I Have Nothing to Hide

by Salil Parekh

India’s national digital biometric identity system, the Aadhaar was introduced in 2009 by the UIDAI (Unique Identification Authority of India). The Aadhaar is a 12-digit unique identity number, which contains demographic and biometric data of the holder. Manifested in the form of a printed card which contains the holder’s basic information, the Aadhaar number, and a QR code make it easily accessible to an electronic terminal. The intent of the Aadhaar was to create a single unique identifier which the holder could use to confirm their identity to avail of services, instead of having to rely on a bevy of identification documents such as birth certificates and utility bills, amongst others. It is required to access government welfare schemes, such as unemployment benefits, distribution of subsidised LPG (Liquefied petroleum gas), and the MNREGA (Mahatma Gandhi National Rural Employment Guarantee Act) which guarantees at least 100 days of wage employment in a financial year. Private companies started to use Aadhaar as proof of identity, since it was quicker to do so as compared to verifying multiple documents. The Aadhaar API enabled easy identification using a fingerprint scanner to match biometric data. State governments also started mandating the use of Aadhaar to avail of various government services.

The implementation of Aadhaar was not without its challenges. Many found it difficult to obtain an Aadhaar ID, either due to technical difficulties associated with the biometric scanners, or the lack of certain identification documents. There were widespread issues reported while registering for an Aadhaar ID, with many holders having incorrect information recorded, having to pay bribes to register, failure in authentication, amongst many others. In many cases, the lack of an Aadhaar ID led to the inability of many to access crucial government welfare schemes and rations. The exclusion of citizens from welfare schemes due to the lack of an Aadhaar ID led the Supreme Court to issue an interim order in 2013, which stipulated that the government cannot deny a service to a resident who does not possess Aadhaar, as it is voluntary and not mandatory. However, in 2016, the BJP majority led government passed the Aadhaar Bill, which mandated the use of Aadhaar to access government subsidies. Soon, the Aadhaar was mandatory for mobile connections, opening bank accounts, availing of LPG subsidies, scholarships and higher education fellowships, crop insurance, income tax returns, vehicle registrations, death certificates, post office deposits, rations, and for any transactions over Rs. 50,000. In a 2018 judgment, the Supreme Court stated that the Aadhaar is not mandatory for opening bank accounts, getting a mobile number, or being admitted to a school.

Aadhar continued to be plagued by issues, with a reporter from The Tribune having successfully bought credentials to access the Aadhaar database for ₹ 5001. However, the UIDAI dismissed the report, and insisted on the security of the database and the system, and even filed an FIR (First Information Report) against The Tribune2. A Twitter user with the handle, @fs0c131y investigated the official Aadhaar app called mAadhaar, on Android and found a security flaw which could allow malicious entities to steal the users Aadhaar data3.

The Supreme Court judgement from 2018 is particularly interesting, as it stated that the right to privacy cannot be impinged without a just, fair and reasonable law. For starters, the ruling disallowed the use of Aadhaar by private entities for establishing the identity of the individual. The ruling also clarified a proportionality test, which was required in order for the mandatory linking of Aadhaar to any services. The proportionality test has four conditions. There must be a Legitimate Goal, a Rational Connection (suitable means of furthering the goal), a Necessity (There must not be any less but equally effective alternative), and a Balancing (It must not have a disproportionate impact on the right holder). This was a landmark ruling, which was important in checking the rampant use of Aadhaar.

The intention with Aadhaar was to create a single identification system, in order to simplify the distribution of government welfare and subsidies. An explicit aim of Aadhar was to make the PDS (Public Distribution System)-the mainstay of India’s food programs-more efficient and easily accessible to beneficiaries. In 2011, the United Progressive Alliance led government conducted India’s first caste-based census since 1931. Called the Socio-Economic Caste Census (SECC-2011), it was a study of socio-economic status of rural and urban households which collected data on caste and income of every Indian citizen and was coordinated by the Ministry of Rural Development of India. The study was conducted in order to get a more nuanced understanding of poverty and identification of beneficiaries of social welfare schemes. In 2017, the Central Government used the findings of the SECC as the main instrument of identifying beneficiaries, instead of the poverty line. This helped the government rollout schemes which focussed on indicators other than family income, such as assistance for building houses, pensions, skill training, providing business loans, amongst others.

In 2015, The Ministry of Rural Development (MoRD) of India proposed the creation of a continuously updating social registry to augment the existing SECC-2011 data with the intention of identifying beneficiaries eligible for government welfare schemes. Detailed in an investigative report by Huffpost India in 20204, this would allow the government to identify eligible citizens far quicker as compared to waiting for another census to update their registry. Additionally, this would also identify citizens no longer eligible, thus making the welfare distribution system far more efficient. The benefits of such a system would especially be noticeable in the event of a crisis, such as a natural disaster, or a pandemic. A continuously updating registry would also enable the tracking of beneficiaries across rural and urban areas, and disburse the corresponding welfare as applicable. The proposal suggested the creation of a centralised database, which relied on Aadhaar linked data to track the eligibility status of every citizen. Subsequently, this proposal has undergone years of development, with various organizations, including the UIDAI, MoRD, and the World Bank working on it. Tentatively called the National Social Registry, it is also known as the Social Registry Information System, and the SECC Social Registry.

The National Social Registry (NSR) will be created using multiple datasets linked by the Aadhaar ID. This will enable the NSR to collect any kind of data attached to an Aadhaar number. This would include information on banking, mobile SIM cards, higher education, scholarships, property, income, employment, and much more. The Huffpost report states that the government intends to have the database operational by 2021. In order to access the Aadhaar linked data without running afoul of the Supreme Court judgement of 2018, UIDAI has suggested amendments to the 2016 Aadhaar Authentication Act, which would bypass the 2018 judgement. In particular, the proposed changes would amend specific regulation concerning using identity information only for the purpose specified during authentication, and the sharing of authentication logs with any other person other than the Aadhaar number holder.

These changes would not only be detrimental to the privacy of the Aadhaar number holder as it enables the sharing of information to third parties whenever the Aadhaar is used for authentication, but also enable the collection of data for the National Social Registry. Consent received by the Aadhaar number holder for one purpose would then be considered consent for other uses, and with other government agencies.

However, it could be argued that the blanket consent wouldn’t pass the proportionality test defined by the Supreme Court in the 2018 ruling. The assumption of consent would contravene the requirement of a Legitimate Goal and the sharing of information wouldn’t meet Rational Connection (suitable means of furthering the goal). Additional changes by government organizations and think tanks propose the addition of the family tree to the database, as well as linkages to birth, death, and marriage registers in order to account for migration. In 2018, Prime Minister Modi approved the proposal to update the SECC, paving the way for creation for the National Social Registry.

The concept of a social registry isn’t a novel one, with many countries around the world having implemented versions of it, with the United States’s Social Security Number being a good example. It is interesting to note however, that the US’s SSN does not contain biometrics, and is generally not shared except for confidential transactions. It is considered to be highly sensitive information and the most protected personally identifying information. The creation of a social registry such as the proposed NSR needs to be counterbalanced with strong personal data protection rights, which gives the citizen informed choice in how their data is used. The NSR is not dissimilar to the Indian Census, however it does not have the legal protection of the census which mandates the confidentiality of those enumerated. In fact, the SECC-2011 also does not have these protections either.

The goal of the NSR is to identify citizens eligible for government welfare schemes, and as such should only contain the appropriate amount of data to meet the goal5. The proposed changes to the Aadhaar Authentication Act also hint at an approach which has little to no regard to the privacy of the Aadhaar card holders. Although it is expected that the government will use the NSR for its intended purpose, it is not yet known whether other government agencies, such as law enforcement will be granted access as well. The proposed changes to Aadhaar Authentication Act which assume blanket consent for any third party government agency to use the data would make it feasible for this to happen. A dataset of this magnitude can also be used in conjunction with machine learning algorithms to profile citizens. Manoranjan Kumar, the then Economic Advisor to the Ministry of Rural Development in 2015, was the author of the note which led to the proposal to create the NSR. He has expressed concern that this database could be misused by the government. In a note obtained by Huffpost India, he proposed increased privacy safeguards for the registry as he was worried about “the policing system and bureaucracy that is not hesitating to show crumbling morality”6.

There certainly is precedent for social registries created for the express purpose of helping to disburse government welfare being used by law enforcement agencies. Telangana conducted the Integrated Household Survey in 2014, which was similar in nature to the SECC-2011, with the intention of collecting nuanced demographic and socio-economic data of every resident of the state. The results of this survey were subsequently used to create a social registry system, without the use of Aadhaar as a single identifier. Called the Samagra Vedika7, it combines data from various databases to create a profile on every citizen. Heavily inspired by the X-Road of Estonia, this system is accessible by law enforcement agencies, in spite of it being created specifically for the purpose of poverty alleviation. In a demo shown to HuffPost India, the Samagra Vedika was able to showcase connections to any given person through family, residential location, and contact information. The system can pull up information on address, phone number, high school and higher secondary exam details, passport and driving licence information and vehicle ownership details for any given citizen. The Principal Secretary of Telangana’s Department of IT claimed that they can track down a person’s digital footprint with 96% accuracy with simply a name. The system did not require the consent of citizens, since it only collates data from existing state records and government agencies, and does not need to collect any fresh data. Since it does not use the Aadhaar, it is exempt from the 2018 Supreme Court ruling on the Aadhaar Act. The Samagra Vedika also uses machine learning algorithms to search through the data and effectively identify a person’s identity. Machine learning algorithms learn from the datasets they use, with the potential of reinforcing existing biases and behaviours.

The lack of transparency around the proposed National Social Registry and the Samagra Vedika is very worrying. It’s only through excellent investigative reporting, and multiple RTI (Right to Information Act) requests by Huffpost India that we are able to know of the existence of such registries and their workings. The asymmetry of power between the state and the citizens is also concerning, with a lack of data protection rights and the poor data security of the government.

The response to these systems is a mixed bag. Scrolling through internet forums like Reddit reveals most people are uncomfortable with the development of the NSR, and even in conversations with friends and peers, the response is mostly negative. However, there are a small number of people who are quite supportive of the NSR and similar systems. A response that I’ve seen across forums, both online and offline, is “I have nothing to hide, so why should it matter to me?” Another common rhetoric I’ve seen is “Unless you are anti-social, why should you be worried?” Citing the Social Security system in the United States, and the benefits it brings, the proponents of an all-encompassing social registry feel that such a system is necessary for progress.

The potential misuse of a social registry by the Indian government may not be immediately apparent, but there is a precedent for large, all-encompassing datasets to be abused. In 2019, a private technology company IT Grids Pvt. Ltd. was found to be in possession of 7,82,21,397 Aadhaar numbers from Telangana in a particular structured format8. This is in addition to 2,00,00,000 Aadhaar numbers from Punjab. The police believe that the data was being used by the company to map voters with beneficiaries of various government schemes and results of surveys conducted by the government. The origin of the data is yet to be determined, but the structure of the dataset is a replica of the format used in the SRDH (State Resident Data Hubs) and CIDR (UIDAI’s Central Identities Data Repository). UIDAI has denied reports of any data breach.

IT Grids is also the developer of the Seva Mitra app, created by the TDP (Telugu Desam Party), the ruling party for its cadres to interact with the party leaders. It is alleged that the cadres used the Aadhaar database to profile voters using an automated IVRS (Interactive Voice Response System), which would ask the Aadhaar card holder a few questions, based on which they created a list of people who weren’t likely to vote for them. The TDP cadres then filed Form 7 (Form 7 is an objection to a name being included in the voter list which can be filed by anyone about anyone else) requests to have them removed from the voter rolls. The matter is still under investigation, and the data recovered from the hard drives raided from IT Grids are still under forensic analysis.

The National Social Registry in it’s proposed form will hold a lot more data about Indian citizens than it requires to efficiently identify eligible candidates for government welfare schemes. The lack of transparency in the creation of this registry, and it’s usage is very concerning as well. An absence of personal data protection rights and the inability for courts to rule on data related matters gives the state disproportionate powers, and this power imbalance must be corrected. The NSR is a powerful tool, and in the hands of law enforcement can be used as a tool of mass surveillance, keeping track of all activities. You may not have anything to hide today, but perhaps in the future your activities, or your identity could make you a target. We’ve seen the targeting of voters in Telangana, and further allegations of the same were seen in Puducherry. The NSR is a tool, but if used with malicious intent can be used as a weapon.


Salil Parekh is a student at The New School. He writes often, but scarcely publishes.

References
1
Dark Connections

The internet is made up of interconnected pieces of data about its users. Every website has trackers installed in it, mostly belonging to Google or Facebook, that keep tabs on the people using it. This data is neither protected or encrypted, often fully accessible to anyone with the means to access it. Though these companies store our data and use it to sell their products to us, they are in no way responsible for it. This entire system is almost always not implicit and shrouded in the background of its utility. This section aims to connect these dots that exist in the dark underbelly of the internet, that we have a vague idea about, but that are not necessarily clear.
Making these connections can make the online experience feel scary and unsafe, but it already is. Although governments and large corporations are often seen as the problem, the truth is that they are far less interested in you or I than someone who knows us personally and has an agenda that involves us. This section shines a light on the dark patterns that enable your data to be collected and potentially mobilized against your interest.

2
Digital Forensics

In order to combat the practice of dark data, one can exploit the loopholes in its architecture. But in order to do this, we need to at least comprehend the full extent of the information that is collected about us. It is now possible for us to demand the data that is collected about us, though this option is not directly obvious to most people. Resources like APIs, Google Takeout, and OSINT tools allow us to conduct small-scale investigations with regards to where our data lives and what data exists about us. This section is a collection of attempts by the authors to gain access to and interpret their own data that exists online.
However, awareness of the data does not guarantee its control. Google may give us a copy of the data that exists about us in its servers through its Google Takeout service; but this does not mean that that we now own this data. Google can still use it however it likes, it has not been deleted from their databases. We are being given only an illusion of control and this is intentional. Digital Forensics can only grant us a window into this massive machine, the machinations of which may still continue to be unclear. This section explores these windows and what they teach us both about ourselves and about the technology that we utilize.

3
Data Futures

What is the future of dark data? People are increasingly aware that information about them is collected online. Governments are making efforts to regulate Big Tech and protect the privacy of citizens. How can we imagine better ways to exist in the system? How can we protect ourselves from its repercussions? This section speculates how dark data is changing as a practice. It discusses ways in which people can take action and re-examine their browsing methods. The ideas discussed here think about how technology can be used to propose solutions to the problem it has created.
It is important to consider that the practice of data collection and exploitation is ongoing. There is no easy way out of these cycles. However, we would like to believe that sparking deliberate thought and action to help you orient yourself in this Wild West landscape can make the process of coming to terms with dark data easier.

4
About

This digital edition was compiled from scholarship, research, and creative practice in spring 2021 to fulfill the requirements for PSAM 5752 Dark Data, a course at Parsons School of Design.

Editors

  • Sarah Nichols
  • Apurv Rayate

Art Directors

  • Nishra Ranpura
  • Pavithra Chandrasekhar

Technology Directors

  • Ege Uz
  • Olivier Brückner

Faculty

  • David Carroll
  • Melanie Crean

Contributors

This site needs no privacy policy because we did not install any tracking code and this site does not store any cookies.