Those enrolling on the UID database have not been informed that their data is to yield profit for the UIDAI, Rs288.15 crore a year and its only investor, the government, does not even own the data. How many in the government are even aware of this investing of ownership in an entity that continues to remain deliberately undefined and opaque

The Unique Identification Authority of India (UIDAI) was set up by an executive notification dated 28 January 2009. As per the notification, the Planning Commission was to be the nodal agency “for providing logistics, planning and budgetary support” and to “provide initial office and IT infrastructure”. As part of its “role and responsibilities”, the UIDAI was to “issue necessary instructions to agencies that undertake creation of databases, to ensure standardisation of data elements that are collected and digitised and enable collation and correlation with UID and its partner databases”. It was to “take necessary steps to ensure collation of the National Population Register (NPR) with the UID”. And, the UIDAI “shall own and operate” the UID database.

In July 2009, Nandan Nilekani was appointed as the chairman of the UIDAI, representing a lateral entry of a person from the private sector into the government, with the rank of a Cabinet minister.

The UID project proceeded without a law, despite the seriousness of privacy and security concerns till, caving in to public pressure, a draft Bill was prepared by the UIDAI in June 2010; and it was not till December 2010, after the project had begun to collect resident data, that this Bill was introduced in Parliament. The Bill stayed close to the framework for corporate control over databases that was later enunciated in the report of Technology Advisory Group on Unique Projects (TAG-UP) of which Mr Nilekani was the chair, and which gave its report in January 2011.

The Bill to give statutory status to the UIDAI was roundly rejected by the Parliamentary Standing Committee on Finance in December 2011. The Parliamentary Committee recommended that both the Bill and the UID project be sent back to the drawing board. There has been no effort since to reintroduce the Bill. Every time the UIDAI is confronted with questions about the legality of its enterprise, its officers assert that the executive order of 28 January 2009 is the legal instrument from which they derive their authority; and that order makes them the ‘owner’ of the database.

In the context of the UID project:

• Residents from whom the data is being collected have not been informed that the government is not the owner of the data, or of the database; nor what the legal status of the ownership by the UIDAI will mean for the citizen/resident;

• the UIDAI set up a Biometrics Standards Committee in September 2009, which gave its report in December 2009. Its report reveals that the UIDAI intended to “create a platform to first collect identity details of residents, and subsequently perform identity authentication services that can be used by government and commercial service providers”;

• the “UIDAI Strategy Overview”, in April 2010, estimated that it would generate Rs288.15 crore annual revenue through address and biometric authentication once it reaches steady state, where authentication services for new mobile connections, PAN cards, gas connections, passports, LIC policies, credit cards, bank accounts, airline check-in, would net this profit. Those enrolling on the UID database have not been informed that their data is to be yield profit for the UIDAI; they were perhaps expected to read up from the UIDAI website.

• as set out in the TAG-UP report, the data we think we are giving to the government is to end up on the database of what will be in the nature of a private company once it reaches steady state. When it is still a start-up, and till it reaches steady state at least, it will be funded by the government. After that, the government, like other commercial service providers, will become the customer of the UIDAI;

• with the UIDAI owning the database, the column in the UIDAI enrolment form for “information sharing consent” acquires a new significance. The UIDAI has all along been claiming that it will only be providing authentication by saying ‘yes’ or ‘no’, and nothing more. But, when the consent to share information is recorded on the database as having been given, the UIDAI may give all data on their database to any “service provider”, a term of wide and undefined import. That is, it is not only authentication services that the UIDAI will provide; through this consent, it is also assuming the authority to make money on the data that it holds, both demographic and biometric. This will provide it one more avenue to find customers, and one more product to market. Mr Nilekani often refers to the UID database as “open architecture”, and avows that a wide array of applications can be built on it;

• the claim that enrolment is voluntary has rung hollow for some time now. For one thing, the UIDAI plainly has no authority to compel anyone to enrol or to use their service. However, the UIDAI has been hard at work urging governments, banks, oil companies and other institutions to adopt the UID, to re-engineer their databases to fit the UID and to seed all their systems with the UID. The push is for ubiquity. The UIDAI has been complicit in the coercion and bullying that is now part of the UID enrolment process, and its silent acquiescence while people are threatened with exclusion from services and benefits if they have not enrolled, for a UID is one dimension of complicity. It is easy to understand why this is happening, for, as critics have observed, the services, and the people, have little to gain from the UID, while the UIDAI finds compulsion an easy way to expand their database;

• the non-existence of a law that says where the liability will lie in the event of identity fraud, or failure of the system of authentication resulting in denial of services, for instance, places the burden on the individual with no responsibility on the UIDAI for the consequences of the failures of fraud;

• while ubiquity of the UID would be a recipe for tracking, profiling, tagging, converging of databases and result in violations of privacy in which ways that could threaten personal security, this would become a mere incidence of the business, leaving the resident/citizen unprotected;

• the 2009 notification that set up the UIDAI says that the UIDAI is to “take necessary steps to ensure collation of the NPR (National Population Register) with the UID”. Registering in the NPR is compulsory under the Citizenship Act and the Citizenship Rules of 2003. Although biometrics is not within the mandate of the NPR, they have also been collected in the process of building up the NPR database. Therefore, the data mandated to be given to the NPR is being handed over to the UIDAI to be ‘owned’ by the UIDAI!

I wonder how many in government are even aware of this investing of ownership in an entity that continues to remain deliberately undefined and opaque.

References

• • Notification No. A-43011/02/2009-Admn.I dated 28 January, 2009 published in Part I, section 2 of the Gazette of India
• • UIDAI Strategy Overview: Creating a Unique Identity Number for Every Resident in India, UIDAI, Planning Commission, GoI, April 2010
• • Standing Committee on Finance (2011-12), National Identification Authority of India Bill 2010, Forty-second Report, Lok Sabha Secretariat, December 2011
• • Report of the Technology Advisory Group for Unique Projects, Ministry of Finance, January 31, 2011
• • Biometrics Design Standards for UID Applications, prepared by the UIDAI Committee on Biometrics, December 2009.
  
  Read Part I of the series over here:Aadhaar: Private ownership of UID data- Part I

(Dr Usha Ramanathan is an independent law researcher and has been critically following the policy and practices of the UIDAI since 2009)