Times of India: New Delhi: Tuesday, May 09, 2017.
There has
been a concerted campaign in the last few weeks ‘exposing’ the Aadhaar ‘data
leak’. The impression given in many sections of the media is that something
very serious has happened and personal and sensitive information of citizens
has been hacked and leaked.
This is
sensationalisation that makes a mountain out of a molehill. What really has
happened is that the information relating to beneficiaries of various programmes
of state governments already published on the websites of concerned departments
has been suddenly discovered by some activists and exposed as a massive data
leak.
The timing of
the ‘discovery’ is also interesting since the case relating to Aadhaar is being
argued by the concerned parties and issues of privacy are being debated. For
starters, Aadhaar is not a secret or confidential number. It is a random number
bereft of any intelligence. It is just a number attached to an individual in a
unique manner. As per the Aadhaar Act, “An Aadhaar number shall be a random
number and bear no relation to the attributes or identity of the Aadhaar number
holder.”
If I give my
Aadhaar number to you, you can cause no harm to me. Secondly, biometric
information collected by the Unique Identification Authority of India (UIDAI)
for ensuring uniqueness has been declared as the ‘sensitive personal data’
within the meaning of IT Act.
The Aadhaar
number is not a ‘sensitive personal data’. Finally, one shares her Aadhaar
number to many agencies for getting various services and facilities. Aadhaar
numbers are shared with the Indian Railway Catering and Tourism Corporation for
availing senior citizen benefits in rail travel, with telcos for getting mobile
SIMs, with banks to link bank accounts, and with oil marketing companies to get
LPG subsidy.
Thus, each of
the agencies is in possession of Aadhaar numbers. Many state and central
government departments are seeding various beneficiary databases with Aadhaar
numbers to weed out duplicates and ghosts. The Mahatma Gandhi National Rural
Employment Guarantee Act scheme, scholarships and pensions are three such examples
out of many.
No Numbing
Numbers
Section 29(4)
of Aadhaar Act prohibits the publication of Aadhaar numbers except for the
purposes specified by regulations. The regulations also reiterate this
provision and provide that no entity shall make public any database or record
containing the Aadhaar numbers of individuals unless they have been “redacted
or blacked out through appropriate means, both in print and electronic form”.
Thus, if the
authorities do publish the information, the Aadhaar number should be either
partially or fully masked in that publication. The purpose of these
restrictions is that while Aadhaar numbers themselves are not confidential,
their publication in various public records will make it easy to collate
information about persons. Collation of data, unfortunately, has become
relatively easy in the digital world even otherwise. Now to look at the issue
from the angle of the Right to Information (RTI) Act.
The broad
objective behind RTI is to ensure transparency in the functioning of public
authorities and enable social audit of various programmes. Under RTI, public
authorities are under obligation to provide the information available with them
unless the same has been expressly prohibited under Section 8 of the Act.
Section 4 of the RTI Act mandates every public authority to publish information
in its possession in a digital form.
Specifically,
Section 4(b)(xii) mandates the publication of details of beneficiaries of
various subsidy programmes being executed by every public authority. Hence, it
should be clear that the list of beneficiaries of various programmes are being
published by concerned state governments in compliance of RTI Act.
If a person
applies for getting the details of beneficiaries of any scheme under the RTI
Act, the public authorities will be duty-bound to provide all the information
they have, including the Aadhaar numbers.
Section 8
exemptions will not be able to hold back the Aadhaar numbers. Now the issue is:
what constitutes the details for the purpose of publishing on websites? Should
an Aadhaar number be included in the details of a person? This is essentially a
question of balancing transparency of public records and privacy of
individuals.
My personal
view is that the last four digits of Aadhaar number can be published and the
first eight digits be masked. This will satisfy the provisions of both RTI and
the Aadhaar Acts. However, to say that publication of Aadhaar numbers by
authorities constitutes a data breach, or data leak, is far from the truth.
Digits Safe
in Digital Era
The
government has categorically asserted that not even a single example exists of
a breach or leak of data from UIDAI. As UIDAI keeps data encrypted all the time
with the highest encryption standards, the probability of leak is almost zero.
Under RTI,
governments have been publishing details of all kinds including bank accounts
(in case of MNREGA workers) and Aadhaar numbers. Further, now that the Aadhaar
Act has certain provisions relating to the publication of Aadhaar numbers,
there is a need to harmonise the transparency requirements of the RTI Act with
the privacy-related provisions of the Aadhaar Act. The best way is to partially
mask the Aadhaar numbers before publishing them on a digital platform.
(The writer
is chairman, Telecom Regulatory Authority of India)