When Parash, an HIV-positive man, went to a government hospital in Delhi a few months ago to get his medication, he was turned away.
He did not have an Aadhaar, a biometric identity card with a unique identification number issued by the Indian government.
The 27-year-old had earlier showed his driver’s license or voter card to get his anti-retroviral therapy (ART) drugs at a charity, but the hospital did not accept these as proof of identity. They insisted on his Aadhaar.
“The medications are my lifeline. I have other government IDs – passport, driver’s license, a voter ID, but without Aadhaar, I am nothing to the state,” said Parash, who declined to give his last name.
India launched Aadhaar, now the world’s biggest biometric database, in 2009 to streamline welfare payments and reduce wastage in public spending.
Since then, the government of Prime Minister Narendra Modi has been keen to mandate the use of Aadhaar for everything from filing income taxes to the registration of mobile phone numbers and booking railway tickets.
Campaigners and technology experts have raised concerns about privacy and the safety of the data, the susceptibility of biometrics to failure, and the misuse of data for profiling or increased surveillance.
Aadhaar is now mandatory for welfare, pension and employment schemes, despite a 2014 Supreme Court ruling that it cannot be a requirement for welfare programs.
Parash suspects his experience is not an isolated case.
“I have heard of others – sex workers and transgender people – who have been denied ART because they did not have Aadhaar or because they did not want to give (their data) because they are scared of being outed and linked to other databases,” he said.
More than 1 billion people of India’s 1.25 billion population have been issued the 12-digit Aadhaar, which uses personal data, fingerprints and iris scans to identify them.
“An eco-system is being created where we don’t have control of our own data and where a single identifier – the Aadhaar – links all databases and becomes a tool for profiling and surveillance,” said Reetika Khera, an associate professor at the Indian Institute of Technology in New Delhi.
“There is rampant interlinking of discrete databases without data protection,” she told the Thomson Reuters Foundation.
An Aadhaar, which means “foundation” in Hindi, speeds up transactions such as opening bank accounts and getting new mobile phone contracts, doing away with middlemen and potential fraudsters, the government says.
Banks, mobile services companies and airlines can access parts of the Aadhaar database to verify identities.
Companies could also share information on a person’s spending and consumption habits, for example, and link the data to public records like the electoral register.
The government can use the data without the consent or knowledge of individuals to profile and monitor them, said Khera.
Some of India’s most vulnerable people – including migrants and the elderly – are at risk of being excluded if they are unable to prove their identity, said Usha Ramanathan, a lawyer.
“The state is making Aadhaar ubiquitous and putting pressure on people to prove their identity, forcing even those who otherwise have no digital presence to leave a digital footprint,” she said.
“It is not just a violation of privacy, it is the creation of a surveillance state: everyone is being forced to get this number, and every agency is becoming an agent for the state.”
There have been reports of biometrics failing when fingerprints have faded, and of deaths linked to denial of subsidized food when verification failed.
There have also been reports of security breaches, but the Unique Identification Authority of India (UIDAI), which oversees the program, said Aadhaar is “fully safe and secure and there has been no data leak or breach”.
India’s top court in August ruled individual privacy is a fundamental right and part of the freedoms guaranteed by the constitution.
The court’s landmark ruling also recognized “informational privacy” as part of the right to privacy and asked the government to put in place a robust data protection framework.
While the ruling was seen as a setback for the rollout of Aadhaar, the information technology minister said it affirmed the government’s view that privacy is subject to “reasonable restrictions”.
Last month, the ministry for information technology released a draft data protection law to prevent misuse of personal information, which also suggested grounds under which such data can be processed without consent.
But in addition to a comprehensive data protection law, Aadhaar must be made voluntary, as it was originally intended, said Mishi Chaudhary, a technology lawyer.
“People should not be forced to do this. We need privacy, not just for those of us who understand what it is about, but also for people who don’t understand what they are giving up for certain services,” she said.
“I don’t want to live in a panopticon, where even the FedEx guy can ask for my Aadhaar number,” she said, pointing to China’s social credit system as an example of the dystopian future that India could be headed toward with Aadhaar.
The Chinese system, due to become mandatory in 2020, rates daily activities to create a score of trustworthiness that could determine if a person is eligible for a mortgage or a job.
Meanwhile, some countries are reining in their digital identity systems, with Estonia – seen as a leader in providing government services online – suspending 760,000 national ID cards last month to fix a security flaw.
Any data protection law in India must ensure an individual’s constitutional rights are protected, said Nishant Shah, co-founder of think tank Centre for Internet & Society.
“Data touches every part of our life, and has a material impact on how we live and love and die,” he said.
“As long as we think of data as property, we must constantly find ways of regulating and protecting it, and reconcile ourselves to the fact that it’s a commodity. With digital IDs, we have no agency,” he said.
For people like Parash, who was denied his life-saving medication because he does not have an Aadhaar, and for others who do not want to surrender their data to the state, another option must be considered, Shah said.
“If we were to think of right to data as an inalienable right, like the right to dignity, then even if we voluntarily give it, we could be sure that it can’t be used for purposes that violate our dignity,” he said.
“The ones who are hurt most by its extraction are often the most vulnerable,” he said.