Research and Advances
Architecture and Hardware India Region Special Section: Big trends

Privacy Concerns with Aadhaar

Posted
  1. Article
  2. References
  3. Authors
Indian flag and binary code

The debate engendered by the Aadhaar project has propelled India from being a predominantly pre-privacy society to one in which privacy protection in digital databases has emerged as a major national concern. The welcome and scholarly Supreme Court judgment8 has upheld privacy as a fundamental right, and informational self-determination and the autonomy of an individual in controlling usage of personal data have emerged as central themes across the judgment. The main privacy concerns with Aadhaar are:1

  • Identity theft. Aadhaar is vulnerable to illegal harvesting of biometrics and identity frauds because biometrics are not secret information.4,11 Moreover, possible leakage of biometric and demographic data, either from the central Aadhaar repository or from a point-of-sale or an enrollment device, adds to the risk.
  • Identification without consent using Aadhaar data. There may be unauthorized use of biometrics to identify people illegally. Such violations may include identifying people by inappropriate matching of fingerprint or iris scans, or facial photographs stored in the Aadhaar database, or using the demographic data to identify people without their consent and beyond legal provisions.
  • Correlation of identities across domains. It may become possible to track an individual’s activities across multiple domains of service using their global Aadhaar IDs, which are valid across these domains. This would lead to identification without consent.
  • Illegal tracking of individuals. Individuals may be tracked or put under surveillance without proper authorization or legal sanction using the authentication and identification records and trails in the Aadhaar database, or in one or more authentication-requesting-agencies’ databases. Such records may reveal information on location, time, and context of authentication and the services availed.

Also, Aadhaar does not record the purpose of authentication. Authentication without authorization and accounting puts users at serious risks of fraud because authentication or KYC meant for one purpose may be used for another.6 Recording the purpose of authentication is crucial, even for offline use.2 Privacy-by-design is not achieved by self-imposed blindness.

Lack of protection against insider threats and lack of virtual identities—which were retrofitted in a limited way9—raise some serious privacy concerns, and the absence of a clear data usage policy and regulatory oversight exacerbates the problem.1 Without a robust consent and purpose limitation framework and a regulatory access control architecture, the privacy concerns will remain. The inadequate privacy safeguards can potentially give the government of the day unprecedented access to information and power over its citizens threatening civil liberty and democracy.3,5,7

The Supreme Court’s three-pronged proportionality test for the constitutionality of Aadhaar was based on determination of a rational nexus between the objectives and the means, of necessity—implying that the adopted means are the least intrusive for the purpose—and of balancing of extents to which rights are infringed.7 Although the majority judgment upheld the constitutionality of Aadhaar, it struck down most of its uses on privacy grounds and limited its scope to only disbursement of welfare and income tax. The dissenting minority judgment, however, found Aadhaar to be unconstitutional in its entirety. Moreover, the Supreme Court of Jamaica has also recently struck down its very similar Jamaican National Identification and Registration Act (NIRA) as unconstitutional by heavily relying upon and extensively citing the dissenting Aadhaar judgment.10 Judicious design of a national identity system that is respectful of fundamental rights is still very much an open problem.

Back to Top

Back to Top

    1. Agrawal, S., Banerjee, S. and Sharma, S. Privacy and security of Aadhaar: A computer science perspective. Economic and Political Weekly 52, 37 (2017), 16.

    2. Banerjee, S. and Sharma, S.V. An offline alternative for Aadhaar-based biometric authentication, 2018; http://bit.ly/330m8jn

    3. Drezé, J. The Aadhaar coup, 2016; http://bit.ly/2IfqQSe

    4. Khaira, R. Rs 500, 10 minutes, and you have access to billion Aadhaar details. Tribune India, 2018; http://bit.ly/2wW5wdY

    5. Khera, R. Dissent on Aadhaar: Big Data Meets Big Brother. Orient Black Swan, 2019.

    6. PTI. UIDAI suspends Airtel, Airtel Payments Bank's e-KYC license over Aadhaar misuse, 2017; http://bit.ly/2IJnjdR

    7. Puttaswamy, KS and Another v Union of India. Writ petition (Civil) No 494 of 2012. Supreme Court judgment dated Sept.26, 2018; https://indiankanoon.org/doc/127517806/

    8. Puttaswamy, KS v Union of India. Writ petition (Civil) No 494 of 2012. Supreme Court judgment dated Aug. 24, 2017.

    9. Sharma, S. (via P.V. Singh). Virtual ID is a good beginning; much more remains to be done, 2018; http://bit.ly/2YxDmp5

    10. Supreme Court of Judicature of Jamaica. Justice Sykes, B. Justice Batts, D. and Justice Hamilton, L-P. Claim No. 2018HCV01788 between Julian J. Robinson and The Attorney General of Jamaica, 2019; http://bit.ly/31r3XTg

    11. Viswanath, L. Four reasons you should worry about Aadhaar's use of biometrics, 2017; https://thewire.in/featured/real-problem-aadhaar-lies-biometrics

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More