(New York) – The Indian government’s mandatory biometric identification project, Aadhaar, could lead to millions of people being denied access to essential services and benefits in violation of their human rights, Amnesty International India and Human Rights Watch said today. The large-scale collection of personal and biometric data, and linking it to a range of services, also raises serious concerns about violations of the right to privacy.
The government should order an independent investigation of the concerns raised about Aadhaar, and cease targeting journalists and researchers who expose vulnerabilities in security, privacy, and protection of data, the organizations said.
“Making an Aadhaar card a prerequisite to access essential services and benefits can obstruct access to several constitutional rights, including the rights of people to food, healthcare, education and social security,” said Aakar Patel, executive director at Amnesty International India. “The government has a legal and moral obligation to ensure that nobody is denied their rights simply because they don’t have an Aadhaar card.”
The Aadhaar project is run by the Unique Identification Authority of India (UIDAI), a statutory body of the Indian government set up in 2009. It collects personal and biometric data such as fingerprints, facial photographs, and iris scans, and issues 12-digit individualized identity numbers. Aadhaar was initially meant to be voluntary, aimed at eliminating fraud in government welfare programs and giving people a form of identification.
However, the Aadhaar Act of 2016 and subsequent notifications and licensing agreements dramatically increased the scope of the project, making Aadhaar enrollment mandatory for people to access a range of essential services and benefits including government subsidies, pensions, and scholarships. It has also been linked to services such as banking, insurance, telephone, and the internet.
Shops providing subsidized food grains as part of the government’s public distribution system to people living in poverty have denied supplies to eligible families because they did not have an Aadhaar number, or because they had not linked it to their ration cards – which confirm their eligibility, or because the authentication of their biometrics such as fingerprints failed. Local human rights groups and media have reported some cases in which people starved to death as a result. Poor internet connectivity, machine malfunction, and worn out fingerprints such as those of older people or manual laborers have further exacerbated the problem of biometric authentication.
According to activists in Rajasthan state, between September 2016 and June 2017, after the Aadhaar authentication was made mandatory, at least 2.5 million families were unable to get food rations. In October 2017, the central government instructed states not to deny subsidized food grains to eligible families merely because they did not have an Aadhaar number, or had not linked their ration cards to it. However, reports of denied benefits continue.
Children without Aadhaar cards are at risk of being denied free meals in government schools, while others have been denied enrollment in government schools despite the Right to Education Act guaranteeing free and compulsory education to all children ages 6 to 14. Students are also increasingly finding it difficult to receive government scholarships without Aadhaar numbers. Hospitals in Haryana state insist on newborn babies being enrolled in Aadhaar before giving them birth certificates. Aadhaar numbers are also demanded to issue death certificates. In some cases, people living with HIV/AIDS have decided to stop getting medical treatment or medicines when forced to submit Aadhaar numbers to get healthcare benefits because they fear their identities will be disclosed. Many persons with disabilities have been denied benefits because they were unable to obtain Aadhaar numbers.
The government’s expansion of the Aadhaar project and efforts to make it mandatory for essential services directly violate Supreme Court orders. In August 2015, the Supreme Court, in an interim order, said that Aadhaar enrollment was “not mandatory” and should not be a condition to obtain any benefits otherwise due to a citizen, and also restricted its use to a few government programs. A five-judge bench will start hearing the final arguments on the legality of Aadhaar on January 17.
Right to Privacy
In August 2017, the Supreme Court stated that the right to privacy was part of the constitutional right to life and personal liberty, in response to government arguments in Aadhaar-related petitions that privacy was not a fundamental right. The right to privacy is also protected under the International Covenant on Civil and Political Rights (ICCPR), to which India is a party.
Several reports have shown that the Aadhaar system is vulnerable to data breaches and leaks. In January 2018, the Tribune newspaper reported that unrestricted access to the personal details of people enrolled in Aadhaar could be purchased for less than US$10 from racketeers. The UIDAI responded by filing a criminal complaint, naming the reporter and the newspaper, prompting widespread condemnation by civil society groups.
In 2017, millions of Aadhaar numbers, along with people’s personal information, including bank accounts, were published by government websites. The government has repeatedly dismissed reports of such leaks saying “mere display of demographic information cannot be misused without biometrics,” emphasizing that biometric information is safe. However, experts say companies could store biometric data at the time of enrollment or authentication for a transaction, and biometric data once stolen is compromised forever.
These fears proved real in February 2017, when UIDAI filed a criminal complaint against three companies alleging illegal transactions using stored biometric data. However, a month later, the UIDAI sought to downplay the breach and when an entrepreneur wrote an article illustrating how stored biometric information under Aadhaar could be misused, UIDAI filed a criminal complaint against him.
Following the Tribune story in January 2018, the government said it would address concerns about privacy rights violations by introducing temporary “virtual IDs” for Aadhaar holders to use in certain situations without revealing their Aadhaar numbers. However, the strategy does not effectively address data protection concerns.
The government claims to have issued 1.1 billion Aadhaar numbers to residents in India, not limited to citizens, making it one of the biggest biometric databases in the world. The government’s push for mandatory enrollment and its efforts to link the Aadhaar number to a wide range of services raises grave concerns that it could disproportionately interfere with the right to privacy for millions of people. It has also prompted fears of increased state surveillance, with the convergence of various databases making it easier for the government to track all information about specific individuals, and to target dissent. These fears are heightened by the absence of laws to protect privacy and data protection in India, and the lack of adequate judicial or parliamentary oversight over the activities of intelligence agencies.
Transparency and Accountability
Certain provisions of the Aadhaar Act and subsequent regulations also raise concerns regarding transparency and accountability. The law prevents anyone other than the UIDAI from approaching the courts in case of a breach or violation of the law. It also fails to set up an adequate or effective grievance redressal system. The ICCPR requires countries to ensure that anyone whose rights or freedoms are violated has an effective remedy.
Aadhaar regulations allow the government to deactivate an Aadhaar number for various reasons including for “any other case requiring deactivation as deemed appropriate” by the UIDAI, leaving the broad wording open to misuse. Also, the government is not required to give any prior notice before deactivating an Aadhaar number, which could violate natural justice principles and also put access to essential services at risk. Between 2010 and 2016, the government deactivated 8.5 million Aadhaar numbers, saying it was for reasons provided for under the law.
Aadhaar does not allow anyone enrolled under it to opt out or withdraw. Aadhaar regulations do not require the authorities to inform an Aadhaar number holder if their information has been shared or used without their knowledge or consent.
“It is ironic that a 12-digit number aimed to end corruption and help the poor has become the very reason many have been deprived of fundamental rights,” said Meenakshi Ganguly, South Asia director at Human Rights Watch. “There are legitimate concerns about privacy, surveillance, or just misuse of personal information, and the government should address these problems instead of coercing people to enroll and link existing services to Aadhaar.”