#
If a tree falls in a forest and no one is around to hear it, does it make a sound?
#
The philosopher George Berkeley first asked this question in the early 18th century and
#
a modern equivalent of it might well be.
#
If you don't possess an ID card given by the state, do you even exist?
#
This is a poignant question for many people which is best illustrated by the story of
#
Lal Bihari was a farmer from Azamgarh in Uttar Pradesh.
#
He was born in 1951 and when he was 25 years old, in 1976, he was informed by a government
#
official that he was dead.
#
Apparently his cousins had bribed a government officer to get him declared dead so that they
#
So now Lal Bihari told the officer, but I am here before you.
#
The officer wouldn't listen.
#
There weren't any documents to prove that he existed.
#
So Lal Bihari now realized that to prove that he existed, he would have to get his name
#
in the official records.
#
He threw stones at a police station so that he would be arrested and his name would be
#
He kidnapped his cousin.
#
No one seemed to care so he sent the boy home with an ice cream.
#
He applied for compensation for his alleged widow.
#
He organized his own funeral.
#
And finally, he stood for elections against V.P Singh from Allahabad in 1988 and Rajiv
#
Gandhi in Amethi in 1989.
#
He lost both elections.
#
By this time, he had formed the Uttar Pradesh Mritak Sangh or the Dead Man's Association
#
They had 20,000 members, people who had been declared dead and did not have an ID with
#
which they could prove their existence.
#
Lal Bihari himself on a court case and was declared alive in 1994, two decades after
#
But this land is still full of the walking dead.
#
And my point in telling you this story is not that ID cards are a good thing.
#
My point is that no government should ever have such power over the citizens.
#
Welcome to the Seen and the Unseen, our weekly podcast on economics, politics and behavioral
#
Please welcome your host, Amit Barma.
#
Welcome to the Seen and the Unseen.
#
My topic for today is Aadhaar.
#
And my guest is my old friend, Nikhil Pawar of Media Nama.
#
When I started blogging a decade and a half ago, Nikhil was one of the early friends I
#
In those days, he was a young, roly poly, cherubic, enthu cutlet with a permanent smile
#
And he's still a young, roly poly, cherubic, enthu cutlet all these years later, except
#
that now he is also one of the most formidable warriors of freedom in the online space.
#
Nikhil runs Media Nama, a highly respected media company, and has been a prominent digital
#
activist, most well known for his Save the Internet campaign and for spearheading the
#
Nikhil, welcome to the Seen and the Unseen.
#
Thanks Amit and thanks for the great intro.
#
It's great to be talking to your friend about these issues because that's when you're most
#
comfortable and we can have a great conversation, I hope.
#
I want to make this episode a sort of a beginner's guide to Aadhaar, to people who hear that
#
term bandaid about but aren't really sure what it is apart from just an ID card, which
#
as you go on to enlighten us, it's not an ID card at all.
#
But can we start by talking about all the various objections that you have to Aadhaar?
#
So there's a long list of them, but the first part is that the idea that this is a national
#
ID is a misnomer because it's not national, it's a resident ID.
#
If you are in India for 182 days or above, you can go and get an Aadhaar, which is why
#
an Uzbek citizen in, I think, Visakhapatnam had committed a crime and she was caught with
#
an Aadhaar card not in her name, in a fake name in a sense, right?
#
There was a Pakistani national in Pathankot who was caught with an Aadhaar card as well.
#
So any foreigner who stayed in India over 182 days will need an Aadhaar card effectively
#
if they want a bank account, if they want a working mobile connection.
#
So it's not a national idea because anyone can get it.
#
In fact, that means it's a very weak form of ID, because even like a passport or a driving
#
license is a far better form of ID having gone through verifications and you know, if
#
someone has an Indian passport, you know they're an Indian citizen, right?
#
So the other part of it is that it's also not an ID because there is no verification.
#
So what happens is that when you get an Aadhaar, and I haven't gotten one and you haven't
#
So essentially what happens is that you go, you take an existing ID and they take your
#
fingerprints, they take your iris scan and they give you an Aadhaar card after a particular
#
There is a journalist called Devayan Roy who works with 3N and IBM and he went through
#
this process, realized that there was no verification that's taking place.
#
So he got an Aadhaar card made in a different name.
#
He went to the verification center and they made a fake driver's license for him, I think.
#
And so both got submitted at the same time, his actual submission as well as his fake
#
So he reported it and the UIDA filed a case against him.
#
What happened eventually was that they granted him an Aadhaar in the false name.
#
So Devayan, no, it's sad because, you know, Devayan is in court trying to get his Aadhaar
#
And you know, I asked the UIDA CEO that question at GCCS, which was a global conference taking
#
And he laughed and he said that, you know, I'm saying that he will be stuck with his
#
name for the rest of his life.
#
And this is the beauty of Aadhaar that if you get it in the wrong name, you're stuck
#
with that name for the rest of your life.
#
He said his words were that, you know, his child will go to school and say that my papa's
#
I mean, that's disgusting.
#
But it is what it is and it shows the mentality of the UIDA when it comes to these issues.
#
So the point is that anyone can take any ID and get an Aadhaar made in that name.
#
Now, there are criminals who may have potentially changed their name now and now have a clean
#
record and there's no way of knowing that.
#
So, you know, really when you look at Aadhaar from this perspective about being an ID, it's
#
not really an ID, it's more of a proof of authentication.
#
It's a proof that your fingerprint is connected to this Aadhaar number or not, because there
#
A passport is a better means of which you have cops who come to your home, they talk
#
to your neighbors, there's some amount of physical check that takes place before you
#
The scale at which Aadhaar has been implemented, it was impossible to do that.
#
The pace at which it was being implemented, there's a large number of fakes that would
#
So that's another problem with Aadhaar that, you know, there were about 49,000 endowment
#
agencies whose license was canceled for violation of processes when it came to the creation
#
of Aadhaar, including one that was storing biometrics and effectively using replay biometrics
#
to generate new Aadhaar numbers because they were being paid per ID generated.
#
And so it was the incentive structure was created in a manner that they would create
#
more endowments and there was no way of checking this.
#
You know, so I think the whole system is flawed in the way it has been developed.
#
And there is, you know, there's a Silicon Valley philosophy that goes, move fast and
#
There is an agile development sort of approach which says that start and then keep iterating
#
But when you're looking at something of a national scale that impacts the lives of people,
#
I think the philosophy we ought to have is move slow and fix things.
#
You know, you have to be deliberate, you have to be conscious, you have to monitor, and
#
you have to fix these problems before it impacts a large number of people.
#
In this case, the rush to just get more and more people on board.
#
And this is something which Nadan Delekhani has talked about, which is that if you move
#
so very, very quickly in these things, the opposition does not have time to consolidate.
#
So by the time they realized what was going on, these guys had moved much further.
#
Did he say this approvingly or?
#
I think, yeah, he said this as a strategy that they deployed because there was opposition
#
to Aadhaar from the very beginning as well.
#
So I'm saying that this is the negative outcome of it.
#
The problems that we're facing now is an outcome of the rush.
#
So that was another point that I wanted to make about how not to create a national ID
#
You are going to mess up people's life if you do that.
#
And the thing to remember is that there is so much at stake, like, it makes me really
#
angry when you just told me, you know, what the UAID chairman said about, you know, Deba
#
and Roy being stuck with the fake name forever and almost a sense of schadenfreude that he
#
kind of expressed is that they control the lives of the people.
#
This whole approach that the people belong to the state and we can do what we want with
#
Like, you know, I started my show with an intro about Lal Bihari Mirtak, who you must
#
And and that attitude just infuriates me, you know, and therefore this is also about.
#
So it's us as citizens and as people being deprived of agency, we are not given a choice
#
about whether we want an Aadhaar or not.
#
And so, you know, I think this is one of the challenges that we face and this is why there's
#
a great deal of anger amongst people right now, because you're constantly bombarded with
#
messages about having been forced to link it.
#
The question that I would like to ask is how many people who have gotten an Aadhaar actually
#
wanted to get one and how many have been forced to get one and by making it mandatory for
#
so many things, you've effectively forced like I know students who didn't want one but
#
had to get one because they wouldn't be allowed to sit in exams if they didn't have one.
#
And how do they feel about this is something that we have to take into account.
#
And this is an argument that's also being made in court that it's we have the right
#
to informational self-determination, which is that we have the right to choose what we
#
want to do with that information, who we give it to.
#
And by being forced to get an Aadhaar and being forced to give this information to the
#
government, we are being robbed of our agency.
#
What's happening with Aadhaar in this case is that it is taking your and my personal
#
information, converting it into a public asset and then privatizing it without us having
#
So, for example, the National Health Information Network is probably going to get rolled out
#
next year with Aadhaar linked electronic health records.
#
Last year, Viral Acharya, the deputy governor of the RBI spoke about the creation of a public
#
credit registry, which then startups can build businesses on top of saying that the baseline
#
of personal credit information, the financial transactions that we do will be provided by
#
the government and then they can add their own data sets on top of it to provide you
#
more granular services.
#
Some part of this is good, but the question is, where is the agency here in the sense
#
So we're being forced to part with our data and the idea is to build businesses on top
#
And what I keep telling people is, you know, whatever you say about Aadhaar, my fundamental
#
objection to it, as you correctly nailed right now, is a question of consent, it's a coercion
#
that we are forced to take Aadhaar.
#
You know, you might say it's insecure or it's not insecure or whatever, but if you have
#
the agency to be able to decide, that's fine.
#
And the whole Aadhaar, Imbroglio in a sense, illustrates the perversity of what the state
#
The state is ideally there to protect our rights and to protect our property.
#
But now what is happening is I am told that if by 31st March I don't link my Aadhaar
#
to my bank account, they could freeze my bank account.
#
The government is there to protect my money, not to, you know, I mean, is basically theft
#
No, and what this does essentially is that it's changing the relationship between the
#
citizen and the state because of all the information that they're now able to collect on you.
#
So if you go back to the idea of Aadhaar, I think you need to look at it from a mass
#
surveillance perspective.
#
So about, I think, five, six years ago, we heard about this project being rolled out
#
called NatGrid, which was a national intelligence grid effectively.
#
And the idea was that it would connect 21 databases together.
#
So your bank, your mobile, et cetera, all of these things.
#
Now, you know, if you think about it, an Amit Sharma in one database is not going to be
#
an Amit Sharma in another database, right?
#
The deduplication is very difficult because the names are going to be, are the same across.
#
John Smith, you know, from that perspective.
#
What the Aadhaar number does is it deduplicates these databases.
#
Phase two of NatGrid, from what I've read, is going to have 955 public and private databases.
#
So every aspect of your life, every interaction is going to effectively become an Aadhaar
#
link database, which will then be available to the state when they want to glean information
#
Now, zoom out and look at the impact that can have on a democracy and that impact that
#
can have on an individual's agency if the state has that much informational power over
#
And so these are very dangerous times for us as citizens and for our rights, also for
#
the opposition parties, because, you know, this government may not be that bad, but who
#
knows five governments down the line, you will have a totalitarian entity that uses
#
this information to effectively change the course of history forever.
#
I mean, every individual should just think of the government in power as being the absolute
#
worst that he can think of, whatever that might be.
#
And you give them this much power.
#
And you said earlier that this reverses the relationship between the citizen and the state.
#
I would actually say it illustrates it and in the sense that it's pretty much been this
#
way that the state has treated its citizens as its subjects.
#
And the difference of Aadhaar and the control that they have over our lives because our
#
data now belongs to them is that the state is empowered.
#
Like typically you'd imagine that in these modern times, technology empowers individuals.
#
But here you actually have Aadhaar empowering the state against its individuals instead
#
of protecting the individual.
#
So one of the arguments that's being made is that Google has your data, Facebook has
#
So one part is, yes, that is voluntary.
#
But also they have a lot of data about you.
#
So we're in an era where all of these entities have a large amount of information about us.
#
But we really have little control over information that is us in the sense in today's day and
#
Every single activity that we do generates data.
#
People are talking about the quantified self with, I mean, I have a friend who's stuck
#
some device in his arm and he uses it to monitor his blood sugar levels.
#
That's going to an app.
#
So we're generating truckloads of information about ourselves and we'll continue to do that.
#
The power equation with the platforms is also something to consider.
#
So the state's solution for dealing with that changing power equation and these platforms
#
like whether it's Google, it's Facebook, it's Amazon, it's Microsoft, Tencent, Baidu, the
#
state's solution there is to, hey, give us your data as well.
#
So we'll also use that.
#
So we're effectively in a situation where there is a global market failure in data protection
#
And the solution to that problem shouldn't be more data.
#
It should be giving us more control over our data.
#
In fact, the fundamental role of the government should be to protect the rights of its citizens
#
and therefore the government should be putting those data protection laws in place rather
#
than trying to exploit its absence.
#
So this is one of the problems with Aadhaar, that Aadhaar was brought in to an ordinance
#
initially without a privacy law in place.
#
There still isn't a privacy law.
#
The current committee that's looking at the privacy law is essentially, it has people
#
who've argued against a fundamental right to privacy in the Supreme Court, right?
#
It has the CEO of the UIDA and the UIDA is really not one that's going to uphold privacy
#
the way it's operating right now.
#
So we have a problem here that we don't have a data protection law.
#
Aadhaar, even when it was taken through parliament, it was taken as a money bill with the Rajya
#
Sabha having no role except making recommendations which the Lok Sabha rejected because the current
#
government has a majority in the Lok Sabha.
#
And those protection requirements were actually fairly good in the sense you had, one was
#
for the definition of national security because in India, there is no definition.
#
So the state has complete freedom in terms of who, under what causes it goes and snoops
#
You know, there was purpose limitation, which was another solution where you can only limit
#
it to a few select services and not build a whole private ecosystem or enable a whole
#
private ecosystem on the basis of our data.
#
So checks and balances were essentially rejected in parliament.
#
And therefore, even from like, it's almost been a journey of the state constantly trying
#
to hoodwink its citizens over the last few years.
#
And this is not just the BJP, by the way, it happened with the Congress as well.
#
It's a BNA of the state.
#
And so I'm very worried about where we're going with this and how the future is going
#
to be if this is allowed, because, you know, I don't, I don't, I'm not sure whether the
#
Supreme Court judges really realize the ramifications of what they're dealing with over here.
#
We got a great judgment in terms of the fundamental right to privacy.
#
But the way it looks at, there were exceptions that were brought in, especially for welfare.
#
And that's what the lawyers, some lawyers that I've spoken with seem to think that that
#
is a means of justifying Aadhaar.
#
So we don't know where this case is going to go, but I think it's pretty worrying.
#
Let's move on with your laundry list of objections to Aadhaar, which I know is a long one.
#
So the other is that actually this is about the permanence of the Aadhaar number, which
#
is a single permanent number that is you effectively, and the permanence of biometrics as a password.
#
Now that's just stupid, because if, imagine having an email address with a permanent password
#
So this is, and, and what's happened over the past few years is that government departments
#
have been leaking Aadhaar numbers and a lot of personal information by the millions.
#
I mean, a CIS report pointed out that only about four schemes had details of over 135
#
And all of this is available on Google search.
#
So sketch out a scenario for me.
#
What happens if some, what can, what can go wrong if someone's Aadhaar number?
#
First let me tell you what information it had, right?
#
Because I've seen some of these Excel sheets because government departments uploaded Excel
#
sheets with personal information on their websites.
#
And you had to do a Google search for a file type XLSX in quotes, Aadhaar number, and you
#
would get some of these sheets, which you can download and get people's personal details.
#
So they had Aadhaar number, bank account, address, date of birth, father slash spouse's
#
name, you know, gender in some cases, caste and religion in some cases in Excel sheets.
#
So spell out for me what can go wrong when this kind of data gets released or falls into
#
So one is of course targeting, you know, if, as Aadhaar gets linked to more and more things,
#
individuals can be targeted in a manner which is predatory.
#
And we've seen some of this happen because the information that's being leaked where
#
you had a situation where people were getting phone calls saying, I'm calling from so and
#
Is this your Aadhaar number?
#
Is this, is this your bank account number?
#
I'm sending you a verification code because you have to link your Aadhaar to your bank.
#
And then people would give that detail and they would find that money's been transferred
#
In fact, this happened to a member of parliament in Punjab as well.
#
I received a call in fact, and I have the audio of that because I recorded it where
#
and it wasn't Aadhaar related, but because I don't have an Aadhaar, but it was related
#
to PhonePay, which is a UPI payments app, which I use.
#
And so the person didn't realize that I know about the payments ecosystem.
#
He said, I'm sending you a verification code.
#
When I looked at my phone, it was a password reset code.
#
And so for most people who can't understand English and because this, they're going to
#
give this information away because they think that the person who's calling them is legitimately
#
calling from these places.
#
How did you realize it was a password reset code?
#
It would have just been a number, right?
#
Your password reset code, so the credit to PhonePay over here, it said your password
#
reset code is so and so.
#
So I think, but again, it was entirely in English.
#
And so we are going to face problems because there are issues of information asymmetry
#
and bounded rationality.
#
And people may not understand the implications of what they're doing and they might find
#
that money's been funneled out.
#
And they've been wiped out.
#
But they still have their Aadhaar number.
#
They still have their Aadhaar number.
#
So again, so going back to the issues, one major problem is the centralization of all
#
this data in a single database.
#
And so what we found a month or so ago, there was a story broken by Rasna Khera of the Tribune,
#
where she was added to a WhatsApp group of people who were selling access to the Aadhaar
#
So what the government had done was they had made some village level entrepreneurs at some
#
common service centers, customer support people for, you know, people who walk up to them
#
saying we have these issues, et cetera, that allowed access to the Aadhaar database.
#
They were selling access to the database at 500 rupees a pop.
#
And they were doing that because there were no checks and balances in place in terms of
#
So if you use WordPress, you have administrator, editor, contributor, et cetera, et cetera.
#
So here's the thing, WordPress was started in 2004, 2005, WordPress then had a better
#
permission architecture than Aadhaar does today.
#
And so people who've got access get access to the entire database.
#
From a centralization database, the other issue that if it gets compromised, if access
#
gets compromised, the access to the entire database gets compromised.
#
It's not in silos, it's not like as per district and you have limited amount of access.
#
So it's a bad idea because it creates a single point of failure.
#
The other single point of failure is the Aadhaar number itself, because it's a unification
#
of an identity into a single number.
#
So you know, today you can give your driver's license somewhere as an ID proof.
#
You can give your PAN, you can give your Aadhaar number.
#
If you have federated IDs or separate IDs, then there is a certain amount of security
#
that comes in because only one part will get compromised.
#
Sometimes if people take a driver's license, they don't know what that is ID proof for.
#
No one knows what you've given as an ID proof for your bank.
#
It could be one of multiple things.
#
But if there's a single number that is the ID proof for everything, and remember it's
#
not an ID proof, effectively it can compromise you across the board.
#
Once someone has your Aadhaar number, all they need is your biometrics or they need
#
OTP is easily hackable and biometrics have been cloned from fingerprints.
#
There were school students, everything, there were college students in Bombay who were found
#
faking attendance because they had cloned fingerprints and you had attendance based
#
on fingerprint authentication.
#
In Surat, biometrics were being sold, biometric databases were being sold and I saw this photograph
#
of a pink thumb impression that someone could just take and put on an authentication machine.
#
So again, because you're using biometrics and biometrics have been cloned, the iris
#
has been cloned, the fingerprint has been cloned, a face ID is even easier to clone
#
You are going to have problems going forward.
#
If any system can be gamed, it will be gamed.
#
And here you have a government which is building a system and the government is always going
#
to be staggeringly incompetent at this.
#
And the ingenuity we have in our country, we can game anything.
#
You put the two together and it's a recipe for disaster.
#
And we've seen multiple instances of that.
#
So again, from a security access perspective, in UP there was a case where people had cloned
#
fingerprints and they were generating Aadhaar numbers and they were selling that software
#
bypassing the iris authentication for an enrollment officer by essentially patching the Aadhaar
#
Because of bad incentives, they were paid by the number of Aadhaars generated.
#
Again, right now it is enrollment.
#
Once enrollment is finished, if let's say 100% are given that they're probably fakes
#
in the system, 106% of this country is enrolled, then you will find other scams emerging bit
#
We don't know the scale of this problem and there are, like I said, 49,000 enrollment
#
agencies whose license was cancelled.
#
And we don't know how many fakes that are in the system right now.
#
For all those people who were enrolled by those agencies, have they been re-enrolled
#
Is there any information to that effect so far?
#
And that's again because of a lack of transparency from the UIDAI.
#
They are repeatedly rejecting requests of right to information.
#
So they have something to hide it seems.
#
But again, going back to the earlier point about this relationship between the state
#
and the citizen, we're in a situation where transparency is expected of citizens but not
#
And there are millions of common citizens who are victims of this.
#
And you spoke about Debye and Roy and obviously he's privileged enough that you are speaking
#
about him and asking questions about him.
#
But most common people have no recourse at all.
#
They may not even know English.
#
They may not know how to negotiate the system in any way whatsoever.
#
And I don't think there's a separate debate to be had on the state of media and the economic
#
health of media in this country right now, but really most publications don't have people
#
who can go out into the villages and see the kind of problems that they're facing.
#
Scroll has done some great work on this.
#
And one of the main issues that's coming up is exclusion.
#
So you know, I'm a ghost right now and I'm assuming so are you because neither of us
#
And the problem right now is that for a lot of people, especially in Rajasthan and Jharkhand
#
where it's been made mandatory to the greatest extent for getting welfare, old people, daily
#
wage laborers whose fingerprints either change or don't work or there isn't sufficient connectivity,
#
they're not getting their welfare.
#
And there are people, instances of people who have died because they haven't gotten
#
Think of an 80 year old woman who now has to go 20 kilometers to authenticate with her
#
fingerprints that may or may not work and then therefore has to go repeatedly, whereas
#
earlier she could have given her ration card to a neighbor to go and get that.
#
Now there was pilferage that was taking place earlier, but there are also instances emerging
#
in news reports of people for whom the fingerprint authentication has failed based on what the
#
person who's giving rations is saying and what they found is that that authentication
#
actually worked and the rations were essentially pilfered out.
#
So it's not really affecting pilferage or stealing of rations as much because you may
#
have authentication that's taking place, but you're not able to address quantity theft.
#
So as an effective mechanism, it's not really working and even the numbers that they're
#
talking about have been overstated and we've done detailed analysis.
#
Anand Venkatanayanan is a person who's done detailed analysis on how the numbers are overstated
#
by thousands of multiples, I mean where it might be about 150 crore in savings is being
#
posited as 49,000 crores of savings or something like that.
#
So again, because there is lack of transparency from the government and because there's also
#
attribution to Aadhaar where it shouldn't exist, for example, in case of West Bengal,
#
ghosts and fakes were effectively removed through door-to-door surveys, but the savings
#
from what we understand are being attributed to Aadhaar.
#
So essentially right now the system is geared up towards doing anything possible to save
#
And again, within the welfare delivery system it's had the effect of empowering the rent
#
seekers which is the opposite effect that you'd want.
#
But just more than that, people have died because they haven't got admission to hospitals
#
because the people demanded an Aadhaar card, we've heard horror stories like that.
#
And there is a moral cost to that and it infuriates me that people sitting in air-conditioned
#
cabins in Delhi treat this as collateral damage, much as they did during demonetization, talking
#
about vague long-term benefits while there is actual suffering happening on the ground.
#
But I think that's kind of the state of political discourse today that growth at any cost and
#
people are being seen as collateral damage and you're trying to digitize the economy
#
by forcing people into it.
#
See, I'm someone who loves tech, I've covered this space for 12 years, love the internet
#
and I've always been idealistic about the role that technology can play in the sense
#
even media numbers built on this idea that our role is to help enable an open, fair and
#
competitive digital ecosystem in the country.
#
But really what turned my thinking around Aadhaar was this was around demonetization
#
and digital payments and when people were primarily talking about forcing change upon
#
the country, almost like I likened it to white man's burden as digital man's burden, that
#
it is the role of the digitally enabled to force everyone to become digitally enabled.
#
And that's not how I became digitally enabled, it was by choice, it was as agency.
#
And so there's a philosophical shift that has taken place where those who've benefited
#
from it feel that it's their job to force others to conform to it.
#
And because it brings inefficiency and savings and power for them, but I think this is largely
#
And it's very interesting, you'll hear supporters of Prime Minister Modi talking about how they
#
hate communism and so on, but all of this is right out of Chairman Mao's playbook.
#
You know, the mass coercion during the time of demonetization, the kind of social engineering
#
that is being attempted in various ways of which Aadhaar is a phenomenally powerful tool.
#
Well, if you if you look at the removal of agency, the one aspect that really stands
#
out is in the Aadhaar Act, where if your data gets stolen, you can't go to court.
#
So the law disables you from going to court, only the UIDAI can go to court.
#
Now, why would the UIDAI go to court against another government department?
#
So far, they've only gone to court against journalists and researchers who've pointed
#
out issues with Aadhaar, which is again a wrong thing to do.
#
But they have not gone to court against at least 216 websites that were publishing Aadhaar
#
information, even though the Aadhaar Act doesn't allow it.
#
And the thing is, you should have, if your rights are infringed, you should be able to
#
go to court on your own behalf.
#
It's not just that, what that system, if you're able to go to court, it helps correct the
#
So effectively, Aadhaar is not going to get fixed unless someone goes to court.
#
If your data gets stolen and you go to court, it forces people to make the systems more
#
secure because they might get fined or someone might get jailed.
#
But now those incentives don't exist.
#
And I think from what I remember, when Ravi Shankar Prasad, the IT Minister was asked about
#
this in parliament, I think he said that, you know, if we do that, then there would
#
be too many cases, which is almost an admission of a problem.
#
Which also indicates his government's unceasing focus on optics.
#
They don't care what really happens, they just care how it's reported.
#
Well, I don't know about that aspect of it, but from one of the things that I've noticed
#
is that there's also a great deal of lying that's going on, like this constant refrain
#
that there has been no breach.
#
And that's optics effectively, right?
#
But the fact is that a breach is unauthorized access.
#
So if Rasnakeera of the Tribune was able to get unauthorized access to the Aadhaar database
#
by paying 500 bucks to someone, that is a breach.
#
You know, if let's say Abhinav Srivastava, a developer in Bangalore, was able to access
#
the Aadhaar database because NIC, a government body, was running access to it on HTTP instead
#
of HTTPS, and it's a non-secure connection which can effectively, data can be taken from
#
that, that is a breach.
#
If biometrics have been cloned or being sold, that is a breach.
#
So I think by denying that there's a problem, we're not going to solve it because if you
#
think about it from a governance standpoint, the first part of the solution is to accept
#
that there's a problem.
#
Then it is to involve the right-minded stakeholders in trying to figure out the source of the
#
problem, trying to find out the solution, and then solving it.
#
And also informing about solving it and bringing in processes of transparency so that there
#
is accountability in the future.
#
None of this is happening right now.
#
And so we're just digging ourselves a deeper hole by denying that the problem exists.
#
So you know, another part of the problem with the way Aadhaar is being run is that there
#
is no monitoring mechanism.
#
There is only, there's only an audit mechanism, which means that someone has to do an audit
#
Now nobody seems to be doing that audit because journalists and researchers are finding problems
#
and the UIDAI goes and sues them for it.
#
If that problem hadn't been reported by a news agency, the UIDAI probably would never
#
have known about it and the leaks would have kept happening.
#
And you're actually disincentivizing people from finding the problems in the system you're
#
But more, I mean, it's, but it's just as important to remember if there is a problem
#
and nobody reports it, going back to your tree falls in a forest example, who knows?
#
There is probably data leaking everywhere that we don't even know about.
#
So that's why you have researchers with some anonymous Twitter handle called F society
#
That is, that's effectively constantly, almost on a daily basis, pointing out issues with
#
Aadhaar because an anonymous handle probably has a better chance of doing that because
#
if an Indian handle did it, they'd probably get sued or they'd get put in jail.
#
So I have a sneaky feeling that anonymous handle is also a ghost like us.
#
No, but you know, so going back to the agency issue, the UIDAI under the Aadhaar act can
#
also cancel your Aadhaar number for any reason they may deem necessary.
#
And do you have recourse?
#
I'm not sure about the recourse part.
#
Because if you think about it, only the UIDAI can go to court.
#
And also only, even if everyone could go to court, only the incredibly privileged people
#
like us would actually be able to do so at a practical level.
#
Most people in this country, they don't really have that option.
#
I mean, but you know, they also don't have it easy even getting an Aadhaar number.
#
So, you know, you've seen instances of endowment agencies because of the atmosphere of desperation
#
that's been created by the government, having to pay bribes to get an Aadhaar number.
#
It's supposed to be very cheap, but the people who've had to pay 300, 500 thousand bucks
#
to get an Aadhaar number.
#
And this is essentially rent seeking that's happening at an enrollment level right now.
#
There will probably be rent seeking that will happen if you need to get some data changed.
#
So we don't know where this is going.
#
But really, that's where the corruption has come in.
#
If you look at it, Aadhaar has effectively enabled corruption at that level, even though
#
the state may not see it as that.
#
I mean, as the old saying goes, power corrupts.
#
So the more power you give, the more corruption you will have.
#
What else is in your laundry list?
#
So one of the things is that the people who've already been compromised forever.
#
And so that's one of the problems I have with Aadhaar that the leaks have happened at such
#
a large scale that we really don't know what to do about it.
#
So if someone's actual information about their bank account number, Aadhaar number, religion,
#
address, date of birth, father's name, husband's name, if all of that identifiable information
#
that can be used to compromise them has been put in the public domain or has been leaked,
#
how do you protect them?
#
What do you do for them?
#
They're compromised for the rest of their lives.
#
They can't do anything.
#
I'd love suggestions on how we can fix that now.
#
So the way I look at it is that this is an increasing problem.
#
And we need to suspend Aadhaar right now to mitigate the problem.
#
I don't know if we can solve it.
#
But at least for the time being, we need to recheck our processes, we need to figure out
#
where all the leaks are happening.
#
And you can't do that with an ongoing system because it's like you plug one hole and then
#
you suddenly realize there's another one, there's another one, there's another one.
#
This is not something that can be done live.
#
First you plug all the holes, then you think about repairing the wall at a fundamental
#
And that's what we first need to suspend the project and figure out where all the problems
#
I also mentioned about not being able to count the fakes in the Aadhaar system because there
#
is no way of knowing if you've created a fake Aadhaar number or an ID.
#
In fact, you can essentially take a photo of an Aadhaar card, put in any random number,
#
put in your photograph, put in any random name, and most people will accept it as a
#
proof of identification because of the environment that we've created where it's acceptable.
#
So in most countries, they have chips and that chip is a means of authentication.
#
You can't really put in a fingerprint scanner everywhere and I don't think people should
#
be going and scanning their fingerprints everywhere because it's so easy to clone fingerprints.
#
Someone can just place a machine before you, you put your thumb on it and they say, oh,
#
this one didn't work and they put another one and that works.
#
They could have just cloned it from the first one.
#
I mean the same thing with credit cards, the way you clone it, yeah.
#
So the other problem is that 15 states have already taken copies of the Aadhaar database
#
under something called the SRDH or the State Resident Data Hubs.
#
Now in Andhra, what we've seen is that all sorts of information is being linked to it.
#
So you know, the UIDA and Ravi Shankar Prasad have gone out and said that we're only collecting
#
demographic data, which you would give to your bank or your mobile operator and stuff
#
But at the state level, they're linking stuff like traffic violations to it.
#
They're linking property records, petty crimes information and this is happening in case
#
Now what you develop effectively over a period of time when you start collecting and linking
#
all of this information is you get a 360 degree profile of each single individual and that
#
kind of data in the hands of a state is very dangerous.
#
You know, because historically even income tax records have been out of bounds for other
#
government departments, right?
#
So the silos that existed which protected us are now being broken through the creation
#
of the centralized database.
#
And so the scale of the problems that this is going to cause is something we don't even
#
It's difficult to comprehend because there are also no checks and balances in place.
#
So many of these states don't have a state level Aadhaar Act to regulate the collection
#
and sharing of this information.
#
Now one argument that UIDA is making is that the Aadhaar Act also applies to the states
#
where the states already have collected way more information than the Aadhaar Act allows
#
the central government to take.
#
So the ambiguity is actually there right now to be misused.
#
And just thinking aloud the political repercussions of this on our democracy can be staggering.
#
I mean, just to take two examples, in 1984 we now know that a lot of the rioters had
#
electoral rolls by which they identified which house the people they wanted to victimize
#
lived in and they just went door to door to those houses.
#
And that is just a very limited set of data and the damage it caused.
#
And equally, you saw recently how T. Star Settelwaard's credit card details were leaked
#
out at a government press conference where they said that, listen, this woman used her
#
credit card to buy alcohol as if buying alcohol is a crime.
#
And the fact is that data should not have been out there.
#
Exactly and what right does a government have to release that data in the first place?
#
I mean, they should have the data and if they have it, you know.
#
So that affects the opposition in a democracy.
#
And it has a chilling effect on the opposition as well.
#
If you know your bank account can be freezed, if your entire life can be shut down.
#
Well, look at it from another perspective, right?
#
The beauty of digital is that the data is digital and so therefore the data can be manipulated.
#
So if let's say there's a murder that's taken place three, four kilometers from here,
#
how do I know that Amit wasn't there?
#
If his location data puts him there, if he's done a credit card transaction in the same
#
building at some swap on the ground floor, right?
#
So these are the things.
#
You think you're giving ideas that will get me into trouble, buddy, you've got more enemies
#
Well, so just going back to that last example.
#
The other thing you have to keep in mind in terms of the databases that get created is
#
that there is no control that the UIDAI has on private databases.
#
So through this AKYC mechanism, which is why I started off by saying that this is the conversion
#
of personal data into a public asset and then privatized is that private agencies and private
#
entities are now creating their own databases built on this information.
#
And so what we saw, for example, in case of Reliance Jio and the data that had leaked
#
last year was that someone launched a site called magicapk.com because there was a vulnerability
#
at some vendors database.
#
I mean, this is what I read in the news reports at some vendors code side that Jio had given
#
They started a site where you had to put in a mobile number and they would give you demographic
#
Now, the Aadhaar number area in that was kept blank.
#
So I'm not sure whether they had access to it or not, but who's to say that there won't
#
be other players that might actually store that and add more information.
#
And how does a UIDAI keep this data secure after it has left the UIDAI?
#
See, when you do a credit card transaction, you know that Amazon sometimes stores your
#
You can allow Amazon to store your card details.
#
But Amazon goes through this compliance mechanism called PCI DSS, which is a data security standard
#
that it has to follow in order to be allowed to store the data.
#
In case of Aadhaar, I don't know if there is a mechanism to actually check whether people
#
are maintaining certain data security standards or not.
#
And given the way NIC has given access to the database on HTTP and NIC is both an AUA,
#
which is an Aadhaar user agency and a KUA, which is a KYC user agency, which again can
#
share demographic information.
#
I don't think it's following the protocols, but it's a government body.
#
So I don't know what the government is going to do about.
#
Is it going to cancel the license of another government body?
#
So this is damn confusing because I see like two contradictory dystopian situations.
#
One situation is that we have a government which is so inept that it is messing everything
#
up and is making a mess of the whole thing.
#
But the other dystopian situation is that if you really look at it, this is if you wanted
#
to be a totalitarian state with everyone's data under your control and everyone's life
#
one fingertip away from destruction, this is a masterful way of doing it.
#
Which do you think is more true?
#
I'm not going to second guess in terms of intent of the government.
#
That is somewhat the effect that it's ending up having anyway.
#
They have all the data, they have complete control and they have it in extra quick time.
#
Look and it is not to say that the intent was bad when it began from that perspective.
#
Because we don't know what the intent was.
#
Like I am someone who supported Aadhaar when it started because I saw the massive benefits
#
it would bring in if the KYC costs would be taken on by the government.
#
Because at that point I remember Nokia had done some presentation which talked about
#
the cost of authenticating each individual was about 270 rupees.
#
And therefore that is a massive cost if you want to bring everyone into the financial
#
Now the government through Aadhaar was taking on that cost so that you would have financial
#
inclusion that comes in.
#
But the beast that this has become on top of that and the repercussions of collection
#
of personal information is something which many of us had not considered.
#
Which is why under the BJP under Yashwant Sinha there was this great parliamentary standing
#
committee report that came out which pointed towards all of these issues.
#
Which brings me to my last point which again we learnt from that particular report which
#
was about biometrics being an inexact science.
#
So there are always going to be people who will be excluded because biometrics are a
#
probabilistic means of authentication.
#
So there will always be false negatives and false positives which is that there will be
#
people whose fingerprint is correct but that they are going to get rejected and the people
#
whose fingerprints do not match but they will be accepted.
#
And so I would like to see the government actually make Aadhaar mandatory for boarding
#
flight because there will always be someone who will be rejected and the elitism problem
#
that we have in terms of technologists talking about how probabilistic science is fine.
#
When those guys get denied flights because their fingerprint doesn't match I think they
#
will start thinking about things a little differently.
#
I don't think for them it really matters that there are people who are not able to get their
#
daily rations or their monthly rations and the people who are starving because of problems
#
with Aadhaar because it's not impacting them personally.
#
But let's make it mandatory for flights and see what happens.
#
But also in this context you can't talk probabilities I mean the duty of the state is to protect
#
You can't exclude anybody to say that a 0.0 whatever percentage is not on it has to be
#
No no so there is always going to be exclusion.
#
Because biometrics are fundamentally flawed.
#
Because biometrics change because your fingerprints get worn out because as you age they change.
#
So effectively this idea of having a probabilistic authentication and also a permanent mode of
#
authentication with biometrics which can be compromised is just bizarre.
#
Because if by the way if there is a 100% match there's probably a fake biometric being used.
#
So the whole edifice falls apart on this basically so tell me this you've outlined a number of
#
problems and I think any one of them on their own is a disqualifier by itself and together
#
they're quite overwhelming.
#
But what are the sort of solutions that you think are possible going forward?
#
So one is an easy one which is make it voluntary.
#
If you don't want one you shouldn't have to get it.
#
But that ship is sail right 900 million people already have it and a lot of the data has
#
So there's another solution there right.
#
But the other one was make it optional.
#
So Aadhaar should be one of the authentication mechanisms used one of many so that people
#
can then protect themselves.
#
Then is the idea of deprecating IDs which is that let's say if your passport changes
#
then the passport number changes.
#
So have Aadhaar deprecate over a period of time so that you have to go and get a new
#
one that's a new number so your exposure is limited from that perspective.
#
Or rather you can get a new one if you want to.
#
If you want to of course.
#
One of many IDs in use for any kind of authentication.
#
The other is to give users control to change and revoke their IDs.
#
So if I want to change my Aadhaar number I should be able to change it.
#
If I want to just cancel it and never use it again I should have the freedom to do so
#
because that also gives people agency.
#
One technical solution which is also being used I think in Denmark is the idea of using
#
derived authentication or pseudonymization.
#
So the UIDI initially had this idea of having a virtual ID which is going to be built on
#
top of Aadhaar so that you give your instead of giving your Aadhaar number at places you
#
Now the problem with the way they're implementing it is that they're only allowing one virtual
#
ID at a time and the likelihood is that people will not know how to revoke it or change it.
#
And so their implementation is not that great.
#
But let's say in case a UPI which is the payments mechanism with every app you can create a
#
new ID so your bank account doesn't get exposed and one single ID doesn't get exposed.
#
You also need to give citizens a right to legal recourse.
#
If I can go to court then it forces a system to fix itself because there might be monetary
#
damages on the government or court ruling might force it to change.
#
You need a purpose limitation for Aadhaar which is that it should not be linked to or
#
usable for sensitive personal information and you should have a limited use case for
#
which it is allowed so as not to create a situation where people overexpose themselves
#
or give their Aadhaar number or help create databases at a lot of places.
#
No usage of biometrics whatsoever that needs to go and in fact the biometric data that's
#
been collected needs to be destroyed.
#
Of course one thing which for us that ship has sailed but what other countries are looking
#
at similar mechanisms can do is that they need to have a data protection law and a privacy
#
law before rolling something like this out.
#
We've obviously done things the wrong way here.
#
We need money to be spent on an awareness campaign and disproportionate amount of the
#
budget needs to be on that awareness campaign so that people understand what to do, what
#
They have a ready reckoner for how not to compromise themselves because there is clearly
#
there's information asymmetry.
#
Most people don't realize the impact that this has.
#
These are some of the ideas that I have.
#
The push for 100% is actually what is hurting us a lot right now because in that push we
#
are more focused on getting to 100% rather than building a system that works.
#
So tell me something, in your interactions with policy makers, with politicians, with
#
bureaucrats, how receptive have they all been to these ideas of yours?
#
Where is the opposition coming from?
#
I think one is the sunk fallacy, sunk cost fallacy that we spend so much of money and
#
therefore we can't destroy it now, which is why these are recommendations for fixing it
#
rather than shelving it altogether because I think shelving it would be a better idea,
#
but in the absence of that there needs to be a mechanism to fix it or at least limit
#
the damage that gets caused.
#
Most opposition members, they don't like the system because they're also worried about
#
surveillance and exclusion is a very, very big problem that they are seeing in their
#
One of the things that again that I forgot to mention earlier about the problem with
#
Aadhaar that it's become a national security risk.
#
So they are also conscious of that because all this data available, accessible with such
#
poor security in place compromises most citizens in this country, like Aadhaar is the biggest
#
honeypot that exists for any hacker to get into because effectively you can dismantle
#
a country's financial system if you get access to all of this data one way or another.
#
Which seems fairly easy to do, I mean given the protections in place.
#
So we have, but at least from the government side I don't think they're really engaging
#
or they're talking much right now because for them they don't want to admit that there's
#
a problem because that's the way politics currently works.
#
No one wants to admit to having made a mistake.
#
I'm not sure where the Congress stands on all of this because at one level you have
#
Kapil Sibyl arguing very well in court, I mean pushing back against some provisions
#
But at the same time you have the Karnataka Congress which is pushing an Aadhaar bill.
#
So you know, I think it's almost two-faced the way they're behaving.
#
We don't have, no one has a solution right now.
#
Or no one wants to even try for the solution by the looks of it.
#
So Nikhil, I'm going to ask you to sum it up by referring to a quote of yours from a
#
TV interview I saw recently where you said that the Supreme Court decision about Aadhaar
#
is, quote, the most important decision in our history, unquote.
#
And then you went on to say, quote, what we do, and by we you meant the citizens of India,
#
what we do will impact generations, unquote.
#
These are very big words.
#
This is a very, very big issue.
#
The consequences are very momentous.
#
No, I think that the amount of data that we're releasing right now through this, and remember
#
this is, Aadhaar is going to get linked to the DNA database when it gets created once
#
the DNA bill gets passed, right?
#
So like you said, our lives are data, we are data.
#
And so therefore, from an individual liberty perspective, this is the biggest decision
#
that's going to be taken about our future, about our data, about our interactions, because
#
effectively this is going to be used by algorithms to, on the good side, give us loans, but on
#
the bad side, change the way we vote maybe in the future, or whether there is any totality
#
in action by some government in the future.
#
So really, these are our rights that are going to get impacted in ways that we can't really
#
This is also the creation of a mass surveillance state with very limited checks and balances,
#
because frankly, under the guise of national security, very few checks and balances exist
#
So what we need to do as citizens is really push back now.
#
I mean, it has to, I said this to some of the lawyers in the Supreme Court case a couple
#
of years ago, that this only gets fixed when it becomes an election issue.
#
I hope that the Supreme Court does the right thing, because they are effectively going
#
to get judged for what they judge, or for what they do, but we can't depend on courts
#
This is a political problem, and I think there has to be a political solution, and it is
#
on citizens to force a political solution for this.
#
So I think anyone who's been listening to this episode will, I think, agree with me
#
that if we don't act now, it might be too late from a citizen's perspective, but if
#
my listeners want to know, want to ask you that, okay, I'm really concerned, but what
#
concrete thing can I do now as a citizen?
#
A whole bunch of things, right?
#
Number one, we have a site called speakforme.in, which allows you to mail your MP.
#
There's some pre-prepared text in that.
#
Go and change it, right, whatever you want, and just send it to your MP, because once
#
MPs know that their constituents are worried, there is a likelihood that they will again
#
internally push their parties to improve the way they're thinking about it.
#
Whatever you can, inform more people about the issues, because right now what's happening
#
is that most people don't understand the problems that we're dealing with.
#
Share this podcast with as many people as possible so that people realize that the scale
#
of the problem that we're facing right now, and you know, this has been pretty exhausting
#
because for a lot of us who've been talking about this issue over the past few years,
#
and especially for Usha Ramanathan, who's been talking about this for almost six, seven
#
years now, if not more, it's a very lonely battle because most people don't either understand
#
the scope of the problem, understand the issues, and things are changing so quickly that every
#
time a new solution comes up, you're wondering, or something that the UID does, for example,
#
with face ID or with virtual ID that they were doing, you think that that solves the
#
problem even though it doesn't.
#
So I would say do not trust the government on this.
#
Do not trust the UID on this because they're trying to retain a system which is flawed.
#
Go out and tell them that you want them to either remove the system or fix the system
#
because the only thing that you have going for you is your vote right now.
#
I don't think there is any other option to solve this problem.
#
That's an inspiring call to action.
#
May you never walk alone.
#
Thank you so much for coming on the show, Nikhil.
#
Thank you for having me here.
#
If you enjoyed listening to the show, do follow Nikhil on Twitter at nixxin at Nixon.
#
You can also read his writings and follow the work of his colleagues at Medianama.com.
#
You can follow me on Twitter at Amit Verma, A-M-I-T-V-A-R-M-A, and for past episodes of
#
The Scene in the Unseen, do hop over to sceneunseen.in.
#
Thank you for listening.
#
If you enjoyed listening to The Scene in the Unseen, check out another hit show from Indus
#
Works Media Network's Cyrus Says, which is hosted by my old colleague from MTV, Cyrus
#
You can download it on any podcasting network.
#
He bends down to test the warm water for his bath.
#
He comes here to quench his thirst for a hot shower and some podcasts.
#
You can witness how he enjoys having other people talk about cool stuff in his bathroom.
#
Indeed, it helps him with his loneliness.
#
You can find more of his pieces on ivmpodcast.com, your one-stop destination where you can check
#
out the coolest Indian podcasts.
