Note: Think of this as the part two of a piece I wrote earlier titled “The Aadhaar Act: Why You Should Panic”, which I recommend you read because the passing of the Aadhaar Act is where it all begins and splits into chaotic threads full of problems.

Another recommended read is a piece titled “The Power of Babus”, which talks about how bureaucrats use rules and regulations to basically do a job they aren’t supposed to do: legislate.

To understand the many issues surrounding privacy and Aadhaar, give a listen to the Newslaundry podcast “Let’s Talk About: Privacy” by yours truly.

Because as Dirk Gently of Dirk Gently’s Holistic Detective Agency said, “Everything is connected”.

via GIPHY

The Aadhaar Act was passed back in March 2016 by Parliament. Since then, we’ve witnessed a crazy amount of aggression to implement the Unique ID system in whatever way possible. The Supreme Court told the government that Aadhaar cannot be mandatory, but the government is making it mandatory for many many schemes and services anyway. (Here’s an epic glorious list.)

Every single day, there are reports of citizen data leaks by government websites, both at the state and central level. This data includes bank account details, information on caste, religion, income levels, addresses and much much more. The Act specifically states that revealing such data is illegal and those doing so shall be punished. However, it turns out that despite these many leaks, not a single person from the government has been held accountable. Yet.

Then there is another host of problems concerning biometric authentication failures. Aadhaar is becoming more of an exclusionary tool than an enabler. People who are supposed to get welfare and subsidy are not able to get it because they face errors while authenticating fingerprints. And the fun part is that the government is not giving out any data on how successfully it is using Aadhaar to deliver services.

As you can see, the problems are many. The flaws are on multiple levels. Aadhaar is now tied up with so many government schemes and services that if it fails, the services that are dependent on it also fail.

The UID project is stuck to everything like a leech, sucking life-blood out of policy. It is like a cancer that spreads uncontrolled and destroys every part of the body. (Yes, I get quite dramatic while talking about Aadhaar.)

But one little thing that seems to be escaping everyone’s attention is how, at the very basic levels, the Aadhaar Act is flawed (as I had written earlier) and how the government has cleared regulations based on this flawed Act. The main Act is like a cracked, crumbling foundation. On top of it, a building of rules and regulations is being built with utmost hurry, without caring about how these laws will affect citizens.

via GIPHY

Did I say ridiculous?

Wait…I meant unconstitutional. It is unconstitutional.

“As may be specified by regulations”

(I’ve written in detail about what regulations are here but let me quickly recap because I know how lazy we all are. LOL.)

If you look at the main Aadhaar Act, you will encounter this particular phrase about 44 times:

What this means is that after the Act is passed by Parliament, our government, with the help of some very efficient bureaucrats, will fill in the tiny details related to the Act.

Like what defines, “biometric information”. For now, a citizen needs to give her photographs, fingerprint and iris scans to get an Aadhaar. BUT, if the government decides tomorrow that DNA will be part of the “biometric information”, all it needs to do is clear a simple regulation and notify it in the Gazette. So EZ.

I’m not saying this, the Finance Minister said this on record:

Parliament can challenge passed regulations. But it has been done only a handful number of times in the history of Parliament. You know why? Because nobody reads the regulations once they appear in the gazette!

via GIPHY

So, simply put, the Aadhaar Act allows the executive to make changes in 40+ areas related to Aadhaar. And whatdoyaknow, they did exactly that! Multiple times.

For simplicity’s sake, we’re going to focus only on the regulations passed on 14 September 2016. Also because they’re the motherload. (Read them here.)

Sub-sub-regulations

It’s almost comical how this whole thing is unfolding. The main Aadhaar Act says that details will be “specified by regulations”. But the regulations also say that details will be specified later.

27 times!

Not kidding.
Few examples:

So the whole story goes something like this…

Step 1: Government proposes Aadhaar Bill in Lok Sabha.

Step 2: Lok Sabha passes Aadhaar Bill (as a Money Bill. LOL), President assents and it becomes a law.

Step 3: Rajya Sabha watches on helplessly.

Step 4: Under the Aadhaar Act, details of how the implementation will be done is given by the government in September 2016. (Even though the implementation of Aadhaar without any law has already been happening for ages now. Which is quite weird tbh.)

Step 5: In these regulations, which are supposed to lay out every single detail regarding Aadhaar, the government says they will specify more details in another set of sub-regulations in the future.

Step 6: ….

Step 7: PROFIT.

This whole thing is arbitrary, unconstitutional and creates a third layer of delegation. This also means that these sub-sub-regulations will never come before Parliament for consideration. It’s important to point out that for all of these regulations, no consultation process, which is mandatory, was held.

The government had over six months from the passing of the Aadhaar Bill to hold public consultations and make a draft set of regulations available. Instead, it made press statements about issuing regulations and then suddenly issued them in the Gazette of India in September.

Sigh.

e-KYC: Know Your Cattle

When the Aadhaar scheme was first implemented way back in January 2009, it was supposed to be a yes/no authentication system. The only job of the card was to confirm whether a person is indeed that person, after verifying their biometrics. That’s it.

Now, well, it’s become a whole new monster. It allows various entities to access and pull out data from the Aadhaar server after taking the consent of a citizen. It’s called e-KYC (Know Your Customer).

And, you guessed it, it’s all because of these regulations.

Sneaky sneaky!

This is how you get a Jio SIM in under five minutes. You put your finger on that scanner, which implies that you have given consent for Jio to take your data, and all your basic e-KYC data will then be given to Jio. With e-KYC you’re sharing almost the entire demographic data with even private companies. These companies have also been misusing this system quite cleverly.

Experts say that e-KYC is the mechanism that enables private companies to build their own parallel databases. The government keeps saying there haven’t been any data breaches. However, e-KYC makes such data breaches unnecessary, because they just hand all the demographic data on a platter to all manner of persons including private businesses.  

It needs to be clarified what kind of data will be given via e-KYC though. According to the regulations, specifically, caste and religion and other sensitive information will not be a part of the demographic information.

UIDAI: Deactivating Citizens Based On A WhimTM

This is by far the creepiest one.

In these regulations, there is a particular section that talks about circumstances where an Aadhaar number can be deactivated.

It lists out things like errors while collecting data, repeated false biometric matches, incorrect photographs and so on.

But, it ends quite ominously, with this one sentence:

Uhh… any other case as deemed appropriate!? That’s the most blanket rule ever.

Imagine a scenario where they make Aadhaar compulsory for banking. You are going about your daily business and get the news that your dog has fallen really ill. Your vet demands that he be paid first to operate on it.

You scramble to the bank to get the money, put your fingers on the machine aaand… *AUTHENTICATION ERROR*

You’re like, “What the heck?! Gimme my money! My dog is dying!”
Bank be like, “Nope. It’s the rule boss. No Aadhaar, no banking.”
You’re like, “BUT MY DOG IS DYING!”

Bank be like, “We’re all going to die one day.” ¯\_(ツ)_/¯

You are bloody frustrated and you want to find out what happened to your Aadhaar. Why was it giving an error? Were the fingerprints not matching? What happened to your data?

According to the regulations, the UIDAI is supposed to inform you about why your number was deactivated by SMS or email or tele-calling or letter or through any other means deemed fit:

So you get a call from a sweet sounding lady who says, “We deactivated your number because according to regulation under clause 28 (f) THE AUTHORITY DEEMED IT WAS APPROPRIATE.”

“But what does that even mean!?” you scream at the sweet lady in a non-sweet manner. Your dog is dying after all.

Sweet lady responds: “As per our rules, you can contact our grievance redressal mechanism to find out more. Here, take the call centre number.”

Yep. You heard that right. The grievance redressal mechanism is basically just a call centre.

The regulations do not specify what happens after the complaint is logged and noted down. There is no requirement for this call centre to inform the citizen about what is the status of the complaint or when the number will be reactivated. It is not specified whether you, whose dog is still dying, can get any answers at all from UIDAI.

You will call the number and get the same sweet sounding lady who will note down your complaint and say “Thank you for contacting us. Have a nice day.”

No matter how much you scream, “MY DOG IS DYING! WTF! HELP!” The robotic UIDAI lady (which is probably an AI operated auto-answering machine coz… technology), will have no answers. If you file a Right to Information request, it will take a while and the UIDAI might not even give you an answer.

Oh, and your dog is dead. You can’t take out any money and are starving. You aren’t able to pay rent and are evicted from your house. You become homeless and die in a corner somewhere, a mere statistic in the great government database of statistics.

(Hey, I didn’t say it’s going to be a happy ending just because I involved your pet dog in this scenario. Life is hard, you know.)

It’s a bit messed up, no?

This whole Act, which has regulations within regulations, has become a labyrinth that is so difficult to understand. While we scratch our heads regarding what the heck is going on, the government continues to issue Aadhaar cards without giving a single bother and making it mandatory for pretty much everything.

I just hope they stop this crazy business, plz. If Aadhaar being forced means citizens not being able to go about their daily lives, it is time to be worried.

via GIPHY
(Special mention for some awesome lawyers for helping me decrypt this and understand its implications: Apar Gupta, Raman Cheema, Ananta Sharma and Prasanna S)

The author can be contacted on Twitter @Memeghnad