The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholarUsha Ramanathandescribes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the#BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Thursday, April 26, 2018

13363 - Aadhaar hearing: Senior counsel Rakesh Dwiwedi argues that the UIDAI is constantly improving and upgrading its systems - First Post

News-Analysis Asheeta Regidi Apr 25, 2018 18:50 PM IST

On Day 32 of the Aadhaar hearings, senior counsel Rakesh Dwiwedi continued his arguments on behalf of the state. First, he argued that the reasonable expectation of privacy, in terms of permissible invasions of the right to privacy, was not subject to the standard of the least intrusive invasion, as argued by the petitioners. Instead, the standard was whether the invasion was proportional to the state's purpose for which it (the invasion) was being made.

He further disputed the applicability of many of the foreign judgments cited by the petitioners in support of their arguments. Lastly, the issue of metadata was discussed, where he argued that the metadata collected was in relation to the machine, and not the person.

No reasonable expectation of privacy in the public sphere
Dwiwedi commenced his arguments for the day with a discussion on the reasonable expectation of privacy. He first quoted a judgment from the Constitutional Court of South Africa, which found that privacy is the strongest in the inner sanctum of the mind, but shrinks as you move outside into the world. Based on this, he questioned if private life is entitled to protection outside the home, since there, people often given up their privacy. He further argued that in Europe, the concept of a reasonable expectation of privacy was not considered by the Courts, making US and UK laws and judgments more relevant in the Indian context.

Next, it was argued that in India there is a need for innovation and development of knowledge, along with the right to privacy. The correct test, he argued, was therefore not whether the invasion of privacy was least intrusive, but whether it was proportional to the purpose sought to be achieved. To emphasise the purpose sought to be achieved through Aadhaar, he quoted from the Puttaswamy judgment, arguing that ensuring that welfare benefits are not dissipated is a vital state interest.

Expectation of privacy varies according to the context
Next, he argued that in the public sphere, the right to privacy is diluted. The entire Aadhar project, he argued, is in the public sphere. Privacy concerns or reasonable expectation of privacy, further, could not be attached to information collected via Aadhaar, like demographic information and photographs. He further argued that since at the requesting entity level, the entities and the information in them are dispersed and decentralised, these don’t deserve the same level of protection as the CIDR storing centralised information.
The Bench, here, observed that core biometric information has higher privacy concerns, but this does not imply that there are no concerns with other information. Dwiwedi agreed, stating that his point was that the reasonable expectation of privacy varies according to context.

Applicability of EU and US judgment
Next, he argued that 120 countries use biometric information, and nineteen European countries use biometric ID cards. Neither the Court of Justice of the European Union nor the European Court of Human Rights ever expressed any issued with such biometric cards.

Further, he argued that there was no need to refer to European laws for tests on proportionality for an invasion of privacy since this had already been developed by the Indian Supreme Court in the case of State of Madras v. VG Row. The Supreme Court, he argued, has never accepted the proposition that a restriction of fundamental rights must be the least intrusive one.

He also cited the US judgment of Ohio v. Akron, which dealt with disclosure requirements to authorities in relation to abortions, and Doe v. Reed, which dealt with the disclosure of signatures on a referendum campaign. Further, he cited the UK judgment of Wood v. Commissioner of Police, which held that taking of photographs in itself does not violate privacy.

Marper case supports the case for the State
Further, Dwiwedi also argued that the ECHR’s judgment in S and Marper v. UK, which had been quoted extensively by the petitioners, was actually in support of the State’s arguments. He argued that in Marper, it was held that whether retention of data raises privacy concerns depends on the context. He further argued that Marper had been decided in a very specific context, which was different from Aadhaar.

First, a difference had been drawn out between collection of fingerprints and the collection of DNA. DNA collection was held to be an issue because it contained non-neutral information. Fingerprint collection was also held to be non-neutral when collected in the context of crime. Aadhaar, it was argued, does not deal with the collection and retention of data in the context of crime, and also does not involve the collection of DNA. Further, he argued that Marper discussed appropriate safeguards, not 100 percent safeguards.

He also argued that most of the cases cited by the petitioners were similarly, in the context of crime or about censuses, and therefore inapplicable in the context of Aadhaar.
Aadhaar only collects limited technical metadata
Dwiwedi next turned to the issue of metadata. He argued that the cases cited by the petitioners, such as the Digital Rights Ireland case, involved the large-scale storage of metadata which bore no relation to any State purpose, unlike the metadata collected via Aadhaar. The metadata being collected in the cases cited, he argued, was a lot more intrusive. The U.S. v. Jones case, additionally, dealt with GPS systems, which is not used in Aadhaar.

He argued that Aadhaar, instead, only involved the collection of limited technical data. He argued that the need for the collection of metadata arose due to the need to exercise control over the REs. Further, no data was collected on the location or purpose of a transaction, but merely on the system. The Bench observed that the metadata collection was of the machine, but not of the person.

Adequate safeguards and data collection
Considering that surveillance and similar concerns with privacy invasions were cited by the petitioners with respect to the metadata collection in Aadhaar, he then cited the Supreme Court’s judgment in G. Sundarrajan v. Union of India. This case dealt with the setting up of a nuclear power plant in Kundankulam. He argued that here, the Court held that apprehensions of a Fukushima like incident should not prevent the setting up of the power plant. The Court found that the power plant would help guarantee the right to life and that there were adequate safety measures in place.

Based on this, he argued that this case establishes that safeguards can be read into Article 21. Further, with respect to the CIDR, this case establishes that the standard to be applied to the safety measures must be of ‘adequate’ safety measures, and not of zero risk. Further, constant vigilance will be required to ensure safety. In the case of Aadhaar, he argued, the UIDAI was constantly improving and upgrading its safety measures.
He further argued that a similar position had been adopted by the US Supreme Court in NASA v. Nelson. The US, he argued, had discarded the standard of the least restrictive invasion. He further argued that as per this case, the possibility of a data breach was not a ground to strike down the collection of data.

Aadhaar completely bars the sharing of data
To emphasise the protection of data in the case of Aadhaar, he argued, there is a bar on the sharing of data, and the data with the REs is completely dispersed. He argued that in Aadhar, further, there was consent for the data collection, and also a bar on using the data for anything other than authentication. He argued that if there are data breaches, they should be pointed to the UIDAI.

Next, he pointed out that the data protection law will be in place by May. The Court, here, pointed out that an area that requires consideration is remedies for data breaches. The counsel pointed to the Information Technology Act and Section 43A Act as remedies, and to the actions taken against Airtel, etc. The EU’s General Data Protection Regulation, he argued, dealt with balancing the free flow of data with data protection, while Aadhaar, dealt not with free flow, but no flow of data.
The arguments will continue on 25 April.

Sources of arguments include LiveTweeting of the case by Gautam Bhatia and Prasanna S.

You can read our complete coverage of the Aadhaar Supreme Court case below

The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.