The recent Supreme Court judgement on Aadhaar closes one contentious chapter of its short existence and opens others at the same time. While Aadhaar is here to stay, the 1.25 billion dollar question remains: in what capacity? While the government can mandate its use for collecting taxes and distributing benefits, it is less clear what the judgement means for its other applications, including in the financial sector. We believe that India can draw lessons from the United States in this particular regard.
Aadhaar and social security numbers: Now in similar situations?
Pity the poor US Social Security Number (SSN)—ever since its creation in 1935 it has been pulled in different directions, with some initiatives seeking to expand its scope towards that of a national identifier (the US has no such identifier) and others working to constrain it closer to the original mandate of helping to administer the social security system. This is very similar to the options in front of Aadhaar at this juncture.
At the risk of oversimplification, there are now three categories of applications for the SSN: 1) those where its use is legally mandated—mostly related to benefits and taxes or to financial integrity, including the required reporting of large transactions; 2) a range of other government agencies and functions which can request the SSN but must explain why and how the data will be used; and 3) private businesses that can choose to ask for it but that have no legal authority to require it. Refusal to provide a SSN cannot result in the denial of benefits—except where law says that it can. In response to concerns that the number not proliferate, many states have restrictions on collecting or distributing it. For some purposes, only the last four digits may be recorded. Most recently, to reduce its ubiquity and the volume of mail that includes the number, Medicare has replaced it with a new alphanumeric identifier, linked at the back-end to the SSN.
Why might the debate on the SSN be of interest for Aadhaar? While debate will continue on the precise meanings of its 1,400 page ruling, the Supreme Court decision places Aadhaar in a rather similar situation. It is confirmed as legal, together with its mandated role in the critical areas of benefits and tax administration. Beyond this, some argue that it should be prohibited, others that it should be permitted as an option, even if not legally mandated as a condition of service. However, the parallel between the SSN and Aadhaar is not complete because of the very different capabilities of the two systems.
Like the Aadhaar, the SSN is used as an identifier but it is also often taken as proof, or at least evidence, of identity. Unauthorized access to SSNs therefore heightens concerns over identity theft—a very real concern considering that 16.7 million people were victims of identity theft in 2017. Both identity theft and privacy concerns fuel the drive to limit the proliferation of the SSN. Indeed, it can be argued that considering its weakness as proof of identity (issued on a printed card with no security features), it should not be used for this purpose at all. The less the better—there is no argument for using the SSN where the objective is not to facilitate the linking of personal information.
The privacy concern for Aadhaar is exactly the same as for the SSN: that it can be used to link personal information across diverse databases—leading to the same concern over proliferation. But the use of Aadhaar as proof of identity is very different, since that relies on the biometric data held by the Unique Identification Authority of India (UIDAI). As long as this remains secure, Aadhaar provides strong remote authentication of a type that the US and many other countries are still grappling to provide, and at low cost relative to alternatives. The case for using Aadhaar in a voluntary mode outside its mandated functions must therefore rest heavily on this feature. It therefore seems that the wider value proposition for Aadhaar rests largely on its ability to authenticate users without identifying them through the Aadhaar number, addressing a core concern raised by privacy advocates in their petitions to the Supreme Court in the Aadhaar case.
Other advanced ID systems work in this way. One example is Austria, where information from the customer’s ID card (the Source PIN) is cryptographically combined with data that identifies a service provider (the agency identifier) to create a sector-specific token PIN (the SS-Pin) that is used as the customer identifier by the service provider. This tokenization of identity means that records cannot be combined across sectors using the SS-Pins. Only the Source-PIN Authority can generate SS-Pins without the card, and this is subject to the provisions of Austria’s Data Privacy Law.
Aadhaar has a similar capability to tokenize identity, although it has not been widely rolled out. The first stage involved the introduction earlier in 2018 of the Virtual ID (VID), a 16-digit number that users can generate to replace the use of their 12-digit Aadhaar number. Users can change their VIDs at will, but can only have one VID at a time. Only the UIDAI can reconstruct the Aadhaar number from the VID.
Less understood than the “front-end” VID is the “back-end” tokenization of the Aadhaar. When an individual authenticates successfully through an agency, either using the UID or the VID, the UIDAI response includes a “UID token” that is a function of both the individual’s Aadhaar and the agency identifier. Only the UIDAI can generate this token, which can then play the role of the SS-Pin in the Austrian example. The user may never be aware of the token but the agency, or provider, can use it as a substitute for the Aadhaar in its customer records. If the user chooses to use the VID, the agency, or provider, therefore has no knowledge of the Aadhaar number.
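The sector-specific derivation described above for Austria's SS-Pin and for the Aadhaar UID token, as an added sketch that is not the Austrian or UIDAI algorithm: HMAC-SHA256 under an authority-held key stands in for the unspecified cryptographic function, and the class, key, agency names and ID number are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Authority:
    """Toy stand-in for the ID authority; it alone holds the key and VID table."""

    def __init__(self, key: bytes):
        self._key = key
        self._vid_to_uid = {}  # current VID -> 12-digit ID number
        self._uid_to_vid = {}  # 12-digit ID number -> current VID

    def issue_vid(self, uid: str) -> str:
        """Issue a fresh 16-digit VID; the person's earlier VID stops resolving."""
        old = self._uid_to_vid.pop(uid, None)
        self._vid_to_uid.pop(old, None)
        while True:
            vid = f"{secrets.randbelow(10**16):016d}"
            if vid not in self._vid_to_uid:
                break
        self._vid_to_uid[vid] = uid
        self._uid_to_vid[uid] = vid
        return vid

    def authenticate(self, identifier: str, agency_id: str) -> str:
        """Return the agency-specific token for an ID number or a current VID."""
        uid = identifier if len(identifier) == 12 else self._vid_to_uid.get(identifier)
        if uid is None:
            raise KeyError("unknown or replaced VID")
        # Length-prefix the first field so the two inputs cannot run together.
        msg = len(uid).to_bytes(2, "big") + uid.encode() + agency_id.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


def demo():
    authority = Authority(key=b"constructed-demo-key-not-a-real-secret")
    uid = "999900001111"  # constructed 12-digit number, not a real identifier
    vid1 = authority.issue_vid(uid)
    via_uid = authority.authenticate(uid, "HEALTH")
    via_vid = authority.authenticate(vid1, "HEALTH")  # same token either way
    airline = authority.authenticate(vid1, "AIRLINE")  # different per agency
    authority.issue_vid(uid)  # user rotates the VID; the old one is retired
    try:
        authority.authenticate(vid1, "HEALTH")
        old_vid_works = True
    except KeyError:
        old_vid_works = False
    return via_uid, via_vid, airline, old_vid_works
```

The health and airline records share no common key, so joining them requires the authority's secret, which is why protection against reversal depends on the authority itself.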
This capability has to be a large part of its value proposition outside of its mandated uses, following the Supreme Court decision. Moving forward it seems that there are several priorities for the government.
One priority is to consider carefully where tokenization should be mandatory or voluntary (in cases where UID authentication is permitted to be an option). It may not be feasible to require all users to get a VID but it could be compulsory for certain categories of agencies, service providers and firms to maintain records in tokenized form. The system will only be used for authentication if it is convenient and cheap, and one wonders how this will play out for entities without sophisticated digital capacity. The “UID token” is somewhat unwieldy, but it would not be difficult to imagine mapping the token into different, customized, customer-ID systems.
Another priority would be to embark on an extensive communications drive to explain the complex topic of tokenization of identity and its relationship to the VID. This may be a little easier than it seems, since people are already familiar with nicknames and various forms of salutation—e.g., Joe, Joseph, Mr. Smith, Uncle or Grandpa (or their Indian equivalents). In a tokenized system, one is Joe to the health sector, Mr. Smith to the airline and Grandpa to the pension agency.
A third priority should be to ensure strong protections against reversing tokenization. The credibility of such a system is only as good as that of the agency administering it. This is something to focus on in the prospective Data Privacy Law.