A Question of Identity : What Should Aadhaar Be Like ?

​A national identity scheme has long-term and large-scale implications to the welfare of the people, efficiency of governance and law enforcement, individuals’ fundamental right to privacy and national security. Motivated by several issues surfaced by the implementation of Aadhaar, and several privacy and security concerns that have been pointed out, we develop a (non-exhaustive) list of ​technical guidelines for national identity schemes. We observe that the current Aadhaar design significantly deviates from these guidelines, strongly suggesting that to address the root causes of the issues that have manifested so far, many parts of the system require major redesign. We also put forth several ​policy guidelines, which we believe are crucial to the success of a national identity scheme in India. Digital technology is a powerful tool, and India, like any other modern nation, can ill afford to keep away from exploiting the promises it offers. Yet, one needs to wield this technology with caution, like a scalpel rather than a sledge hammer, especially when it is applied at a national scale and affects millions of the poorest and most vulnerable. One should also bear in mind that any cyber infrastructure that is being developed today will become targets for cyber warfare in the future. Developing a secure and privacy preserving national ID scheme presents an unprecedented challenge for which no amount of expertise will be excessive. In this whitepaper we offer an analysis of some fundamental principles that such a system should aim for, based in no insignificant way on lessons drawn from the current Aadhaar experiment and the lively debate that it has resulted in. Document Outline: ​We start by articulating a few fundamental expectations we have, on an identification system that is being put in place by the government. We go on to consider how the current Aadhaar system fares with respect to these expectations. Rather than attempt to fix individual issues, we identify a list of high-level ​technical design guidelines ​that address broad classes of issues. The current design is seen to significantly violate these guidelines. (We do not provide an alternate solution here, but in a forthcoming companion whitepaper we shall describe a * Sorted alphabetically. Email: ​{soumen,damani,mp,krithi,br,sudarsha}@cse.iitb.ac.in candidate scheme that adheres to these guidelines.) We also provide several policy guidelines geared towards creating a robust Aadhaar ecosystem. Basic Premises National identity schemes have been seen as tools for inclusion of marginalized groups, improving transparency and increasing the efficiency of administration. Social inclusion is indeed one of the 1 most prominently stated motivations for implementing Aadhaar. On a related note, “right to 2 identity” in the form of birth registrations has been considered a fundamental right of a child, and a 3 key ingredient in their well-being. As such, we expect enabling social inclusion to be the primary 4 focus of a national identity scheme. An identity scheme is also seen as a tool to prevent identity fraud. Identity fraud is a growing concern, especially in today’s age of digital transactions. It could take the form of identity theft (impersonation) or creating false identities, for gaining access to an individual’s resources or for evading law enforcement while carrying out various other illegal activities. The perpetrators as well as victims of identity fraud can be individuals, criminal organizations, corporations or even nation states. An effective identity scheme could help in the fight against this growing malaise by making impersonation harder and traceability better. On the other hand, incorporating an identity scheme into day-to-day transactions of people incurs costs that should be carefully controlled. Specifically, it should not lead to denying or disrupting access to essential services and critical infrastructure; this applies equally to the disruption caused in the normal course of the scheme’s operation, and that caused by active attacks that exploit any vulnerabilities that the identity scheme created. Further, such a scheme should not violate individuals’ fundamental right to privacy, and legitimate needs for anonymity. Again, this applies equally to possible privacy violations in the normal course of operation, and potential violations due to security breaches. To reiterate, we shall expect a good identity scheme to ​simultaneously meet the following requirements: ● It should be a tool for improving inclusiveness, empowering the disenfranchised, and improving the efficiency of administration. ● It should not disrupt access to essential services, nor create vulnerabilities that can be exploited to cause such disruption. 1 World Bank’s “​Identity for Development​” initiative estimates that over a billion people worldwide are unable to prove their identities and ​argues that “achieving inclusive development ... requires a sustained effort to address the world’s identification gap.” 2 ​The UIDAI website summarizes the Aadhaar identity platform as enabling “the Government of India to directly reach residents of the country in delivery of various subsidies, benefits and services....” 3 E.g., Article 7(1) of the UN ​Convention on the Rights of the Child​. 4 According to ​UNICEF “Registering children at birth is the first step in securing their recognition before the law, safeguarding their rights, and ensuring that any violation of these rights does not go unnoticed.”