News that a parliamentary committee has rejected its enabling legislation must come as a jolt to the Unique Identification Authority of India (UIDAI). The committee is reportedly concerned about lack of citizenship test for Aadhaar, duplication with the National Population Register (NPR), the technology, data privacy, and costs. This comes close on the heels of the Home Ministry’s contention that the UIDAI data does not meet the “degree of assurance” required for NPR, implying that those who have already enrolled with the UIDAI (over 120 million) may have to re-enroll with the Registrar General of India (RGI)!
In the mean time, painstaking work by the UIDAI, often spearheaded by Chairman Nilekani himself, appears to be finally paving the way, bit by bit, for Aadhaar to become a nationally acceptable ID by banks, telecom providers, oil companies, and other government agencies. The latest example is RBI’s direction to banks to open Aadhaar-enabled accounts for beneficiaries of MGNREGS and other social security schemes. It would be a shame if these efforts were to come to a screeching halt on account of disputes within the government.
In our view, the vastly dissimilar goals of NPR and Aadhaar were bound to come into open conflict sooner or later. Now that they have, it is imperative that the government not only moves quickly to clarify its stand on the future of Aadhaar, but also reassesses its linkage with the NPR project, which raises even more serious questions about data privacy.
The UIDAI has consistently articulated its key objectives: To help eliminate fake and duplicate beneficiaries from welfare schemes and to provide a portable ID to millions of poor and migrants. Most states seem to agree with these goals and are looking forward to using Aadhaar in their e-governance initiatives (e.g. Karnataka, which reports 28 lakh illegal LPG connections, and 6 lakh BPL families without even ration cards!)
The UIDAI’s enrollment process calls for minimal personal details to uniquely identify a person (Name, Gender, Age and Address) and it involves physical verification of support documents. For those without them, it proposes the concept of Introducers, but very few enrollments to date appear to have relied on it. And, true to its goal of a portable ID, the UIDAI permits people to enroll anywhere in India, with a wide choice of Registrars; however, most enrollments so far have been by state governments and nationalized banks.
On data privacy, the proposed UID legislation would have required a court order or a central government joint secretary approval (in cases of national security) before divulging personal information beyond a Yes or No response. Critics, however, felt that it still did not measure up to international norms on data privacy. The parliamentary committee seems to agree.
But how do these objectives and processes compare to those of the RGI?
NPR’s purported goals are internal security and checking illegal immigration. But, ironically, the RGI says that enrollment is “irrespective of Nationality” and asks people to self-declare their Nationality! Also, while the 2003 Citizenship Rules call for a register of ‘Indian Citizens,’ NPR refers only to ‘usual residents’ – an amorphous term subsequently incorporated into the proposed UID legislation. So, if the parliamentary committee is concerned that Aadhaar does not establish citizenship, then surely the same concern ought to apply to NPR too?
The RGI has adopted the UIDAI’s biometric standards and plans to use UIDAI-empanelled enrollment agencies; so, presumably, it has no dispute over the UIDAI’s technology or process. Add to this the fact that most enrollments to date have been by states/nationalized banks and are based on verified POI/POA documents, and it is hard to see where exactly concerns about the reliability of the UIDAI’s data and technology are emanating from -- unless they refer to the future when the Introducer system takes off and Aadhaar on-line authentications begin.
The RGI also plans its own “mother database,” which it says will be used only within the government. But it makes no promises whatsoever on data privacy. This makes the UIDAI’s proposed strictures against data disclosure superfluous in the eyes of its critics, as the same information would presumably be accessible to any government agency through NPR!
Finally, in what could be seen as a major trespass on privacy, the RGI plans to display NPR lists in prominent places in villages and towns to invite objections from the public, with local authorities having the final word on who will be included in it. Although RGI does not explicitly say it, this futile exercise -- which could well pitch neighbors against each other -- is supposed to be its way of weeding out non-citizens! Unfortunately, this hugely worrisome prospect has been completely glossed over by those who have criticized the UIDAI for its data privacy stance and has been missing from the discourse on the Aadhaar-NPR conflict.
At the end of the day, just how the complicated and time-consuming NPR process will produce more reliable data than the UIDAI and will check illegal immigrants is hard to comprehend.
The RGI’s stress on ‘usual residents’ and the virtual veto power to local officials over one’s legal existence in an area is much more likely to lead to exclusion of millions who are virtually ‘ID-less’ today. In this regard, complaints of past census drives missing out large sections of urban poor are not exactly reassuring. This stands in stark contrast to the UIDAI’s emphasis on ‘inclusion’ and the portability of Aadhaar, which recognize the massive cross-state migrations of our peoples in search of employment. These two widely differing world views, I submit, are irreconcilable.
This difference is exemplified by a recent report from Hyderabad of a “security scare,” triggered by differences between NPR and Aadhaar enrollments: e.g. Ambarpet, where NPR had apparently enumerated 15,000 people, but the UIDAI had issued 21,000 Aadhaars. The report completely missed the point that either the RGI may have undercounted people in this urban setting and/or the UIDAI may have enrolled migrant workers in the area, as per its model. Regardless, the expectation that the two numbers ought to be the same, and the needless alarm when they are not, underscores the perils of closely linking Aadhaar with NPR in the public mind.
These are some of the larger issues that the government must come to grips with in its response to the current stand-off. On the one hand, if it is serious about the original objective of NPR, viz. checking illegal immigration, it must take a critical look at whether it’s current direction is likely to meet those objectives without massive violations of people’s privacy. On the other hand, if it is serious about the need for Aadhaar as a tool to better manage its welfare schemes, it must distance Aadhaar from the shadows of NPR and give it all the necessary legal and financial independence to meet its objectives.
Here are some possible steps that it could take in that direction:
- Make the issuance of Aadhaar to the ‘ID-less’ a top priority, without which mandating Aadhaar for welfare services will have no justification. This will necessarily involve scaling up the Introducer system and genuine partnerships with community groups working with these populations.
- Reaffirm the principle of mutual sharing of enrollment data between the RGI and the UIDAI as originally envisaged, in the interests of avoiding duplicate of work and saving costs; but ensure that Aadhaar is not solely dependent upon NPR data. In other words, allow the UIDAI to continue with its multi-Registrar enrollment model, which gives people a choice of when and where they can enroll.
- Accelerate the debate on a national data privacy law to cover all sensitive personal data held by the government as well as the private sector. In the mean time, amend the proposed UID legislation to require all databases containing Aadhaar numbers, including NPR and state databases, to comply with the same data disclosure criteria as currently proposed. This should also include an ‘opt-out’ provision, a well recognized data privacy principle, for anyone wishing to deactivate their Aadhaar records – obviously, with adequate safeguards against misuse, such as minimum waiting periods for de-enrollment and re-enrollment.
These measures may not answer all the questions surrounding NPR and Aadhaar, but they will certainly go a long way in ensuring that Aadhaar is not weighed down by the Home Ministry’s surveillance mission and by privacy concerns with NPR’s data. They will also better differentiate the two programs in the public mind, and will hopefully reduce the paranoia surrounding Aadhaar.
A shorter version of this article was published in The livemint on 13 Dec 2011