Identity Project

Despite the comparisons, India's Aadhaar project is nothing like America's Social Security Number

It has more uses and fewer safeguards.

From food rations to marriage certificates, entrance exams to train ticket concessions, mobile phone cards to banking, Indians are now being asked to produce a 12-digit Aadhaar number to access both government and private sector services.

This number is connected to their fingerprint and iris scans that are stored in a centralised database. As of September 2016, this database held the demographic and biometric information of more than 105 crore people – more than 80% of India’s population, and three times the population of the United States.

India’s Unique Identification project is the world’s largest biometrics-based identity programme. Initially, the project had a limited aim – to stop theft and pilferage from India’s social welfare programmes by correctly identifying the beneficiaries using their biometrics. But now, the use of Aadhaar is expanding into newer areas, including business applications.

As the uses of Aadhaar proliferate, what are the rewards and risks?

Over the next week, a special series on Scroll.in will take a closer look at the many dimensions of Aadhaar, from its use for social welfare, to its expansion in the private sector, to concerns over privacy and data violations.

First, a quick comparison with the Social Security Number of the United States. The nine-digit number, which is used widely by government agencies in the US, is seemingly as ubiquitous as Aadhaar. It is often used as an example of an advance economy successfully doing something similar to India’s unique identity project. But there are important differences between the two, starting with the fact that the Social Security Number is, well, not an identity number.

Aadhaar is an identification number. Social Security Number is not.

The Social Security Number has its origins in the years of the Great Depression. During this period of economic recession in the US, the Roosevelt government launched the “New Deal”, a series of programmes to provide relief and employment to the poor.

In 1936, under the Social Security Act, it began using a nine-digit number, the Social Security Number, to track the earnings of workers and compute the amount of social security benefits to be credited to their accounts.

Over the years, the ease of using the number led more government agencies to incorporate it in their records. In 1961, for instance, the Internal Revenue Service began using the Social Security Number for taxpayer identification, similar to the Permanent Account Number in India.

With no legal restrictions on use of the Social Security Number by private companies, several businesses such as credit bureaus started asking individuals for their Social Security Number and storing it.

But in 1977, the Carter administration clarified that while it may used to be verify whether an individual had the legal permit to work, the Social Security Number could not serve as an identification document.

The Social Security Administration website states in a 2009 bulletin: “The card was never intended to serve as a personal identification document that is, it does not establish that the person presenting the card is actually the person whose name and SSN appear on the card.”

By contrast, Aadhaar has been designed as a single, universal, digital identity number that any registered entity, whether public or private, can use to “authenticate” an Indian resident. Anyone who has lived in India for 182 days can enroll in Aadhaar for proof of identity, while only citizens and those authorised to work in the US can obtain a Social Security Number.

Aadhaar authenticates a person. The Social Security Number does not.

Aadhaar authenticates a person by matching his or her demographics or biometrics with the records in its database. The government says this will help prevent identity fraud – for example, no one will be able to collect wages or food subsidies in another person’s name.

The Social Security Number was never intended for authentication purposes and has not been built to do this on a national scale. It matches a name and associated Social Security Number against its records only in limited circumstances, such as before issuing a replacement Social Security Number, or establishing a claims record.

It “does not verify an individual’s identity”, notes the Social Security Administration website, explaining the verification methods.

Aadhaar captures biometrics. The Social Security Number does not.

Aadhaar collects biometrics, which include the scan of all fingerprints, face and the iris of both eyes. Aadhaar Act’s section 2(g) states that “other biological attributes” may be collected in the future, a provision that was intensely debated in Parliament.

The elderly and the poor is India have hardened, wrinkled hands.
The elderly and the poor is India have hardened, wrinkled hands.

In contrast, when the Social Security Number was created in the 1930s, the US government decided not to collect fingerprints. “The use of fingerprints was associated in the public mind with criminal activity, making this approach undesirable,” notes the Social Security Administration website. The Social Security Number is thus printed on a small paper card and does not carry even a photograph.

In recent years too, the Social Security Administration has restrained from collecting biometrics of residents. In 2007, when the Intelligence Reform and Terrorism Prevention Act asked the SSA to improve the security of Social Security Number cards, the SSA considered adding the holder’s photograph or biometrics to the card but eventually decided against it.

“A biometric identifier, such as a fingerprint, can be an effective and highly accurate way to establish the identity of an individual, but it can also facilitate a much higher degree of tracking and profiling than would be appropriate for many transactions,” said Marc Rotenberg, the president of Electronic Privacy Information Center, a research organisation, in a testimony to the House of Representatives.

He added: “The problems that will arise when biometric identifiers are compromised are severe. What will happen at the point that your biometric identifiers no longer identify you?”

Around 2011, American authorities considered introducing a new biometrics-linked identity card for work authorisation for residents. Called the Biometric Enrollment, Locally-stored Information, and Electronic Verification of Employment or BELIEVE card, it aimed capture fingerprints or scans of veins on the back of hands.

BELIEVE card supporters presented it as necessary for immigration reform but many opposed it. “We pointed out that a biometrics ID system would be expensive, intrusive and ineffective, and requiring such an ID card would fundamentally transform the information demands the US government places on its citizens,” said Michael Froomkin, a professor of law at Miami University.

Ultimately, the proposal was dropped.

Aadhaar links databases. The Social Security Number does not.

One of the key concerns around Aadhaar is that the government has “seeded”, or introduced the number in multiple databases, which makes it easier for government agencies to converge personal information of individuals across databases.

Millions of Aadhaar numbers have been linked to the bank records, ration lists, educational records, and telecom documents of individuals. New analytical data techniques mean this “big data” could reveal much more about a person than standalone data could in the past.

The PRS Legislative Research has pointed out the Aadhaar Act of 2016 does not specifically prohibit law enforcement and intelligence agencies from using the Aadhaar number to search various datasets. This could lead to inappropriate profiling and innocent individuals identified incorrectly as potential threats by law agencies could face harassment.

There is no seeding done using the Social Security Number. Federal agencies and private entities that collect the Social Security Number for a specific service store the number at the organisational level. The US government has cautioned against the use of the Social Security Number as a single, unique identifier.

For instance, the Department of Homeland Security in 2007 directed its officials: “Department of Homeland Security programs shall not collect or use an SSN as a unique identifier; rather, programs shall create their own unique identifiers to identify or link information concerning an individual.” The Department of Defence removed SSNs from military identity cards by 2011, and instead issued departmental-level IDs.

The emphasis is on using different identifiers for specific purposes, to reduce the risks associated with a single identifier.

Aadhaar does not have privacy safeguards quite in the same way as the Social Security Number.

In response to growing concerns over the accumulation of massive amounts of personal information, the US government passed the Privacy Act of 1974. The law was passed in recognition of the dangers of the widespread use of Social Security Numbers as universal identifiers.

Subsequently, the Computer Matching and Privacy Protection Act of 1988 tightened regulation, by providing for the establishment of Data Integrity Boards at each agency.

India does not have a privacy law either at the national or state level. As per section 8 of the Aadhaar Act, requesting agencies are required to obtain the consent of individuals before collecting their identity information and inform them of what information will be shared. But as per section 47, a person whose information is collected and shared without their consent cannot invoke the criminal penalty. The Act says such a complaint can only be made by Unique Identification Authority.

Further, when the Unique Identification Authority of India authenticates the identity of individuals against the Aadhaar database, it generates millions of authentication logs every day, containing the request received, the response, and the metadata related to the transaction.

The Authority retains the authentication data for six months, and archives it for five years. It also requires the requesting entities – both public agencies and private companies – to maintain the logs, including the Aadhaar number, for two years, and then archive it for five years, and even longer in case of a court order.

Experts caution against the retention of data for such long periods. Data breaches could potentially violate people’s privacy. In 2014, European Union’s highest court ruled that data retention is illegal.

Aadhaar is designed to be used by private companies. The Social Security number was not, but its use by the private sector has led to identity theft.

Identity theft affects over 90 lakh Americans every year.

Over the years, commercial enterprises, particularly in the financial services sector, have created a system of files containing the personal and financial information of a majority of the American adult population, based on their Social Security Numbers. This information is sold and traded freely, in some instances leading to identity theft, particularly of elderly pensioners and students. Privacy expert Rotenberg has described financial companies as “among the strongest opponents of SSN restrictions.”

A major government report on privacy in 1973 said that legislation should be adopted prohibiting use of the Social Security Number “for promotional or commercial purposes”.

In most states, legally, an individual is required to provide their Social Security Number to a business only if the transaction requires so under Internal Revenue Service or federal Customer Identification Program rules. A few states such as Colorado, Arizona and California have passed laws that restrict the disclosure and use of the Social Security Number by private actors.

In contrast, Aadhaar has been designed for use by both public and private entities. Billionaire software entrepreneur Nandan Nilekani, who is the founder chairperson of Unique Identification Authority of India, while explaining the differences between Aadhaar and the Social Security Number, said Aadhaar had been designed “as an open platform on which you can build applications”.

In a foreword to a Credit-Suisse report, he noted that the use of Aadhaar by the financial sector could open up a $600 billion business opportunity.

The Unique Identification Authority of India has already entered into agreements with a number of companies providing authentication and identification services using Aadhaar as a platform.

Aadhaar functioned without a legal framework till recently. The Social Security Number was created through a law.

Since its inception, the Social Security Number has been governed by the Social Security Act of 1935.

In contrast, the Aadhaar project functioned without a legal framework for seven years since it was launched by the United Progressive Alliance government in 2009. It was run under an executive order, which meant Parliament had no oversight over it.

An Aadhaar Bill was introduced in 2010 but it was rejected by a parliamentary committee over legislative, security, and privacy concerns. In March 2016, the National Democratic Alliance government passed the Aadhaar Act as a Money Bill, bypassing the Rajya Sabha – a move that was widely criticised.

The use of Aadhaar is expanding. The use of the Social Security Number is getting restricted.

The Privacy Act of 1974 makes it unlawful for a governmental agency in the US to deny a right, benefit, or privilege merely because the individual refuses to disclose his Social Security Number, except when disclosure is required by federal statute.

Section 7 of the Act provides that any agency requesting an individual to disclose his Social Security Number must “inform that individual whether that disclosure is mandatory or voluntary, by what statutory authority such number is solicited, and what uses will be made of it.”

Given privacy concerns over the use of Social Security Numbers, governments have passed several laws and orders since 1996 to restrict and limit its use and collection.

The Social Security Administration website says state entities have begun to delete Social Security Numbers on electronic public records. An executive order of 1943 that required federal agencies to use the Social Security Number when establishing a system of permanent account numbers was rescinded by an Executive Order, which made such use optional in 2008.

Several US states have also passed laws. New York and West Virginia have statutes that limit the use of the Social Security Number as a student identity number. Kentucky allows students to opt out of the use of Social Security Numbers. Arizona law requires companies to give a right to users to opt out. California prohibits businesses from printing Social Security Numbers on bills, and companies must notify individuals in case of data breaches.

The Intelligence Reform and Terrorism Prevention Act of 2004 prevented the printing of Social Security Numbers on driver licenses and other government- issued identity cards. A 2015 law prohibited the inclusion of Social Security Numbers on Medicare cards, though this has not yet been achieved.

In contrast, since the first Aadhaar number was issued in 2010, the government in India has tried to link maximum schemes and benefits to Aadhaar, pausing briefly when the Supreme Court issued orders restricting the government from making Aadhaar compulsory.

The Supreme Court passed at least six orders since 2013 saying the government cannot require people to register for an Aadhaar number and no one can be deprived of a government service for not having an Aadhaar number.

But under section 7 of the Aadhaar Act, the government can ask a resident to produce Aadhaar for any “benefit, subsidy or service”, which has made the ambit of the project very wide. Now even private companies have incorporated the Aadhaar number in their systems.

The current trajectories of two ubiquitous numbers – Aadhaar and the Social Security Number – appear to be in opposite directions.

We welcome your comments at letters@scroll.in.
Sponsored Content  BY 

As India turns 70, London School of Economics asks some provocative questions

Is India ready to become a global superpower?

Meaningful changes have always been driven by the right, but inconvenient questions. As India completes 70 years of its sovereign journey, we could do two things – celebrate, pay our token tributes and move on, or take the time to reflect and assess if our course needs correction. The ‘India @ 70: LSE India Summit’, the annual flagship summit of the LSE (London School of Economics) South Asia Centre, is posing some fundamental but complex questions that define our future direction as a nation. Through an honest debate – built on new research, applied knowledge and ground realities – with an eclectic mix of thought leaders and industry stalwarts, this summit hopes to create a thought-provoking discourse.

From how relevant (or irrelevant) is our constitutional framework, to how we can beat the global one-upmanship games, from how sincere are business houses in their social responsibility endeavours to why water is so crucial to our very existence as a strong nation, these are some crucial questions that the event will throw up and face head-on, even as it commemorates the 70th anniversary of India’s independence.

Is it time to re-look at constitution and citizenship in India?

The Constitution of India is fundamental to the country’s identity as a democratic power. But notwithstanding its historical authority, is it perhaps time to examine its relevance? The Constitution was drafted at a time when independent India was still a young entity. So granting overwhelming powers to the government may have helped during the early years. But in the current times, they may prove to be more discriminatory than egalitarian. Our constitution borrowed laws from other countries and continues to retain them, while the origin countries have updated them since then. So, do we need a complete overhaul of the constitution? An expert panel led by Dr Mukulika Banerjee of LSE, including political and economic commentator S Gurumurthy, Madhav Khosla of Columbia University, Niraja Gopal Jayal of JNU, Chintan Chandrachud the author of the book Balanced Constitutionalism and sociologist, legal researcher and Director of Council for Social Development Kalpana Kannabiran will seek answers to this.

Is CSR simply forced philanthropy?

While India pioneered the mandatory minimum CSR spend, has it succeeded in driving impact? Corporate social responsibility has many dynamics at play. Are CSR initiatives mere tokenism for compliance? Despite government guidelines and directives, are CSR activities well-thought out initiatives, which are monitored and measured for impact? The CSR stipulations have also spawned the proliferation of ambiguous NGOs. The session, ‘Does forced philanthropy work – CSR in India?” will raise these questions of intent, ethics and integrity. It will be moderated by Professor Harry Barkema and have industry veterans such as Mukund Rajan (Chairman, Tata Council for Community Initiatives), Onkar S Kanwar (Chairman and CEO, Apollo Tyres), Anu Aga (former Chairman, Thermax) and Rahul Bajaj (Chairman, Bajaj Group) on the panel.

Can India punch above its weight to be considered on par with other super-powers?

At 70, can India mobilize its strengths and galvanize into the role of a serious power player on the global stage? The question is related to the whole new perception of India as a dominant power in South Asia rather than as a Third World country, enabled by our foreign policies, defense strategies and a buoyant economy. The country’s status abroad is key in its emergence as a heavyweight but the foreign service officers’ cadre no longer draws top talent. Is India equipped right for its aspirations? The ‘India Abroad: From Third World to Regional Power’ panel will explore India’s foreign policy with Ashley Tellis, Meera Shankar (Former Foreign Secretary), Kanwal Sibal (Former Foreign Secretary), Jayant Prasad and Rakesh Sood.

Are we under-estimating how critical water is in India’s race ahead?

At no other time has water as a natural resource assumed such a big significance. Studies estimate that by 2025 the country will become ‘water–stressed’. While water has been the bone of contention between states and controlling access to water, a source for political power, has water security received the due attention in economic policies and development plans? Relevant to the central issue of water security is also the issue of ‘virtual water’. Virtual water corresponds to the water content (used) in goods and services, bulk of which is in food grains. Through food grain exports, India is a large virtual net exporter of water. In 2014-15, just through export of rice, India exported 10 trillion litres of virtual water. With India’s water security looking grim, are we making the right economic choices? Acclaimed author and academic from the Institute of Economic Growth, Delhi, Amita Bavisar will moderate the session ‘Does India need virtual water?’

Delve into this rich confluence of ideas and more at the ‘India @ 70: LSE India Summit’, presented by Apollo Tyres in association with the British Council and organized by Teamworks Arts during March 29-31, 2017 at the India Habitat Centre, New Delhi. To catch ‘India @ 70’ live online, register here.

At the venue, you could also visit the Partition Museum. Dedicated to the memory of one of the most conflict-ridden chapters in our country’s history, the museum will exhibit a unique archive of rare photographs, letters, press reports and audio recordings from The Partition Museum, Amritsar.

This article was produced by the Scroll marketing team on behalf of Teamwork Arts and not by the Scroll editorial team.