Urgent need for independent impact assessment of National UID project
June 14, 2010 05:35 PM
Samir Kelekar
In the absence of hard numbers, it is anybody's guess as to what is the real intent of the UIDAI project. Is the project really meant to help the poor? Or is it just a corporate ruse to link people, track them and do targeted marketing, with the poor being used as a fig leaf to justify the huge spend on the project?
Unique Identification Authority of India (UIDAI) chairman Nandan Nilekani has been very concerned about privacy implications of the National Unique Identification (UID) project. Time and again, he has emphasized that the project could lead to privacy violations. For instance, he said in March of this year and I quote from an msn.com article: "We are also conscious of the privacy issue. In fact the UID database cannot be read by anybody. The only thing you can use it for is authentication. We are making all efforts technically and legally to see privacy is protected," Nilekani, a former Infosys co-founder, told IANS in an interview.
"At the same time we need a larger debate of privacy and what laws we need in
the country. Today we don't have any privacy laws," said Nilekani who quit Infosys last year and was handpicked by Prime Minister Manmohan Singh to head the authority."
However, as of today, we haven't seen any law on privacy implications that
has been proposed in Parliament.
The publicly available minutes of the recent(6 May 2010) meeting with civil society organizations that the UIDAI had indicates that while UIDAI will draft a law on data security and endorse any potential law dealing with privacy violations, it is not clear if the UIDAI itself considers it as its mandate or even responsibility to come up with the legal framework concerning privacy violations and misuse of the UID database. And if that is the case, that is indeed not just unfortunate but looking at recent developments could even be dangerous.
A few days back, UIDAI signed its first registrar. And who could that be? It was the Life Insurance Corporation of India (LIC). Various media reports have pegged the LIC database size having data of 60 million to 200 million customers.
Some entries of this database namely name, address, and biometrics which LIC will now capture will be shared with UIDAI. What are the privacy implications of the above?
Even granted that the LIC shared only the name, address with UIDAI, the fact is the same entity which has your medical and other vital records now has your fingerprints, iris scans and the UID number. Crores of people buy life insurance or medical insurance from LIC. Lots share their financial data too. For instance, long back when I went to the US for higher studies, I took a loan, which required a guarantee in the form of a, LIC policy. LIC has in its records the fact that I took a loan, and many other details of mine. It is another matter, whether LIC has deleted my name from its database or not, once my policy was matured and I was no longer their customer.
A high-priced consultant brain could give LIC ideas on how to increase its revenue.
Share the medical records with a credit card company. Now, say ICICI Bank is the next registrar of UIDAI. Thus, ICICI now has its credit card number mapped with a UID. Suddenly, one day you start getting, along with your credit card statements, advice on how to deal with your diabetes, or worse still an infectious skin disease that you once had and no longer have. God forbid if you have something like HIV. What you apparently missed is a minor report in the newspaper that ICICI Bank tied up with LIC to share their databases. Now consider you are a young man about to get married, and your fiancé sees your credit card statements time and again having this same ad or advice on how to deal with your infectious disease. Chances are, you can kiss good bye to your upcoming marriage. Worse still, your land lady who stays downstairs who has all the time on her hands happens to inspect the covers of your daily letters or credit card statements. The kind of hell that one could go through is only limited by one's imagination. And given the market centric world that we are in, where everyone is out to sell info for money for all kinds of purposes, UID-the common element that unambiguously links the info-is just the thing we do not want. This is just the tip of the iceberg; wait till something like the Income tax department becomes a UIDAI registrar and has your UID.
You could be potentially stopped from boarding a flight going abroad because you have delayed filing your tax returns.
Quite interestingly, the UID concept was marketed so that the poor could get government doles and to plug leakages in government schemes. How many of the poor have even heard of LIC leave alone avail of their services?
The UIDAI argument is that LIC has this micro-finance system, which the poor avail of. What is not clear is what percentage of LIC's customer base comprises of these micro-finance customers.
In the absence of hard numbers, it is anybody's guess as to what is the real intent of the UIDAI project. Is the project meant to help the poor really or is it just a corporate ruse to link people, track them, do targeted marketing and the poor are just used as a fig leaf to justify the huge spend on the project? And if both, what are the extents of each? Further, if UIDAI is shirking its responsibility to come up with a legislation that will prevent misuse of the UID from abuse by the state or other parties as mentioned above, the only potential justification for this project-namely security of the nation-also falls through.
Finally, I shudder to think of the security issues involved now that apart from the UIDAI database, here is another database-the LIC one which has your fingerprints. One can only imagine of the consequences, given the past records of the security of our government-owned systems.
I was always of the opinion that the UID might have been a good concept. But
after seeing the developments-lack of any feasibility or impact assessment study, the whopping escalation of costs (would anyone in his/her sane mind spend Rs30,000 crore on something just based on a few pages written in a book; the latest estimates peg the cost at Rs45,000 crore), and lack of privacy and other laws preventing misuse, I am getting convinced that the UID project is going wayward. The least that needs to be done is to urgently conduct an independent third-party impact assessment study of the UID project.
And this has to be carried out by an entity which has no potential business interests in the business that will ensue from the UIDAI project, so that they have no vested interests in the results of the study.
As I close this, I think of the new India that is emerging in our cities. Whether one likes it or not, lakhs of our young girls escape the drudgery and hunger in their lives in their villages and come to our cities. Some have dreams of becoming an Aishwarya Rai; many work in dance bars. But our country is far from one about equal opportunities. Most end up working hard just to make ends meet.
Many want to get rid of their old identities, which tie them to their past, their caste, what not. They want to create new identities for themselves, forge new relationships with upwardly mobile guys in the city. What use is UID to them? They do not avail of government doles or aren't beneficiary of any huge government schemes.
Their main interaction with the government happens when cops try to extract bribes from them. It is an open question whether the UID will help them or will be more like a millstone tying them irrevocably to their past.
(Dr Samir Kelekar is founder-director of Teknotrends Software, Bengaluru
June 14, 2010 05:35 PM
Samir Kelekar
In the absence of hard numbers, it is anybody's guess as to what is the real intent of the UIDAI project. Is the project really meant to help the poor? Or is it just a corporate ruse to link people, track them and do targeted marketing, with the poor being used as a fig leaf to justify the huge spend on the project?
Unique Identification Authority of India (UIDAI) chairman Nandan Nilekani has been very concerned about privacy implications of the National Unique Identification (UID) project. Time and again, he has emphasized that the project could lead to privacy violations. For instance, he said in March of this year and I quote from an msn.com article: "We are also conscious of the privacy issue. In fact the UID database cannot be read by anybody. The only thing you can use it for is authentication. We are making all efforts technically and legally to see privacy is protected," Nilekani, a former Infosys co-founder, told IANS in an interview.
"At the same time we need a larger debate of privacy and what laws we need in
the country. Today we don't have any privacy laws," said Nilekani who quit Infosys last year and was handpicked by Prime Minister Manmohan Singh to head the authority."
However, as of today, we haven't seen any law on privacy implications that
has been proposed in Parliament.
The publicly available minutes of the recent(6 May 2010) meeting with civil society organizations that the UIDAI had indicates that while UIDAI will draft a law on data security and endorse any potential law dealing with privacy violations, it is not clear if the UIDAI itself considers it as its mandate or even responsibility to come up with the legal framework concerning privacy violations and misuse of the UID database. And if that is the case, that is indeed not just unfortunate but looking at recent developments could even be dangerous.
A few days back, UIDAI signed its first registrar. And who could that be? It was the Life Insurance Corporation of India (LIC). Various media reports have pegged the LIC database size having data of 60 million to 200 million customers.
Some entries of this database namely name, address, and biometrics which LIC will now capture will be shared with UIDAI. What are the privacy implications of the above?
Even granted that the LIC shared only the name, address with UIDAI, the fact is the same entity which has your medical and other vital records now has your fingerprints, iris scans and the UID number. Crores of people buy life insurance or medical insurance from LIC. Lots share their financial data too. For instance, long back when I went to the US for higher studies, I took a loan, which required a guarantee in the form of a, LIC policy. LIC has in its records the fact that I took a loan, and many other details of mine. It is another matter, whether LIC has deleted my name from its database or not, once my policy was matured and I was no longer their customer.
A high-priced consultant brain could give LIC ideas on how to increase its revenue.
Share the medical records with a credit card company. Now, say ICICI Bank is the next registrar of UIDAI. Thus, ICICI now has its credit card number mapped with a UID. Suddenly, one day you start getting, along with your credit card statements, advice on how to deal with your diabetes, or worse still an infectious skin disease that you once had and no longer have. God forbid if you have something like HIV. What you apparently missed is a minor report in the newspaper that ICICI Bank tied up with LIC to share their databases. Now consider you are a young man about to get married, and your fiancé sees your credit card statements time and again having this same ad or advice on how to deal with your infectious disease. Chances are, you can kiss good bye to your upcoming marriage. Worse still, your land lady who stays downstairs who has all the time on her hands happens to inspect the covers of your daily letters or credit card statements. The kind of hell that one could go through is only limited by one's imagination. And given the market centric world that we are in, where everyone is out to sell info for money for all kinds of purposes, UID-the common element that unambiguously links the info-is just the thing we do not want. This is just the tip of the iceberg; wait till something like the Income tax department becomes a UIDAI registrar and has your UID.
You could be potentially stopped from boarding a flight going abroad because you have delayed filing your tax returns.
Quite interestingly, the UID concept was marketed so that the poor could get government doles and to plug leakages in government schemes. How many of the poor have even heard of LIC leave alone avail of their services?
The UIDAI argument is that LIC has this micro-finance system, which the poor avail of. What is not clear is what percentage of LIC's customer base comprises of these micro-finance customers.
In the absence of hard numbers, it is anybody's guess as to what is the real intent of the UIDAI project. Is the project meant to help the poor really or is it just a corporate ruse to link people, track them, do targeted marketing and the poor are just used as a fig leaf to justify the huge spend on the project? And if both, what are the extents of each? Further, if UIDAI is shirking its responsibility to come up with a legislation that will prevent misuse of the UID from abuse by the state or other parties as mentioned above, the only potential justification for this project-namely security of the nation-also falls through.
Finally, I shudder to think of the security issues involved now that apart from the UIDAI database, here is another database-the LIC one which has your fingerprints. One can only imagine of the consequences, given the past records of the security of our government-owned systems.
I was always of the opinion that the UID might have been a good concept. But
after seeing the developments-lack of any feasibility or impact assessment study, the whopping escalation of costs (would anyone in his/her sane mind spend Rs30,000 crore on something just based on a few pages written in a book; the latest estimates peg the cost at Rs45,000 crore), and lack of privacy and other laws preventing misuse, I am getting convinced that the UID project is going wayward. The least that needs to be done is to urgently conduct an independent third-party impact assessment study of the UID project.
And this has to be carried out by an entity which has no potential business interests in the business that will ensue from the UIDAI project, so that they have no vested interests in the results of the study.
As I close this, I think of the new India that is emerging in our cities. Whether one likes it or not, lakhs of our young girls escape the drudgery and hunger in their lives in their villages and come to our cities. Some have dreams of becoming an Aishwarya Rai; many work in dance bars. But our country is far from one about equal opportunities. Most end up working hard just to make ends meet.
Many want to get rid of their old identities, which tie them to their past, their caste, what not. They want to create new identities for themselves, forge new relationships with upwardly mobile guys in the city. What use is UID to them? They do not avail of government doles or aren't beneficiary of any huge government schemes.
Their main interaction with the government happens when cops try to extract bribes from them. It is an open question whether the UID will help them or will be more like a millstone tying them irrevocably to their past.
(Dr Samir Kelekar is founder-director of Teknotrends Software, Bengaluru
