Five key lessons Malaysia can learn from India's Aadhaar experience

Experts say that private players involved in building the ecosystem should be made to abide by the 'skin in the game' principle

Last week, a delegation of ministers and officials from the Malaysian government visited India to learn more about Aadhaar, to take forward the country's plan to put in place a similar identity-based architecture for implementing welfare schemes efficiently.

While it is commendable that a Southeast Asian tiger cub economy is keen on replicating an Indian system, it is worthwhile to note the differences between the two economies. For example, India’s per capita income of $1,964 (per capita GDP at constant 2010 US $) is almost one-sixth of Malaysia’s $11,521.

In this context, there are five critical takeaways from the Indian experience that Malaysia might not want to overlook.

The first is that the enormity and complexity of making Aadhaar an indispensable element of public welfare is real, owing to the number of persons it seeks to bring in the benefit fold, and the number and variety of schemes — toilets, electricity, old-age pension, food — that would use the digital identity.

The second pertains to making Aadhaar necessary for availing certain basic services, a move that has been at the receiving end of a lot of flak from its users in India. The third dwells on the costs and sophistication of the technological infrastructure required for the project, which directly dictates the efficacy of its use.

Fourthly, the extent and nature of private sector participation in the implementation and the use of public data by private players need to factor in privacy on the user data side, and accountability on the implementation side. The fifth aspect, which is structural and is all-encompassing, is the existence of a robust privacy and data protection ecosystem in place before its implementation.

While India needed more than a billion identities to be digitised, Malaysia would need about 30 million, which would make the exercise much less complex. Further, the latter already has a voluntary smart card project in which the person gets a card named Mykad, which can be used as a driving license, passport, or health insurance document, among other things.

In terms of the population it needs to service, Malaysia is placed at a better position. With more urbanisation, better access to electricity, data/internet and banking, Malaysians are better equipped to use a digital identity for their own benefit.

Further, if we look at two proxy indicators for health and sanitation, it is likely that while Aadhaar was majorly used to expedite access in India, a similar model would be used purely to improve governance in Malaysia.

The second challenge refers to making the ecosystem inert to errors of inclusion and exclusion, meaning that no one who needs the benefit should be excluded in enrolment, while nobody who doesn’t have the identity should be denied benefits. In India, the government gradually expanded the ambit of Aadhaar, and made it necessary to avail majority of the government schemes.

As a result, those who were the intended beneficiaries weren't actually benefitted in some cases, while those who did not want benefits, were subject to breach of privacy. One such case blew up into a controversy after a payments bank opened accounts using biometric data (fingerprints) without user permission, prompting the UIDAI to revoke its eKYC licence.

The second takeaway, therefore, is that the use-cases for the application of a digital identity to a public or private good must be clearly defined. A calendar with sufficient time for stakeholder discussions would prove more effective than simply making Aadhaar-like authentication incrementally mandatory for more and more services.

The Supreme Court recently carried out a course correction by striking down the mandatory clauses pertaining to telecom companies and banks, but upheld the mandatory requirement for income tax filing purposes.

The third challenge was visible at the enrolment stage. The Indian government had outsourced enrolment to a host of agencies. Remember the time when you went to Aadhaar help desk with your documents? Many of these so-called agencies were actually fly-by-night operators, whose engagement in the enrolment process spawned several ghost beneficiaries. The trouble is that most of these errors haven't been rectified, experts say.

As far as enabling data access for private players is concerned, the issue is about the mechanism for using the data for authentication. While biometrics is the mechanism in India right now, several tech professionals have voiced concern over its use.

The problems encountered in the use of biometrics, from the machine being unable to read the fingerprint to the ease with which biometrics can be compromised, suggest that alternatives for authentication could be looked at. A more secure ecosystem could be designed using smart cards and cryptography, said a tech entrepreneur who did not wish to be named.

“Let the government hold the public key, the Aadhaar number, and let the smart card hold the private key, namely the biometric information. The authentication using bio-info on the smart card is way more secure, and the actual biometric information, say, the fingerprint, would act as a third point of authentication when needed,” he said.

The third takeaway, therefore, is that private players involved in building the ecosystem should be made to abide by the ‘skin in the game’ principle. A small number of companies should take up the mantle in a competitive process, and should be held accountable for effective maintenance of the ecosystem. On data use, the introduction of smart cards as a new layer in authentication would protect privacy, which could be the fourth takeaway.

On privacy and data protection, the India experience has clearly demonstrated that in the absence of a robust legislative framework, data can be compromised quite easily.

The new masked Aadhaar, or the virtual ID, tries to nullify the risk for a user, since her entire Aadhaar number is not compromised. But this idea came after a lot of furore over the use of Aadhaar by private entities, which culminated in the Supreme Court striking it down. The India story thus shows that it is imperative to have the system of a masked identity number in place before its use for welfare schemes begins.

As the fifth takeaway, it is, therefore, more than imperative to enact privacy laws beforehand. Rather, as some experts told Business Standard, an Aadhaar-like system should come with a package, including privacy law and a dynamic data protection regime.