India – Privacy, profit and control #Aadhaar

by- Usha Ramanathan

Is privacy dead? These are strange times when this is treated as a reasonable inquiry. Or even as rhetorical, not needing any serious response: of course, it is dead. Let it be laid to rest, and let the ambitions of control, commerce and profit be pursued unhindered. The conversation about privacy has been deliberately turned on its head.

About half a decade ago, as technologies were developed that could make huge profits out of personal data, and when state and corporate control of people began to emerge as clear political and commercial possibilities, we began to get asked: why do you want a right to privacy? Why would you ask for privacy if you have done no wrong? Corollary: if you have done wrong, why should you be allowed to hide? The real question, however, was: why did we have guilt thrust on us if we asserted the right to privacy? Who was it that wanted the privacy right to disappear?

In 2013, Edward Snowden gave us a graphic narrative. What he introduced us to was a surveillance state that was collecting large amounts of personal information about anyone they could get their metaphorical hands on. A secret court, with secret hearings, issuing secret orders authorising the collection of information about whole populations from whatever source they could tap.

Even before Snowden warned us that the state was trying to erase the right to privacy and we needed to beware, the UID project had already begun to roll out another narrative. A project that was launched as intending to provide those in poverty with a means of identifying themselves to the state so that they could get their entitlements soon became something entirely different. Three words that were used to describe the project spoke volumes: unique, ubiquitous, universal. Initially, we were led to think that each of us would acquire a unique identity through the project. It took a few years for it to become plain that it was not about a unique identity at all-for the biometrics on which such identity was based had been untested and is, in fact, failing with remarkable frequency in the field; it was about being identified by ‘user’ and ‘requiring’ agencies. The UID is a number attached to a biometric; but the biometrics often do not work. What is left is a number, which we are asked to seed in every database, facilitating profiling, tracking, labelling, tagging. Soon, it was not voluntary any more. Consent became irrelevant. And, from being marketed as an enabler for inclusion, it soon began to exclude those not on the database, those whose biometrics would not work, those without mobile phones, and those who refused to submit to the bullying and threats. By the time the Aadhaar Act was passed as a Money Bill in 2016, the focus had shifted from the citizen to the resident to the customer-hence e-KYC, with ‘C’ being customer. Companies-and Khosla Labs is one such-have joined the litigation asking that nothing be changed in either the law or the project as it is now, or else their businesses will fold up! Their business is all about our personally identifiable information.

This being the project, it is no wonder that the government declared in the Supreme Court, through the Attorney General, that the people of this country do not have a right to privacy. In August 2017, a bench of nine judges unanimously declared that privacy is not just a fundamental right but that the right to dignity, life and personal liberty would all be set at nought without the right to privacy. The UIDAI stubbornly refuses to acknowledge the problems with the project.

This project started off as an identity project; quickly morphed into an ‘identification’ project through the seeding of numbers in multiple databases; prodded the technology community to see its potential as ‘an identity platform on which many apps may be built’; and, very recently, has been projected as being a ‘universal infrastructure’ with ‘universal access’. It should cause no surprise that Google, WhatsApp, Microsoft, Amazon, Facebook have all become eager to collect the UID number.

The universe of the UID has been expanding amidst coercion and threats. Demonetisation pushed the cashless agenda. Cashless is, of course, not just cashless, but also promoted as being paperless, ‘presenceless’, with e-sign, e-KYC, digital locker and a ‘consent architecture’, all of which ride on the UID infrastructure. The National Payment Corporation of India, and its product, the UPI or Unified Payment Interface, is based on the UID number. GSTN, the Goods and Services Tax Network, which is a private company handling all governmental data generated through the GST regime, has the UID number embedded with every GST return filed; and the prime minister has said that he wants them to create algorithms that will profile those in the MSME sector, and he will decide how to use that information. A medical insurance plan launched by the government has Nandan Nilekani working with a committee to leverage the UID number in the infrastructure that is being installed.

In the meantime, Nilekani, who has been leading from the front in gaining ubiquity for the UID project, GSTN, NPCI, cashless, vehicle tracking systems and more, has made another ambition clear. He calls it ‘trickle up’. Simply stated, most people in this country do not have wealth that they can spend in the market. They do, however, have what business wants, and that is data, about themselves-personal information. Services, including credit, will be provided only to those who leave digital footprints, and who will render themselves visible to technology controllers and agencies. The personal information will trickle up and create business and profits for those who gather this information and make products and services that they will then put in the market.

There is a striking similarity between this imagination and the social credit system that is in place in China. The social credit system uses digital presence, activity and inactivity to assess how acceptable or otherwise each individual is. Who your friends are, what their habits and propensities are, how they speak of the government and what they think is funny, whether they are rebellious or complaisant; and all that they garner will determine their rating. That will decide what they will be allowed to do, including the class of travel by train. Those who have little or no activity on the networks that allow them to be tracked and profiled will not escape the net; they will simply fall outside it, disentitling them from most of civil life.

It is this rampant takeover of all our information, and the collaboration between the state and business interests, that is raising the pitch about the possible end of privacy.

Facebook and Cambridge Analytica have kindly presented us with another view of privacy invasions. It is now plain that privacy policies do not say much, and are understood even less. When there is a breach of privacy, we may not even know it, nor understand its implications. In this case, Facebook provides the platform on which we park our information, and Cambridge Analytica uses it to manipulate people, for a price. This is not about privacy. This is about business without ethics, and without boundaries.

In these strange times, governments and businesses see the potential for control, and profit, in denying the right to privacy even as a constitutional court likens privacy to liberty, dignity and autonomy. People stand somewhere in between, unsure how to defend themselves from the allegation that interest in privacy is a sign of guilt.