Blockchaining Aadhar?

The Supreme Court has just passed a landmark judgement, where the Right to Privacy has been termed as a fundamental right under the Indian Constitution. In some sense, this becomes the seventh fundamental right that Indians have, the other six being the right to equality, right to freedom, right against exploitation, right to freedom of religion, cultural and educational rights, and right to constitutional remedies.

This is really a very big deal, since Fundamental Rights were put in the constitution because they were considered essential for the development of the personality of every individual, and to preserve human dignity. Also, these rights were protected against any amendment by an Act of Parliament. The fact that the Court has accorded Privacy such an esteemed place in our Constitution is very significant and has multiple ramifications.

Heated conversations have already begun in newsrooms and newspapers on these ramifications: the LGBTQ status, the ‘beef ban’, the data that mobile companies and social networks collect and keep, 66A of the IT Act, among other things. But, perhaps, no other impact area is being discussed as much as what it does to the poster child of the government: Aadhar, and the Unique Identification Authority of India.

Let me clarify my position up-front: Every country needs an Identity system, and this is even more true in the case of a large, heterogeneous entity of more than a billion people which is India. Having a unique, immutable identity associated with every citizen is vital for governance and security. This is important to pass on benefits – subsidies, insurance, educational and medical benefits, etc. Identity is also vital to ensure that people do not misuse the system with duplication, e.g. of PAN Cards, licenses and other such documents. That is why banks, telcos, and everyone else have the concept of KYC (Know Your Customer). For the Government to have ‘one-KYC-to-rule-them-all’, or a National Identity System, is critical, and far more efficient than having multiple ones.

In this respect, Aadhar has been a phenomenal initiative, both in conception and execution. More than a billion Indians have a unique identity now, with both their basic demographics and biometrics recorded in a secure, central database. This has already started yielding major benefits. Aadhar has made getting passports, mobile services, bank accounts and many other such services much faster. Kotak and DBS, among others, have started offering near-instant bank accounts, and Jio offers instant data connections. PAN cards and driving licenses are being de-duplicated, resulting in massive fraud prevention. The fact that Aadhar, along with Bank Accounts (Jan Dhan) and Mobile phones, is being opened up as a platform, creating the JAM Stack or the India Stack, is a huge leap forward in its utility. Large and small companies can sit on this stack, and use the identity, connectivity, banking and payment (UPI) infrastructure to create massive products and services, and simplify existing ones considerably.

Nevertheless, there has been a huge amount of scepticism and debate on the safety and security of the Aadhar database. There are fears that Chinese (or any other) hackers will hack into the database. There are even greater fears that any government or authority with malevolent intent will have access to the personal information and location of every Indian citizen, and therefore the ability to inflict extreme surveillance and targeted damage. The government claims that the UIDAI database is in a central server with super tight security, protected by best-in-class cryptography. There are strong laws around what can be accessed and by whom; for example, biometric information is always anonymised. Having said that, these concerns, howsoever paranoid, are real. Unfortunately, hackers are always ahead of the game, and have broken into super-secure systems like those of the NSA in the US and Britain’s NHS. And what is to prevent a government or a dictator from amending the laws and going after its own citizens, using this targeted information?

That is where we come to Blockchain. We have discussed this technology often, and to revise: it is a distributed database shared among a network of computers, all of which must approve a transaction before it can be recorded. So, it is essentially a universal ledger of digital records (or identity)—one that’s shared between various parties. It can only be updated by consensus of a majority of the participants. And, once entered, information can never be erased.

Now, if Aadhar was built on a Blockchain platform (and, to the best of my knowledge, it is not yet), most of the concerns could be assuaged. The database would be immensely difficult to hack: besides getting around the state-of-the-art cryptographic protection, the hackers would need to hack into multiple nodes or servers, rather than just one. The distributed consensus nature of the blockchain would prevent malicious attacks unless 51% of the nodes were compromised. Similarly, a properly designed Aadhar-on-blockchain would potentially allay the ‘surveillance’ fear: think of the blockchain having multiple nodes – the UIDAI, a Court, a few ministries, Parliament, or any other such entity. For any data to be compromised or any malevolent attempt to happen, again multiple entities would have to agree to it and authenticate it, rather than one central authority! Again, by its very nature, all records will be immutable, and for a record to be changed, the entire blockchain would need to be compromised, which is difficult to do. The system could harness other benefits of blockchains, like Smart Contracts for example, to execute certain events automatically.

I am sure that there are perhaps large technology challenges to be addressed for this to happen, but these would be surmountable. One could make a large private or permissioned Blockchain, for example, which would be custom built to requirements. While Blockchain is an emerging technology, it is almost tailor made for massive applications like this one, and many countries have embraced this by putting assets and identity on blockchains. Estonia, while a tiny country, in fact, has all assets and identities on a blockchain network, and markets itself as ‘a country as a service’!
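
The multi-node approval idea above, as an added example that is not part of the original post and not UIDAI code: a small permissioned ledger in which a block is accepted only when a majority of validators approve it, and any later edit to a stored record is detected. The validator names, the demo keys, the record fields, and the use of HMAC as a stand-in for each node's digital signature are all assumptions made for illustration.

```python
import hashlib, hmac, json

# Constructed demo keys for a hypothetical validator set (entities the post names as nodes).
KEYS = {n: hashlib.sha256(n.encode()).digest()
        for n in ["UIDAI", "Court", "Ministry-A", "Ministry-B", "Parliament"]}
QUORUM = len(KEYS) // 2 + 1  # strict majority: 3 of 5
GENESIS = "0" * 64

def digest(index, prev, record):
    """Hash binding a record to its position and to the previous block."""
    body = json.dumps([index, prev, record], sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def approve(name, block_digest):
    """A validator's approval: HMAC over the block digest (stand-in for a signature)."""
    return hmac.new(KEYS[name], block_digest.encode(), hashlib.sha256).hexdigest()

def valid_approvers(block_digest, approvals):
    """Names of known validators whose approval tag verifies for this digest."""
    return {n for n, tag in approvals.items()
            if n in KEYS and hmac.compare_digest(tag, approve(n, block_digest))}

def append(chain, record, approver_names):
    """Append only if a majority of known validators approve this exact block."""
    prev = chain[-1]["hash"] if chain else GENESIS
    d = digest(len(chain), prev, record)
    # Demo shortcut: approvals are computed here on behalf of each named validator.
    approvals = {n: approve(n, d) for n in approver_names if n in KEYS}
    if len(valid_approvers(d, approvals)) < QUORUM:
        return False
    chain.append({"prev": prev, "record": record, "hash": d, "approvals": approvals})
    return True

def first_invalid(chain):
    """Index of the first block whose link, hash or approvals fail; None if intact."""
    prev = GENESIS
    for i, b in enumerate(chain):
        d = digest(i, prev, b["record"])
        if (b["prev"] != prev or b["hash"] != d
                or len(valid_approvers(d, b["approvals"])) < QUORUM):
            return i
        prev = b["hash"]
    return None
```

Because each approval covers the block digest, someone who edits a stored record and recomputes the hash still fails verification unless a majority of validator keys are also compromised.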

Aadhar is a very important and critical initiative. It must not be weakened by the privacy doubts surrounding it, or by the fear of vulnerability to its hacking. We must wrest the initiative that the Supreme Court judgement gives us. Let’s seriously explore Blockchain and see what we can retrofit, or perhaps even think of Aadhar 2.0 on a Blockchain.

Blog Comments

Thanks for bringing this topic up. While right to privacy is important, it should not outweigh the benefits of national databases. Hence the right to accountability of data is even more important and the blockchain can help address this. It can ensure data safety and also keep record of who has accessed it. This makes malicious use almost impossible. Such a system could probably become a central standard for user data accountability.

Thanks. For more posts, please see http://www.jaspreetbindra.com
