India's Unique Identity (UID) project is already the world’s largest biometrics identity program, and it is still growing. Almost 600 million people have been registered in the project database, which collects all ten fingerprints, iris scans of both eyes, a photograph, and demographic information for each registrant. Supporters of the project tout the UID, which is run by a government agency, as a societal game changer. The extensive biometric information collected, they argue, will establish the uniqueness of each individual, eliminate fraud, and provide the identity infrastructure needed to develop solutions for a range of problems. Detractors see these claims as hype, pointing out that despite the potential benefits, critical concerns remain about the UID’s legal and physical architecture as well as about unforeseen risks associated with the linking and analysis of personal data.
The most basic concerns regarding the UID project stem from the fact that biometric technologies have never been tested on such a large population. As a result, well-founded concerns exist around scalability, false acceptance and rejection rates, and the project’s core premise that biometrics can uniquely and unambiguously identify people in a foolproof manner. Some of these concerns are based on technical issues—collecting fingerprints and iris scans in the field, for instance, can be complicated when a registrant’s fingerprints are eroded by manual labor or her irises are affected by malnutrition and cataracts. Other concerns relate to the project’s federated implementation architecture, which, by outsourcing collection to a massive group of private and public registrars and operators, increases the chance for data breaches, error, and fraud.
Almost 600 million people have been registered in the UID, which collects fingerprints, iris scans, photographs, and demographic information.
Perhaps even more vexing are concerns regarding how the UID, which promises financial inclusion (by reducing the identification barriers to opening bank accounts, for example), might in fact lead to new types of exclusion for already marginalized groups. Members of the LGBT community, for instance, question whether the inclusion of the transgender category within the UID scheme is an attempt at inclusion, or a new means of listing and targeting members of their community for exclusion. More fundamentally, as more and more services and benefits are linked to the UID, the project threatens to exclude all those who cannot or will not participate in the scheme due to logistical failures or philosophical objections.
It is worth noting that the UID is not the only large data project in India. A slew of “Big Brother” projects exist: the Centralised Monitoring System (CMS), the Telephone Call Interception System (TCIS), the National Population Register (NPR), the Crime and Criminal Tracking Network and Systems (CCTNS), and the National Intelligence Grid (NATGRID), which is working to aggregate up to twenty-one different databases relating to tax, rail and air travel, credit card transactions, immigration, and other domains. The UID is intended to serve as a common identifier across these databases, potentially creating a massive surveillance state. It also facilitates an ecosystem where access to goods and services, from government subsidies to drivers’licenses to mobile phones to cooking gas, increasingly requires biometric authentication.
The UID project was originally promoted as voluntary, but the inexorable slippery slope toward compulsory participation has triggered a series of lawsuits challenging the legality of forced enrollment and the constitutionality of the entire project. In September 2013, India’s federal Supreme Court affirmed by way of an interim decision that the UID was not mandatory, that not possessing a UID should not disadvantage anybody, and that care should be taken to ensure that UIDs are not issued to illegal immigrants. This last stipulation is particularly thorny given that the Unique Identification Authority of India (UIDAI, the body in charge of the UID project) has consistently distanced the UID from questions of citizenship under the justification that it is a matter beyond their remit (i.e., the UID is open to residents, and is not linked to citizenship). The government moved quickly to urge a modification of the order, but the Supreme Court declined to do so and will instead release its final decision after it reviews a batch of petitions from activists and others. The UIDAI also argued before the Supreme Court that not making the UID mandatory has serious consequences for welfare schemes, but the court recently ordered the federal government and other authorities to delink the LPG cooking gas scheme from the UID. The media reported this as a considerable setback for the project, given that it was one of the most hyped links between the UID and services.
More recently, the UIDAI was approached by the Central Bureau of Investigation (CBI) to hand over biometric data of all residents of the state of Goa, in connection with the investigation of a rape case. The UIDAI refused, and was taken to court by the CBI. On appeal, the Supreme Court restrained the UIDAI from sharing biometric data with any other agency (without the written consent of the person). It also reiterated (in the same decision of March 24, 2014) that no person should be deprived of any service for lack of the UID if otherwise eligible or entitled, and went a step further, directing all authorities to modify their forms, circulars and other documentation so as not to requirethe UID.
These two decisions have largely been reported as the death knell of the scheme. However, other petitions are yet to be heard, and it remains to be seen whether the final decision of the court will uphold this position. The fact that the country’s largest ever general elections have just concluded further muddles things; it is unclear whether the new government will opt to continue with the project in its current shape, and whether the court will ultimately privilege voluntary self-determination of informationoverthe potential violations of privacy in making the program compulsory.
In the meantime, the UID project is effectively being implemented in a legal vacuum without support from the Supreme Court or Parliament. The Cabinet is seeking to rectify this and has cleared a bill that would finally provide legal backing for the UID program—its previous attempt was rejected by the Standing Committee on Finance in 2010. This bill was scheduled to come up for debate during the winter session of Parliament, but is yet to become law. The bill’s progress, along with the final decision of the Supreme Court, will have far reaching consequences for the UID project’s implementation and longevity, as well as for the relationship between India’s citizens and the state.
If fully implemented, the UID system will fundamentally alter the way in which citizens interact with the government by creating a centrally controlled, technology-based standard that mediates access to social services and benefits, financial systems, telecommunications, and governance. It will undoubtedly also have implications for how citizens relate to private sector entities, on which the UID rests and which have their own vested interests in the data. The success or failure of the UID represents a critical moment for India. Whatever course the country takes, its decision to travel further toward or turn away from becoming a “database nation” will have implications for democracy, free speech, and economic justice within its own borders and also in the many neighboring countries that look to it as a technological standard bearer.
The Indian government seems to envision big data as a panacea for fraud, corruption, and abuse, but it has given little attention to understanding and addressing the fraud, corruption, and abuse that massive databases can themselves engender. Including marginalized populations in the economy is a laudable goal for policy. The authorities do not, however, acknowledge that the matrix of identity and surveillance schemes it has implemented can create a privacy-invading technology layer that is not only a barrier to online activity but also to social participation writ large.
The lack of identification documents for a large proportion of the Indian population does need to be addressed. Whether the UID project is the best means to do this—whether it has the right architecture and design, whether it can succeed without an overhaul of several other failures of governmental institutions, and whether fixing the identity piece alone causes more harm than good—should be the subject of intense debate and scrutiny. Only through rigorous threat modeling and analysis of the risks arising out of this burgeoning “welfare industrial complex”can steps be taken to stem thepotential repercussions of the project not just for identity management, fraud, corruption, distributive justice, and welfare generally, but also for autonomy, openness, and democracy.
This essay is an updated version of a paper that originally appeared in Internet Monitor 2013: Reflections on the Digital World, published by the Internet Monitor project at Harvard’s Berkman Center for Internet & Society. It is licensed under a Creative Commons Attribution 3.0 Unported license.
Photograph: OperationASHA