The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? -Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. -Mahatma Gandhi

In matters of conscience, the law of the majority has no place. -Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty. -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens is with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence. -Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. -Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha, April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution.

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Monday, April 3, 2017

10924 - Is Aadhaar grounded in adequate law and regulations?


The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 ["the Aadhaar Act"], as the name suggests, aims at targeted delivery of subsidies, benefits and services by providing unique identity numbers based on an individual's demographic and biometric information. Enrollment into Aadhaar is, in principle, voluntary - both as per the Central Government's own stand and repeated orders of the Supreme Court since 2013. The Government has, however, slowly been linking government (and other) services to the Aadhaar card. Since January 2017, the Government has issued 22 notifications making Aadhaar mandatory for receipt of a range of services, ranging from the Mid-Day Meal scheme to maternity benefits. The Aadhaar number is likely to become a pre-requisite for filing income tax returns and applying for a PAN card.

As of March 2017, more than 1.1 billion individuals have been enrolled in the system and 4.9 billion authentication transactions have taken place. In the process, the Government has expanded the scope and coverage of Aadhaar while the Supreme Court has yet to decisively settle the questions raised by the constitutional challenge.

In this article, we ask if the legal foundations on which the Aadhaar operates match up to the requirements of a program that is likely to touch the lives of all citizens of India. Can we, as citizens of India, be satisfied that there are enough checks and balances in the functioning of Aadhaar? 

This is important as we have already started seeing implementation problems in the form of failure of biometric authentication, server and connectivity problems, cryptic error messages, and the irrevocability of the biometric, all of which have left the Aadhaar number holder and intended recipient of a subsidy without any remedy. Moreover, in the absence of an over-arching privacy law, our regulatory surveillance architecture is heavily weighted in favour of the State, leading to the very real possibility of strengthening mass surveillance with little regard for the effect on individuals' rights to privacy.

What should the legal framework provide?

A program such as Aadhaar should be built on sound legal foundations. At the very least, the Aadhaar scheme should be able to guarantee first, good governance by the Unique Identification Authority of India ["UIDAI"], the statutory body responsible for the functioning of the Aadhaar system; second, privacy protection from the State and the private sector against the misuse of the Aadhaar number; third, security protection against data breaches; and fourth, an effective grievance redress mechanism against mistakes, deception, and abusive practices.

We evaluate the Aadhaar Act and the subsequent regulations on two issues, namely their scope and ambit, and security standards. In a follow-up article, we will focus on the privacy, accountability, and enforcement concerns that arise in the current legal framework.

Concerns about the Aadhaar Act

In a recent paper, "Towards a privacy framework for India in the age of the internet", we proposed a privacy framework that incorporated universally accepted privacy principles and analysed the Aadhaar Act against these benchmarks. Our critique of the Aadhaar Act focused on the lack of clarity surrounding the scope and ambit of the Act; the absence of any meaningful provisions on consent; the omission of privacy considerations; the role of private companies; and inadequate redress mechanisms.

The Act leaves too much to be specified by the Regulations. For instance, the definition of biometric information [Section 2(g)], the procedure for sharing [Section 23(2)(k)], and publication [Section 29(4)] of an Aadhaar number holder's information are left to be specified by regulations. This causes uncertainty about the scope and ambit of the Aadhaar Act, apart from concerns about the lack of Parliamentary scrutiny over any subsequent Regulations. In fact, the constitutionality of the Act can be challenged on the ground that it delegates essential legislative functions, including important decisions on policy, to the Executive, and lacks sufficient control over its exercise (See Re Delhi Laws Act, AIR 1951 SC 332; Avinder Singh v State of Punjab, AIR 1979 SC 321; and Ajoy Kumar Banerjee v UOI on excessive delegated legislation). 

Concerns with the Aadhaar Regulations

In an attempt to address some of these criticisms, the Government, through the UIDAI, released detailed Regulations on enrollment, authentication, data security, and sharing of information in September 2016. These Regulations are also incomplete for two reasons.

Lack of clarity on the scope and ambit of the Regulations

As with the Act, the UIDAI, which was expressly tasked with notifying the Regulations under the Aadhaar Act, has failed to exercise such power delegated to it, causing further uncertainty about the working of the Act and the Aadhaar Scheme. The UIDAI, while notifying various regulations in September 2016, left multiple aspects of the functioning of the Aadhaar Scheme to be "specified by the Authority", i.e. to be specified by itself at a future undetermined date.

For instance, the UIDAI was empowered under Section 23(2)(a) of the Act to "specify, by regulations, demographic information and biometric information required for enrollment and the processes for collection and verification thereof." However, Regulations 3(2) and 4(5) of the Enrollment Regulations leave the "standards" for collecting biometric and demographic information, required for enrollment, to be specified by the Authority for this purpose. Thus, despite being tasked with laying down the regulations to govern the enrollment and collection of demographic and biometric information, the UIDAI's own Enrollment Regulations leave the specification of such standards to be notified by itself at some point in the future.

Similarly, Regulation 13(2) of the Enrollment Regulations on the generation of Aadhaar numbers states: "The Authority shall process the enrollment data received from the Registrar, and after deduplication and other checks as specified by the Authority, generate the Aadhaar number." There is no guidance to the UIDAI on what kind of checks should be laid down, or on the principles that have to be followed in the interim, before further regulations are notified.

Through the four substantive regulations, the phrase "specified by the Authority" has been used 51 times (See Regulations 3(2), 4(5), 7(2), 8(2), 8(4), 11(2), 11(5), 13(2), 14(2), 17, 19(c), 20, 22(2), 23(5), 25(1), 29(2), 31(2), 32(1), 32(2), 32(3), 34 and Rules 17, 19, 22, 23, 24, 25, and 26 of the Code of Conduct in Aadhaar (Enrollment and Update) Regulations 2016; Regulations 6(2), 7(3), 12(1), 12(2), 12(4), 13(1), 14(1)(d), 16(8), 18(1)(c), 18(1)(d), 18(2), 19(1)(a), 19(1)(h), 22(2), 22(3), 23(2)(a), 28(3), and 28(4)(a) of the Aadhaar (Authentication) Regulations; Regulations 4(2), 5(a), and 6(1) of the Aadhaar (Data Security) Regulations; and Regulations 4(1) and 4(2) of the Aadhaar (Sharing of Information) Regulations, 2016).

In some cases this may be justified because the standards relate to technical aspects such as the collection of information, the mode of updating residents' information, convenience fees, and certification processes, which may require a separate set of rules outside the regulations. However, important issues surrounding the enrollment, storing, and sharing of data -- issues that determine how our sensitive, personal information is collected, authenticated, stored, used, and shared with third parties -- have been left unspecified. This does not seem to have deterred the Government from pushing forward with the Aadhaar project.

The incompleteness of the various Regulations notified by the UIDAI underscores the lack of specificity in the working of the Act and the Regulations. The powers delegated to the UIDAI have in a sense been 'delegated' to its future self, to be notified when the UIDAI deems it appropriate. There is thus complete uncertainty about when, and whether, any future regulations will be notified by the UIDAI or whether the enrollment process will continue in this legal vacuum.

Lack of specification of security standards

The incompleteness of the Aadhaar Regulations is not limited to the Aadhaar (Enrollment and Update) Regulation. It extends to other Regulations as well, such as the Aadhaar (Data Security) Regulations. Notably, Section 23(2)(m) of the Aadhaar Act empowers the UIDAI to specify, by regulations, "various processes relating to data management, security protocols and other technology safeguards under this Act." Given the vast quantities of sensitive, personal data that is being stored in one centralised repository, one would imagine that the UIDAI would be quick in clarifying all the security protocols and technology safeguards. However, through Regulation 3(1) of the Data Security Regulation, the UIDAI does not lay out any specific measures for ensuring information security, instead only stating that: "The Authority may specify an information security policy setting out inter alia the technical and organisational measures to be adopted by the Authority and its personnel, and also security measures to be adopted by agencies, advisors, consultants and other service providers engaged by the Authority, registrar, enrolling agency, requesting entities, and Authentication Service Agencies."

Regulation 5(a) then further requires service providers engaged by the UIDAI to ensure compliance with such information security policy "specified by the Authority". Such a policy, to the best of our knowledge, has not yet been notified.

Thus, despite the enactment of the Aadhaar Act and the notification of the Aadhaar (Data Security) Regulations 2016, the failure to notify/specify an information security policy has meant that the fear of identity theft remains. In fact, it is only exacerbated in a country such as India, which does not have an adequate data protection regime, both in terms of the relevant legal provisions and effective enforcement mechanisms.


The Aadhaar regulations raise an important question on the consequences of a regulator's (UIDAI) failure to exercise the power that has been delegated to it, and to instead postpone the specification of important standards/procedures to a future, undetermined time. In the meantime, the UIDAI is carrying on, and in fact hastening, the process of enrollment, without any of these guidelines and processes having been notified. Thus, the various processes under the Act are happening in some sort of legal vacuum. This is a cause for worry.

Vrinda Bhandari is a practicing advocate in Delhi. Renuka Sane is a researcher at the Indian Statistical Institute, Delhi. We thank Anirudh Burman, Pratik Datta, Shubho Roy and Bhargavi Zaveri for useful discussions.