The protection of individual security and privacy is critical to building safe online systems, say Mitchell Baker and Ankit Gadgil.
Imagine your government required you to consent to ubiquitous stalking in order to participate in society -- to do things such as log into a WiFi hotspot, register a SIM card, get your pension, or even obtain a food ration of rice.
Imagine your government was doing this in ways your Supreme Court had indicated were illegal.
This isn’t some dystopian future, this is happening in India right now.
The government of India is pushing relentlessly to roll out a national biometric identity database called Aadhaar, which it wants India’s billion-plus population to use for virtually all transactions and interactions with government services.
The Indian Supreme Court has directed that Aadhaar is only legal if it’s voluntary and restricted to a limited number of schemes.
Seemingly disregarding this directive, Prime Minister Narendra Modi’s government has made verification through Aadhaar mandatory for a wide range of government services, including vital subsidies that some of India’s poorest citizens rely on to survive.
Vital subsidies aren’t voluntary.
Even worse, the government of India is selling access to this database to private companies to use and combine with other datasets as they wish. This would allow companies to have access to some of your most intimate details and create detailed profiles of you, in ways you can’t necessarily see or control.
The government can also share user data ‘in the interest of national security’, a term that remains dangerously undefined. There are little to no protections on how Aadhaar data is used, and certainly no meaningful user consent.
Individual privacy and security cannot be adequately protected and users cannot have trust in systems when they do not have transparency or a choice in how their private information will be used.
This is all possible because India currently does not have any comprehensive national law protecting personal security through privacy.
India’s attorney general has recently cast doubt on whether a right to privacy exists in arguments before the Supreme Court, and has not addressed how individual citizens can enjoy personal security without privacy.
We have long argued that enacting a comprehensive privacy and data protection law should be a national policy priority for India. While it is encouraging to see the attorney general also indicate to the Supreme Court in a separate case that the government of India intends to develop a privacy and data protection law by Diwali, it is not at all clear that the draft law the government will put forward will contain the robust protections needed to ensure the security and privacy of individuals in India.
At the same time, the government of India is still exploiting this vacuum in legal protections by continuing to push ahead with a massive initiative that systematically threatens individuals’ security and privacy.
The world is looking to India to be a leader on internet policy, but it is unclear if Prime Minister Modi’s government will seize this opportunity and responsibility for India to take its place as a global leader in protecting individual security and privacy.
The protection of individual security and privacy is critical to building safe online systems. It is the lifeblood of the online ecosystem, without which online efforts such as Aadhaar and Digital India are likely to fail or become deeply dangerous.
One of Mozilla’s founding principles is the idea that security and privacy on the internet are fundamental and must not be treated as optional.
This core value underlines and guides all of Mozilla’s work on online privacy and security issues-including our product development and design decisions and policies, and our public policy and advocacy work.
The Mozilla Community in India has also long sought to empower Indians to protect their privacy themselves including through national campaigns with privacy tips and tools. Yet, we also need the government to do its part to protect individual security and privacy.
The Mozilla Community in India has further been active in promoting the use, development, and adoption of open source software. Aadhaar fails here as well.
The government of India has sought to soften the image of Aadhaar by wrapping it in the veneer of open source. It refers to the Aadhaar API as an ‘Open API’ and its corporate partners as ‘volunteers’.
As executive chairwoman and one of the leading contributors to Mozilla, one of the largest open source projects in the world, let us be unequivocally clear: There’s nothing open about this.
The development was not open, the source code is not open, and companies that pay to get a licence to access this biometric identity database are not volunteers.
Moreover, requiring Indians to use Aadhaar to access so many services dangerously intensifies the already worrying trend toward centralisation of the internet. This is disappointing given the government of India’s previous championing of open source technologies and the open internet.
Prime Minister Modi and the government of India should pause the further roll out of Aadhaar until a strong, comprehensive law protecting individual security and privacy is passed.
We further urge a thorough and open public process around these much-needed protections, India’s privacy law should not be passed in a rushed manner in the dead of night as the original Aadhaar Act was.
As an additional act of openness and transparency and to enable an informed debate, the government of India should make Aadhaar actually open source rather than use the language of open source for an initiative that has little if anything ‘open’ about it.
We hope India will take this opportunity to be a beacon to the world on how citizens should be protected.
(Baker is executive chairwoman of Mozilla and Gadgil is a Mozilla community member based in Pune)
