A new tech start-up recently launched a home page with one of the more frightening images on the internet. At first glance it is a wide-angle street scene shot in black & white at a busy market. But some individuals in that tableau are singled. Target boxes underneath their faces list their Aadhaar numbers, names, mobile numbers, emails, residential addresses, dates of birth, etc, with some salient details blanked out.
The start-up calls itself a “trust bureau”. It is a private B2B concern, which offers to verify employees and clients for its customers. It says it can do ID checks, verify PAN, check police records, employment history, registered vehicles, etc., by linking individuals’ data, documents and “incidents” to their 12-digit Aadhaar numbers. These checks would be consent-based: The target employee/applicant would sign a form allowing data verification and also input one-time passwords (delivered to registered mobiles) to the UIDAI database for authentication.
Such a service is a natural commercial spin-off from the new e-KYC (Know Your Customer) procedure leveraging Aadhaar. Aadhaar is increasingly used for opening bank accounts, buying new mobile SIMs, etc. It saves the hassle of submitting tonnes of photocopies. The verification can be done on the spot. The target can simply authenticate and authorise UIDAI to share the Aadhaar data in electronic, secure (encrypted and digitally signed) fashion.
Anybody can enrol as an agent verifying e-KYC. The Application Programming Interface or API for the Aadhaar e-KYC service is publicly available from the UIDAI and enrolment as an agent is simple. The e-KYC process allows agencies (KYC User Agencies and KYC Service Agencies as they are known) to access Aadhaar data (after taking the concerned individual’s consent).
The data available include the above details, plus photographs encoded and stored in base-64 digital format. Given excellent facial recognition programs and off-the-shelf image converters, a digital photo can be instantly converted and compared to databases of base-64 images. The KYC agency can also do a physical visual comparison.
In theory, the Aadhaar database returns only “yes/no” responses to queries. In practice, the individual who gives his or her consent for such a verification is asked to submit the data, along with a digital snapshot, (and perhaps, a little more data such as her mother’s maiden name) for verification. The agency then queries the UIDAI to verify that all the data submitted checks out.
The agency then owns a parallel, verified database tied to the Aadhaar number. Eventually, it will have a large database. It’s possible that an agency will pool a parallel database with other parallel databases put together by other agencies. Then such an agency will be able to trawl public pictures downloaded from wherever, and recognise random people and tie mugshots to Aadhaar data.
Given access to location information (mobile service providers have this 24x7 real-time) or credit card information (banks, credit card providers have this), more detail may be added. Given location and credit card information (the IRCTC has both), and medical information (health care services have this too), even more detail is possible.
Mobile service providers, banks, etc., have KYC data for hundreds of millions. Building really huge parallel databases tied to Aadhaar is very feasible. Off the record, it is whispered that such databases are already available.
That information can be used and misused for a large range of activities. Arguably, it is not even illegal to create such a database (though specific uses may be criminal). There is no specific privacy law, or data privacy law in India to stop such data being traded, or used. Location is not even recognised as personal data under Indian law.
The government has even argued in the Supreme Court that individuals don’t have a fundamental right to privacy. In 1984, George Orwell dreamt up the concept of a dictatorship that worked on surveillance. But Orwell was a tech-incompetent. The dystopian reality of 2017 goes a long way beyond everything that he imagined, way back in 1948.
The start-up calls itself a “trust bureau”. It is a private B2B concern, which offers to verify employees and clients for its customers. It says it can do ID checks, verify PAN, check police records, employment history, registered vehicles, etc., by linking individuals’ data, documents and “incidents” to their 12-digit Aadhaar numbers. These checks would be consent-based: The target employee/applicant would sign a form allowing data verification and also input one-time passwords (delivered to registered mobiles) to the UIDAI database for authentication.
Such a service is a natural commercial spin-off from the new e-KYC (Know Your Customer) procedure leveraging Aadhaar. Aadhaar is increasingly used for opening bank accounts, buying new mobile SIMs, etc. It saves the hassle of submitting tonnes of photocopies. The verification can be done on the spot. The target can simply authenticate and authorise UIDAI to share the Aadhaar data in electronic, secure (encrypted and digitally signed) fashion.
Anybody can enrol as an agent verifying e-KYC. The Application Programming Interface or API for the Aadhaar e-KYC service is publicly available from the UIDAI and enrolment as an agent is simple. The e-KYC process allows agencies (KYC User Agencies and KYC Service Agencies as they are known) to access Aadhaar data (after taking the concerned individual’s consent).
The data available include the above details, plus photographs encoded and stored in base-64 digital format. Given excellent facial recognition programs and off-the-shelf image converters, a digital photo can be instantly converted and compared to databases of base-64 images. The KYC agency can also do a physical visual comparison.
In theory, the Aadhaar database returns only “yes/no” responses to queries. In practice, the individual who gives his or her consent for such a verification is asked to submit the data, along with a digital snapshot, (and perhaps, a little more data such as her mother’s maiden name) for verification. The agency then queries the UIDAI to verify that all the data submitted checks out.
The agency then owns a parallel, verified database tied to the Aadhaar number. Eventually, it will have a large database. It’s possible that an agency will pool a parallel database with other parallel databases put together by other agencies. Then such an agency will be able to trawl public pictures downloaded from wherever, and recognise random people and tie mugshots to Aadhaar data.
Given access to location information (mobile service providers have this 24x7 real-time) or credit card information (banks, credit card providers have this), more detail may be added. Given location and credit card information (the IRCTC has both), and medical information (health care services have this too), even more detail is possible.
Mobile service providers, banks, etc., have KYC data for hundreds of millions. Building really huge parallel databases tied to Aadhaar is very feasible. Off the record, it is whispered that such databases are already available.
That information can be used and misused for a large range of activities. Arguably, it is not even illegal to create such a database (though specific uses may be criminal). There is no specific privacy law, or data privacy law in India to stop such data being traded, or used. Location is not even recognised as personal data under Indian law.
The government has even argued in the Supreme Court that individuals don’t have a fundamental right to privacy. In 1984, George Orwell dreamt up the concept of a dictatorship that worked on surveillance. But Orwell was a tech-incompetent. The dystopian reality of 2017 goes a long way beyond everything that he imagined, way back in 1948.
Twitter: @devangshudatta
To read the full story, Subscribe Now at just Rs 249 a month
Already a subscriber? Log in
Subscribe To BS Premium
MONTHLY₹8/day
₹249
Renews automatically
SMART ANNUAL₹5/day
₹1699₹1999
Opt for auto renewal and save Rs. 300 Renews automatically
ANNUAL₹6/day
₹1999
What you get on BS Premium?
-
Unlock 30+ premium stories daily hand-picked by our editors, across devices on browser and app. -
Pick your 5 favourite companies, get a daily email with all news updates on them. '%3E%3Cg id='Artboard-Copy' transform='translate(0 0.012)'%3E%3Cg id='_126115' transform='translate(0 0)'%3E%3Cpath id='Path' d='M17.537 1.487a.473.473 0 0 0-.467.477v12.67A2.4 2.4 0 0 1 14.7 17.06H3.3A2.4 2.4 0 0 1 .933 14.634V.966H14.587v12.29a.467.467 0 0 0 .933 0V.489a.473.473 0 0 0-.467-.477H.467A.473.473 0 0 0 0 .489V14.63a3.346 3.346 0 0 0 3.3 3.382H14.7A3.346 3.346 0 0 0 18 14.63V1.965a.467.467 0 0 0-.462-.478Z' transform='translate(0 -0.012)' fill='%23c4132a'%3E%3C/path%3E%3Cpath id='Path-2' d='M12.676 3.955a.478.478 0 1 0 0-.955H2.508a.478.478 0 1 0 0 .955Z' transform='translate(0.124 0.166)' fill='%23c4132a'%3E%3C/path%3E%3Cpath id='Path-3' d='M12.676 13H2.508a.478.478 0 1 0 0 .955H12.672a.478.478 0 1 0 0-.955Z' transform='translate(0.124 0.768)' fill='%23c4132a'%3E%3C/path%3E%3Cpath id='Shape' d='M2 6v5.371a.484.484 0 0 0 .467.5H7.531a.484.484 0 0 0 .467-.5V6a.484.484 0 0 0-.467-.5H2.467A.484.484 0 0 0 2 6Zm.933.5H7.066v4.375H2.933Z' transform='translate(0.122 0.317)' fill='%23c4132a'%3E%3C/path%3E%3Cpath id='Path-4' d='M12.321 5.5H8.967a.478.478 0 1 0 0 .955h3.354a.478.478 0 1 0 0-.955Z' transform='translate(0.517 0.317)' fill='%23c4132a'%3E%3C/path%3E%3Cpath id='Path-5' d='M12.321 8H8.967a.478.478 0 1 0 0 .955h3.354a.478.478 0 1 0 0-.955Z' transform='translate(0.517 0.467)' fill='%23c4132a'%3E%3C/path%3E%3Cpath id='Path-6' d='M12.788 10.977a.473.473 0 0 0-.467-.477H8.967a.478.478 0 1 0 0 .955h3.354a.471.471 0 0 0 .467-.478Z' transform='translate(0.517 0.617)' fill='%23c4132a'%3E%3C/path%3E%3C/g%3E%3C/g%3E%3C/g%3E%3C/svg%3E)
Full access to our intuitive epaper - clip, save, share articles from any device; newspaper archives from 2006.
Preferential invites to Business Standard events.
Curated newsletters on markets, personal finance, policy & politics, start-ups, technology, and more.
Need More Information - write to us at assist@bsmail.in