Biometric data

Huge concerns

Print edition : April 28, 2017

People waiting to enrol for Aadhaar at a centre at Beeramguda in Medak district, Telangana. A file picture. Photo: Mohd. Arif

Collecting biometric data at a National Population Register centre at Tiruvottiyur in Chennai. A file phtograph. Photo: B. Jothi Ramalingam

It has been mathematically proved that the unique identification number need not be unique at all. Besides, the way biometric data of the country’s huge population are collected, handled and stored gives rise to serious concerns about the citizen’s privacy and the country’s security.

THE controversy about Aadhaar, or unique identification number, acquires a sinister overtone when one realises that no other country in the world except Pakistan has done a similar codification exercise for its citizens. The pursuit of the biometric Aadhaar project by the Narendra Modi government, in violation of the Supreme Court’s October 15, 2015, order, defies logic. The court had stated categorically that the use of the unique identification number should not be made mandatory and restricted the use of Aadhaar to six schemes (the public distribution system, the Mahatma Gandhi National Rural Employment Guarantee Scheme, the National Social Assistance Programme, the Prime Minister Jan Dhan Yojana, the Employees Provident Fund Office and liquefied petroleum gas distribution). In these schemes, too, the order said, enrolment for Aadhaar was voluntary.

But the Centre has made Aadhaar mandatory for a clutch of financial services/transactions, such as obtaining or retaining PAN (permanent account number) cards, filing of income tax returns and obtaining a SIM card or a driving licence, giving rise to serious concerns. Does it not constitute a breach of the right to privacy? What are the safeguards for data security? In case of misuse of information, which authority can be approached for redress? Are the government’s intentions genuine?

These questions assumed seriousness after a bizarre set of tweets started doing the rounds in social media in the last week of March. Sakshi Dhoni, cricketer M.S. Dhoni’s wife, in a series of tweets, complained that Dhoni’s Aadhaar details had been leaked by an agency in Ranchi he had approached to update his details. The agency, VLE Mariya Farooqui, had tweeted not only a picture of Dhoni giving his biometrics but uploaded his application form as well. Union Minister for Law and Information Technology Ravi Shankar Prasad “liked” the tweet without realising that it constituted a serious breach of the cricketer’s privacy. It was only after Sakshi Dhoni raised a complaint that the agency’s tweet was deleted. The agency has been blacklisted for 10 years.

Had Sakshi Dhoni not noticed the breach, the information could have been misused by unscrupulous elements, resulting in irreversible damage to the cricketer in the long run.

The incident has brought to the fore the real and serious danger of biometric data breach associated with Aadhaar and its consequences. The other issues that needed to be addressed include outlining the safety mechanism embedded in the system to reassure people that the data being collected are in safe hands and provide a platform for people to seek justice if their data are stolen, tampered with or misused.

Big hoax

Activists involved in conducting studies on the dangers associated with Aadhaar and legal experts are of the opinion that Aadhaar is a big hoax being played on the country, seriously compromising not only the individual’s safety and security but the nation’s security as well. “The next wars are not going to be fought with guns and tanks, neither are they going to be fought with nuclear weapons. They will be fought with information and whoever has access and control of information will win. Here we are giving all our information to foreigners on a platter. Why?” asked Aishwarya Bhati, a senior Supreme Court lawyer who is handling one of the writ petitions challenging Aadhaar in the court.

According to Aishwarya Bhati, all the data collected for biometric identification are stored in servers abroad and anyone having access to these servers can play havoc with this information. “Imagine you can delete crores of citizens with a click of the mouse, people will simply cease to exist,” she said. While this may sound like science fiction, it is a real possibility when one considers the ground reality. Linking all sorts of identities, like bank accounts, telephone numbers, SIM, PAN cards and driving licences with just a single number means you have all these data stored in just one place and anyone having access to this one database can tamper with this number and your entire identity disappears from the digital world. You become a non-existent person if that one digital number is the only access you have for accessing all your other identities.

The possibility of data being tampered with is a real one if one takes into account the way data are collected and the agencies that are collecting them. First of all, these agencies were not screened and all sorts of companies with poorly trained staff have been involved in collecting biometric data without having any clue about data security or how information should be handled. There have been instances of the personnel employed by these agencies simply abandoning the completed enrolment forms, compact discs and computer hard discs, leaving all the information unattended. In Bengaluru, first information reports have been filed over such instances. These FIRs are a part of the petitions that are pending in the Supreme Court. It is also intriguing why the Supreme Court has not yet taken up the issue with the urgency that it merits: it recently refused to hear a clutch of petitions on an urgent basis, giving the government time to go ahead with linking Aadhaar with all other identities.

Activists who have been involved in gathering information point out the dangers associated with Aadhaar. They say biometric identification across large numbers does not work, these work only for a small, targeted audience, say, for a small number of hardened criminals. “In a large number, the chances of fake/duplicate identities are there and this can potentially lead to misuse of data,” said Col (retd) Mathew Thomas, an activist from Bengaluru, who is also one of the petitioners challenging Aadhaar in the Supreme Court. According to him, the UIDAI had confessed that the chances of errors in the data are huge: one in 10. As per this admission, there already are 80 million fake or duplicate data in the 1.12 billion data that have been gathered. This figure has been arrived at by a system called Automatic Biometric Identification System, which employs the principles of probability to arrive at the margins of error. According to Thomas, this admission of 80 million fake data is mentioned in the UIDAI’s reply to his writ petition on page number 171. “With such mind-boggling potential for fraud/error, it is unfortunate that the Supreme Court is not hearing our petitions urgently and the government is having a field day taking the citizens for a ride,” he said. “Since the Aadhaar number is prone to duplication it cannot be described as a unique identification number. The very aadhaar of Aadhaar is fake,” he said.

Hidden facts

Thomas, who has extensive experience in handling and keeping large data in the Army and has an idea about how data can be tampered with, said: “Aadhaar is such a sham. First of all, people should know it is not a smart card, it is just a number which cannot replace their identity card and since the government has not clarified this categorically, this is one of the deceits. Another deceit is the secrecy surrounding the name. Aadhaar is the name of a private trust of Nandan Nilekani, the brain behind the unique identification concept, and it is inexplicable why this has been kept such a secret all this while,” he says.

Another point that made the entire Aadhaar exercise suspect, he said, was the manner in which private companies, employing semi-literate contract employees, gathered and handled data. “I have filed copies of FIR showing how Aadhaar numbers were issued to illegal immigrants, how data collected by some of these agencies were just lying around unattended. The entire manner in which this exercise was handled was wrong,” he said.

Aadhaar card is prone to misuse because any resident, who may or may not be a citizen, could get an Aadhaar card and claim government benefits. “There are instances of illegal immigrants having got Aadhaar and I have filed proof of this with my petition,” he said.

Yet another fact about Aadhaar, which has been kept carefully hidden, he said, is that the United States agency which had been entrusted with collection and storage of data, called L1 Identity Solutions Operating Company Ltd, was the same company that gathered data for Pakistan. Incorporated in Delaware, U.S., the company was taken over by Safran, which actually is a French government-owned consortium, dealing with defence contracts. “All this information has been kept hidden from the Indian people and this gives rise to suspicion. What this government is doing constitutes a potential threat to our national security. We are handing over all our information to foreign agencies on a platter. This is the largest database ever and only fools can do it,” Thomas said.


The fact that this humongous database is prone to errors and hence constitutes a grave risk to not only individuals but also to the country has been proven mathematically by Dr Hans Mathew, whose mathematical calculations prove that at current population figures, one in every 121 persons will have his biometric identifiers matching with another person. Such cases are described as duplicands, and in the case of Aadhaar there will be an extremely high number of duplicands. Hence “the unique identification number” provided to individual identifiers cannot be unique. The paper, which was published in the February 27, 2016, issue of Economic & Political Weekly, said the formula (simple differential calculus) used by Hans Mathew was the same as the one used by UIDAI in the early stages of its data collection. Mathew, who does mathematical and statistical modelling at the Centre for Internet and Society, Bengaluru, inferred that such a high number of duplicands meant the programme was bound to fail to uniquely identify individuals.

Issues relating to privacy are even more worrying. The technology involved in biometrics is such that a person can be identified even when he does not want to. This increases one’s vulnerability. According to Sunil Abraham, executive director, the Centre for Internet and Society, the government should have opted for a smart card instead of biometric identification because in a smart card operation, the individual’s consent is built in, while with biometrics even a dead or unconscious person can be identified, increasing the potential for misuse.

According to Chinmayi Arun, executive director of Centre for Communication Governance, National Law University Delhi, in a country like India where the government holds the view that citizens have no right to privacy (Attorney General Mukul Rohatgi said this in the Supreme Court), such pervasive surveillance will give rise to a police state because the act provides for no safeguards to citizens in case there is a breach of privacy. There is no external oversight agency to monitor the functioning of the UIDAI and there is no mechanism available to citizens if a breach of privacy happens. In case of breach of privacy, the UIDAI has to initiate action, which, ironically, puts it in a conflict of interest position.

Without ensuring a citizen’s right to privacy, it is difficult to understand how other fundamental rights can be guaranteed at all. Is the government willing to compromise the very tenets of democracy for the sake of Aadhaar?

This article is closed for comments.
Please Email the Editor