When Mahendra Singh Dhoni's personal details, as mentioned in his Aadhaar card form, appeared on social media on 29 March, there was a big hue and cry. This was because the ace cricketer's private information was shared by one of the many private agencies which help the Unique Identification Authority of India (UIDAI) enrol citizens for the Aadhaar biometric process. The Dhoni affair, of course, did not involve any criminal intention. It was just that a star-struck representative of the agency that enrolled Dhoni wanted to share his joy at encountering the legend in the course of his work.
So far so good. But this incident put paid to the lie that the government has been repeating—that it has evolved such a fool-proof mechanism that once the personal data is fed into the computer and stored in the centralised server of the UIDAI, it cannot be accessed even by the very agency which had uploaded it, let alone others.
Even if an individual gets to know that her biometric information has been compromised, she has no right, under the Aadhaar Act, to go for legal action.
The fact that the agency was able to post a tweet through the common handle @CSCegov saying "Ace cricketer Mahendra Singh Dhoni and his family get their Aadhaar updated at VLE Mariya Farooqui's CSE at Ranchi, Jharkhand" and put his details as it appeared on the Aadhaar website clearly establishes the fact that the enrolling private agencies could retrieve the data from the system at will and such information could be used by private entities for business or even nefarious designs.
This was more clearly brought home by the sinister biometric data breach that came to light in February this year—business correspondent Suvidhaa Infoserve and e-sign provider eMudhra, along with Axis Bank, had allegedly illegally stored Aadhaar biometrics. According to the UIDAI, Suvidhaa Infoserve, eMudhra and Axis Bank had been complicit in unauthorised authentication and impersonation. What stood out was that one individual was supposed to have taken part in 397 biometric transactions between 14 July, 2016 and 19 February, 2017. Of these, apparently the largest number of transactions had been done by the Axis Bank itself (194) while eMudhra was involved in 112 and Suvidhaa Infoserve in 91 transactions.
The saving grace in this case was that the UIDAI itself noticed the biometric data breach and lodged a complaint. What is distressing is that the person concerned, whose biometric data was misused for unauthorised authentication, had no clue about such a colossal breach. That is the big cause for concern.
What is a bigger cause of concern is that even if an individual gets to know that her biometric information has been compromised, she has no right, under the Aadhaar Act, to go for legal action. She can only bring it to the attention of the UIDAI which is the only authorised body to act in such cases.
But then everyone is not a celebrity like Sakshi Dhoni that a tweet from them will propel the Union IT Minister to swing into action (Ravi Shankar Prasad ordered the blacklisting of the agency within hours of Ms Dhoni's tweet). If you are a common person, there is every chance that your voice will remain unheard.
What makes the fear real, and not imaginary, is the government's contention that the citizens of the country do not have the entitlement to any right to privacy...
That is the crux of the privacy question being raised by the human rights activists. What makes the fear real, and not imaginary, is the government's contention that the citizens of the country do not have the entitlement to any right to privacy as it is not specifically enumerated in the Indian Constitution. Such a stance constitutes a grave threat to our democracy.
The ominous scenario is, in fact, gradually building up. The government initially justified the collection, storage and use of personal data on the premise that it is a "condition for receipt of a subsidy, benefit or service", as stipulated under Section 7 of the Aadhaar Act. This was seen as the exclusive relationship between the State and its citizens. That made sense.
But questions were raised when the government broadened the scope of the Aadhaar operation and brought private parties into play. It allowed private organisations to use Aadhaar biometrics for their commercial use. Many activists have cited the example of TrustID—"an app that allows the user to verify any individual using their Aadhaar number." In private hands, this is a dangerous proposition.
There is a larger concern if even the government of the day—be it BJP or Congress or anything else—should be trusted with the large pool of biometric information. As the fiercely independent economist and social activist, Jean Drèze (who was part of the UPA's National Advisory Council but resigned when the UPA government did not pursue pro-poor policies and who is also a critic of some of the anti-poor policies of the NDA government) writes:
"The main danger is that Aadhaar opens the door to mass surveillance. Most of the Aadhaar-enabled databases will be accessible to the government even without invoking the special powers available under the Bill, such as the blanket "national security" clause. It will be child's play for intelligence agencies to track anyone and everyone—where we live, when we move, which event we attend, whom we marry or meet or talk to on the phone. No other country, and certainly no democratic country, has ever held its own citizens hostage to such a powerful infrastructure of surveillance."
Drèze quotes from Glenn Greenwald's famous book, No Place to Hide: "History shows that the mere existence of a mass surveillance apparatus, regardless of how it is used, is in itself sufficient to stifle dissent."
Well, Drèze's apprehensions may be exaggerated but every conscientious citizen of the country must not downplay these concerns. After all, it involves the larger interest of safeguarding our basic rights as well as democratic institutions.