Page 30 - Proceedings of the 2017 ITU Kaleidoscope
P. 30

2017 ITU Kaleidoscope Academic Conference




           2. SOURCES & POTENTIAL FOR AADHAAR DATA            is estimated to have added  approximately 600 thousand
                                                              new users per day in its first six months. More recently, the
           The NYU GovLab research  centre defines open data as  -   Department of Telecommunications issued a direction to all
           "publicly available data that can be universally and readily   telecom service providers to re-verify their mobile
           accessed, used and redistributed free of charge.  It is   subscribers through the eKYC process by February, 2018.
           structured for usability and computability” (GovLab, 2016   Based on current figures, this move would cover a telecom
           [5]). In case of Aadhaar, its open data potential is closely   subscriber base of about 1.2 billion connections.
           linked to its characteristic design,  features and   As more and more Government and private agencies move
           functionalities. We therefore begin by examining the   towards Aadhaar-based authentication systems, we see two
           architecture of the  Aadhaar  project and then proceed to   primary sources of data emanating  from  the  Aadhaar
           identify the categories of data that can emanate  from its   ecosystem: (i) statistics of Aadhaar enrolment and usage of
           different processes.                               the database available with UIDAI; and (ii) data generated
           The UIDAI has been tasked with three key  functional   through government and private uses of Aadhaar. Each of
           processes: enrolment, identification and verification   these categories of data comes  with a  unique  set of
           (MeitY,  2017  [14]).  Through  an  extensive  network  of   challenges pertaining to the ownership of the information,
           enrolment agencies, UIDAI collects the demographic   the extent to which it can and should be made public and
           (name, date of birth,  gender, address) and biometric   the incentives that  might drive  such disclosure. Before
           (fingerprints, iris  scan and photograph) information of   turning to these issues in the next section, we first identify
           individuals  for the purposes of enrolling them into the   the types of information that can emerge from Aadhaar and
           Aadhaar system.  All the collected information is housed in,   its uses, and the potential value of such data.
           and  managed by, the UIDAI Central Identities Data
           Repository. The next step of “identification” refers to the   2.1. Release of open data by UIDAI
           de-duplication of biometric data in the UIDAI database. In
           this de-duplication process the Aadhaar system performs a   The decision and the responsibility of creating open data
           check of the information collected for each new enrolment   vests upon owner or manager of the database. This right is
           against all the enrolled data to ensure “uniqueness”. This   exercised  within the bounds of legally permissible
           results in the issuance of a unique Aadhaar number to the   disclosures. We therefore begin this section by examining
           individual, which is meant to be a random number with no   the  extent to which  the Aadhaar  Act permits (or, at the
           built-in intelligence.                             least, does not prohibit) UIDAI from making any Aadhaar
           Finally, it is the verification process that is employed in a   related data publicly available.
           variety of use-cases. This verification can be of two kinds -   The Aadhaar Act does not expressly vest the ownership of
           authentication and eKYC.  The authentication  services   the collected demographic and biometric data  with the
           respond  with  a  “yes”  or  “no”  answer  to  the  Aadhaar   UIDAI. However, its  website  clarifies that the “data
           number  holder’s claim of identity and  no personal   pertaining to residents is held by UIDAI  as a trustee
           information is shared in the process  with the querying   /custodian”. UIDAI’s control over the collected data is
           entity. On the other  hand, electronic know-your-customer   further demonstrated by the fact that the individual
           functionality or eKYC allows  authorized  users to seek a   providing her information does not have the option to exit
           person’s identity information (but not their biometric   from the  system (although she can request access to her
           information) from the Aadhaar database. The UIDAI rules   information).
           allow the authorized eKYC agencies to keep the collected
           data in their records and use it for the purpose of delivering   Irrespective of the issue of ownership, the sensitivity of the
           their services.                                    information and scope for its misuse demands that UIDAI,
                                                              as its custodian, deal with this data in a highly controlled
           The list of agencies that  have already adopted Aadhaar-  manner. Privacy and data protection concerns demand that
           based authentication systems includes Government benefit   an individual’s  Aadhaar number; the demographic or
           transfers and e-governance initiatives, banks and financial   biometric information collected during the enrollment
           service providers, telecom companies, and digital certifying   process; or authentication records of a person should not be
           agencies. As of April 2016, UIDAI reported over 1.5 billion   released publicly, by UIDAI, its enrolment partners or the
           authentication  transactions and over 84  million eKYC   authorized users of its authentication and eKYC systems.
           transactions (PIB, 2016 [1]). These figures are  known to   Accordingly, the  Aadhaar  Act casts an obligation on the
           have multiplied since. In the latter half of the financial year
           2016-17, a monthly average of 139 million people were   UIDAI to ensure the confidentiality of the identity
           estimated to be authenticating themselves  using  Aadhaar   information and authentication records of individuals.
           (IDinsight, 2017 [11]). Similarly, the  number of eKYC   Subject to certain exceptions, the law also specifically bars
                                                              UIDAI  from revealing any information stored in its
           transactions have also risen dramatically, primarily through
           UIDAI’s encouragement of eKYC driven  financial    database or authentication records to any person. The
                                                              authority  is also restricted from collecting or maintaining
           inclusion and its use in telecom services.         any information about the purpose of authentication. These
           In September, 2016, a new telecom player, Reliance Jio,   provisions put some basic restrictions on the information
           entered the Indian market employing Aadhaar eKYC as its   that can legitimately and legally be released in the public
           primary mode of verifying and enrolling new subscribers. It   domain by UIDAI.




                                                          – 14 –
   25   26   27   28   29   30   31   32   33   34   35