Aadhaar breach is serious, but bigger challenge is a data and privacy protection law
It takes, some times, a negative event to bring important issues on the debating table. The 4 January 2018 report alleging data breach of Aadhaar brings the larger issue of data protection, privacy and their protection back in public discourse.
Nobody in her right mind would be comfortable with her data, now extracted by the authority of law, being compromised, sold, shared, used, circulated, downloaded. Whatever the financial cost, howsoever high the regulatory walls, a breach is bad enough. That the data of Indian residents could be done in such a casual manner — a price of ₹500 for the data, ₹300 for a software that reads that data and a time of 10 minutes — makes it worse. The report says the breach gives access to the Aadhaar number, name, address, postal code, photo, phone number and email. This is personal information and can be abused in several ways, from financial to criminal.
Whatever the financial cost, howsoever high the regulatory walls, a breach is bad enough.
For instance, if a rogue manages to steal a phone and can map the name of the person with the details above, the entire edifice of the OTP (one time password) as a mechanism of checking and protection of banking transactions becomes meaningless for online transactions. More so, when changing the number entails a long-winded, physical process, ironically for an idea that is entirely digital. If a debit or credit card is stolen, digital transactions can happen with ease. Beyond financial losses, this breach enables criminal offences. Imagine stalkers following a woman through her phone right upto her home.
If these are not bad enough, the reaction of Unique Identification Authority of India (UIDAI), the organisation tasked with housing this data safely, was worse: through the Press Information Bureau (PIB), it simply denied the report and called it a case of misreporting. “There has not been any Aadhaar data breach,” PIB stated on Twitter [ii]. “The Aadhaar data including biometric information is fully safe and secure.” But further down it says that the “reported case appears to be an instance of misuse of the grievance redressal search facility”. Which is right — no breach or instance of misuse?
PIB further states [iii] that “mere availability of Aadhaar number will not be a security threat or will not lead to financial/other fraud, as for successful authentication fingerprint or iris of individual is also required.” Finally, it says that legal action, including lodging of FIR (first information report), is being done. Is UIDAI accepting a breach of non-biometric information and saying all is well because the fingerprints and iris scans have not and cannot be accessed? If yes, it is out of tune with the 21st century India.
Like several issues earlier, lack of patience will ensure that this breach of information too will blow away and get lost in the sands of political spins — one side alleging serious violations, the other defending with denial. And the truth may not be in the middle. Indeed, it may lie outside Aadhaar.
The truth may not be in the middle. Indeed, it may lie outside Aadhaar.
For an issue that affects almost every aspect of a modern life, from identity and money to investments and DBT (direct benefit transfer) entitlements, we need to prevent petty politics from further contaminating our digital future. We need to take this issue into our hands, engage deeply with it, so that the resultant law protects as much as enables us as a nation. The latest ideas of privacy, data and information protection, and the legal provisions enabling it are situated in two places. First, in a 24 August 2017 order of the Supreme Court [iv]. And second, in a white paper by a committee chaired by Justice B.N. Srikrishna [v]. Both provide the intellectual, legal and moral basis for public discourse, before it is finally enacted by Parliament into law.
“The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution,” the nine-judge Constitutional bench of the Supreme Court ruled [vi]. But it did articulate the legitimate concerns of the State on one hand and individual interest in the protection of privacy on the other. “Apart from national security, the state may have justifiable reasons for the collection and storage of data,” it noted [vii]. Benefits to “impoverished and marginalised sections of society,” for instance. Or prevention and investigation of crime, and protection of the revenue.
Justice Srikrishna’s White Paper takes this judgement into account and lists out seven key principles [viii] that must inform a data protection law. One, the law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance. Two, the law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims. Three, as an expression of human autonomy, consent must be informed and meaningful. Four, data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject. Five, the data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data for processing. Six, enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralised enforcement mechanisms. And seven, penalties on wrongful processing must be adequate to ensure deterrence.
Coming to Aadhaar, we need to examine the law [ix] closely. While Clause 30 gives the government the power to collect biometric information deemed to be sensitive, it is the protection mechanism under Clause 29 that places restrictions on its sharing, displaying or posting. Finally, Clause 37 nails it down and states that whoever discloses, transmits, copies or disseminates any identity information shall face a fine of upto ₹10,000 for an individual, ₹1 lakh for a company, and imprisonment that may extend upto three years. We can argue that these penalties are inadequate. A company can earn crores of rupees for data breach, a country can inflict untold damage. When seen in context, Aadhaar would be a subset of the larger debate around privacy and information protection. We can look at this law as a necessary but not a sufficient tool to protect data and privacy.
While Clause 30 gives the government the power to collect biometric information deemed to be sensitive, it is the protection mechanism under Clause 29 that places restrictions on its sharing, displaying or posting.
Where, for instance, would we place the do not disturb registry? Although it began ineffectively, and has started functioning only over the past 12 months or so, the stray call does come. Or, how do we deal with universal banks, where details of a salary account in a bank are shared with the insurance company of the same group with impunity, despite Reserve Bank of India explicitly prohibiting it? “Provided that information collected from customers for the purpose of opening of account shall be treated as confidential and details thereof shall not be divulged for the purpose of cross selling, or for any other purpose without the express permission of the customer,” the clause states [x].
These are only some of the issues citizens and consumers face. In the increasing digitalisation of India, privacy will become a political battle. As a result, a law that gives privacy protections to citizens while allowing flexibility to the State — in the matter of national security (that is and will remain undefined), for instance — is essential. Related laws, like those in finance, healthcare, education or telecommunications, will get suitably amended or repealed and embed themselves into a bigger privacy law. That privacy is a fundamental right has been set in place by the Supreme Court. It is upto the government to initiate and Parliament to enact these provisions into law.
As far as Aadhaar goes, the shrill debates will tighten the law. But finally, provisions of the data and privacy protection law will override it and Aadhaar will need to legally situate itself within this larger framework, as part of these wider rights.
It takes, some times, a negative event to bring important issues on the debating table. The 4 January 2018 report alleging data breach of Aadhaar brings the larger issue of data protection, privacy and their protection back in public discourse.
Nobody in her right mind would be comfortable with her data, now extracted by the authority of law, being compromised, sold, shared, used, circulated, downloaded. Whatever the financial cost, howsoever high the regulatory walls, a breach is bad enough. That the data of Indian residents could be done in such a casual manner — a price of ₹500 for the data, ₹300 for a software that reads that data and a time of 10 minutes — makes it worse. The report says the breach gives access to the Aadhaar number, name, address, postal code, photo, phone number and email. This is personal information and can be abused in several ways, from financial to criminal.
Whatever the financial cost, howsoever high the regulatory walls, a breach is bad enough.
For instance, if a rogue manages to steal a phone and can map the name of the person with the details above, the entire edifice of the OTP (one time password) as a mechanism of checking and protection of banking transactions becomes meaningless for online transactions. More so, when changing the number entails a long-winded, physical process, ironically for an idea that is entirely digital. If a debit or credit card is stolen, digital transactions can happen with ease. Beyond financial losses, this breach enables criminal offences. Imagine stalkers following a woman through her phone right upto her home.
If these are not bad enough, the reaction of Unique Identification Authority of India (UIDAI), the organisation tasked with housing this data safely, was worse: through the Press Information Bureau (PIB), it simply denied the report and called it a case of misreporting. “There has not been any Aadhaar data breach,” PIB stated on Twitter [ii]. “The Aadhaar data including biometric information is fully safe and secure.” But further down it says that the “reported case appears to be an instance of misuse of the grievance redressal search facility”. Which is right — no breach or instance of misuse?
PIB further states [iii] that “mere availability of Aadhaar number will not be a security threat or will not lead to financial/other fraud, as for successful authentication fingerprint or iris of individual is also required.” Finally, it says that legal action, including lodging of FIR (first information report), is being done. Is UIDAI accepting a breach of non-biometric information and saying all is well because the fingerprints and iris scans have not and cannot be accessed? If yes, it is out of tune with the 21st century India.
Like several issues earlier, lack of patience will ensure that this breach of information too will blow away and get lost in the sands of political spins — one side alleging serious violations, the other defending with denial. And the truth may not be in the middle. Indeed, it may lie outside Aadhaar.
The truth may not be in the middle. Indeed, it may lie outside Aadhaar.
For an issue that affects almost every aspect of a modern life, from identity and money to investments and DBT (direct benefit transfer) entitlements, we need to prevent petty politics from further contaminating our digital future. We need to take this issue into our hands, engage deeply with it, so that the resultant law protects as much as enables us as a nation. The latest ideas of privacy, data and information protection, and the legal provisions enabling it are situated in two places. First, in a 24 August 2017 order of the Supreme Court [iv]. And second, in a white paper by a committee chaired by Justice B.N. Srikrishna [v]. Both provide the intellectual, legal and moral basis for public discourse, before it is finally enacted by Parliament into law.
“The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution,” the nine-judge Constitutional bench of the Supreme Court ruled [vi]. But it did articulate the legitimate concerns of the State on one hand and individual interest in the protection of privacy on the other. “Apart from national security, the state may have justifiable reasons for the collection and storage of data,” it noted [vii]. Benefits to “impoverished and marginalised sections of society,” for instance. Or prevention and investigation of crime, and protection of the revenue.
Justice Srikrishna’s White Paper takes this judgement into account and lists out seven key principles [viii] that must inform a data protection law. One, the law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance. Two, the law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims. Three, as an expression of human autonomy, consent must be informed and meaningful. Four, data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject. Five, the data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data for processing. Six, enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralised enforcement mechanisms. And seven, penalties on wrongful processing must be adequate to ensure deterrence.
Coming to Aadhaar, we need to examine the law [ix] closely. While Clause 30 gives the government the power to collect biometric information deemed to be sensitive, it is the protection mechanism under Clause 29 that places restrictions on its sharing, displaying or posting. Finally, Clause 37 nails it down and states that whoever discloses, transmits, copies or disseminates any identity information shall face a fine of upto ₹10,000 for an individual, ₹1 lakh for a company, and imprisonment that may extend upto three years. We can argue that these penalties are inadequate. A company can earn crores of rupees for data breach, a country can inflict untold damage. When seen in context, Aadhaar would be a subset of the larger debate around privacy and information protection. We can look at this law as a necessary but not a sufficient tool to protect data and privacy.
While Clause 30 gives the government the power to collect biometric information deemed to be sensitive, it is the protection mechanism under Clause 29 that places restrictions on its sharing, displaying or posting.
Where, for instance, would we place the do not disturb registry? Although it began ineffectively, and has started functioning only over the past 12 months or so, the stray call does come. Or, how do we deal with universal banks, where details of a salary account in a bank are shared with the insurance company of the same group with impunity, despite Reserve Bank of India explicitly prohibiting it? “Provided that information collected from customers for the purpose of opening of account shall be treated as confidential and details thereof shall not be divulged for the purpose of cross selling, or for any other purpose without the express permission of the customer,” the clause states [x].
These are only some of the issues citizens and consumers face. In the increasing digitalisation of India, privacy will become a political battle. As a result, a law that gives privacy protections to citizens while allowing flexibility to the State — in the matter of national security (that is and will remain undefined), for instance — is essential. Related laws, like those in finance, healthcare, education or telecommunications, will get suitably amended or repealed and embed themselves into a bigger privacy law. That privacy is a fundamental right has been set in place by the Supreme Court. It is upto the government to initiate and Parliament to enact these provisions into law.
As far as Aadhaar goes, the shrill debates will tighten the law. But finally, provisions of the data and privacy protection law will override it and Aadhaar will need to legally situate itself within this larger framework, as part of these wider rights.