Tunisia biometric passports

As Aadhaar amendment Bill lapses, Indian policymakers should rethink the digital identity project

Note: The article below was first published by Scroll.in, available here, and is republished here with permission.

Since its inception a decade ago, Aadhaar has been in the eye of several controversies and subject to prolonged hearings in the Supreme Court on the unique identity project’s legality. We would have seen another twist in this saga last week had the Union government succeeded in passing its Aadhaar and Other Laws Bill, 2018, a patchwork of amendments to the Aadhaar Act of 2016 as well as changes to the Prevention of Money Laundering Act and the Telegraph Act. Now that the Lok Sabha is set to be dissolved for the general election with the Bill still pending, it will lapse.

This pause offers an opportunity to examine the Indian state’s approach to Aadhaar and, more broadly, to digital identity projects and their impact on citizen’s rights.

Designing a sound digital identity

It is imperative that digital identity systems, particularly those backed by the state’s resources and legal powers, are designed, at the outset, around sound principles of governance, data protection and privacy, and cybersecurity.

substantial body of evidence on Aadhaar’s implementation has cast doubt on whether a centralised national digital identity programme can help make the delivery of social services more efficient by reducing leakage and corruption. Aadhaar’s exclusion errors, which in many instances have caused starvation and restrictions on social security, are well documented but the government has seemed unwilling to even recognise the problem, let alone provide an effective solution. It is now clear that a badly designed digital identity system will cause more harm than good – and it cannot be fixed or improved through periodic patches. Silicon Valley’s earlier approach of “launch and iterate” is not a feasible model for national identity projects.

Our national policy approach towards Aadhaar is far from robust. For one, the Unique Identification Authority of India, the statutory body which both administers and regulates Aadhaar, is the sole arbiter of grievances related to the unique identity. Yet, any attempt to ensure its independence are undercut by the many hats it wears –the body implements the Aadhaar project, regulates the different players within the Aadhaar ecosytem and is supposed to protect the rights of Indian residents.

India still does not have a comprehensive data protection framework despite the Union government promising the Supreme Court it would design one. It did solicit the public’s views on a draft Data Protection Bill produced by the Justice BN Srikrishna Committee, but ultimately failed to introduce it in Parliament.

A patchwork of simplistic fixes

The proposed amendments to the Aadhaar Act came in the wake of the Supreme Court’s ruling on the identity project’s legality. The judgement, delivered in September, curtailed governmental access to Aadhaar data by making it contingent on “necessity and proportionality”. It limited the use of Aadhaar for authenticating identity, laying out that only the state could use it – when mandated by law and subject to additional legal standards – and not private agencies. Indeed, the use of Aadhaar by private players, under law or contract, was found to be unconstitutional and violating the right to privacy.

In his dissent, Justice DY Chandrachud argued the the Aadhaar project as it currently exists was unconstitutional.

The amendment Bill, if passed, would have undone the Supreme Court’s adoption of some essential principles of privacy and data security for the Aadhaar project. It would have allowed anyone to use Aadhaar-based authentication under the provisions of “any law”, or for a purpose defined by the central government, or if they met as yet unspecified standards of privacy and security.

It also sought to amend the Telegraph Act and the Prevention of Money Laundering Act to enable telecom firms and banks to make Aadhaar-based authentication mandatory for their customers.

The Union government seemed unconcerned that the Bill flew in the face of the Supreme Court’s judgement holding such blanket imposition of Aadhaar and its use by private players to be dangerous and violate of the fundamental rights of Indian citizens. The government did not even bother to put the Bill up for public consultation and review. There is a troubling consistency here: the Aadhaar Act was pushed through Parliament without pre-legislative consultation or review by a parliamentary committee despite many MPs pleading for it.

Similarly, several far-reaching regulations issued under the Aadhaar Act have never been made available for review. Instead, they have been directly brought into effect by the government notifying them in the Gazette of India.

Need for a holistic rethink

Online authentication, a key pillar of Aadhaar as originally envisioned, was supposed to provide a robustly efficient means of establishing identity. The Bill introduced “offline verification” as an alternative. There may be several methods of such verification, yet the details remain sketchy.

One method of offline verification that is currently being used is the Aadhaar Paperless Local eKYC. While its privacy, security and surveillance aspects are still to be tested, it might be a less centralised method of authentication at the design level.

This method is not strictly “offline”, though. It requires the user to create and download a digitally signed file, which can be used for authentication.

Since most users require Aadhaar to avail essential services often in places of limited connectivity and digital literacy, this method may not help the biggest constituency it is designed to serve.

Other proposed offline verification methods such as QR Codes have been criticised for not being secure and liable to misuse.

In sum, offline verification appears to be a patchwork fix, much like the Virtual ID proposed last year, ostensibly to ensure that a user’s Aadhaar number is not shared with every requesting agency. Such fixes seem to be a desperate attempt by the Union government to provide simplistic solutions to a complex problem.

The government should take a step back and stop defending the indefensible. The lapsing of the amendment Bill can be a blessing in disguise; policymakers can now pause and rethink Aadhaar. At the least, rather than being constantly confrontational, they must start an open and honest discussion about the way forward for the digital identity project. For currently, in terms of design and priorities, Aadhaar is increasingly looking like a highly expensive and legally questionable project.