India 's UID And The Fantasy Of Dataveillance
By Binu Karunakaran
24 August, 2009
The perils of establishing nationwide identity systems have always been a hot topic of debate in countries that attach great value to privacy and human rights of its citizens. Plans to launch national ID cards have met with stiff opposition in UK , which announced the final design of its card in end of July 2009. The United States Senate too is getting ready to debate the PASS ID bill, a renamed version of George Bush regime's REAL ID that will bring in a national ID through the backdoor.
Compare this with the scenario in India where the UPA government is pushing ahead with a national ID program through the Unique Identity Development Authority of India (UIDAI), a body created blatantly bypassing the authority of parliament. And there is not even a whimper of protest from civil society groups or politicians. The government presumably does not want to lose time on creating consensus or engage in a national debate on a project which has irrevocable implications on data security and privacy of individuals. The government knows that no questions on its limit of stupidity will be raised because the whole business has been outsourced to a CEO with brand equity called Nandan Nilekani. Now we hear that the illegitimate UIDAI will be made legitimate by an Act of Parliament - that loud thumping of desks drowned by the blabbering of many tongues.
According to one estimate Rs. 150,000 Crore (US$ 30.9 bn) of taxpayers' money will flow out into the gargantuan task of making our lives similar to that of aquarium fish and no less secure. Imagine that kind of money and political will power going into healthcare and sanitation or basic education and poverty alleviation.
Show me your UID?
If media reports can be believed there won't be any human-readable intelligence loaded into the UID . It will be a random generated number (no physical card) that citizens can quote in dealings with government authorities, banking/taxation transactions or while interacting with e-governance applications. That would mean that personal information will exist only in a database and need to be paired with the UID when the situation demands. A unique number that will subsume our multiple and divisive identities, the mark of the perpetually wired beast
Some reports indicate having a UID might not be mandatory at all. But chances are that even if the UID is made voluntary the large inconveniences of non-participation will make it effectively mandatory.
The draft report on Personal Identification Codification (PIC) released by the Expert Committee on Metadata sheds some light on the data elements that would be stored in the database of the national identity system. The report says the objective of the PIC is to identify each and every person uniquely at the national level to ensure interoperability of information related to individuals collected by various govt/non government organisations. This throws up several questions: Will the government be the only authority which can use or request the UID? What information in those databases will be linked explicitly to other databases? Who has the authority to create this linkages and who all can access this information? Would the people who use the UID for various transactions be informed of the algorithms used to analyse their data. Will the data collected stored forever? Article 20, clause 3 of the Indian constitution states that " No person accused of any offence shall be compelled to be a witness against himself ." Will data records generated by the UID be used against the accused in a court of law? There is not much clarity on this as the confidentiality level of data elements (open to all, open only to security agencies/NGOs) are yet to be finalised.
But the security agencies will definitely have a say on this. They would be specifically interested in Data mining, a process that involves the use of mathematical analytical tools to detect patterns in large sets of data with the purpose of predicting certain kinds of behaviour, such as the propensity to engage in criminal activity or to purchase particular consumer goods. They would also be looking at data matching - the technique of comparing different databases so as to identify common features or trends in the data.
Oxford dictionary defines Function Creep as the way in which information that has been collected for one limited purpose, is gradually allowed to be used for other purposes which people may not approve of: The Social Security Numbers (SSNs) in the US, initially designed as only for administering social security benefits are now a common element in public and private sector databases, allowing for easy sharing and correlation of disparate records. In India the electoral ID cards currently fulfill a similar role. UIDs in the future might become mandatory when you apply for a cell phone connection, book an airline ticket or make a hotel reservation. The existence of common cross-references will make it easy for anyone setting out to create linkages between different sets of information that exists in a database.
How personal is your mobile number?
An alarming feature of the UID, if the PIC document is to believed is the proposal to include mobile phone and landline numbers as a data element for identification. Most telephone companies and ISPs store records of customers' telephone calls and it is now easy to map movements of a cell phone user by reading the way it locks with towers. A plan to centralise communications data in a government database will make it amenable for datamining for unusual patterns of behaviour. More than terrorists, in a country like India where the security agencies are known to toe the ruling party line, such facilities would be used to target political adversaries. More such hair-rising ideas are being researched by the government including conversion of Unique Identity Number (UID) into your very personal mobile number.
In the words of C-DOT Executive Director P.V. Acharya: "What we have thought is why not have one unique number associated with the person like the social security number in US or the UID. So that unique number we can use for the purpose of mobile communications also."
There are other worrying factors in the Personal Identification Codification like the inclusion of occupation and suffix (titles) code that speaks of a built-in class bias. The document envisages unique codes for all citizens - legislators to senior officials, corporate managers to office clerks and farm labourers to technicians. The suffix code according to the report will be used to identify titles bestowed by the state - Bharat Ratna, Padam Vibhushan, IAS and IFS. What could be the need for including census data relating to your status in society as an identification element? Will not this give rise to a situation where citizens will be discriminated against. How would an ordinary traffic policeman searching your ID papers in a highway react when he comes to know that you are an IAS official?
Annoyingly the PIC report depends on dubious online sources for defining its metadata elements - blogs and online dictionaries. For eg: Finger Print is defined by a definition copy pasted from an obscure website ppsblogs.net/crimescene/files/2007/06/forensics-terms.doc . I am not implying that the given definition is any way incorrect. Only that the task assigned to them deserves a bit more seriousness than a high school home assignment.
Identity, security and privacy are terms that represents highly complicated, nuanced and deeply philosophic issues. The UID project itself deals with digital sovereignty of India and the privacy and dignity of its citizens. The project now certain to be linked to India 's multi-billion dollar e-governance program should also be viewed in the context of ongoing tussle between votaries of 'multiple-standards' (read proprietary software) and 'single standard'(read open source).
Pressure is on the government from the IT industry lobby to go in for 'reasonable and Non Discriminatory ( RAND )' terms and multiple standards. If accepted this will lead to multiple, proprietary standards. In a meeting held in June 2009 Nasscom pleaded the case of 'multiple' standards, while the Department of Information Technology (DIT), was of the view that 'complete interoperability could possibly be achieved only through single standard.' But statement made by the DIT secretary during the meeting also hints at a possibility of ensuring interoperability through multiple standards in consultation with Industry.'
Database state and the right to Information Self-determination
In 2006 a Congress MP from Maharashtra Vijay J. Darda introduced an obscure piece of legislation in the Rajya Sabha. Though limited in scope and feeble in approach, The Personal Data Protection Bill, 2006 was an attempt to engage some of the dangers posed by the modern database state. The bill seminal in many ways is still gathering dust tucked deep inside the file of still pending bills in Rajya Sabha. One of the sections of the Bill read: The personal data of any person collected by an organization whether government or private, shall not be disclosed to any other organization for the purposes of direct marketing or for any commercial gain. The personal data could be disclosed to voluntary or charity organizations only after obtaining prior consent of the person.
Such a clause would have defeated the very purpose of data protection bill because a very thin line separates the modern NGOs from Corporate houses. The distinction between public sector and private databases are now increasingly blurred. We are also living at a time when services are increasingly being provided through public-private partnerships and joint ventures.
The newly amended IT Act has some provisions that deals with data protection but it is not clear if they can tackle issues of privacy thrown up by the sensitive nature of personal information coded in an Unique ID that can be mapped or mashed up in the realm of cyberspace. The section 43A states that if a “body corporate” possessing, dealing or handling any “sensitive personal data or information” in a computer resource which it owns, controls or operates is negligent in implementing and maintaining “reasonable security practices and procedures”, and thereby causes wrongful loss or wrongful gain to any person, this "body corporate" will become liable to pay damages as compensation to the affected person.
Vijay Darda's Bill for the first time in India was talking about the right of an individual to decide on what information about self should be communicated to others and under what circumstances. The right of Informational Self-determination is considered crucial with regard to the protection of privacy of an individual in the age of internet and real-time updated computer databases which makes total surveillance possible.
The term was first used in the context of a German constitutional ruling relating to personal information collected during the 1983 census. The German Federal Constitutional Court ruled: “[...] in the context of modern data processing, the protection of the individual against unlimited collection, storage, use and disclosure of his/her personal data is encompassed by the general personal rights of the [German Constitution]. This basic right warrants in this respect the capacity of the individual to determine in principle the disclosure and use of his/her personal data. Limitations to this informational self-determination are allowed only in case of overriding public interest. ”
A 2009 report commissioned by the Joseph Rowntree Reform Trust Ltd on the perils of the British Database State analysed 46 UK government databases and found that only six of them have a proper legal basis for any privacy intrusions and are proportionate and necessary in a democratic society. It found that nearly twelve of them are illegal under human rights and data protection law and should be scrapped or substantially redesigned. The remaining 29 databases were recommended for an independent review because of significant privacy concerns.
It would be an absolute misadventure on part of India , which lacks even basic legislation to protect the personal data of its citizens, and a climate for informed debate on the ethical and moral implications of the UID project to play into the hands of a few dataveillance fantasists.