mistakes made with the IT Act

March 28, 2017

By Pavan Duggal

Indian authorities and agencies have been collecting information much before Aadhaar came into the picture. But most of the time, the information has been located in silos. For instance, the passport agency will only have your data for passport-related purposes, the local RTO will have your driving license information for their own need and so on. For the first time, we are coming across Aadhaar which is providing an interconnected ecosystem. That, from a consumer standpoint, is going to present a huge amount of data privacy issues.

Aadhaar is an executive order which only got legalised last year in the form of an Aadhaar Act. Also the Aadhaar Act does not do adequate justice to the issue of privacy. There are no distinctive provisions and safeguards that the consumer expects. It is weak when it comes to data privacy and personal privacy. Further, issues pertaining to cybersecurity have not been clearly addressed in the Aadhaar Act. So the perception that Aadhaar is safe is not completely true.

Where does the buck stop with the Aadhaar database

Take the fact that Aadhaar databases are getting increasingly compromised. You cannot bisect Aadhaar between the central registry and the ecosystem. So in a case where your ecosystem is getting compromised, you cannot say that your central registry is safe and that the issue is with the third-party agencies who store Aadhaar data locally. That argument does not fly. Far more needs to be done as far as cybersecurity is concerned than what is currently available.

Unfortunately, a lot of people are defending Aadhaar for the sake of defending it. For instance, last month UIDAI lodged complaints against Axis Bank Ltd, business correspondent Suvidhaa Inforserve and e-sign provider eMudhra, stating that they had allegedly attempted unauthorised authentication and impersonation by means of illegally storing Aadhaar biometrics. Similarly, last week there was a report which talked about how Aadhaar numbers were searchable on Google. So the Aadhaar numbers are floating in the open, which does not augur very well when it comes to increasing the confidence of the populace. If you have the Aadhaar number easily available with a Google search, the chances of potentially misusing it do exist.

The fears pertaining to misuse of Aadhaar data are real, because the concerns have not been adequately addressed. Another factor to consider is that since the Aadhaar Act was passed, there have been massive developments that have taken place in the field of cybersecurity. And we constantly need to relook at Aadhaar from the perspective of evolving the cybersecurity paradigm.

More significantly, Aadhaar constitutes a critical information infrastructure of our country. Aadhaar is linked to many services. So all it needs for criminals or non-state actors is to destabilise Aadhaar data and everything associated with it comes crumbling down.

Aadhaar is part of your life now, whether you like it or not

We have to accept the fact that Aadhaar is now a part of our life, so there is no point avoiding it. There are over 110 crore verified Aadhaar accounts. But at the same time, the information contained with Aadhaar isn’t regular information, but biometric information. The other thing to take into consideration is that a lot of these third-party service providers are now retaining a lot of your personal data and biometric data on their own systems, under the garb of Aadhaar authentication. A couple of these third-party service providers are exploiting some loopholes in the Aadhaar Act 2016, and storing biometric information on their private systems. Once that happens, it will be a huge blow to the credibility of Aadhaar. This will also start eroding people’s confidence.

Aadhaar Act does not touch concretely on issues pertaining to data privacy, personal privacy. Consequently India does not even have a law on privacy. Under the current circumstances, if your Aadhaar information is misused, the law is very clear – you are the person who is responsible if you don’t report the issue. Now say if you are not aware that your Aadhaar data is being misused or wake up only after it is too late – according to the law, you are still liable as you have not reported the issue.

Interfacing with the IT Act

There is a definite need to strengthen the Aadhaar ecosystem. The concept of Aadhaar is very good, and good work is being done with benefits transfer for instance, no doubt about that. But at the same time, there is no clarity about how Aadhaar complies with the IT Act, because at the end of the day Aadhaar via the UIDAI has become an intermediary.

Everybody is harping on the central repository. But the repository is not Aadhaar, but just a core kernel of the Aadhaar ecosystem. The entire ecosystem needs to be more safe and secure and there isn’t any effective protection as such. So if your Aadhaar is compromised today, you don’t have effective remedies as a consumer. The offences under Aadhaar can only be registered after UIDAI reports. So people have been rendered remedy-less.

For instance, if you are one of those thousand people whose Aadhaar number is visible on Google, what option do you have? There is no effective remedy. Users want concrete effective remedies, which the Aadhaar Act does not provide.

It’s time we acknowledged the shortcomings in Aadhaar and work towards creating an effective framework around Aadhaar rather than saying it is the best. We need to adopt a more proactive approach. The law never envisaged that private parties are going to create their own databases of user data, under the garb of Aadhaar verification. So there are huge problems we need to acknowledge.

We need to revisit the Aadhaar Act 2016. The interplay between the IT Act and Aadhaar Act is a huge grey area. Aadhaar Act is only a subset of the IT Act, which is the mother legislation. There are many kinds of cybercrimes that have emerged post demonetisation, that need to be taken into account in the Aadhaar Act. The linking of Aadhaar with various government schemes without having done the legal homework could land India into a huge e-governance disaster. We should work on strengthening the ecosystem.

Need to avoid a repeat of the mistakes with IT Act

The current state of affairs shows a conflict between the executive and judiciary, which could go into a confrontational approach, which should be avoided. The Supreme Court had reiterated the order that Aadhaar should not be made mandatory after the notification of the Aadhaar Act.

Making it mandatory can effectively deprive people of their fundamental rights and could ultimately be unconstitutional. When you make Aadhaar mandatory, you are making a distinction between those who have it and those who don’t. This amounts to violation of rights to equality.

We should learn from the mistakes we made in formulating and later amending the IT Act. It was first launched in 2000, and for years the government said that it was adequate. But eventually, we had to make a lot of amendments to it.
