First Person

The Aadhaar Act: Why You Should Panic

Let’s start with some news reports!

“This bill deals with one primary focus and that is: Whoever gets benefit from the Consolidated Fund of India, either state government or the Centre and other institutions — the person is entitled to have an Aadhaar card.”

~ Finance Minister Arun Jaitley, during the Aadhaar Bill debate in Lok Sabha on March 11, 2016

May 26, 2016: Samsung expects to score over rivals by being the preferred device maker for delivering government services with its iris scanner-equipped tablets for Aadhaar authentication.

May 31, 2016: Microsoft’s plan to link its video calling service Skype with the Aadhar database for making authenticated calls with government institutions and others is expected to move further.

June 14, 2016: The Shivmogga Zilla Panchayat has introduced Aadhaar enabled biometric attendance system (AEBAS) in government high schools across the district. Under AEBAS, the teachers should register with ktzpshivamogga.attendance.gov.in, the webportal of the Zilla Panchayat formed to monitor the attendance.

June 14, 2016: You might soon require an Aadhaar card to file police complaints in Maharashtra.

June 16, 2016: B Reddy, a resident of Parsigutta, who went for transfer of ownership of an auto, had to return home as he did not have his Aadhaar card. Aadhaar was made compulsory by Telangana transport department for various services.

September 12, 2016: The Indian Railway Catering and Tourism Corporation (IRCTC) has set 2016-end as its target to launch Aadhaar-linked ticketing services to increase transparency in bookings.

September 12, 2016: Ecommerce company Paytm has launched an electronic, Aadhaar-based client-authentication system that will help upgrade its digital wallet customers to account holders of its upcoming payment bank

September 22, 2016: Instead of using the registration forms, Reliance Jio stores are handing out SIM cards using the Aadhaar-based registration process and if a consumer doesn’t have an Aadhaar card, he or she is out of luck.

September 23, 2016:  Chandigarh Housing Board has decided to link all housing board properties with the Aadhaar numbers of the allottees.

Today: The Government be like:

via GIPHY

The Government has been going gung-ho recently about rolling out the Aadhaar card and its uses. In October 2015, the Supreme Court had told them that Aadhaar card cannot be made mandatory for any service. Ever since the Bill got passed in Budget session last year, the government just went ahead and did it anyway (as demonstrated above). Last week, the Supreme Court again reminded the government that they just cannot do this.

Looking at the way things are going, good taxpaying people like me will have to register for Aadhaar in order to interact with my own government for pretty much anything.  I don’t have an Aadhaar card and I don’t intend to get one either. Why?

Because I’ve read the Aadhaar Act and it has *so many loopholes*!

Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016

So I read the whole bill and I thought it’s important for everyone to understand what the Aadhaar Act, which was passed on March 16, 2016 & notified on September 12, 2016, entails and what are the flaws.

The bill is important because this might be the biggest experiment of social engineering we are embarking on as a country. I will try to concentrate on the policy part of it and not the privacy aspect of Aadhaar. That will be an ethical debate which you can go right ahead and have on Twitter (Let’s do this!). I would love to hear your thoughts on it.

I will not do a clause by clause analysis, but highlight the clauses wherever necessary, in case you want to cross-check and find context.

Introduction of the bill

If you want to read the bill yourself, it can be found here.

The introduction of this bill in Lok Sabha was a little unconventional from the norm. It was passed as a money bill. Technically, a bill itself cannot be presented as a money bill, but the speaker can give a certification to say if it’s a money bill or not.

What is a money bill and why all this brouhaha?

This. Pliss to scroll to the bottom.

Bills which exclusively contain provisions for imposition and abolition of taxes, for appropriation of moneys out of the Consolidated Fund, etc., are certified as Money Bills. Money Bills can be introduced only in Lok SabhaRajya Sabha cannot make amendments in a Money Bill passed by Lok Sabha and transmitted to it.

I have kept that portion bold because I have a feeling that the Government was in a hurry to pass this bill and didn’t want Rajya Sabha to stall it. The upper house has proved to be an absolute pain for the present government and has stalled a lot of their reforms. This might be a way for the National Democratic Alliance government to get it through in a hurry. It was done on a Friday. Remember “Take out the Trash” day?

Understandable.

Sort of.

Depending on which side you are on.

via GIPHY

So is it a money bill then?

I would say, no. What this bill is trying to do is create a system to manage subsidies. It has nothing to do with the subsidy moneys itself. If we see other legislation, a lot of them draw from the Consolidated Fund of India. So why is this bill special? If this bill is indeed a money bill, it might also mean that a lot of bills in the future might also be certified so. Methinks that is dangerous.

Explain the process of how Aadhaar cards will be used. Briefly pliss.

This can get a little complicated so bear with me.

There are three elements to this:

1) Unique Identification Authority of India

The Government is going to create an independent authority called Unique Identification Authority of India (UIAI). In the bill (Chapter 4), it is defined as an independent company with its own seal and identity. The peeps employed by this Authority will be deemed to be Government employees (Clause 49).

So, erm… not really independent from Government control.

2) Central Identities Data Repository

UAIA in turn is going to be responsible for creating and managing a Central Identities Data Repository (CIDR). It’s going to be a protected black box where sensitive biometric information of Aadhaar card holders will be stored. It will be well-protected and there are heavy fines and penalties for anyone who tampers with the data inside (Chapters VI and VII).

Sidenote: The penalties are quite heavy and seem effective.

3) Authentication

People who want subsidies will be authenticated by their Aadhaar Card before they get the money.

If, say, a farmer wants subsidy money, he/she will present his card. The guy/gal responsible for disbursal of the amount will scan the barcode. This information will be relayed to the CIDR mainframe and verified. The person who is verifying it will get a simple ‘Yes/No’ answer. So, basically, it would be like a credit card swiping system where only authentication is done and nothing else.

So the CIDR is protected, the Aadhaar will be used for Authentication only and UIAI is an independent authority (sort of). That sounds like a good move to me!

Yes. The idea is good. But we need to differentiate between the intent and the implementation. It is indeed a well thought out process but the bill has flaws.

Read the Aadhaar Act and you will reach the point where they define “biometric data”, put in a “national security” clause and basically leave it open for modification through simple notifications for a period of three years (Hint: We all know what is happening in 2019).

Tell me about the ‘Biometric Information’ and how it’s defined in the Act

I urge you, just this once for the sake of full dramatic effect, go to the bill. Page 2, Clause 2, sub clause (g).

(g) “biometric information” means photograph, finger print, Iris scan, or other such biological attributes of an individual as may be specified by regulations
via GIPHY

This definition is super vague. They have also said that these “biological attributes” will be specified by regulations. Biometric Information, in the future, might even include DNA. I’m not messing around – the Finance Minister admitted this in Parliament (Page 172):

By leaving the definition so open ended, they have kept a provision to include other ethically unacceptable biometric information. Even medical information and organ scans can be included.

Does anyone in Parliament read regulations? Nope.
Does anyone oppose those regulations? Nope.

Again, remember “Take out the Trash Day”?

Deep breath. Now tell me about the National Security clause.

Pretty much everywhere in the bill, you get the impression that the information in the CIDR is well protected and there are enough penalties in place to prevent mischief. Clause 28 talks about “security and confidentiality” (good only). Clause 29 talks about “restriction on sharing information” (again, good only).

Then comes along Clause 33 (2) which pretty much negates both those clauses in case of situations of National Security.

Nothing contained in sub-section (2) or sub-section (5) of section 28 and clause (b) of sub-section (1), sub-section (2) or sub-section (3) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government.

I don’t know about you, but I get really worried when I see the words “national security” these days. Just like our sedition laws, national security can be interpreted in a number of ways in any given situation. Leaving a clause like this lying around is dangerous IMHO.

Alright. Hyperventilating now. Third point about changing the bill through notification?

For that we take a wonderful journey all the way to Clause 58 on Page 17, to the very end of the oh-so-complicated-and-well-worded bill.

(1) If any difficulty arises in giving effect to the provisions of this Act, the Central Government may, by order, published in the Official Gazette, make such provisions not inconsistent with the provisions of this Acts may appear to be necessary for removing the difficulty: Provided that no such order shall be made under this section after the expiry of three years from the commencement of this Act.

I don’t get it. This clause basically puts in a ‘lockdown’ provision. Before that comes into effect, they can make changes in the bill through notification in the Gazette. Basically, bureaucrats will have a free reign over what this bill will do after it is passed by Parliament.

Important Koschans:

If you are drafting a bill that is so important, why don’t you make it watertight?

Why is there this clause in the end which allows the Central Government to make changes through an order and, after they have done that, present it to the Parliament? It should be the other way round: First Parliament, then the Executive.

Why is there a lockdown of this provision after three years?
Is there a rationale for keeping the year 2019 as a finish line to make changes and “remove difficulties”?

Conclusion

The concept of Aadhaar appears to be good. In Utopia.

It will reduce on ground corruption and bring transparency. But after going through this Act, I am a little worried about how this system can be misused by our dear politicians and bureaucrats. I just don’t trust the people who will handle this system. They are known to be incompetent in matters related to technology.

Personally, I don’t want to end up in a state where I have to forcefully make an Aadhaar card, give my very sensitive biometric information to a government (ANY GOVERNMENT) and then be used as a lab rat for some massive social engineering experiment.

Feel free to tell me my paranoia is over-exaggerated and for no good reason. But then:

via GIPHY