Friday, January 8, 2010

Security And Privacy Issues Of The Unique Identity Number Project Of India

The Unique Identification Authority of India (UIDAI) is not a legally constituted authority. In the absence of just and reasonable law(s) to support the same, it would violate the Human Rights and Fundamental Rights of the citizens of India, say techno-legal experts like Praveen Dalal. The interaction of Information and Communication Technology (ICT) with Human Rights is no more a science fiction and India must keep in mind the mandates of Human Rights Protection in Cyberspace while implementing projects that have no legal sanction and backing. The below mentioned opinion has raised some pertinent security and privacy violation issues in this regard.

The air is thick with schemes that will enable the state, and its agencies, to identify every resident, and to track what they are doing. The UIDAI, in its working paper, says that enrolment will not be mandatory, but acknowledges that in practice it is expected not to be voluntary. The ‘Registrars’, who will enroll people on to the data base, will be both private operators and government agencies, and they will be encouraged to insist that they will entertain only those who are willing to enroll. Over a short time, only those with UID numbers may find themselves able to access services.

That is the effort. Just on its own, it could even seem benign. There are two phenomena that take the innocence out of the exercise.

The first is ‘convergence’. ‘Convergence’ is about combining information. There are presently various pieces of information available separately, and held in discrete ‘silos’. We give information to a range of agencies; as much as is necessary for them to do their job. The passport agencies do not need to know how many bank accounts you have, or whether you drive a car. The telephone company need not know how you have insured your house. The police do not need to know how often you travel, not unless you are a suspect anyway. It is this that makes some privacy possible in a world where there are so many reasons why, and locations where, we give information about ourselves. The ease with which technology has whittled down the notion of the private has to be contained, not expanded. The UID, in contrast, will act as a bridge between these silos of information, and it will take the control away from the individual about what information we want to share, and with whom.

This is poised to completely change norms of privacy, confidentiality and security of personal information. The terms ‘security’ and ‘privacy’ seem to be under threat, where technological possibility is dislocating many traditional concerns.

The second phenomenon is ‘tracking’. Once the UID is in place, and convergence becomes commonplace, the movement of people, their monies, their activities can be brought together, especially since transactions from buying rice in a PDS shop to receiving wages to bank withdrawals to travel could begin to require the number. There is a difference between people tracking a state, and the state, and the ‘market’ tracking people. The UID is clearly not what it is presented as being: it is not benign, nor a mere number which will give an identity to those who the state had missed so far.

Interestingly, the working paper of the UIDAI starts with a claim that the UID will bring down barriers that prevents the poor from accessing services and subsidies by providing an identity, but soon goes on to clarify that the “UID number will only guarantee identity, not rights, benefits or entitlements”. Given that it is the powerlessness of the poor, inefficiency, the perception of the poor as not deserving of support, sympathy or rights, and the status of illegality foisted on them that stops them from getting what is due to them, and given that corruption and leakages in the system mutate and persist, this quick stepping back is wise indeed.

In the excitement about technology being deployed to do something that has not been done anywhere in the world, the importance of privacy and protection from misuse of personal information is getting eclipsed.

It is significant that the UIDAI working paper makes no mention of national security concerns, and the surveillance, and profiling, possibilities it will create. Yet, the UID is not a project in isolation. The NATGRID, which the UID will facilitate, places the whole population under surveillance; and the home minister is talking about a DNA bank.

Fallibility, the difficulties inherent in reaching those in extreme poverty, the choiceless existence on a database and the possibility of undesirable others getting hold of information only add to the scariness of the scenario that we seem to have accepted without discussion, challenge or debate. And, once accomplished, we would have reached a point of no return.

The writer is an independent law researcher.