The government will keep a record of all the services and benefits availed using the Aadhaar number for seven years, say new rules, prompting fears that the database could be used for surveillance.
The Unique Identification Authority of India (UIDAI), which issues the 12-digit biometric identity to all Indian residents, will be required to preserve its record of verification of an Aadhaar number for the duration.
“This is an unprecedented centralised data retention provision,” said Sunil Abraham, director of the Bengaluru-based think tank, Centre for Internet and Society.
UIDAI chief executive officer ABP Pandey said the concerns were exaggerated. The agency was keeping records in case a dispute arose over a transaction.
The information will be retained online for two years and another five years in the offline archives, say the rules notified in September.
Users will be able to check the records but only for two years.
This restriction won’t apply to security agencies. Pandey, however, said the records would not be available to them without a district judge’s permission.
But, Hindustan Times found that the rules allow designated joint secretary-level officers at the Centre to order access to information on the grounds of national security.
“Once Aadhaar becomes mandatory for all services, it can be used by benign and malignant actors to conduct a 360-degree surveillance on any individual,” Abraham said.
This is how the system, which will need millions of fingerprint-reading machines, works.
Every time a person fingerprints and quotes the Aadhaar number, the agency concerned sends the data to UIDAI to crosscheck the particulars.
The UIDAI authenticates about five million Aadhaar numbers, which are quoted to avail LPG subsidy, cheap ration and even passport, a day against a capacity to verify 100 million requests daily.
“You can think of it as Natgrid Plus,” Abraham said, a reference to the National Intelligence Grid being built by the government.
A one-stop database for counter-terrorism agencies, Natgrid will collate information real time from databases of various agencies such as bank, rail and airline networks.
“…we do not record the purpose for which an authentication request was received but only the details of the agency that sent it,” UIDAI’s Pandey said.
But seven years is a long time. Only a select category of government files are kept for longer than five years.
Asked about two-year deadline for users, Pandey said it would have been a logistic nightmare to let people access the records once the information was offline.
The Supreme Court has a ruled that Aadhaar is not a must for availing welfare schemes and is to decide if collecting biometric data for the 12-digit number infringed an individual’s privacy.