The case for linking Aadhaar with social media accounts has become mainstream following the filing of a transfer petition in the Supreme Court by Facebook. Aadhaar linkage to Social Media is being supported by many panelists on TV, who propose it as a solution for fake news, trolling, and generally for regulating behavior online. Our take in response to some of the comments being made:

1. On the idea that Social Media accounts should be linked to Aadhaar

MediaNama’s take:

  1. Violation of the Supreme Court verdict on Aadhaar: The Supreme Court explicitly struck down Section 57 of the Aadhaar Act, which enabled private parties to link Aadhaar to Social Media. Thus, unless a Supreme Court bench with more than 5 judges overturns that verdict, no government or court can order Aadhaar linking of social media accounts.
  2. This idea isn’t even being considered: Please note, this particular plea for linking was made in the Madras High Court by Antony Rubin. The Madras High Court itself has said that the Aadhaar linkage with Social Media is not possible. As per our report, even the Attorney General of India K.K. Venugopal, who represented the State of Tamil Nadu in the Supreme Court in this case, said that linking of Aadhaar with Social Media isn’t being considered, saying “That is not the focus now. It is now about cybercrime.” Notes from those proceedings here.
  3. Do you really want private parties, including Facebook, to get Aadhaar numbers? In the absence of a privacy law, data is easily accessible, shareable and purchasable. Companies like Facebook have a history of collecting data from across multiple sources to profile their users. Linking Aadhaar numbers will enable them to deduplicate multiple account usage, and allow some entities to buy other Aadhaar data (including leaked data) to profile users. This is, of course, despite the fact that it would be a violation of the Supreme Court verdict on Aadhaar.
  4. How exactly will this be actioned? 
    • Will we be giving our Aadhaar numbers to different social media companies upon signing in or signing up? How will they verify the numbers as authentic?
    • Which Social Media companies will be chosen? Who will decide which Social Media companies?
    • How will they define Social Media? If Zomato has reviews, is that covered? What about Amazon product reviews? Or messaging inside a game?
    • Who will define Social Media? The courts? The government? If it is any messaging service with over 5 million users, will Clash of Clans, a game with messaging, also need to do KYC? What about PUBG?
    • Will the government or platforms stop people from signing up for social media if they don’t give Aadhaar numbers? Will accounts from India be deactivated if not linked?
    • How will messaging and social media services address the situation of people using a VPN to sign up, like they do in China?
    • How will Social Media platforms/Facebook verify which accounts are from India? How will they verify that the Aadhaar numbers given are accurate? Anyone can generate an Aadhaar number using the Verhoeff algorithm. What if someone claims my Aadhaar number? Aadhaar data has been all over the web. What’s the grievance redressal process there?
    • Will Social Media accounts be held liable for unlinked accounts? What if a foreigner targets India with misinformation or abuse? Will the government force everyone across the globe to get Aadhaar numbers if they want to use Facebook? Or will they look to block non-Indian accounts from being visible in India? How will this even work?

2. “Linking accounts with Aadhaar will reduce misuse of social media”:

MediaNama’s take:

  1. Misuse isn’t only from India, and foreign actors will continue to spread misinformation: It is true that there is misinformation as well as misuse on Social Media, and it spreads quickly. The bizarre thing about India’s approach to tech policy is that it thinks India is the entire universe that is the Internet. How will the government prevent misuse from outside India by linking Aadhaar to social media? Read this fascinating case study.
  2. There is misinformation from verified accounts: Verification and real names do not stop the spread of targeted misinformation. It is engineered to appeal to people’s beliefs, and they fall for it, and have the reach to spread it. People fall for misinformation all the time. One significant example here. Have they been prosecuted? Can they be prosecuted even when identified?
  3. Incorrect information isn’t illegal: Anyone remember the Prime Minister of India citing a WhatsApp forward on national television during demonetisation, that he saw that even beggars were using card swiping machines, albeit as a joke? How do you distinguish between misinformation and satire? How will verification address that?

3. On identification needs of law enforcement: “Facebook doesn’t give details of particular IDs, location details to the police”… “Complaints by police are not being responded to by social media platforms”… “The IT Act is valid, but how do you arrest someone if you can’t trace them?”

MediaNama’s take:

You can’t solve for police and law enforcement incompetence by violating privacy and regulating social media companies. We’re trying to solve problems of police incompetence and capacity through courts.

  1. Law enforcement agencies have alternatives but there are competence issues: There is a legal process available for law enforcement agencies to get access to data. That MLAT process is complex and cumbersome because legal requirements for access to data have to hold up in a court of law in the US. Law enforcement agencies in India have capacity issues and procedural issues. Things are even more cumbersome when local police don’t know how to use the process. Quite often, requests fail because forms are not filled properly, or requests for data are frivolous or not legitimate and would violate privacy.
  2. Law enforcement agencies want disproportionate access to data: They’re used to getting data by just calling up or sending a letter. From a senior Delhi Police official to MediaNama: “Investigations aren’t directed at one thing from the very beginning. We reach the actual culprit after going through so many people and so much information, linking them together, drawing inferences”. The solution for tracking some people is not tracking everyone. Identifying and tracking everyone is disproportionate, and a violation of the right to privacy. Thankfully, India isn’t a police state: we aren’t forced to walk around with our IDs on us at all times. Where’s the protection against disproportionate demands by law enforcement agencies? Even though the draft data protection bill doesn’t restrict data collection by law enforcement agencies, they still want all access to data from all private parties.

    Traceability requests should be subject to judicial scrutiny, and proportionate. Mass data scraping to find a needle in a haystack is disproportionate and should be illegal.

  3. Government often makes frivolous data requests: Where’s the protection against frivolous requests in India? Government requests can also be made for reasons that give them no business asking for the data. For example, a comment at a recent discussion I was at: “Someone from the government asked us for attendance records for a girl. We sat on it. We got lots of calls. Then we found out that they were looking for these records because of a marital alliance, and they wanted to understand whether that girl has good character. We lied and said we don’t have this data. So there needs to be a framework [for data requests]. We will give information when it is serious.” If you talk to policy professionals, they’ll tell you how companies get calls from local police stations asking for data on accounts. Police don’t follow process or do the requisite paperwork, and make informal, often illegal requests for data.
  4. In case of WhatsApp, good old policework can also work: The police can go through multiple hops in case of some messages to trace them back to the originating number. KYC is already done for mobile numbers. Many Facebook accounts have verification in terms of mobile numbers and email addresses.
  5. National security concerns can be managed in other ways:
    • Online, when there is a national security threat, our intelligence agencies have the tools to address threats via disinformation campaigns, and have the ability to shut them down. Traceability will not address the spread of disinformation.
    • From a National Security perspective, targeted surveillance is already possible. NSO Group, as was demonstrated earlier this year, has tools for breaking end-to-end encryption, as well as scraping data from multiple services. There needs to be proportionality, and we should not create a situation where every SHO can demand information on users from social media companies. This is not to say that we support the usage of spyware, but we’re pointing out that the ability exists.
  6. There are proportionate solutions for national security and law enforcement:
    1. On Social Media: content takedowns and account suspensions are proportionate responses to misinformation on social media. Here’s a great example of this.
    2. On messaging: WhatsApp itself has instituted several measures to address misinformation. They’ve done educational campaigns in India, and ran ads against misinformation on radio. They’ve reduced forwarding limits substantially to address velocity of the spread of misinformation; introduced a forwarding sign to indicate forwarded messages; allowed people to control whether they can be added to groups. There’s more that they can do, but it’s difficult to stop the spread of messages that people believe to be true.

4. On the comment on TV that “Social Media is like TV and print media, and accountability needs to be affixed. Facebook needs to do KYC”, and “If you are speaking on a public platform, you cannot have privacy.”

  1. TV and print media don’t do KYC for the external folks who write for them.
  2. Social Media is not like TV and print media. It is not broadcast: in some instances there is publishing, in some instances there’s messaging to another person, and in some instances there is messaging to a group of people. Some part is public, some part is private.
  3. You can have privacy on public platforms and anonymity is important: (for example, in print, sources can be kept private, and on TV, there are anonymous interviews with the person being interviewed not shown at times). That often depends on whether anonymity is needed to protect the individual. Social media platforms are often used for dissent in countries where anonymity protects those vulnerable.

5. On the comments related to misuse: “People are making multiple profiles, and most are being used for galat kam (misuse). We need to shut the profiles that do galat kam”.

  1. Multiple social media profiles are not illegal.
  2. “Galat kam” needs to be defined and responses need to be specific for specific concerns. If people are watching pornography, the state has no right (and frankly, no intent) to interfere. If there is child pornography, then social media platforms need to help government address that. If there is defamation, then cases need to be filed, and law enforcement needs the competence to address these complaints. If people are being duped, then there are laws to address that. Law has to be based on the idea that most people are law abiding, and exceptions have to be addressed through lawful means. You don’t create legislation that punishes everyone for usage by the exceptions.

6. On the comment “But there is traceability for mobile operators”: 

MediaNama’s take:

  • Mobile service provisioning is a licensed activity, and KYC is enforceable there because of the license. Is there going to be licensing of social media platforms? Which platforms will the government license?
  • The fact that most social media profiles are linked to mobile numbers for which KYC is done, should mean that it should be relatively easy for the police to identify users.

7. On the comment that “Linking Aadhaar number is not a privacy violation, because you’re only giving a number, not personal details.”

MediaNama’s take:

  • Read the Supreme Court verdict on Aadhaar, especially the part related to Section 57 being struck down. The problem is with Aadhaar being used by private parties to profile citizens.

8. On the comment “Let social media platforms modify their platform for India”, “WhatsApp can modify its platform for allowing users to be traced” and “Can WhatsApp not tell us how often a particular message is being forwarded in a particular area?”:

MediaNama’s take:

  • WhatsApp is built to not collect data on users, and to have ambiguity around the origin of a message shared between two users if it is intercepted, so as to protect user privacy. It doesn’t collect data on how often a particular message is being forwarded in a particular area. Changing these things will mean it will have to change its platform globally, just because of an Indian government demand. Will India now start dictating how products are built globally? This is an unreasonable ask.
  • We cannot do traceability without breaking end-to-end encryption. Removing end-to-end encryption, or, in the case of other platforms, allowing encryption only when decryption keys are available with the government, makes everyone less secure. This has a chilling effect on speech and harms privacy disproportionately.

Any exploits or vulnerabilities introduced can be misused by others. You cannot make people secure by making them more vulnerable.

  • Remember BBM? Who uses it now? Breaking privacy will lead to users switching to other private platforms. Will every messaging service be forced to bring in traceability? What about email, then? And email using PGP keys? There are messaging apps which allow you to use your own PGP key. How will they prevent usage of those? Users, and indeed terrorists, will switch to other platforms.

Note: Any other points? Leave a comment and I’ll add them and update the post. Any counterpoints? Leave a comment and I’ll try and address them and update the post.

Important: This post is being written under CC-BY license. Please feel free to crosspost with credit and a link to MediaNama, and credit to the author.