A new tech start-up recently launched a home page with one of the more frightening images on the internet. At first glance it is a wide-angle street scene shot in black & white at a busy market. But some individuals in that tableau are singled. Target boxes underneath their faces list their Aadhaar numbers, names, mobile numbers, emails, residential addresses, dates of birth, etc, with some salient details blanked out.
The start-up calls itself a “trust bureau”. It is a private B2B concern, which offers to verify employees and clients for its customers. It says it can do ID checks, verify PAN, check police records, employment history, registered vehicles, etc., by linking individuals’ data, documents and “incidents” to their 12-digit Aadhaar numbers. These checks would be consent-based: The target employee/applicant would sign a form allowing data verification and also input one-time passwords (delivered to registered mobiles) to the UIDAI database for authentication.
Such a service is a natural commercial spin-off from the new e-KYC (Know Your Customer) procedure leveraging Aadhaar. Aadhaar is increasingly used for opening bank accounts, buying new mobile SIMs, etc. It saves the hassle of submitting tonnes of photocopies. The verification can be done on the spot. The target can simply authenticate and authorise UIDAI to share the Aadhaar data in electronic, secure (encrypted and digitally signed) fashion.
Anybody can enrol as an agent verifying e-KYC. The Application Programming Interface or API for the Aadhaar e-KYC service is publicly available from the UIDAI and enrolment as an agent is simple. The e-KYC process allows agencies (KYC User Agencies and KYC Service Agencies as they are known) to access Aadhaar data (after taking the concerned individual’s consent).
The data available include the above details, plus photographs encoded and stored in base-64 digital format. Given excellent facial recognition programs and off-the-shelf image converters, a digital photo can be instantly converted and compared to databases of base-64 images. The KYC agency can also do a physical visual comparison.
In theory, the Aadhaar database returns only “yes/no” responses to queries. In practice, the individual who gives his or her consent for such a verification is asked to submit the data, along with a digital snapshot, (and perhaps, a little more data such as her mother’s maiden name) for verification. The agency then queries the UIDAI to verify that all the data submitted checks out.
The agency then owns a parallel, verified database tied to the Aadhaar number. Eventually, it will have a large database. It’s possible that an agency will pool a parallel database with other parallel databases put together by other agencies. Then such an agency will be able to trawl public pictures downloaded from wherever, and recognise random people and tie mugshots to Aadhaar data.
Given access to location information (mobile service providers have this 24x7 real-time) or credit card information (banks, credit card providers have this), more detail may be added. Given location and credit card information (the IRCTC has both), and medical information (health care services have this too), even more detail is possible.
Mobile service providers, banks, etc., have KYC data for hundreds of millions. Building really huge parallel databases tied to Aadhaar is very feasible. Off the record, it is whispered that such databases are already available.
That information can be used and misused for a large range of activities. Arguably, it is not even illegal to create such a database (though specific uses may be criminal). There is no specific privacy law, or data privacy law in India to stop such data being traded, or used. Location is not even recognised as personal data under Indian law.
The government has even argued in the Supreme Court that individuals don’t have a fundamental right to privacy. In 1984, George Orwell dreamt up the concept of a dictatorship that worked on surveillance. But Orwell was a tech-incompetent. The dystopian reality of 2017 goes a long way beyond everything that he imagined, way back in 1948.
The start-up calls itself a “trust bureau”. It is a private B2B concern, which offers to verify employees and clients for its customers. It says it can do ID checks, verify PAN, check police records, employment history, registered vehicles, etc., by linking individuals’ data, documents and “incidents” to their 12-digit Aadhaar numbers. These checks would be consent-based: The target employee/applicant would sign a form allowing data verification and also input one-time passwords (delivered to registered mobiles) to the UIDAI database for authentication.
Such a service is a natural commercial spin-off from the new e-KYC (Know Your Customer) procedure leveraging Aadhaar. Aadhaar is increasingly used for opening bank accounts, buying new mobile SIMs, etc. It saves the hassle of submitting tonnes of photocopies. The verification can be done on the spot. The target can simply authenticate and authorise UIDAI to share the Aadhaar data in electronic, secure (encrypted and digitally signed) fashion.
Anybody can enrol as an agent verifying e-KYC. The Application Programming Interface or API for the Aadhaar e-KYC service is publicly available from the UIDAI and enrolment as an agent is simple. The e-KYC process allows agencies (KYC User Agencies and KYC Service Agencies as they are known) to access Aadhaar data (after taking the concerned individual’s consent).
The data available include the above details, plus photographs encoded and stored in base-64 digital format. Given excellent facial recognition programs and off-the-shelf image converters, a digital photo can be instantly converted and compared to databases of base-64 images. The KYC agency can also do a physical visual comparison.
In theory, the Aadhaar database returns only “yes/no” responses to queries. In practice, the individual who gives his or her consent for such a verification is asked to submit the data, along with a digital snapshot, (and perhaps, a little more data such as her mother’s maiden name) for verification. The agency then queries the UIDAI to verify that all the data submitted checks out.
The agency then owns a parallel, verified database tied to the Aadhaar number. Eventually, it will have a large database. It’s possible that an agency will pool a parallel database with other parallel databases put together by other agencies. Then such an agency will be able to trawl public pictures downloaded from wherever, and recognise random people and tie mugshots to Aadhaar data.
Given access to location information (mobile service providers have this 24x7 real-time) or credit card information (banks, credit card providers have this), more detail may be added. Given location and credit card information (the IRCTC has both), and medical information (health care services have this too), even more detail is possible.
Mobile service providers, banks, etc., have KYC data for hundreds of millions. Building really huge parallel databases tied to Aadhaar is very feasible. Off the record, it is whispered that such databases are already available.
That information can be used and misused for a large range of activities. Arguably, it is not even illegal to create such a database (though specific uses may be criminal). There is no specific privacy law, or data privacy law in India to stop such data being traded, or used. Location is not even recognised as personal data under Indian law.
The government has even argued in the Supreme Court that individuals don’t have a fundamental right to privacy. In 1984, George Orwell dreamt up the concept of a dictatorship that worked on surveillance. But Orwell was a tech-incompetent. The dystopian reality of 2017 goes a long way beyond everything that he imagined, way back in 1948.
Twitter: @devangshudatta
One subscription. Two world-class reads.
Already subscribed? Log in
Subscribe to read the full story →*Subscribe to Business Standard digital and get complimentary access to The New York Times
Smart Quarterly
₹900
3 Months
₹300/Month
SAVE 25%
Smart Essential
₹2,700
1 Year
₹225/Month
SAVE 46%
*Complimentary New York Times access for the 2nd year will be given after 12 months
Super Saver
₹3,900
2 Years
₹162/Month
Subscribe
Renews automatically, cancel anytime
Here’s what’s included in our digital subscription plans
Exclusive premium stories online
Over 30 premium stories daily, handpicked by our editors
Complimentary Access to The New York Times
News, Games, Cooking, Audio, Wirecutter & The Athletic
Business Standard Epaper
Digital replica of our daily newspaper — with options to read, save, and share
Curated Newsletters
Insights on markets, finance, politics, tech, and more delivered to your inbox
Market Analysis & Investment Insights
In-depth market analysis & insights with access to The Smart Investor
Archives
Repository of articles and publications dating back to 1997
Ad-free Reading
Uninterrupted reading experience with no advertisements
Seamless Access Across All Devices
Access Business Standard across devices — mobile, tablet, or PC, via web or app
SAVE 25%