Major Concern: India set to compromise citizen’s privacy through the unique identity project

By Sikh Siyasat Bureau

April 12, 2010

Author: Praful Bidwai

After promising a serious public debate on the sensitive issue of breach of citizen privacy and other risks associated with the Unique Identity project, the government has rushed headlong into it. There hasn’t been a proper discussion of the risks even in the Cabinet, leave alone in Parliament or a larger public forum.

The public has been stampeded into and delivered to the UID project through the device of the National Population Register, which itself piggybacks on the just-launched Census 2011 operation. The NPR data will be sent to the UID Authority of India, which, after filtering it and weeding out duplication, will issue a 16-digit UID to each person.

Although the scheme was meant to be voluntary according to the authority’s working paper, it seems set to become the preferred document that governments will demand for giving people access to social services including the public distribution system for food, National Rural Employment Guarantee Act, and educational and health-related schemes. This is supposed to eliminate leaks, help improve service delivery and reduce corruption. Even if this claim appears extravagant, it at least seems benign.

However, there’s a much greater and distressing, if understated, dimension to the NPR-UID, related to security and surveillance. Indeed, security seems to be the project’s primary purpose. The NPR in its present form was recommended by the Kargil Review Committee chaired by security hawk K Subrahmanyam. The committee greatly exceeded its brief and recommended mandatory multipurpose national identity cards for all Indians.

The UID’s security rationale was emphasized by none other than Union Home Minister P Chidambaram when he announced that UIDAI was established in February 2009 as a timely response to the November 2008 Mumbai terrorist attacks. As we see below, UID will lead to gross violations of the citizen’s privacy and abuse of personal information. Handing over excessive power to the state has dangerous implications.

The NPR will collect information on each person on 15 counts, including name, sex, date of birth, present and permanent address, names and UIDs of parents, marital status — and ‘if ever married, name of spouse’. Worse, it will include biometric identification, including a photograph and impressions of all 10 fingers. The database will be shared with UIDAI and NATGRID (National Intelligence Grid) connecting 11 security and intelligence agencies, including the Intelligence Bureau, Research and Analysis Wing, Central Bureau of Investigation, Directorate of Revenue Intelligence, central boards of excise and customs and of direct taxes, Narcotics Control Bureau, etc.

NATGRID, to be established by May 2011, will provide security agencies real-time access into 21 categories of databases — including bank account details, credit card transactions, driving licences, and visa and immigration records. An intelligence official has been quoted as saying: “Once you feed in a person’s name, you’ll get all the details about him, across all the databases.” These include the colour of his/her car, the outstanding traffic fines to be paid, and the last time he/she paid by card for a late-night dinner with a friend. “There really will not be any secrets from the State.”

This data would far exceed the discrete bits of largely need-based information that citizens currently have to furnish to different official agencies. The police don’t need to know if an ordinary citizen (as opposed to a suspect) has more than one bank account or possesses health insurance. Your bank doesn’t need to know how often you travel and where. The passport office needs to know your name, address and date of birth, but not whether you own a two-wheeler. Now all this discrete data will be pooled together and made to converge in a single database, which will be available to hundreds of government departments at the click of a mouse.

The citizen will lose control over the personal information s/he chooses to share. Some of this information is liable to be passed on to commercial agencies and private companies, which will use it to make money. After all, the designated ‘registrars’ under the UIDAI will include private operators as well as government agencies. They could sell the information, for a profit, to banks, health insurers, prospective employers or foreign security agencies.

Citizens will lose control over how the information might be used to track their movements, activities and monetary transactions. Disclosure of intimately personal details — pre-existing illnesses, romantic relationships, anonymous donations — may cost a person a job or earn her/him stigma.

The UID, then, will not be a mere number to assign an identity to people, such as below-poverty-line families which were left out of the official count but deserve to be included in welfare schemes. Rather, it will be a device to track and profile individuals through various transactions — from cash withdrawals from banks, to receiving wages, to buying PDS grain — and other means.

Yet, UIDAI disowns all responsibility for how its database will be used. It openly declares it’s “in the identity business. The responsibility of tracking beneficiaries and the governance of service delivery will continue to remain with the respective agencies.” Also, “the UID number will only guarantee identity, not rights, benefits or entitlements”. This falsifies the ostensible basis on which the entire scheme was founded: namely, that the UID will break the barriers that prevent the poor from accessing public services.

In fact, for all its presumed benefits, UIDAI only hopes to cover 600 million people, or one-half of India’s population, over five years, and that too with 95 percent accuracy. This means that half the people will still be denied the presumed public service benefits from the scheme. In any case, the technology it will employ is untested, unreliable, and probably unsecured. If someone hacks into its database, the consequences, including those for national security, could be horrendous.

The compilation of the NPR isn’t being done under the Census Act, but under the Citizenship Act 1955 and Citizenship Rules 2003. This distinction is all-important. The Census Act guarantees confidentiality and says personal data is “not open to inspection nor admissible in evidence”. Such protection is missing from the Citizenship Act, which makes citizen registration “compulsory”. The Census Act aims at profiling the population, not individuals. The Citizenship Act’s function is to profile individuals, potentially violating their freedom, privacy and confidentiality.

The basic model of the UIDAI is deeply flawed, based as it is on the Integrated Automated Fingerprint Identification System of the US Federal Bureau of Investigation, which holds the biometric data of 50 million people. The FBI has long been notorious for using personal information to target civil rights groups, Left-leaning intellectuals and those it paranoically regards as subversive — for instance, John Lennon of the Beatles! Many countries, including the UK, US, the bulk of the European Union and Australia, have given up on national ID card schemes because they are too expensive, “too complex, technically unsafe, overly prescriptive and lack a foundation of public trust and confidence”.

Besides costing an unconscionable Rs 1.5 lakh crores, UIDAI’s huge database will be vulnerable to even greater abuse given the Indian police’s unflattering record of harassment of citizens, the dysfunctional nature of the Indian justice delivery system, and ceaseless victimisation of the poor by official agencies.

The National Human Rights Commission has admitted in response to a Right to Information Act inquiry that as many as 2,560 police ‘encounters’ were reported to it between 1993 and 2006 — an average of 183 a year. It found that almost half — 1,224 cases — were ‘fake’ or staged: i.e. non-judicial executions. For police and security agencies which can kill at will, the UIDAI database and NATGRID will be more grist to the satanic mills.

None of this can be justified in the name of security or counter-terrorism. The key to fighting terrorism is to treat it as a crime and bring its perpetrators to book while addressing the root-causes of the grievances that breed terrorism in the first place. What’s needed is not more and more intrusive surveillance, which is prone to abuse — as numerous cases including the victimisation of journalist Iftikhar Gilani so starkly show — nor more sophisticated electronic databases. What’s needed is good, honest policing, patient collection of evidence, and sincere, competent prosecution.

We have already paid a huge price in the form of human rights violations of innocent citizens who are wrongfully detained, physically abused and tortured in the name of fighting terrorism. As many as 170,000 undertrials languish in our jails for petty offences. Even Union Law Minister Veerappa Moily has written to the chief justices of the high courts requesting them to do everything possible to facilitate their early release.

We certainly cannot afford another draconian system devoted to tracking and surveillance. The notorious intelligence agency of the German Democratic Republic, STASI, had the motto ‘The State Must Know Everything’. The horrifying story of how the knowledge was used to harass, detain and deny jobs to thousands of artists, intellectuals and writers, and to kill innocents, unfolded soon after the Berlin Wall collapsed and the GDR disintegrated. Surely, the Indian state shouldn’t want to replicate those horrors.