India’s digital identity platform obfuscates privacy concerns again
India’s controversial digital identity system, Aadhaar, is in the process of rolling out Virtual Identity Aadhaar (VID) in an effort to assuage privacy concerns, as referenced in the first circular put out on January 8. Before delving into the specifics, what exactly are those privacy concerns? It is important to know what they are in order to evaluate the VID solution and how it assuages those concerns.
Why is an Aadhaar number sensitive, unlike a driver’s license number or a voter ID card number? Because it is used for authentication to avail services, while other ID numbers are not. Hence its leakage compromises both the privacy and the security of the resident. Further, the ubiquitous seeding of the same number across multiple databases allows states and private parties to create a 360-degree profile of an individual, as argued in the Supreme Court case on Aadhaar.
The Unique Identification Authority of India (UIDAI), however, has denied that these concerns exist, even in theory. It has argued this in the Supreme Court. But, paradoxically, it is now attempting to fix these concerns, which proves that they do in fact exist.
Entities that have Aadhaar data
The circular by UIDAI divides the authentication user agencies into global and local AUAs and mandates that local AUAs must use VIDs henceforth. Further, another circular classified telecoms, payment banks, wallets, insurers, digital lockers and eSign providers as local AUAs (should use VIDs) and everyone else as global AUAs (can use Universal IDs or VIDs).
There are a total of 326 e-KYC (electronic know-your-customer) user agencies (KUAs) and 254 AUAs that have access to Aadhaar numbers. The UIDAI has further indicated in a Right to Information (RTI) reply to GoNews that it does not know or won’t tell if there are other entities that have access to Aadhaar numbers. The leak list maintained on the Medianama site lends credence to the view that the authority does not know who else apart from these entities has access to the Aadhaar numbers.
If the authority does not even know the entities that have Aadhaar data in their database, how can it ensure their deletion and move toward VIDs?
It is also very unclear, for entities that have Aadhaar data and over which the authority has notional jurisdiction (for instance states and AUAs), what data they hold, what they should alter or delete, and how. For instance, the Department of Telecommunications in a circular to telecom companies instructed them to replace the Aadhaar numbers with UID tokens, without outlining how this process would be achieved.
Consider the plight of telecom subscribers who have already linked their Aadhaar number to their mobile-phone accounts. Will they now be forced to give their VID to telecom companies, under further threat of disconnection, to ensure their own privacy? And even if they are forced to do so, what prevents the telecom companies from creating a cheat sheet of the old UIDs and the new VIDs?
Therefore, the natural conclusion is that only new users who do an e-KYC authentication to get SIM cards will use VIDs. But how will they know how to generate their virtual IDs?
The default VID
The latest enrollment software, by default, not only generates a virtual ID but also prints it on every Aadhaar letter. This breaks the assertion that UIDAI made in its January 2018 circular that “it is not possible to derive an Aadhaar number from a VID.”
Further, even the UIDAI-friendly State of Aadhaar report has reiterated what is already well known. The most common use of Aadhaar is its paper form. Given that paper cards are used as peanut wrappers, are found in wells by the thousands, are sold to scrap dealers and abandoned in dumps, this allows anyone to register the mapping of a virtual ID to an Aadhaar number.
But why would UIDAI choose this design of printing a default VID on physical cards, when there are alternatives to generate a VID such as the resident portal and the easy-to-hack mAadhaar mobile application?
The clue lies in the list of local authentication user agencies (AUAs), all of which have ambitions to enter the digital lending market, a market that Aadhaar makes promising because of the digital trail it generates when used everywhere. Given that the population it intends to target is mostly digitally illiterate, UIDAI chose the shortcut of generating a default VID for them, whether or not they want one, knowing very well they will not change it.
While it is possible for the digitally literate population to generate one more VID to revoke the default VID, even this can only be done after a minimum period set by UIDAI. This in effect reduces the privacy value of VIDs further.
Do unique tokens really work?
One of the concerns that were raised by Supreme Court Justice Dhananjaya Chandrachud on using Aadhaar everywhere was about commercial surveillance by private entities. In theory, VIDs being unique and revocable, these entities will not be able to do the same. However, this defeats the business models of digital lending and financial-technology companies, which need to know if the same person has availed two different loans, using two different VIDs.
They could easily do that by matching demographic information and permanent account numbers (PANs). However, the target population, to whom they intend to provide loans and services, do not even earn enough to come within the ambit of income tax, and hence will not have a PAN, which makes deduplication slightly harder.
Hence every local AUA who is mandated to use VIDs gets the same “token” as described by the Aadhaar authority, which remains constant, for multiple VIDs of the same UID.
This is functionally similar to using the same UID as before and incentivizes AUAs and KUAs to become bigger, as it makes large-scale commercial surveillance more viable.
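The linkage described above, modelled as an added Python example (not UIDAI's code and not part of the original article). The token derivation (an HMAC over agency ID and UID), the agency names and the sample number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ToyIdAuthority:
    """Constructed model of an ID authority; not UIDAI's real design."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # authority-side secret (assumed)
        self._vid_to_uid = {}                 # currently valid VIDs only

    def issue_vid(self, uid):
        # Generating a new VID revokes the resident's previous one.
        for old in [v for v, u in self._vid_to_uid.items() if u == uid]:
            del self._vid_to_uid[old]
        vid = "".join(secrets.choice("0123456789") for _ in range(16))
        self._vid_to_uid[vid] = uid
        return vid

    def authenticate(self, vid, aua_id):
        """Return the token the agency receives, or None for a revoked VID."""
        uid = self._vid_to_uid.get(vid)
        if uid is None:
            return None
        # Assumption: token = HMAC(key, aua_id | uid), so it depends on the
        # UID and the agency, never on which VID was presented.
        msg = f"{aua_id}|{uid}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:24]


def link_by_token(auth_log):
    """Agency-side view: group presented VIDs by the token that came back."""
    groups = {}
    for vid, token in auth_log:
        groups.setdefault(token, []).append(vid)
    return groups


def demo(uid="999900001111"):                 # constructed sample number
    authority = ToyIdAuthority()
    log = []
    vid1 = authority.issue_vid(uid)
    log.append((vid1, authority.authenticate(vid1, "lender-A")))
    vid2 = authority.issue_vid(uid)           # resident rotates the VID
    log.append((vid2, authority.authenticate(vid2, "lender-A")))
    other = authority.authenticate(vid2, "telecom-B")
    revoked = authority.authenticate(vid1, "lender-A")
    return vid1, vid2, link_by_token(log), other, revoked
```

In this model the lender's log collapses both VIDs into a single token group, while a second agency receives a different token, so linking across agencies still requires pooling data as the article describes.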
The primary concern with using the same Aadhaar number everywhere, and with the numerous leaks, is that it compromises biometric authentication. VID would have been a viable solution to this problem only if it had been rolled out in 2010. But in 2018, every database is already seeded with the Aadhaar numbers across all public and private entities, rendering this move completely meaningless.
The current circulars, however, do not make “VID only” the primary authenticator and instead take a differentiated model between public and private entities. Now most entities still use UIDs for authentication, and only some use VIDs. Further, extraneous considerations have forced UIDAI to publish the VID, defeating safe authentication using VIDs entirely.
Using Aadhaar numbers everywhere also created a surveillance problem for the government and private entities. The classification of global AUAs was specifically created to avoid dealing with the government-surveillance issue, while the same UID token per local AUA ensured commercial surveillance through consolidation and collusion.
In effect, the virtual ID feature is just an attempt to save Section 57 of the Aadhaar Act, which allows unlimited use of Aadhaar by private parties, through technological obfuscation, completely bypassing the core privacy concerns.