‘We raised the issue of privacy long before anyone else’

0
89

Fourteen months ago, Prime Minister Manmohan Singh asked the ex-CEO of Infosys to chair the Unique Identification Authority of India, a body set up with Cabinet approval in January 2009. When 55-year-old Nandan Nilekani, part of the Bengaluru brigade that led India’s IT revolution, decided to join Delhi’s bureaucratic maze, the project dreamt up by the Planning Commission in 2006 gained glamour and credibility. But there was also scepticism about whether a corporate manager would have the sensitivity to work out a system that was primarily meant to deliver social welfare to the right beneficiaries. Vaibhav Vats met the UIDAI chairman to seek answers to all the troubled questions around the project. Excerpts from the interview:

Strong foundation Nilekani says the UID project will provide the technological base for overhauling the PDS
Strong foundation Nilekani says the UID project will provide the technological base for overhauling the PDS
Photo: Shailendra Pandey

Why did you think the UID number would be an enabler in India? Can you spell out your vision for all of us?
The genesis of this project lay in the fact that a large number of Indians don’t have any recognised identity by the State. It’s alright for you and me. We have passports, credit cards, etc. But there are hundreds of millions of people who have no identity. They don’t have birth certificates or school certificates. They are basically bereft of any form of acknowledged existence. That becomes a form of exclusion. Increasingly, more and more benefits — either public services or private benefits — depend on proving who you are. When you don’t have a basic identity, you’re completely shut out from these things. Identity becomes a form of divide. People get trapped in a cycle of documentation. To get a driver’s licence you need a ration card, to get a ration card you need a birth certificate.

This problem is compounded by patterns of migration. Today, India has about 100-120 million migrants. Papers that might have value in your village have less value outside your village and certainly outside your state. So at the very basic level, we are giving a unique identity embodied in a number to every Indian resident — man, woman and child. This will now be a national identity, a portable identity, because the number will be verifiable anywhere in the country. That’s one big intention.

The UID claims that it will help streamline the delivery of social welfare…
Yes, over the last decade, India has been building its social welfare infrastructure. Right to Food, Right to Education, National Rural Health Mission, PDS, MGNREGA — all these things add up to a lot of expenditure directed towards individual beneficiaries. But because the basic identity infrastructure is faulty, you end up with a lot of ghosts in these schemes, a lot of duplicates. This means the government expenditure is not efficient. Secondly, it is not effective, because it’s not reaching the right people. And thirdly, it’s not equitable, because the people who should really be receiving the benefits are not on the list. The system is basically captured by people who shouldn’t be getting it. The idea now is to use this new identity infrastructure to re-engineer public services, so it can be more equitable and effective.

This is something many societies have done. During the Great Depression, the US came up with the Social Security Act, which led to the social security number. In the UK after the World War II they came up with the National Insurance number. We are at a similar point in our history.

There are many questions around the project — about efficiency, privacy, danger of profiling, etc… but we’ll come to that later. First of all, what information do people have to give to get a UID?
Let’s talk about the information we are keeping in our system. We keep the name, date of birth, sex, address and father’s or mother’s name and the biometrics. Apart from this, we are, in fact, by law forbidding listing things like caste and religion. Broadly, there are three methods of getting a number. It’s all on our website. First is the classic document method. The second is that the National Population Register is going to collect information and put it on public boards. If no one objects, they will deem that information to be accurate about you. The third, created specifically for the purpose of inclusion, is the introducer method. If a person does not have any documentation, there will be approved introducers — they could be employees of the state or an NGO. If these introducers are willing to vouch for the person’s identity and address, it will become a basis for giving a number. This is a very important inclusion method to facilitate the poor and marginalised get a UID.

But if you don’t know whether people are poor or even where they are located, how will this smoothen delivery of welfare schemes?
We cannot take the onus of establishing whether a person is eligible for something. It is the job of the state government, which is issuing rations, to decide eligibility. But they will use our identity infrastructure to establish identity.

Welfare schemes also fail due to systemic corruption and feudal power structures. How will merely having a UID change this feudal mindset and power structure?
Because you can build new systems on that. The way it’ll work is that when a beneficiary goes to a ration shop, the shop will only be able to disburse ration through an authentication process, which will involve the UID and biometrics. The shop will only get more rations based on the evidence that the ration actually went to the correct people. That’s how you stop diversion.

Also, you are saying the UID will create a portable identity that poor people can use across the country. But how will this create greater access for them?
The identity infrastructure we are creating gives you the basis on which you can build new systems. Let’s say someone moves from village A to village B, it takes him years to get a new ration card. We need to build a PDS system that allows him to do that more easily. We need a system that will move from being supply-based to being demand or replenishment-based. This will allow a beneficiary the power of choice. You have to understand that all these systems today are static. Overhauling the PDS will require huge political will. But at least the UID gives you the ability and technological base to do that. Without this, there’s no way you can pull it off.

Will it mean every poor person has to go physically to pick up their rations rather than one family member?
Not at all. Just as you can appoint joint holders in your bank account, a poor person can appoint family members who can pick up rations on his or her behalf. The point is the UID will make all this much easier to construct and more fool-proof for the beneficiary.

People think the UID will sort out problems like the corrupt PDS overnight. But you are saying new welfare systems have to be built based on this.
Yes, obviously. This is just a sort of soft infrastructure, a foundation. That’s why we call it Aadhaar. You have to re-engineer things like the PDS and social welfare schemes. There’s a white paper on that on our website. There’s lots of work ahead.

What about the biometrics? There’s a lot of concern about the reliability of biometrics. People from the working class, like labourers, suffer from corneal scars and their fingerprints get distorted over time through hard labour. What will happen to them if their biometrics don’t match after a while?
We’ve done the testing and found that with fingerprints and iris scans, we get 99 percent accuracy. Don’t look at it as a 100 percent solution. Look at it from where we are today. And from that view, it’s significant. We visualise that we’ll have a highlevel accuracy on enrolment. On authentication, there might be some problems. But we believe there will be ways around that. We shouldn’t let the 1 percent issues dominate or derail the discussion.

True. But it could create a lot of complications for some people. What are the ways around that you are thinking about?
We’ll have a password based on which the service provider can override the faulty authentication.

Isn’t that opening up dangerous possibilities of tampering?
That’s how we design systems. We are not claiming that this is some 100 percent solution. But just because there is no perfect system doesn’t mean you don’t do anything.

‘This is just a sort of soft infrastructure, an Aadhaar. You still have to re-engineer PDS and welfare schemes’

What about the sheer scale of operation? Does this mean we will need biometric devices in every shop?
There will be several forms of authentication — biometrics will be one. We will also provide non-biometric authentication. You can use a PIN number, which is like a password. Where there is a biometric application, you will need a mobile phone, a finger scanner and maybe a printer. But that can be accomplished.

The other big area of concern is data protection and privacy. The fact that you are using many other registrars to enrol people is causing a lot of concern.
Let me be clear. These registrars are already engaging with you and me. The bank today is already taking a lot of information from you. If you take a loan, they ask so many questions about your credit history. If you take an insurance policy, they ask intimate details about your health. So let’s be clear: a lot of registrars are already collecting a lot of information about you…

Yes, but so far these were islands of information held in separate silos. With the UID, the fear is all this data can be centrally converged. Shouldn’t there be strict protocols under which information will be protected under the UID?
First of all, when a registrar collects data for us, there are clear rules on how that data is to be used. When it reaches us, it goes into a black hole. Let’s say you are enrolling in Aadhaar. You give your biometric, the data is captured, the record is encrypted. It can’t be intercepted by someone, because it’ll all be encrypted and scrambled. When it comes to our database, we do a scan to de-duplicate and see if there’s another person with the same biometric. If it matches, it means you have already got a number from somewhere else. That is against the law. If you’re not registered, we give you a random number.

In other countries, you can tell a person’s year of birth and place of domicile because of the way the numbers are serialised. We are trying to improve on all that by generating a completely random number so you cannot make out anything about a person by looking at his UID. So our number doesn’t give away anything. It is only used to authenticate your identity if you’re a participant in a transaction.

But that means the State — or big corporations — can track every one of us at the click of a button. There are great fears about the misuse of data. 
There are protocols in place under the UID Act. The fact is, we raised the issue of privacy long before anyone else. What India really needs is a comprehensive data protection and privacy framework. The problem is not just unique to the UID. We have 700 million mobile phone users in the country where the same logic applies. You have PAN numbers. When you use Gmail or Google, targeted advertisements hit you. You are sharing intimate information on Facebook. Why should the anxiety only arise when one is trying to draw the poor into the benefits of technology? Our point is that as we become more electronically dependent, we need to legislate as a society on a privacy framework that cuts across functions. We ourselves suggested this to the government in May. It has come out with an approach paper on creating a privacy and data protection law. (http://persmin.gov.in/WriteReadData/RTI /aproach_paper.pdf )

Gaining legitimacy Looking for their names in the enrolment register at a homeless shelter
Gaining legitimacy Looking for their names in the enrolment register at a homeless shelter
Photo: Shailendra Pandey

You claim you will enrol 60 crore people in four years. Is that feasible? What is the estimated cost?
We have built the platform for enrolment. Since we have multiple registrars — like state governments, banks, LIC, the National Population Register, etc — we think we’ll be able to enrol Rs. 60 crore people in the next four years. As for the cost, we are reimbursing registrars Rs. 50 for every enrolment. We currently have the budget for 100 million people, which comes to about Rs. 500 crore. We have a sanctioned budget for around 3,000 crore. As and when we need to enrol more people, we will need more money. Given the scale of what we are doing, it’s really nothing. Some of the best minds in the country are working at very low fees on solving all the complex issues involved in setting up something like this. And they are doing it because they are engaged with the future of this country and believe this will help it.

You say the UID is voluntary. But one of the aims you stated was de-duplication. How will this happen unless everyone’s under the UID?
It’ll take several years to cover everybody. We have a billion plus people. When some people have the number and some don’t, you can’t have it as compulsory because you’re denying the people who don’t have it. So it is up to each service provider to handle this till they go universal in their space. Say from March 2011, some people will be able to access PDS based on the UID, but a lot of other people will have the old PDS. As long as both exist, they cannot make it mandatory that Aadhaar is the only way. But after a certain timeframe, they can insist everyone should have an Aadhaar.

So in about 10 years’ time, this means everyone will need to have a UID for basic government services and bank accounts. What about immediate benefits? Can a poor person now open an account without other documents?
Exactly, that’s the whole point.

But 80 percent workers enrolled with MGNREGA are already being paid through bank accounts. Why spend so much again on all this?
You must understand how things work on the ground. Let me explain. This country has six lakh villages, but there are bank accounts in only 6 percent of the villages. In this environment, when you open a bank account for a person, you are making him travel 10-40 km to get to a local bank. Ask around — you will find many workers don’t find it worthwhile to be part of MGNREGA anymore because it costs them so much to go and retrieve their wages from the bank. Also they get it after a time lag whereas they need their wages daily. In fact, poor people find the current system so cumbersome, they would rather keep money with themselves physically (which often gets robbed) or else they pay others in the village to keep their money securely.

To get past all this, using the UID, we are proposing a network of authenticating devices in every village where people can withdraw money. We call them micro-ATMs. So you’ll have someone called a ‘business correspondent’ in a village. It could be a self-help group, a kirana store, a PCO — it could be anyone. They will have an authenticating device plus some software to connect it to the banking system. We are in the process of tying up with several banks to open accounts for people with an Aadhaar number. These are serious, important issues. We must understand people’s problems on the ground without suspecting everyone’s motives for doing this.

‘We must understand people’s problems on the ground without suspecting everyone’s motives for doing this’

If you look at the UID in isolation, a lot of your arguments make sense. But the UID is located within a larger State, so the synapses and how the State uses the data will become very important. Your civil society critics say that Nandan is viewing himself in a sort of “corporate cocoon”, not as a piece of a larger political context. So, for instance, how will the Natgrid Home Minister P Chidambaram has pushed for make use of the UID?
For the record, governments in every country, including democracies, have access to databases in the interest of national security. As I said earlier, the challenge is to put in place the protocol and checks under which such access will be deemed necessary. If you look at the Times Square bomber, he was caught through surveillance of databases.

The question is, how do you create frameworks to see it’s done properly? That’s what you should be focussing your energies on, not on some number! Every technology has risk, but it also has great benefits. Here is something desperately required to create inclusion for millions of people. That’s an important social goal. Now you have the goal, you look at the risks and mitigate the risks. Ultimately, it’s a balance between social good and risk. And clearly, here the potential for good far outweighs the risks.

If this is such a positive tool, why did even the Conservative government in the United Kingdom scrap its national ID scheme?
To give the United Kingdom as an example in relation to India is disingenuous. The stated goal of that scheme was surveillance and immigration control. They already have a number, which they started in 1953. Their ID card was a very different project. So let’s not extrapolate randomly. The fact is that most countries have a number. We also need a number. We need it acutely because we have an obligation to millions of our countrymen. Why are we trying to prevent the access of the poor to public services?

One final question about redressal against misuse of the UID. The Bill states (Section 46) that “no court shall take cognisance of any offence punishable under this Act, save on a complaint made by the Authority”. This sounds like an extraordinary provision — that no one except the Authority itself can seek redressal under this Act! It would certainly defeat one of the purposes of the Bill, which is to impart some accountability to the Authority. What do you say about this?
Section 46 deals with offences under the Bill — this merely says that on issues such as hacking, impersonation, faking of biometrics, the Authority will be the one to initiate the complaint.

This provision will actually protect residents from unnecessary harassment from others. No one can file a case against anyone just because they believe there had been some wrongdoing, this needs to be brought to the notice of the Authority and action will be initiated.

That leaves many unaddressed questions. What if there is a dispute between a citizen and the Authority? And again, the Bill not only gives enormous powers to the Authority, but under Section 51 also allows delegation of powers. Are some safeguards not required?
This is a general provision of delegation that statutory authorities have so as to enable them to perform their administrative functions. The main powers related to the functioning of the authority are in Section 54, which gives the Authority the powers to make regulations on the key issues that directly affect the functions of the authority. This cannot be delegated.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Comment moderation is enabled. Your comment may take some time to appear.