Technology has created the potential to record, collate, converge, retrieve, mine, share, profile and otherwise conjure with data. Data is the new property. The Unique Identification Authority of India (UIDAI), with its push to enrol the whole Indian resident population, signals the emergence of an information infrastructure facilitated by the government — it finances the “start up,” and uses its authority to coerce people to get on to the database, and then handed over to corporate interests when it reaches a “steady state.”
Allowing private entry
The UIDAI was set up by an executive notification dated January 28, 2009. The Planning Commission was the nodal agency “for providing logistics, planning and budgetary support” and to “provide initial office and IT infrastructure.” As part of its “role and responsibilities,” the UIDAI was to “issue necessary instructions to agencies that undertake creation of databases, to ensure standardisation of data elements that are collected and digitised and enable collation and correlation with UID [Unique Identification Number/Aadhaar] and its partner databases.” It was to “take necessary steps to ensure collation of NPR [National Population Register] with UID”. And, the UIDAI “shall own and operate” the UID database.
When the state holds data it collects in its transactions with its residents, it holds the data in a fiduciary capacity. It does not own the data.
The framework for ownership of data was set out by the Nandan Nilekani-chaired Technology Advisory Group for Unique Projects (TAG-UP), which gave its report in January 2011. While the Nilekani committee directly addressed five projects — Goods and Services Tax Network, Tax Information Network, Expenditure Information Network, National Treasury Management Agency and the New Pension System — it recommended that the suggested framework “be more generally applicable to the complex IT-intensive systems which are increasingly coming to prominence in the craft of Indian public administration.”
As understood by TAG-UP, the government has two major tasks: policymaking and implementation. Implementation is weak, and rather than spend time finding correctives, the committee found in this an opportunity for private business interests. So, TAG-UP suggested the setting up of National Information Utilities (NIUs).
“NIUs would be private companies with a public purpose: profit-making, not profit maximising.” The government would have “strategic control,” that is, it would be focused on how it would achieve the objectives and outcomes, leaving the NIU “flexible” in its functioning. Total private ownership should be at least 51 per cent. The government should have at least 26 per cent shares. Once it reaches steady state, the government would be a “paying customer.” As a paying customer, “the government would be free to take its business to another NIU”; though, given the “large upfront sunk-cost, economies of scale, and network externalities from a surrounding ecosystem (and what this means is not explained any further), NIUs are ... essentially set up as natural monopolies.” To get a buy-in from the bureaucracy, “in-service officers” are to be deployed in the NIUs and are to be given an allowance of 30 per cent of their remuneration.
Government as customer
“Once the rollout is completed,” the Nilekani committee blithely states, “the government’s role shifts to that of a customer.”
In sum, what emerges from the TAG-UP report is this: governmental data and databases are to be privatised through the creation of NIUs which will then “own” the data. NIUs will be natural monopolies. NIUs will use the data and the database for profit-making and not profit-maximising, and the definition of these terms are indeterminate.
Government will support the NIUs through funding them till they reach a steady state, and by doing what is needed to gather the data and create the database using governmental authority. Once the NIU reaches steady state, the government will reappear as the customer of the NIU. Government officers will be deployed in NIUs and be paid 30 per cent over their salaries, which, even if the report does not say it explicitly, is expected to forge loyalties and vested interests. The notion of holding citizens’ data in a fiduciary capacity cedes place to the vesting of ownership over citizens’ data in an entity which will then have the government as their customer.
This notion of private companies owning our data has not been discussed with state governments, nor with people from whom information is being collected.
We might have treated the TAG-UP report as another report without a future; except, in the Budget presented by Mr. Pranab Mukherjee as Finance Minister in March 2012, he announced that the “GSTN (Goods and Sales Tax Network) will be set up as a National Information Utility.” The NIU was not explained to Parliament, and no one seems to have raised any questions about what it is.
There is disturbing evidence that the UIDAI provided the basis for the NIU. The report is littered with references to the UIDAI, and suggests that the way the UIDAI has been functioning is a model for the NIU. The Biometrics Standards Committee set up by the UIDAI in September 2009 and which gave its report in December 2009 declared that the UIDAI intended to “create a platform to first collect identity details of residents, and subsequently perform identity authentication services that can be used by government and commercial service providers.” The “UIDAI Strategy Overview,” in April 2010, estimated that it would generate Rs.288.15 crore in annual revenue through address and biometric authentication once it reaches a steady state, where authentication services for new mobile connections, PAN cards, gas connections, passports, LIC policies, credit cards, bank accounts and airline check-in, would net this profit. Till then, it is to be funded by the government. Once that stage is reached, it will be a private, profit-making entity and the government, like other commercial service providers, will become its customer.
Data for a price
Mr. Nilekani calls it “open architecture”; that is, applications can be thought up as the business grows; there are no limits or contours within which it should be used. He has repeatedly described the UID as a unique number, which will be universal and ubiquitous; the latter two indicate that, despite being marketed as voluntary, all activities and services are intended to be made dependent on the UID for all persons, ensuring steady business for the enterprise. The UID enrolment form has a column for “information sharing consent.” This will allow the UIDAI to part with the data, both demographic and biometric, for a price. This explains why there has been so little enthusiasm for a law on the subject. A Bill was introduced in Parliament close to two years after the project was started. When the Parliamentary Standing Committee rejected the Bill and the project in December 2011, the law was consigned to oblivion.
The UIDAI will be a business entity, governed by the Companies Act; not bound by a law that will recognise the fiduciary role of the state, and which will facilitate, and not penalise, a citizen for not having an identity document or number.
The 2009 notification that set up the UIDAI says that the UIDAI is to “take necessary steps to ensure collation of NPR with UID.” Registering in the NPR is compulsory under the Citizenship Act and the Citizenship Rules of 2003. Although biometrics is not within the mandate of the NPR, they have also been collected in the process of building up the NPR database. So, the data mandated to be given to the NPR is being handed over to the UIDAI to become the property of the UIDAI, and we don’t even know it!
(Usha Ramanathan is an independent law researcher and has been following the policy and practices of the UIDAI since 2009.)