Pages

Friday, June 8, 2018

To be or not to be Part 9- Aadhaar: Proving my Identity


Our everyday life is full of interaction with other people or organisations. Depending on the nature of these interactions there could be exchange of credentials. If I walk into a shop to buy a burger, normally the shop keeper does not care who I am. He only needs the price to be paid with acceptable instruments. He may ask for my phone number or address with an intention to be in touch with me with his offers. But I have the choice to give this or not. (Unless of course he is a monopoly supplier at that point of time and I need the service desperately) But if I am trying to access a service or a product which is meant to be provided only to specifically identified persons, the service provider will require evidence to prove my identity.
                         
Based on the criticality of service, the extent of credentials and  / or endorsements that the service provider will ask will be different for different transactions. For example, the passport authority has extensive procedure to establish my identity; often they ask for multiple documents to establish my credentials before they issue a passport. The bankers may have a different way of establishing my identity; especially to meet the compliance requirement relating to KYC. The service providers with whom I have recurrent interactions may often provide me a special token to prove my identity during future interactions with them, thus avoiding extensive identity verification every time I have an interaction with them. These documents/ tokens are generally referred to as functional id. Some service providers may save on the effort required for establishing the id by making use of a functional ID issued by another entity (often government) as an evidence to establish my identity/ credibility.  For example tax id or driving license is often accepted as a proof of identity by many service providers. For evidence purpose and for future investigation they may retain copy of the credentials provided to them.

There are some practical problems associated with the above. (i) As most of the identity creds used are issued by service providers for their clients many people; especially from poor of marginalised segment of the society may not have any such credentials with them as they may not be availing any services in their name from these service providers (ii) most of the entities who provide such documents/ tokens do not publish the process they use to issue the cred making it difficult for the users to judge how good the cred issued by them is (iii) none of the entities that issue the cred (which are often meant to be only for their clients) does provide a mechanism to third parties to verify the authenticity the id token provided; resulting in use of fake id documents by some.(iv) Most of the entities who are issuing the functional ids have effective tools to avoid duplicate id generation. This makes it possible for one person to manage to have multiple identities  (iv) many functional ids are not accepted as proof of identity by all service providers (v)when the service provided is very sensitive or very valuable, the service provider will ask for multiple proofs (sometimes including biometrics) as they are limited faith in many of the functional ids.

UIDAI was established to address these concerns. (i) It is an entity established with a single focus; to issue and authenticate id for all residents of the country, unlike most of the other ids which are issued to limited set of individuals who are often beneficiaries of the service provider (ii) It has established checks and balances of the highest quality to ensure security and privacy of data and has institutional mechanisms in place to keep it updated (iii)it has a very standard and published means of establishing the identity of the person who is being enrolled. These are quite simple and straightforward with clearly defined exception handling mechanism so that practically nobody will be denied an opportunity to enrol (ii) it gives a quick, easy and straight forward means to authenticate the id by third parties and that too only with the consent of the id holder(iii) the biometric characteristics collected makes it almost impossible for a person to obtain multiple ids (iv) it is recognised as a proof of id by almost all service providers (v) it collects bare minimum attributes of a person compared to all other accepted functional ids. UID does not collect or store any attributes other than name, dob, address , sex, father’s name and biometrics in their database.(vi) UIDA does not share the biometrics collected with any other entities which is guaranteed by an act of parliament. Further it does not also collect or save the purpose for which the id was authenticated (vii) it gives an facility for the holders to be enquire online which entities have authenticated their id. This is also enshrined in Aadhaar Act

In this context, many service providers insisting that their clients should provide their Aadhaar as proof of identity is not in anyways overreaching their right and need to establish the identity of their clients. Rather, this is only making their process stronger and makes their services accessible to a larger cross section of the society who otherwise would have been denied of the service. The latter is a major boon for a large cross section of the society who thanks to Aadhaar are able to access a wide verity of services. In a similar fashion the requirement of authentication of id behind each tax id also is helping the Income Tax Department to weed out many instances of multiple tax ids by same person to avoid tax.
 
The database of Aadhaar has quite limited data relating to a person. Aadhaar based authentication is allowed only through registered entities through registered devices. As a part of authentication they do not store the purpose for which the authentication was undertaken by service providers. In this way, UIDAI does not and is not able to profile any of the UID holders or track their activities.  Compared to this all entities who collect information about their clients to issue functional ids and provide services hold significantly more information about their clients. Most of them in electronic form which are often connected to internet without strong security measures in place. Many of them even sell this data to third parties to other agencies. The number of un-solicited mails and sms we get is a proof of this.
 
The big difference in case of Aadhaar is that it provides a means to authenticate the Aadhaar even without sharing the data relating to aadhaar. (UIDAI only provides a yes/ no response to an authentication request. Only in limited and specified cases it also allows certain specified entities to collect the demographic information available with them against consent by the user). Thus the worry that UID database is a violation of privacy is unfounded. Further, compared to most other databases which compile and maintain their client information the security processes are much stronger.  Therefore, in cases where ID is required to be established for service delivery, it is safer for both service provider and recipient to use Aadhaar as proof of id; especially considering the wide coverage of Aadhaar and easy and fast enrolment possible. The service providers may also introduce exception handling mechanism to handle rare cases of not being able to have an Aadhaar or being authenticated with Aadhaar.

Another concern is that if the Aadhaar number of a person is used as proof of id by various service providers, it will give the government a mechanism to track a person extensively. This again is a myth. All services provided will take some kind of functional id as a proof of id. Most beneficiary databases have been converted or in the process of being converted to electronic form. With the modern computing and analytics tools, if the government decides to profile any person they will be able to do so by linking these multiple databases even without Aadhaar being linked.

To protect privacy what we need is a clear legal framework on who can collect what data, what is the disclosure they have to provide to their clients and what should be the data retention and data sharing policy with respect to all entities who collect third party data. Going after Aadhaar is nothing but a folly or just plain ignorance of the landscape of id establishment today.

"In the social jungle human existence there is no feeling of being alive without a sense of identity."

Erik Erikson

No comments:

Post a Comment