Our everyday life is full of interactions with other people or organisations. Depending on the nature of these interactions, there could be an exchange of credentials. If I walk into a shop to buy a burger, normally the shopkeeper does not care who I am. He only needs the price to be paid with acceptable instruments. He may ask for my phone number or address with the intention of keeping in touch with me about his offers, but I have the choice to give this or not (unless, of course, he is a monopoly supplier at that point of time and I need the service desperately). But if I am trying to access a service or a product which is meant to be provided only to specifically identified persons, the service provider will require evidence to prove my identity.
Based on the criticality of the service, the extent of credentials and/or endorsements that the service provider asks for will differ from transaction to transaction. For example, the passport authority has an extensive procedure to establish my identity; often they ask for multiple documents to establish my credentials before they issue a passport. Bankers may have a different way of establishing my identity, especially to meet the compliance requirements relating to KYC. Service providers with whom I have recurrent interactions may often provide me with a special token to prove my identity during future interactions with them, thus avoiding extensive identity verification every time I interact with them. These documents/tokens are generally referred to as functional ids. Some service providers may save on the effort required for establishing the id by making use of a functional id issued by another entity (often the government) as evidence to establish my identity/credibility. For example, a tax id or driving license is often accepted as proof of identity by many service providers. For evidentiary purposes and for future investigation, they may retain a copy of the credentials provided to them.
There are some practical problems associated with the above.
(i) Most identity credentials are issued by service providers for their own clients, so many people, especially from the poor or marginalised segments of society, may not have any such credentials, as they may not be availing any services in their name from these service providers.
(ii) Most of the entities that provide such documents/tokens do not publish the process they use to issue the credential, making it difficult for users to judge how good the credential issued by them is.
(iii) None of the entities that issue the credentials (which are often meant only for their clients) provides a mechanism for third parties to verify the authenticity of the id token presented, resulting in the use of fake id documents by some.
(iv) Most of the entities that issue functional ids do not have effective tools to avoid duplicate id generation. This makes it possible for one person to have multiple identities.
(v) Many functional ids are not accepted as proof of identity by all service providers.
(vi) When the service provided is very sensitive or very valuable, the service provider will ask for multiple proofs (sometimes including biometrics), as they have limited faith in many of the functional ids.
UIDAI was established to address these concerns.
(i) It is an entity established with a single focus: to issue and authenticate ids for all residents of the country, unlike most other ids, which are issued to a limited set of individuals who are often beneficiaries of the service provider.
(ii) It has established checks and balances of the highest quality to ensure security and privacy of data, and has institutional mechanisms in place to keep them updated.
(iii) It has a standard and published means of establishing the identity of the person who is being enrolled. These are quite simple and straightforward, with a clearly defined exception handling mechanism so that practically nobody will be denied an opportunity to enrol.
(iv) It gives third parties a quick, easy and straightforward means to authenticate the id, and that too only with the consent of the id holder.
(v) The biometric characteristics collected make it almost impossible for a person to obtain multiple ids.
(vi) It is recognised as proof of id by almost all service providers.
(vii) It collects the bare minimum attributes of a person compared to all other accepted functional ids. UID does not collect or store any attributes other than name, date of birth, address, sex, father's name and biometrics in its database.
(viii) UIDAI does not share the biometrics collected with any other entity, which is guaranteed by an act of parliament. Further, it does not collect or save the purpose for which the id was authenticated.
(ix) It gives holders a facility to enquire online which entities have authenticated their id. This is also enshrined in the Aadhaar Act.
In this context, service providers who insist that their clients provide their Aadhaar as proof of identity are not in any way overreaching their right and need to establish the identity of their clients. Rather, this only makes their process stronger and makes their services accessible to a larger cross section of society who would otherwise have been denied the service. The latter is a major boon for a large cross section of society who, thanks to Aadhaar, are able to access a wide variety of services. In a similar fashion, the requirement of authentication of the id behind each tax id is also helping the Income Tax Department to weed out many instances of multiple tax ids held by the same person to avoid tax.
The Aadhaar database holds quite limited data relating to a person. Aadhaar-based authentication is allowed only through registered entities using registered devices. As a part of authentication, UIDAI does not store the purpose for which the authentication was undertaken by service providers. In this way, UIDAI does not and is not able to profile any of the UID holders or track their activities. Compared to this, all entities who collect information about their clients to issue functional ids and provide services hold significantly more information about their clients. Most of it is in electronic form, on systems which are often connected to the internet without strong security measures in place. Many of them even sell this data to third parties or other agencies. The number of unsolicited mails and SMS we get is proof of this.
The big difference in the case of Aadhaar is that it provides a means to authenticate the Aadhaar even without sharing the data relating to Aadhaar. (UIDAI only provides a yes/no response to an authentication request. Only in limited and specified cases does it also allow certain specified entities to collect the demographic information available with it, with the consent of the user.) Thus the worry that the UID database is a violation of privacy is unfounded. Further, compared to most other databases which compile and maintain client information, its security processes are much stronger. Therefore, in cases where id is required to be established for service delivery, it is safer for both service provider and recipient to use Aadhaar as proof of id, especially considering the wide coverage of Aadhaar and the easy and fast enrolment possible. Service providers may also introduce an exception handling mechanism to handle the rare cases of a person not being able to have an Aadhaar or to be authenticated with Aadhaar.
Another concern is that if the Aadhaar number of a person is used as proof of id by various service providers, it will give the government a mechanism to track a person extensively. This again is a myth. All services provided will take some kind of functional id as proof of id. Most beneficiary databases have been converted, or are in the process of being converted, to electronic form. With modern computing and analytics tools, if the government decides to profile any person, it will be able to do so by linking these multiple databases even without Aadhaar being linked.
To protect privacy what we need is a clear legal framework
on who can collect what data, what is the disclosure they have to provide to
their clients and what should be the data retention and data sharing policy
with respect to all entities who collect third party data. Going after Aadhaar
is nothing but a folly or just plain ignorance of the landscape of id
establishment today.