India’s Debate on Biometrics Could Influence Data Protection Worldwide

A woman gets her fingerprints scanned for India’s Aadhaar unique identification database. Reuters


In Hindi, the word aadhaar means “foundation”, and carries the connotation of stability and reliability. But in its use as the name of the Indian government’s universal biometric identity scheme, Aadhaar has turned into the punchline of social media jokes, a legal controversy, and a metaphor for the state’s dangerous intrusion into the lives of its citizens.


This month, the Supreme Court in New Delhi will begin hearing a collection of civil society petitions about the Aadhaar initiative, whether it endangers Indian citizens’ right to privacy and if its mandatory nature is justified. The verdict will have widespread repercussions for the Aadhaar scheme and for data protection in India more broadly. It will also hold familiar parallels for other countries around the world that face dilemmas involving data security, institutional efficiency, and citizen welfare.


The arguments against Aadhaar illustrate how far the scheme seems to have drifted from its initial conception. When the Unique Identification Authority of India was set up in 2009 its primary aim was to efficiently distribute subsidies and government welfare benefits. India is notoriously ‘leaky’ when it comes to such disbursals; whether it is doles of cash or subsidized food or fuel, significant sums are lost to inefficiency or graft. In a 2015 paper, for instance, two Indian researchers discovered that roughly half of the 55.45m tons of food grain intended for 99m poor families never reaches its stated recipients. The cost of the government’s various subsidies is roughly 4.2% of India’s $2.2trn GDP.


Using an electronic identity system to ascertain the identities of recipients would reduce this leakage, the government claimed. So it advocated aggressively for Aadhaar, enthusiastically enrolling people by scanning their fingerprints and irises, photographing them, and issuing them a long white card bearing a barcode, QR code, and a unique 12-digit number. Aadhaar soon became the world’s largest biometric database.


Compulsory in practice


But the Aadhaar ID was never meant to be compulsory, as confirmed by the Supreme Court in another case earlier this year. Over the past two years, however, Aadhaar has been expanded to such an extent that it is now required for many government services unrelated to welfare and even for services offered by private companies. It has become de facto mandatory.


An Indian citizen now requires Aadhaar to file their tax returns, even though they already have a separate taxpayer ID number. They need to link their Aadhaar to their insurance policies and bank accounts, and require Aadhaar for any bank transaction above INR50,000. Indian citizens require Aadhaar to have cooking gas piped to their homes, maintain their mobile phone connections, and renew their driving licenses. Government hospitals have denied treatment to paying patients on the grounds they did not have Aadhaar cards. Schools and colleges have refused to admit students who lack the cards, and university students without Aadhaar are not eligible for scholarships. Artists must now produce their Aadhaar card to access state-funded grants in the performing arts. The victims of the Union Carbide gas leak in Bhopal in 1984 need Aadhaar to receive compensation. On Twitter, people exchanged stories of how Amazon requested Aadhaar numbers to track lost packages. In many of these cases, other forms of government-issued identification such as a passports or a taxpayer ID cards are deemed insufficient. A recent newspaper advertisement for a painting contest warned that schoolchildren wishing to enter must supply their Aadhaar details. It now seems impossible to conduct daily life in India without an Aadhaar ID.



The Indian government has frequently argued that Aadhaar’s benefits of transparency and efficiency will only grow the more it is used. Aadhaar’s critics, however, maintain it is an unnecessary imposition given the various other identification mechanisms Indians already have. They also argue Aadhaar’s data is insufficiently protected and its links to so much personal information represent a violation of individual privacy.


State overreach


There have already been leaks of Aadhaar data on multiple occasions. In May, the Centre for Internet and Society reported four government web sites had put the data of 135m Aadhaar cardholders at risk, including names, Aadhaar numbers, and even bank account details. In August, an app developer was arrested for exploiting a data flaw that allowed him to access millions of Aadhaar records. Indian government web sites, notorious for being poorly maintained, have inadvertently published Aadhaar details by exposing their back-end databases to the public.


More worrying still, Aadhaar has become the single key to unlocking every silo of an individual’s life. A hacker – or a snooping government – can use Aadhaar to find out what you spend money on, whom you call, the hotel you stay in while vacationing, your medical history, and the school your children attend. Indians will have little recourse in the face of attacks on their data. It was only in August that the Supreme Court even recognized privacy as a fundamental right and overruled the government, which had argued the case against privacy. Legal protections against infringements on privacy or personal data are loose and vague, and penalties have never been imposed on guilty companies or individuals. Citizens are often unaware of these laws or the importance of guarding their data. Even if they choose to prosecute, it is likely their case will linger interminably in India’s molasses-slow judiciary.


The circularity of the Aadhaar dilemma is vexing. The Indian government set out to create a mechanism such as Aadhaar because its state institutions are weak: It is unable to track its own subsidies, prevent theft, and punish guilty offenders or deter potential ones. Technology now offers sophisticated ways to gain the transparency and efficiency institutions lack. And yet, because of the very weakness of those institutions, the technology also poses a danger in how it can be deployed without accountability, how its data is at risk, and how it transgresses upon the liberties and privacy of citizens.


This combination of circumstances can be seen in developing and developed countries alike. All state institutions are keen to harness their citizens’ data; all corporations want to access that same data or control it in the manner Facebook and Google do; everywhere, concerns exist that data is insufficiently protected and privacy risks being violated.

Woman jostle to enroll themselves in the Aadhaar unique identification system in the outskirts of the western Indian city of Ahmedabad on February 14, 2013. Amit Dave/Reuters


Tapping into a global debate


Examples abound. This year, Ireland saw a wave of protests over the government’s introduction of a “national ID card by stealth” – a biometric welfare service card that is not mandatory but is required to renew passports and driving licenses or to access welfare benefits. In the United States, 74% of citizens lack confidence in their government’s capacity to protect their data, according to an Accenture survey from April. The European Union’s General Data Protection Regulation, which comes into force in May 2018, applies to all foreign companies that process the data of EU residents, giving users more control over their personal data. Several governments in Africa have been accused of surveilling their citizens or having weak privacy laws; in Uganda’s case, both. China’s planned Social Credit System, which effectively ranks its people by trustworthiness, envisions an even more Orwellian intrusion by the state into the lives of ordinary Chinese citizens than already exists.


The near-universal nature of these concerns points to the fundamental trends shaping the individual’s relationship with the state and the corporation today. In a pre-digital age, a person was valuable for their own purchasing power and their actions as a consumer; today, their worth also lies in the intelligence their choices provide to companies, advertisers, and security agencies. The technological ability to extract, compile, and process this intelligence has improved so fast that it has left many things outdated, including our own understanding of the potency and importance of our data; the laws that can protect such information; and the institutions that must enforce those laws. Furthermore, our data is not only collected but also increasingly centralized. A sizeable portion of our data already resides in the servers of three or four giant internet companies; the accumulation of information by governments will centralize our data still more in hands that are arguably even less accountable.


There is, accordingly, an urgent need for the architecture of privacy laws and data regulation to run neck-and-neck with the speed of technological development itself. In India, that architecture is only now getting off its starting block. But Indians will keenly follow the deliberations of their Supreme Court over the coming weeks to learn which direction the fate of their data is headed in. A verdict that rolls back Aadhaar’s cumbrous intrusions into daily life will represent a significant victory for the right of Indians to maintain their privacy in daily life.


Samanth Subramanian is the author of This Divided Island: Stories from the Sri Lankan War. His work has appeared in The New Yorker, The New York Times, The Guardian, and Wired, amongst other publications. He tweets at @Samanth_S