An RTI application filed by Bengaluru-based Col. Matthew Thomas, a petitioner in the Right to Privacy case before the Supreme Court, reveals that the Unique Identification Authority of India (UIDAI), custodian of Aadhaar data, signed contracts with foreign firms giving them “full access” to classified data and personal details of citizens, which they were allowed to store for seven years.
The Centre must direct the UIDAI to make a full disclosure of the project since its inception, including contracts signed, and who selected the firms recruited for the task. Then Chairman Nandan Nilekani must explain why the technology (hardware and software) for collecting and storing the data was not created domestically, when India is supposed to be the hub for information technology services.
The RTI reply punctures the UIDAI’s assertion that no private entity had access to unencrypted Aadhaar data. The contract with US-based biometric service provider, L-1 Identity Solutions Operating Co. Pvt. Ltd. (now owned by French transnational Safran Group), clearly says the firm was given Aadhaar data access “as part of its job”. Other firms given identical contracts from 2010 to 2012 include Morpho and Accenture Services Pvt. Ltd.
In 2014, Prime Minister Narendra Modi was persuaded that Aadhaar could expand the reach of his social welfare programmes exponentially. But recently, when data breaches became glaring, Nilekani dismissed the problem saying data security is challenging in a digital age and ran back to his parent company. The unanimous verdict of the nine-judge bench of the Supreme Court, upholding Right to Privacy as a fundamental right, reportedly reflects this belated understanding at the top echelons of government.
The contract’s Clause 15.1, ‘Data and Hardware’, says the firm “may have access to personal data of the purchaser (UID), and/or a third party or any resident of India...” Clause 3, which deals with privacy, says the biometric service provider (BSP) could “collect, use, transfer, store and process the data”. Also, the BSP shall process all personal data in accordance with applicable law and regulation and should not disclose such information. The contract does not define ‘personal data’.
However, according to UIDAI, personal data includes biometric (fingerprints, iris) and demographic data (name, date of birth, address, mobile number), and could include bank details, licence number, PAN number, passport number and other information furnished as part of Know Your Customer (KYC). A clause in the contract says the firm should maintain the biometric template created by it and on termination or expiry of contract, “transfer all the proprietary templates to UIDAI”.
The UIDAI claimed it had purchased the software and hardware for the Aadhaar programme, but the contracts show that the BSPs provided hardware for the first one crore enrolments. It is not known if the hardware was checked to ascertain if data could be stolen via a back door. UIDAI’s assertion that no data ever left its servers and premises cannot be trusted as the language of the contracts clearly shows that foreign firms had access to raw data.
But is this surprising? In a Forward to a Credit Suisse study (Ideas Engine Series, 29 June 2016), Nandan Nilekani wrote, “Once in a while a major disruption or discontinuity happens which has huge consequences. In 2007, the internet and the mobile phone came together in a whole new product called the smartphone... [which] could support OTT (Over The Top) applications. The messaging solution for the smartphone…came from WhatsApp, a start-up”.
Nilekani argued that Indian Banking is experiencing a ‘WhatsApp’ moment, as smartphones could reach 700 million by 2020 and over one billion Indian residents have the online biometric identity, Aadhaar. Hence it is possible to “visualise a future where every adult Indian has an Aadhaar number, a smartphone and a bank account”.
More insidiously, Aadhaar provides on-line authentication using fingerprint or iris, which can be done from anywhere, making transactions ‘presence-less’. Aadhaar’s eKYC feature enables a bank account to be opened instantly by using one’s Aadhaar number and biometric; something prone to misuse. In Jammu & Kashmir, illegal immigrants (Rohingyas) have acquired Aadhaar and ration cards.
Extolling many facets of the new technology (the India Stack), Nilekani states, “as data becomes the new currency, financial institutions will be willing to forego transaction fees to get rich digital information on their customers (italics added)”. This would accelerate the move to a cashless economy as merchant payments will also become digital.
Commending Credit Suisse’s “insightful report”, Nilekani agrees that there is a US$ 600 billion market capitalisation opportunity possible in the next ten years, which will be shared between existing public and private banks, new banks and new age non-bank financial companies (NBFCs). “It may even go to non-banking platform players, which use the power of data to fine-tune credit risk and pricing, and make money from customer ownership and risk arbitrage”. He expects a serious challenge to Public Sector banks which currently enjoy a 70 per cent market share.
The Payment Bank (Paytm), launched in 2016 (Alibaba holds 40 per cent stake), and Unified Payment Interface (UPI)-powered payment interfaces, hope to encash the shift towards digital transactions, and get their share of the coveted US$ 600 billion pie. Credit Suisse anticipates that private banks, NBFCs’ and fin-tech players will be its prime beneficiaries.
Credit Suisse explains that financial providers will become data rich in just two or three years as they receive data via transactions made through their apps, digital footprints left by individuals, smartphone data and online tax information, as 3 to 5 billion invoices go digital with GST. Forecasting consumer debt to rise to 25 per cent of GDP from the current 17 per cent on the back of new data availability, the SME lending market could grow from US$ 620 billion to US$ 3,020 billion over the next decade. Aadhaar seems tailored to benefit private bankers.
This writer was invited to enroll for the National Population Register vide acknowledgement slip 130, form number 02046115, household block no. 0021, household number 128, by Enumerator O.P. Singh, dated 26 May 2010. Aadhaar was supposedly for BPL beneficiaries. It turned out they were one and the same.
Now, it is not clear who controls the data; certainly it is prone to misuse. The Sonia Gandhi-led regime unleashed this menace through lies and deception. The Modi-led government must fix this treachery. No country in the world has allowed Bankers and Corporations such totalitarian access to intimate data about its citizens.
Back to Top