India has forged new ground in digital infrastructure with its IndiaStack[1] initiative and Aadhaar, the biometric identity system at its core. Aadhaar is the largest state-sponsored digital identity system in the world. With over 1.1 billion Indian residents enrolled, it is transforming the world’s second most populous nation from an underdeveloped state into an advanced digital society. It isn’t perfect, but its successes and failures offer important lessons in the opportunities and the pitfalls of national identity systems.
Architecturally, Aadhaar is a voluntary, biometric-based identity proofing layer upon which additional services can be built. By design, it is as minimal as possible, enabling a single function: state-endorsed biometric authentication of individual Indian residents. It is one of five core IndiaStack[1] applications, which together provide foundational digital services throughout India. The other four are:
eKYC – Digitize your KYC (Know Your Customer for bank account creation).
UPI – Transfer money between bank accounts in India.
Digilocker – Retrieve, Store & Share verified digital documents.
eSign – Sign any document electronically.
In addition to these government provided applications, registered companies can build apps on top of IndiaStack. In the words of its chief architect:
Large scale social problems require “unbundling of the problem” and creation of “shared digital infra” as “public good” on top of which “innovative solutions” can be “assembled” to meet diverse contextual needs. – Pramod Varma, Chief Architect, Aadhaar
At the 2017 ID2020[2] summit, Pramod Varma put it this way: Aadhaar provides robust de-duplication so services can know definitively that people aren’t lying about their identity, such as filing double claims for benefits or other advantages. A set of open APIs, IndiaStack provides “digital infrastructure platforms as public good to allow solutions to be assembled by the ecosystem.” In other words, the five IndiaStack services are a public good that enables applications that better serve the people of India.
Aadhaar’s separation of identity from the services which depend on it is a profound shift towards a human-centered Internet. No longer is an individual’s identity tracked on an ad-hoc basis by private, corporate interests like Google and Facebook. Instead, identity proofing is provided as a fundamental utility of the state, just like roads, water, and the courts. Or a passport.
Many contend the opposite: that the functional result of a system like Aadhaar is the subjugation of the individual to the state. That by creating a national system to track everyone’s digital actions, India has, in fact, reduced the humanity of its residents to mere digital ones and zeros. While traveling abroad may deserve additional credentialing, like passports, makes sense, within one’s own country, a free state has no legitimate cause for persistent tracking of individuals’ digital transactions.
In short, Aadhaar is at least as controversial as it is enabling. To understand the conversation about Aadhaar, let’s examine it through the lens of Functional Identity, introduced in my two previous articles. Speaking of Identity[3] and How Identity Can Enable A People-Centered Internet [4].
The experience
It starts with enrollment.
Individuals in India establish an Aadhaar number by visiting a registrar or enrolling agency. Enrollees provide proof of identity and address through documentation, assertion by a head of family, or specially authorized “Introducers”. Biometrics are captured by certified devices: retina scan and fingerprints. Individual’s demographics are also recorded: name, birthdate, physical address, and an optional mobile number or email address. These are associated in a central government database with a unique identifier, the enrollee’s new 12 digit Aadhaar number.
When individuals use Aadhaar for authentication to various services, they provide their Aadhaar number and at least two of three authentication mechanisms (biometrics, demographics, and a One Time PIN sent by email or mobile). This request is encrypted and sent to a central verification service, which returns a simple Yes or No, indicating successful authentication or not. Services are then provided or denied.
Let’s put this in terms of Functional Identity.
Here are the nouns and verbs of Functional Identity in Aadhaar:
The nouns
SUBJECTS | Individuals in India, both citizens and otherwise. |
IDENTIFIERS | Unique, 12 digit Aadhaar numbers are created in the centralized Aadhaar database for each enrolled individual. |
ATTRIBUTES | Biometric templates (retina, fingerprint), demographic data (name, date of birth, address, gender), and optional contact info (email or mobile). Plus, any attributes stored by service providers and associated with an individual’s Aadhaar number. While these are not within the Aadhaar system, they are a functional part of the identity enabled by Aadhaar. |
RAW DATA | Sensor readings from authentication devices. Meta-data associated with each authentication request: timestamp, source of authentication request, etc. |
DERIVED ATTRIBUTES | The only derived attributes I discovered are One Time PINs which can be sent to the registered email or mobile number for immediate use at the point of authentication. Please email me if you know of any Aadhaar analytics creating new attributes based on raw data and attributes. |
The verbs
ACQUIRE | Attributes are acquired at enrollment, which takes place at authorized enrollment centers, some of which are privately owned and operated. Biometric scans and demographics are acquired at the point of authentication throughout active use of the system. |
CORRELATE | Biometric and demographic attributes are correlated with the Aadhaar number during enrollment. At the point of authentication, at least two of the following three are submitted to a centralized registry for verification:
On a successful match, the individual is correlated with their Aadhaar number. Services relying on Aadhaar correlate the physical person and their own records with that identifier. |
APPLY | Based on the internal records associated with a given Aadhaar number, various services may be provided or denied. For example, the national welfare system uses Aadhaar to ensure no one is paid twice for the same welfare benefit. Services may also accumulate records that can be securely and reliably associated with the authenticated individual, restricting future access to that individual or someone with their explicit consent. |
REASON | At the point of authentication, the central verification service analyzes the sensor data, demographics, and One Time PIN to find a matching profile. Presumably anomaly detection monitors authentication requests to help detect possible cyberattacks. Other data mining may occur, but legally it needs to face the test of national security. Details of any such mining are not public at this time. |
SECURE | Data is secured by cryptography, process, and regulation. Resident data and raw biometrics are always kept encrypted, even within registry data centers. Individuals can freeze their Aadhaar number so nobody can use it, even them. By law the biometric and demographic data used for authentication cannot be stored. In practice, not all systems adhere to the requirements. |
The controversy
Aadhaar is a transformative experiment, designed to leapfrog India’s infrastructure from an underfunded, underdeveloped bureaucracy struggling to reach all of its citizens to an efficient digital society where cost-effective electronic services can be reliably provided more quickly, more broadly, and with greater impact at lower cost and waste.
At the same time, the open approach raises fundamental questions about privacy in a digital world. As “voluntary” use of Aadhaar for services effectively becomes mandatory due to the hassle of alternatives, IndiaStack becomes a compulsory architecture of surveillance covering nearly all digital life, requiring neither probable cause nor search warrants. As IndiaStack enables even more services and touches on even more aspects of individuals’ lives, the surveillance coverage and privacy risks only increase. Shouldn’t it be possible for a person to buy a cup of coffee without the government knowing about it? Is it really appropriate to embed government tracking into the majority of transactions in an Indian person’s life?
Several court cases have charged Aadhaar, IndiaStack, and related services with violating the rights of Indians to “life and liberty” as protected under Article 21 of the Indian constitution. In August of this year (2017), the Indian Supreme Court ruled that privacy is more than just a common law right, subject to legislative override. Rather, it is a fundamental right that cannot be denied without appropriate cause and due process.
“The State must ensure that information is not used without the consent of users and that it is used for the purpose and to the extent it was disclosed,” said Justice S K Kaul. He added that … “automated processing of personal data… to analyse or predict… performance at work, economic situation, health, personal preferences… can result in discrimination based on religion, ethnicity and caste.”
Justice Chandrachud ruled that creating regimes for data protection “requires a careful and sensitive balance between individual interests and legitimate concerns of the state”. [5]
The court’s ruling sends several cases back to lower courts for judgment in light of a more stringent constitutional, rather than common law, test of legality.
The controversy is far from settled. As the details are considered, the benefits must be weighed against the harms. Ultimately, India must decide whether the good outweighs the bad as well as what can and should be done to reduce those harms without losing this promising new digital infrastructure.
In my next column, I’ll dive into that debate: The benefits and the harms, the options for improvement and lessons learned.
It’s clear that Aadhaar is an unprecedented success by many measures. The rest of the world has much to learn from both its victories and its failures. Perhaps, through Aadhaar, we can better understand the true opportunity for a people-centered Internet.
This article also appears here.
References
[1] The IndiaStack website. http://indiastack.org
[2] ID2020 http://id2020summit.org
[3] Joe Andrieu, “Speaking of Identity”
[4] Joe Andrieu, “How Identity Can Enable A People-Centered Internet”
[5] Kaushik, Krishin, “Right to Privacy: After Supreme Court judgment, all eyes now on Aadhaar case” The Indian Express. August 25, 2017. Accessed online October 17, 2017, http://indianexpress.com/article/india/right-to-privacy-verdict-what-next-all-eyes-now-on-aadhaar-case-4812352/
In all honesty, a number of people don’t like it. They are being bullied into connecting this with their pan cards and giving the government the ability to watch nearly everything they do. It’s a bit too big brotherish for me.