Buzzfeed News 19 Jul 2017

Airbnb, Uber, and Ola may start using Aadhaar, India’s controversial biometric identity system

by Pranav Dixit

Using the system would let the companies easily validate the identities of drivers and users. But experts say that the system isn’t foolproof, and has serious privacy risks.

Airbnb, the ride-hailing giant Uber, and its Indian rival Ola are exploring the option of adding Aadhaar, India’s controversial biometric identity system, to their products and services in the country, BuzzFeed News has learned. Uber and Ola are considering using Aadhaar to verify the identities of drivers, while Airbnb is exploring using the system to authenticate Indian hosts, sources at all three companies told BuzzFeed News. They spoke under the condition of anonymity because they were not authorized to speak on the matter.

India’s Aadhaar system is a centralized, government-sanctioned database containing fingerprints, iris scans, and demographic information, such as the names, dates of birth, genders, addresses, and mobile numbers, of nearly 90% of India’s 1.3 billion people. It’s the first national ID database of this scale anywhere in the world. But it’s attracted scrutiny from critics who say it enables the government and private companies to mass surveil India’s residents and poses a serious threat to privacy, especially since India does not have any privacy or data protection laws.

Aadhaar’s creator Nandan Nilekani, an Indian billionaire and former CEO of IT services giant Infosys, has called it a “turbocharged version of the Social Security number”, a definition that critics disagree with because the Aadhaar number, unlike the Social Security number, is intrinsically and permanently linked to fingerprints and iris scans.

In February, Microsoft became the first Western company to announce that it would plug Skype Lite, a stripped-down version of Skype, into the Aadhaar database, drawing criticism from India’s privacy activists.

Companies can use Aadhaar in two ways. The first lets them verify someone’s identity using their fingerprint or iris scans, or their 12-digit Aadhaar number, which is further validated with a one-time password sent to their mobile number. This is how Microsoft uses Aadhaar in Skype Lite. The second way lets them use a person’s Aadhaar-verified identity to download their demographic information from the Aadhaar database. Doing this saves companies time and money by eliminating cumbersome paperwork.

Airbnb is considering using Aadhaar to verify hosts’ identities on its platform in India and is currently testing it “with a limited universe of hosts,” an Airbnb spokesperson told BuzzFeed News. The spokesperson said no final decisions have been made. During the test, these hosts in India will have a choice as to whether they want to provide Aadhaar as their method of verification. “Identity verification is important to the safety and security of our community. We are exploring a number of different ways for our community in India to verify they are who they say they are, including potentially using Aadhaar,” the spokesperson said. This means that Airbnb will not actually collect users’ demographic information using their Aadhaar. The company will simply use their Aadhaar number to validate their identities against the Aadhaar database.

Ola and Uber are planning to use Aadhaar to verify drivers’ identities and collect their demographic data, since they want to have this information on file, sources told BuzzFeed News. According to sources at Ola, the company plans to make Aadhaar authentication mandatory for all new drivers who sign up for the platform starting on Wednesday. Sources also told BuzzFeed News that Ola’s existing drivers will need to start visiting Ola’s driver onboarding centers starting next week to scan their fingerprints and re-authenticate themselves using the Aadhaar system. Ola will terminate drivers who fail to do this by a yet-to-be-decided deadline, sources told BuzzFeed News.

Ola decided to validate its drivers’ identities after an Ola driver kidnapped a passenger for ransom in New Delhi on July 7, sources familiar with the matter said. According to reports, the driver signed up to drive for Ola using forged ID documents, making it hard for police to track him down. Ola hopes that mandating drivers to authenticate using their fingerprints would prevent this from happening again, said a source.

Ola did not respond to BuzzFeed News’ requests for comment.

A top Uber executive told BuzzFeed News in May that the company was “seriously looking” at onboarding drivers using Aadhaar. At that time, the executive said that Uber would not make Aadhaar authentication mandatory for its drivers in India. But it’s unclear how Uber’s plans for Aadhaar implementation in India have developed since then. Uber declined to respond to BuzzFeed News’ follow-up questions.

Validating identities and doing background checks for drivers has been an important part of both Uber’s and Ola’s onboarding processes since media reports that Uber had done neither for a driver who raped a passenger in New Delhi in December 2014. The subsequent backlash forced both companies to step up driver verification standards. Both companies now require drivers in India to submit half a dozen documents, including a driver’s license and proof of address, when they sign up to drive. Drivers are also subject to additional verification by local authorities to ensure they have no criminal records.

Using Aadhaar would help these companies speed up the identification process. But experts say that Aadhaar isn’t foolproof. “Aadhaar itself isn’t [robust] as proof of someone’s identity,” said Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, a volunteer-driven organization in Bangalore that works on online privacy and encryption issues in India. That’s because demographic data in the Aadhaar database is often only as good as the documents someone provides when signing up for an Aadhaar number in the first place. If you didn’t have existing documentation to validate your date of birth, name, or addresses — and millions of Indians don’t — placeholders and estimates are used to fill in those details against your Aadhaar number in the database. That makes Aadhaar a system that’s “fairly forgiving of the quality of documents,” said Jonnalagadda. In 2015, for instance, a man was able to get an Aadhaar card for his dog.

India’s Aadhaar project kicked off in 2009 and was envisioned as a voluntary identity system meant to crack down on identity fraud in the country’s notoriously corrupt welfare system. But over the years, an Aadhaar number has become effectively mandatory to access an increasing number of government services, such as getting subsidized foodgrain and paying taxes, as well as private services, such as signing up for cellphone service or opening a bank account. Critics say that Aadhaar enables the government to create a holistic profile of an individual because it is linked to databases owned by both the government and private companies. For example, Jio, India’s newest mobile carrier, has been using Aadhaar to quickly sign up new customers (and download their demographic data) using just their fingerprints.

“I think it’s problematic that such an extensive ecosystem is being built around Aadhaar, whether by Indian startups or Western companies, while a comprehensive privacy law remains non-existent in India,” said Anja Kovacs, director of the Internet Democracy Project, an organization that works on issues of free speech, democracy, and social justice on the internet in India.

Kovacs says that companies using Aadhaar to download people’s demographic data is particularly problematic because these new, privately controlled databases are full of sensitive information that could be compromised or stolen. Unlike the European Union, which places companies under stringent data protection standards, India has no law that requires companies to notify customers about any privacy breaches. Earlier this month, the personal details of an undisclosed number of Jio customers were leaked onto the internet. Aadhaar numbers were not part of the data dump, but the leak showed that Jio’s databases are susceptible to hackers.

“The data we have given to the government is now spread across a number of private entities without any strong privacy protections being in place,” Kovacs told BuzzFeed News.

Uber and Ola did not respond to questions about whether they had systems in place to protect drivers’ demographic information.

On Wednesday, a panel of nine Indian Supreme Court judges will hold a hearing to decide whether Indians have a fundamental right to privacy. The move was prompted by 20 pleas in the Supreme Court challenging the constitutional validity of Aadhaar.

Originally published in Buzzfeed News.