Given the fears raised by various privacy advocates, the Aadhaar Bill has done well to categorically say “no core biometric information, collected or created under this Act shall be shared with anyone for any reason whatsoever or used for any purpose other than generation of Aadhaar numbers and authentication under this Act”. That, indeed, was what Aadhaar was meant for—a way to ensure there was no theft in, say, subsidised rations and that these were delivered only to those whom they were meant for. As the database developed, other innovative uses for it were discovered like eKYC, DigiLocker, money transfers and, by all accounts, there is another lot of innovation waiting to be built upon this database.
The clauses that allow information to be shared under certain circumstances, however, need a closer look as it appears they can be abused. As in all such cases including phone tapping, the Bill says a court order will be required for sharing of information either in response to some police case or when national security demands it. This is where the potential problem comes in, more so since a district judge’s order is considered good enough. If data is sought on, say, whether a person used his Aadhaar biometrics at a particular location—‘authentication records’, in jargon—that may still be permissible, though with very strict checks. But a plain reading of Section 33(2) suggests that the information that can be revealed includes ‘identity information’ which, in the section on definitions, is said to include a person’s ‘Aadhaar number, his biometric information and his demographic information’. This is clearly a drafting lapse since the last thing the government wants is to have backdoors that allow biometric information of people to be accessed by anyone, including intelligence agencies—vital as national security is, Aadhaar is not meant to be a substitute for a fingerprint database of criminals or a crutch around which a case against a terrorist can be built. Indeed, Apple’s contention in its fight with the FBI over breaking into a terrorist’s phone is precisely that once a backdoor is created, there is no saying who else will enter it. Aadhaar can be used to bring about many productivity-enhancing changes, but they all revolve around the database being impenetrable. By anyone, at any time.