Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholarUsha Ramanathandescribes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the#BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Sunday, May 13, 2018

13521 - Aadhaar hearing: Highlights from 38 days of Supreme Court's 2nd longest hearing in history - First Post

Aadhaar hearing: Highlights from 38 days of Supreme Court's 2nd longest hearing in history
News-Analysis Anirudh Regidi May 13, 2018 11:39 AM IST

Editor's note: For the past four months, cyberlaw expert and certified information privacy professional Asheeta Regidi has been following the proceedings of the Aadhaar case in the Supreme Court for tech2. As we approach the judgment in this, the second-longest hearing in the history of the Supreme Court, here's a glance at the major arguments made over the past 38 days of hearings.

JAN 24, 2018
The arguments against Aadhaar before the Supreme Court continued today, with senior counsel Shyam Divan presenting arguments against the Aadhaar system

Reuters
FEB 2, 2018
Issues raised on day 6 included the unconstitutionality caused by the centralization of data from the Aadhaar system, the legal basis of Aadhaar, and the veracity of the UIDAI and governmental claims on the savings through Aadhaar.


Reuters
FEB 7, 2018
The Bench observed that this exclusion caused by Aadhaar is a ground for violation of Article 14, the right to equality, indicating grounds for its unconstitutionality.

FEB 9, 2018
The petitioners argued that there can be a voluntary ID card system without authentication data that would not be used to collect data.

FEB 20, 2018
For the Aadhaar Act to be constitutional, the petitioners argued that it firstly needs to meet the tests of substantive and procedural reasonableness.

FEB 23, 2018
The petitioners first continued with their arguments since Day 11 on dignity as a protected facet of Article 21 of the Constitution

FEB 23, 2018
On Day 13 of the Aadhaar hearings yesterday, senior counsel Gopal Subramaniam concluded his arguments for the petitioners.

MARCH 07, 2018
On Day 14 of the Aadhaar hearings, senior counsel Arvind Datar commenced his arguments on behalf of the petitioners.

MARCH 8, 2018
On Day 15 of the Aadhaar hearings, senior counsel Arvind Datar concluded his arguments for the petitioners, and senior counsel P. Chidambaram commenced his.

MARCH 15, 2018
Senior counsel KV Vishwanath commenced his first argument on Section 59 that grants validity to all the acts of the government prior to the passing of the Aadhaar Act in 2016

MARCH 16, 2018
The issues raised included that the entire Aadhaar project is beyond the Act’s objectives, the excessive data collection under KYR+ and State Resident Data Hubs (SRDHs)

MARCH 21, 2018
Issues raised were lack of proportionality and purpose, limitation with the large-scale collection and retention of data under the Aadhaar Project.

MARCH 22, 2018
The primary argument was on how the benefits of Aadhaar through providing a right to life with dignity to the poor, outweighed the right to privacy.

MARCH 23, 2018
Discussing the set up of the Aadhaar system, he stated that 9000 crores had been invested by the government in setting up and operationalizing the UIDAI

MARCH 28, 2018
The issue of data breaches from points other than the CIDR was also raised. Also, the Bench refused to extend the deadline for Section 7 benefits.

APRIL 4, 2018
The Aadhaar Act, the Attorney General argued, is a just, fair, and a reasonable law. The motive of Aadhaar was in the larger public interest

APRIL 6, 2018
The Attorney General argued that the Aadhaar regime had to be assessed based on what it was, and not on hypothetically what it could be.

APRIL 11, 2018
Additional Solicitor General Tushar Mehta commenced his arguments on the Aadhaar-PAN linkage under Section 139AA of the Income Tax Act.

APRIL 12, 2018
Additional Solicitor General Tushar Mehta continued his arguments on the Aadhaar-PAN linkage and commenced his arguments on Aadhaar-Bank Account linkage

APRIL 13, 2018
Senior counsel Rakesh Dwivedi commenced his arguments, arguing that the surveillance possibilities discussed by the petitioners were ridiculous and mere rhetoric.

APRIL 18, 2018
The Bench, while discussing apprehensions of misuse of data, observed that a blinkered view of reality could not be taken while dealing with Aadhaar.

APRIL 19, 2018
The Bench observed that the lack of choice with the means of identification indicated a lack of proportionality with the restriction imposed.

APRIL 20, 2018
Further, he discussed the reasonable expectation of privacy with respect to the data collected under the Aadhaar Act.

APRIL 25, 2018
Returning to the issue of metadata, he argued that Aadhaar only involved the collection of limited technical data. He argued that this was needed to exercise control over the REs.

APRIL 26, 2018
The Aadhaar project had the support of two governments, since it had been commenced when the Congress was in power.

APRIL 27, 2018
Senior counsel Neeraj Kishan Kaul on behalf of the Digital Lenders Association of India and others also argued that the private sector should be allowed to use Aadhaar.

MAY 3, 2018
The Attorney General then continued his arguments on the money bill issue, arguing that Aadhaar was, at its core, a money bill and that Section 57 was just an ancillary provision.

MAY4, 2018
Shyam Divan argued that the State’s expert report conceded that location data could be tracked via Aadhaar, thus establishing surveillance in a fundamental form.

MAY 10, 2018
The senior counsel Gopal Subramaniam commenced his rejoinder, arguing that the State cannot place the burden of its failures on the individual.



Challenges to the Aadhaar Act and its surveillance implications raised before SC

Petitioners argue on centralisation of data and challenge Aadhaar’s claims on savings

Petitioners argue that Aadhaar is an RTI Act for the State and violates right against self-incrimination

Petitioners argue for a voluntary ID card system that does not collect user data

Aadhaar is architecturally unconstitutional, argue the petitioners

Petitioners argue that Aadhaar violates dignity by objectifying and depersonalizing an individual

Petitioners seek compensation for starvation deaths and extension of March 31st deadline

Mandatory linking of Aadhaar with bank accounts violates the 'Right to Equality', argue petitioners

Day 15 saw arguments on Aadhaar as a money bill, interim orders for NEET registrations were also passed

De facto mandatory nature of Aadhaar results in unconstitutional and indirect coercion, argue petitioners

Entire Aadhaar project is beyond the stated objectives of Aadhaar Act, argue petitioners

Petitioners conclude their arguments on 'the number of the beast' Aadhaar, highlighting various issues

Political liberties cannot be foregone for economic and social justice, states the Bench

UIDAI’s presentation discusses Aadhaar enrolment, updation and authentication processes in detail

Supreme Court expresses concerns with data breaches, Aadhaar security and profiling

Petitioners question UIDAI on verification of residency requirement, de-duplication rejections and authentication failures

Bench criticises the argument that Aadhaar can prevent bank frauds and terrorists from acquiring mobile numbers

Additional Solicitor General argues Aadhaar-PAN linkage enables deduplication, prevents fraud and widens the tax base

Not necessary to prove least possible invasion of privacy, argues Additional Solicitor General

Senior counsel calls surveillance possibilities as mere rhetoric, says fingerprint data is only relevant for palmistry

Counsel argues that Aadhaar is more secure than a data protection law, SC disagrees

Supreme Court questions why both right to privacy and right to food cannot be secured under the Constitution

Senior counsel Rakesh Dwivedi argues that balancing between rights is a symbol of justice

Senior counsel Rakesh Dwivedi argues that the UIDAI is constantly improving and upgrading its systems

Aadhaar has the support of two governments, argues the State

The Act is a well balanced law of which a few provisions should be struck down, argues advocate Gopal Sankaranarayanan

Attorney General argues that Aadhaar is fundamentally a money bill to which Section 57 is an ancillary provision

People must have a choice in the unstoppable march towards technology, argue petitioners

Is the Aadhaar Act compliant with the first five words of the Constitution, 'We the People of India', asks senior counsel

Lack of integrity in Aadhaar enrolment and authentication

Representational image. News18
The arguments against Aadhaar began with the assertion that data collection was happening in the absence of a law, that personnel were not qualified to collect and handle sensitive data and that the biometric process itself was unreliable. Fingerprints can be cloned and iris scanners bypassed.
To add to this, it was argued that firstly, the collection of biometric information is itself a violation of the fundamental right to bodily integrity. Further, it was argued that the receipt of government benefits on the conditional waiver of constitutional rights is unconstitutional.
On day 7 of the hearings, an affidavit by a cybersecurity expert was presented, which stated that enrolment centres were illegally retaining biometric data, a fact that neither the UIDAI and the people were aware of. The affidavit also enumerated six ways of hacking Aadhaar.
Petitioners also pointed out the leakage of data compromises the system.
On day 13 of the hearing, petitioners made the argument that people cannot be asked to give their biometrics if criminality of proof of offence hasn’t been proved.
Further, it is currently assumed that biometrics were captured properly the first time. A failure to authenticate later is seen as an attempt at duplicity.
It was also pointed out that the UIDAI didn’t have ownership of the software involved in biometric data collection, further putting the Aadhaar system at risk. The Aadhaar Act requires complete ownership.
On day 18, petitioners argued that the use of uncertain and unproven biometric technology was a violation of Articles 14 and 21, and that a thumbprint and iris scan are both not unique and changeable.
Test of validity
The petitioners argued that there was no law for data collection prior to 2016. Therefore, Aadhaar violated the privacy of citizens without any legal basis for doing so.
They also argued that the large-scale collection and storage of data did not meet the “test of proportionality”. In other words, the petitioners are arguing that the ends (efficient disbursal of welfare benefits) did not justify the means (breaching the right to privacy of a billion plus citizens).
The petitioners argued that when the potential for harm is overwhelming, the standards of scrutiny for the Act enabling the harm must be higher, and Aadhaar does not meet these standards.
Retrospective validation of Aadhaar
While Aadhaar was launched in 2009, it was only given a legal basis in 2016. This, argue the petitioners, is significant because informed consent cannot be assumed in retrospect. The fundamental right to privacy cannot be violated in retrospect.
India is a nation that’s governed by law, argue the petitioners, not by people. Depriving a person of life or liberty is only possible with the authority of the law. To add to this, Aadhaar was enforced in direct violation of several Supreme Court orders mandating that Aadhaar be voluntary.
On day 12 of the hearing, the Bench agreed, stating that while an absence of law could be supplemented in retrospect, a breach of law could not be validated in retrospect.
On the validity of Section 59 as a validating provision
Section 59 of the Aadhaar Act retrospectively validates the acts of the government prior to 2016, when the Aadhaar Act was passed. The bench stated that while the section does not grant retrospective validity to the acts of the govt, it deems them to have been done after the passing of the Act. The petitioners questioned if it was even possible to have such a provision. They also argued that since Section 59 only deems the Act to be valid from 2016 as opposed to 2009, the act is invalid.
They also argued that trying to correct the absence of a law and the absence of safeguards in retrospect, as Section 59 attempts to do, cannot be legal. For example, the collection of data before 2016 happened without informed consent, which cannot be retrospectively assumed.

On Aadhaar Act passing as a money bill
Petitioners argued that Section 7 of the Aadhaar Act (which establishes the link with Aadhaar as a money bill), was not essential to the Act. An amendment to the Food Securities Act would have sufficed, they argued.
Without Section 7, Aadhaar cannot be treated as a Money Bill and would only establish a new mode of identification. It was argued that Section 7 gives too much power to the State or a private entity to deny any other form of authentication. It was also noted that the Section 7 was in direct violation of an earlier Supreme Court order, making the mandating of Aadhaar an impermissible executive exercise.
On day 15, Senior Counsel Arvind Datar argued that for Aadhaar to be classified as a money bill, it would have to be bound by its Statement of Objects. Since private parties are allowed to use Aadhaar (as per Section 57 of the Aadhaar Act), the Bench observed that the Act then loses its nexus with a money bill.
The petitioners pointed out that the Rajya Sabha had recommended the deletion of Section 57 and the provision of an opt-out clause.
The primary argument against the passing of Aadhaar as a money bill, however, is that a bill so passed bypasses the Rajya Sabha and the president. This, it was argued, requires very careful and strict interpretation to classify a given bill as a money bill.

Representational image.

Aadhaar as a surveillance tool
The petitioners further argued that Aadhaar could be used as a surveillance tool and that secret surveillance had the ability to undermine a democracy. More importantly, there is a need to protect the future generations from such surveillance. They also argued that while surveillance by a private entity like Google existed, Google was an optional service. To add to that, surveillance by the State can cause much greater harm.
The Supreme Court countered some of the Aadhaar-surveillance arguments with an observation that similar data collection happens when a person uses an iPhone or an ATM.
The Bench also asked how data collection via Aadhaar was different from data collection via a PAN card linked to the Income Tax department, say. The petitioners explained that the problem with Aadhaar was the centralisation of data collection. Data that was normally in silos was now in one place, making it much simpler to track an individual. Ultimately, they argued that it’s not even about data collection, but about an architecture that enables pervasive surveillance.
Kapil Sibal went so far as to call Aadhaar an RTI tool (Right to Information) for the State for information on citizens.
The Bench here pointed out that the Aadhaar Act cannot be questioned on its potential for misuse. The petitioners countered that given the amount of information that was being taken by the State, surveillance was a reality.
On day 9 of the Aadhaar hearing, petitioners brought up the 2011 destruction of the UK ID card database, a biometric database that was found to be too intrusive and thus, unconstitutional. The petitioners further argued that Aadhaar is even more intrusive because it also collects metadata, not just biometrics (as defined by Regulation 26).
On day 10, petitioners pointed out that information is knowledge, information which, in silos, amounted to nothing. They also pointed to the high valuation of WhatsApp, which was based entirely on its potential to generate information on its users. A nationalised ID is fine as long as it is private and not in a centralised database.
On day 11, they argued that Aadhaar cannot survive in the absence of a data protection law, given that it treats data as property.
On day 12, the Bench raised the question of privacy vs national security. The Bench noted that the State has a legitimate interest in monitoring the web to secure the nation against cyberattacks and terrorist activities. The petitioners countered that Aadhaar was dealing with an entire population, not terrorists. Also, the stated purpose of the Aadhaar Act is not that of surveillance.
Pointing to the case of Szabo vs Hungary, petitioners argued that a system of secret surveillance set up on the grounds of defending democracy, entails a risk of undermining or even destroying democracy.

Responsibility and redressal
It was also argued that there is no redressal mechanism in place for dealing with violations because of or related to Aadhaar. The UIDAI took no responsibility for the data while still going ahead and funding the SRDHs (State Resident Data Hub) without any sort of statutory approval.
The petitioners argued that sharing of data with the SRDH was illegal and impermissible under the Aadhaar Act. They also pointed out that there was no evidence that third parties like SRDHs and registrars destroyed biometric data, as they should have done once the Aadhaar Act was passed.

Challenging the State’s claims about Aadhaar
The government’s claims of Rs 17,000 crores in savings via MNREGA and LPG subsidy via Aadhaar were challenged, with the petitioners claiming that the actual numbers were nearer the Rs 220 Crore mark. A World Bank report claiming $11 billion in savings due to Aadhaar was also brought into question, with petitioners bringing up the fact that a senior World Bank official resigned over issues with data integrity. Petitioners also pointed out that some of the savings could also be attributed to previous schemes.
They pointed out that any law cannot violate a fundamental right in retrospect.
The petitioners argued that the goverment assumed that identity fraud was the only cause of leakages. They claimed that the government used older reports to make assessments and that the State would otherwise be unable to present any evidence to justify the infringement of rights as a result of enforcing Aadhaar.
It was also argued that the scope of Aadhaar was being extend far beyond the scope of the Act.

A man goes through the process of eye scanning for the Unique Identification (UID) database system, also known as Aadhaar. Reuters.

If you don’t have Aadhaar, you’re a crook
Petitioners argued that Aadhaar was premised on the assumption that India is a “nation of knaves”. If you don’t have Aadhaar, you’re a crook, and this leads to a breakdown of trust between the nation and its residents, they argued.
Petitioners also brought up the issues of starvation deaths and other such examples, all of which were caused by Aadhaar-linkage failures. Even school children were denied attendance because their fingerprints didn’t match.

Nobody has been excluded because of Aadhaar
The petitioners argued that since the Aadhaar project was causing more exclusion than inclusion, it was unconstitutional and a violation of Article 14, the right to equality. The Bench argued that exclusion was happening right now due to factors like infrastructure or old age, which can be remedied via upgrades. When it was pointed out that exclusion was happening right now, the State countered saying that nobody has been excluded due to the lack of Aadhaar.
The State argued that the Act has provisions for people who do not have Aadhaar or are unable to provide biometric data. The Petitioners countered that there are very real issues on the ground and that reading out the provisions of the Act is not a solution.
Petitioners later pointed out that the government violated the doctrine of unconstitutional conditions. A person cannot be denied benefits and entitlements solely for want of an identity. Infrastructure issues aside, it is unconstitutional for the State to mandate only one form of identity.
They also argued that while it was reasonable to prove status in order to receive benefits, everyone has a right to prove status in a reasonable manner.

Violation of dignity
An important argument against Aadhaar, according to the petitioners, is that of the violation of dignity of an individual, which is unconstitutional. To support this, petitioners cited several examples. They pointed out that a member of a marginalised section of society shouldn’t be exposed as marginalised, that silos of information cannot be aggregated and that a person has a right to control their personality. The surveillance potential of Aadhaar directly affects that last right.
They also pointed to the Jeeja Ghosh vs UoI judgement where it was ruled that dignity forms a significant facet of the right to life and liberty.
According to the petitioners, by enforcing Aadhaar, the State is operating on the assumption that everyone is an imposter, which is unconstitutional. They also argued that simply assuming that the poorest of the poor were making ghost cards to pilfer rations is to pass a moral judgement against them.
Further, it was argued that the Aadhaar Act objectifies and depersonalises an individual. Citing the case of S and Marper vs UK, it was pointed out that even a reasonable apprehension of surveillance can cause a chilling effect.

Aadhaar as a voluntary ID system
Section 57 of the Aadhaar Act has been the basis for making Aadhaar mandatory for various purposes. Petitioners argued that the section could only be constitutional when Aadhaar was treated as a voluntary ID document. The Bench was sceptical of this argument.
Petitioners pointed to Israel’s Smart ID system, which uses smart cards and biometric authentication, but lacks any identifying information. Petitioners argued that the Aadhaar must be voluntary, that it must not collect data and that people have a right to alternatives.
The Bench, the petitioners argued, must decide if the people live in a country where the people have choice, or where the State is the arbiter of that choice. By being forced to enrol for Aadhaar, the people were being forced to barter their constitutional rights.
On day 14 of the hearing, senior counsel Arvind Datar argued that even the RBI (Reserve Bank of India) does not mandate the use of Aadhaar as the sole means of KYC. The RBI, in fact, specifies at least six other documents as valid, including passport, driving license, PAN card, etc. The RBI rules at the time stood in direct violation of the update to the Prevention of Money Laundering Act (PMLA).

The Bench stated that the poor had an equal right to privacy. Reuters.
NOTE: The RBI recently passed an order stating that it is mandatory to link Aadhaar with bank accounts. This will be subject to the Supreme Court’s decision on Aadhaar, however.
The PMLA rule requiring that a bank account be blocked because it isn’t linked to Aadhaar is draconian, argued the petitioners, adding that the fact that Aadhaar is meant to be voluntary to begin with means that the PMLA rule is unconstitutional.
On day 18, the validity of mandatory eKYC as issued by the Department of Telecom (DoT) was brought into question and a request to extend the deadline was put in.
They also pointed to the US Social Security Number (SSN) system. In 1974, the US senate voted that an individual would have the right to refuse to show his SSN and that no federal agency could deny the provision of any benefit for that reason. In the case of Aadhaar, it is not possible for an individual to survive without it.
It was also argued that the livelihood of the people could not be made dependent on a system that was inherently probabilistic and faulty. Petitioners also pointed out that the rate of authentication failure in Rajashtan and Jharkhand was 37 percent and 49 percent respectively.
Later, the petitioners argued that the state has very limited powers to impose compulsions by law. Aadhaar does not qualify. They added that the State failed to justify the infringement of the right to life and liberty.

Protecting privacy
It was pointed out to the bench that while banks were linking Aadhaar to bank accounts, ostensibly for the prevention of money laundering, NCPI was making the data available to third parties. The petitioners also noted that SRDHs had no restriction on the data collection on an individual, though Rahul Dwivedi, Senior Counsel on behalf of the State of Gujarat, pointed out that all SRDH data was erased once the Aadhaar Act was passed.
They also indicated that the definition of biometric and core biometric information was open-ended. New forms of such data could be added via regulation. This could even extend to the creation of DNA databanks.
Deactivation or cancellation of Aadhaar only happens at the discretion of the UIDAI. There is no prescribed procedure to safeguard this power.
Disclosure of the personal information of an individual is also permitted, but only the UIDAI is required to be heard, not the individual whose data is at stake.
It was also argued that the Aadhaar Act was drafted on the assumption that privacy was not a fundamental right and is, therefore, an unbalanced Act.
Another issue is that of proportionality. The petitioners argued that the State could not prove that Aadhaar was necessary because there were no other alternatives. The State, after all, didn’t try alternate systems like smart cards, food coupons, etc.
On day 18, the issue of KYR+ (Know Your Resident) was raised. Where only demographic and identity information was to be collected under the Aadhaar Act, KYR+ was being used to collect and link PAN card, bank account numbers, education, religion and caste details.
They argued that inherently personal nature of the data means that protection must be ensured. If that level of protection is not ensured, then the State cannot take the data. Several example of the State’s inability to protect this data were then cited.

Concluding arguments
On day 19 of the hearings, the petitioners presented their concluding arguments:

Retention of metadata enables precise profiling: It was argued that the collection of metadata was a violation of fundamental rights and that the data could be used to create precise profiles on the private lives of individuals.

The menace of surveillance: Surveillance, even the apprehension of it, strikes at the freedom of communication and is an interference into people’s rights to respect for private life and correspondence.

Protection of future generations: Aggregation of data, as admitted to by the State and the UIDAI, is sufficient to indicate the religion, class, social status, income and education level, medical history and reproductive preferences of an individual. What protection is there to prevent the abuse of this data and is its collection even necessary or permitted?

Issues with the Aadhaar Act: The Act lacks proportionality, purpose and limitations on scale and retention of data. Provisions for the destruction of records do not exist and neither does a provision for alternative forms of identification.

Aadhaar is not the least intrusive method for authentication: Even if there is a compelling interest to identify people accurately, the least intrusive method must be used to achieve this. This is not Aadhaar. It was, in fact, suggested that a credit card like system be used, where biometrics are stored on the card itself. This could be faster, more accurate, more secure and less intrusive.

The irrationality of the Aadhaar project: Aadhaar is arbitrary and violative of the right to equality (Article 14). It is also irrational because biometrics are inherently unreliable. The lack of an opt-out facility and no option is given to citizens to control their data.

A child cannot consent to enter into contracts. Reuters
A child cannot consent or enter into contracts: Aadhaar is a violation of child rights because a child is not legally permitted to give consent. Children’s privacy is also granted under the Indian Constitution. A child’s right to education can also not be made subject to Aadhaar.

Religious objections to Aadhaar as the ‘beast’: Petitioners cited an example where a Christian family objected to Aadhaar on the grounds that they believed that Aadhaar was the mark and number of the ‘beast’, which exercised authority over people and forced all to worship it. The family believed that Aadhaar being made mandatory made it impossible for people to continue with their lives. Aadhaar, thus, violates the freedom of religion.

Gender requirement affects transgender persons: Transgender people will find it difficult to acquire identity documents, making acquiring Aadhaar impossible. People are thus excluded and denied benefits, which is a violation of the right to equality and privacy.
NRIs unable to file taxes or acquire SIMs: In another example of exclusion, it was shown that NRIs are not eligible for Aadhaar, making it difficult to acquire a SIM or file taxes.

So ended day 1-19 of the Aadhaar hearings.
On day 20 of the hearings, the State commenced its arguments in defence of Aadhaar.

Aadhaar security
Attorney General KK Venugopal argued that “tremendous effort” had gone into securing Aadhaar. He offered a PowerPoint presentation by the CEO of UIDAI on the security of Aadhaar, which included the fact that the CIDR servers, which were protected by a wall “13 feet long and 5 feet wide.” Later, the State shared more details on the security of its data centres, including the presence of X-Ray equipment and biometric authentication.
He argued that Aadhaar was a “serious effort” to insulate deserving beneficiaries from the effects of corruption.
The State argued that Aadhaar was random, baring no link to the person for whom it was generated. They added that the number could never be re-issued and that it wasn’t linked to citizenship. They also pointed out that data sharing could only happen with consent.

A woman goes through the process of finger scanning for the Unique Identification (UID) database system, Aadhaar, at a registration centre in New Delhi, India. Image: Reuters
The issue of foreign companies owning Aadhaar software was brought up. The State here claimed that only the software for matching biometrics was from foreign companies and that those companies did not have access to Aadhaar data. The response, of course, doesn’t address the possibility that data could be stolen.
The State asserted that authentication happens in silos and that biometric data was never shared, and neither was purpose, location and transaction data collected.
No opt-out mechanism: The UIDAI CEO confirmed that there would be no opt-out mechanism under the Aadhaar Act. People only had the option to lock biometrics.
The State also claimed that matching with biometrics happens on a 1:1 basis and that it was thus, not probabilistic in nature. However, on day 29 of the hearings, the State argued that nothing in the world was deterministic. The Bench then questioned how a probabilistic system could be allowed to affect fundamental rights.

Sacrificing privacy for benefits
The AG argued that corruption and middlemen have diverted Rs 1,000 Crore or more of funds. Aadhaar is meant to address this. He argued that alternatives, including smart cards, were considered and rejected as unsuitable and that, in fact, Aadhaar was designed to have the least possible violation of privacy.
He even argued that Aadhaar enrolment was voluntary before the Act was passed, removing any question of violation of privacy. Aadhaar ensures the right to life and to live with dignity, he argued.
While the AG argued that both sides were fighting for the protection of the rights to life and to dignity, the Bench noted that the AG’s argument seemed to be that the right to privacy must give way to distributive justice. The Bench also asserted that individual rights cannot be made subordinate to distributive justice.
The AG claimed that no individuals claimed to have been excluded and that it was mainly NGOs making such claims. The Bench disagreed.
In addition to this, the State argued that the poor have a right to live without hunger, to which the Bench countered that the poor also have a right to privacy. The State then claimed that Aadhaar enabled the right to food, livelihood and pensions.
Another argument by the State was that poverty was a violation of human rights. The State then asked that the choice here is between a right to life and a right to privacy. The State went on to argue that official identification was a fundamental human right.
Regarding traceability, UIDAI stated that it did not track IP address and GPS location, but that it did record AuA code, ASA code (Authentication Service Agency)m unique device code and the registered device code used for authentication.
When asked about the open-ended nature of the definition of biometrics, the State admitted that the definition could extend to blood, urine and DNA samples, but that this expansion could be subject to judicial review. The Bench countered that this was false. The UIDAI has been given the power to decide what’s to be included and only the Parliament can disapprove or the rules. This, said the Bench, amounted to excessive delegation.

Aadhaar. Getty
The petitioners had argued that Aadhaar was treating people as terrorists. To this, the State responded saying that airlines screen passengers as an administrative service as a measure to safeguard the public. They argued that Aadhaar was serving a similar purpose. The Bench was not convinced by this argument, however.
The State cited several earlier cases where the right to privacy was held to be subordinate to other, larger public interests.
Another argument presented by the State was that there was no need to look for the ‘least intrusive’ when something is overwhelmingly in the public interest.

Aadhaar and bank accounts: The State claimed that the amendment to the PMLA rules mandating Aadhaar linking with bank accounts was necessary to prevent impersonation. They also stated that rendering unlinked bank accounts non-operational was not a violation of the right to property as it amounted to a reasonable restriction on the right. The Bench did not accept this and asked how the PMLA rules authorise the freezing of bank accounts and asked whether it was authorised under law.
When the Bench further questioned the State as to how a validly opened bank account could be frozen under PMLA, the State explained that this was done to prevent money laundering and to curb terrorist activity.
The State argued that people strive to be recognised, as a matter of dignity and pride. The Bench countered that in the absence of choice of identity, there was an absence of proportionality with Aadhaar.
The State argued that privacy was a small price to pay for ensuring life itself. It was also stated that privacy is the strongest in the inner sanctum of the mind, but shrinks as you move outside into the world. Next, the State argued that in the public sphere, the right to privacy is diluted. The entire Aadhar project, he argued, is in the public sphere. The reasonable expectation of privacy varies according to context.

Misuse of harvested data
On day 21 of the hearings, the State argued that enrolment collects minimal data and that mobile numbers and email IDs were optional. The State also argued that enrolment agencies were subject to high quality security standards.
When asked about why 49,000 enrollers were deregistered (as opposed to the 30,000 agencies currently in operation), the State responded that corruption, improper data collection and failure to meet standards were to blame. The State was also asked if the blacklisted enrollers were blacklisted for data breaches. The State responded with a statement that the enrollers lacked the qualifications to tamper with enrolment software. Private enrolment agencies are being phased out, added the state.
Regarding data breaches, the State stated that reported data breaches only referred to compromised data breaches and not the CIDR, which has never been breached. To this the Bench pointed out that unless there is protection against all forms of data breaches, Aadhaar will remain a problem.
The Bench asked about Authentication User Agencies (AuAs) and whether they could record and monetise data. The State claimed that AuAs were prohibited from doing so, which failed to address the Bench’s concern that the State had no control over AuAs and their ability to share data.

Representational image. Reuters
When asked about the misuse of authentication records, the State said that collecting data on the purpose of authentication was prohibited.
However, when the Bench later asked if Authentication logs were kept with authentication or requesting entities, the State answered in the affirmative, but that such entities were regularly audited.
The State later noted that demographic information on PAN card holders was being collected since 1989 and that fingerprint data was also collected. The Bench was quick to point out that only the left thumb impression was taken, and only when people could not sign the form. There was also no authentication.

Fingerprinting citizens: The AG discussed proportionality with respect to collection of fingerprints. He cited several American judgements in support of arguments that fingerprinting was only a minor inconvenience and minimally intrusive, and that it did not carry the presumption of criminality. He also argued that the violation of dignity was non-existent.
The State further argued that while it was possible that biometric data could be extended to DNA and eventually misused, it was entirely speculative and that it wasn’t the court’s job to speculate on ‘dramatic Hollywood fantasies.’ The Bench countered that the issue with the collection of biometrics was that only the UIDAI had the power to define biometric information, which is a failure to meet proportionality requirements.
The State also pointed to a case where the CBI approached the Bombay High Court to obtain biometrics from the UIDAI for an investigation. The UIDAI refused to do so without the affected individual’s consent.
Interestingly, the State argued that it could already surveil people if needed, and that Aadhaar would not be necessary for that. The State claimed that the petitioners were using ‘rhetoric’ to rubbish Aadhaar.
The Bench observed that technology enabled mass surveillance and cited the case of election tampering via Facebook. The State countered that they did not have the algorithms to profile users like Facebook, and that Section 33 of the Aadhaar Act makes the acquisition or implementation of such a system illegal. They also argued that authentication metadata reveals very little.
The State also added that there was no possibility of surveillance via the CIDR, and instead the CIDR was completely necessary in order to avoid fake and duplicate entities.
Other arguments by the State included claims that citizens are not concerned about privacy and that fingerprints are only relevant to palmistry. The Bench countered that the issue was about storing the information in a centralised database. The State claimed that since the data was encrypted and secure, storing in a centralised database wasn’t an issue.
Despite provisions for data sharing in the Act, the State argued that information was shared only for authentication. When the Bench pointed out that REs (requesting entities) are aware of the reason for authentication and could share the data themselves, the State argued that the same data could be acquired by other means. The State also argued that Aadhaar was more secure than any data protection law. A statement the Bench disagreed with.

The need for a unique identity
While the Bench agreed that a unique ID was necessary, it questioned whether a less intrusive method could not have been provided and why there was a need to centralise and aggregate the data, especially when considering the risks.
The State argued that alternatives were unworkable and that CIDR is necessary for transactions, a point that the Bench once again disagreed with.
Smart Cards, said the State, did not ensure uniqueness. Their argument was that a single person could have multiple smart cards from different entities but the same biometrics. They argued that this was why a centralised database was needed.
The World Bank’s ID4D report was cited in support for the need of a unique identity and the crucial role it plays in the access of basic welfare services.
The UIDAI CEO argued that existing IDs have limitations both in terms of scope and geographically. He argued that Aadhaar was an easy-to-acquire, nationally verifiable digital identity.

On the assumption of consent
The State argued that prior to 2016, Aadhaar was voluntary, so those who applied consented by default. However, the Bench pointed out that the consent was only for acquiring Aadhaar, not for surrendering their data or commercialisation. The Bench also questioned whether informed consent could even be assumed.
While the petitioners pointed out that children cannot legally give consent for anything, let alone Aadhaar, the State claimed that all legal compliance was taken care of. The State also noted that only photographs of infants were collected and that biometrics would be collected at age 5 and 15.
For Aadhaar to be voluntary, the Bench observed that informed consent, purpose limitation and security were essential. The State tried to argue yet again that Aadhaar was voluntary, but the Bench countered that at the time Aadhaar was voluntary, there was no law and hence, no protection of rights. The Bench also noted that the initial enrolment forms did not contain provisions on the issue of collecting biometrics, which means that there was no informed consent.
The Attorney General argued that Section 57 merely allows the existing infrastructure to be used for other purposes so long as the purposes are legitimate.

On the scope and validity of Section 7
When defining Section 7, the Bench asked why pensions were included. Section 7 specifically deals with welfare and subsidies where as pension is an entitlement, a right. The State argued that since the pension was drawn from the Consolidated Fund of India (CFI), it had to be included.
When asked about exclusions, the State claimed that the Aadhaar Act specifies mechanisms for people who cannot authenticate.
The State argued that denial based on Aadhaar was not possible because under Section 7, Central and State agencies which require Aadhaar are required to provide enrolment services. The State also pointed out that a ration card could be used to avail NFSA (National Food Security Act) benefits in the absence of Aadhaar.
The State also noted that the Central govt had the power to replace the identification on which a benefit is to be obtained.

The cost vs benefit argument
The State claimed that Rs 9,000 Crore was invested in setting up and operationalising Aadhaar. According to various sources, the returns are claimed to be as high as 52.85 percent. It must be noted here that economist Reetika Khera disputed the claim, stating that the analysis was based on “unrealistic assumptions” and “outdated data.”
The State argued that Aadhaar was not a casual undertaking and was unprecedented in scope. The Bench pointed out that effort doesn’t answer the constitutional challenges to Aadhaar. They also questioned the 7-year gap between enforcing Aadhaar and enacting the Act.
According to the state, updating biometrics isn’t an issue because it can be done at enrolment centres. This statement does skirt around the Bench’s question regarding the technological illiteracy of several Indians.
Regarding exclusion, the State explained that a user is notified on an authentication failure. The Bench still pressed that this could lead to exclusion, to which the state responded that there were circulars stating that no one should be denied services over a failure to authenticate.
The State did admit that 100 percent authentication wasn’t possible. On day 23, the UIDAI CEO admitted that the figures for authentication failure stood at 8.54 percent for iris-based authentication and 6 percent for fingerprint-based authentication.

Prevention of bank fraud and limiting access to SIM cards: Aadhaar, it has been claimed, will prevent bank fraud and control terrorism by limiting the access to SIM cards. The Bench pointed out that bank fraud isn’t caused by multiple identities. The Bench also noted that terrorists were not likely to apply for SIM cards themselves, so forcing an entire population to link SIM cards was neither proportional nor justified.
The reasonable expectation of privacy, the State argued, could only be judged by considering the ‘totality of circumstances’. In this regard, Aadhaar’s invasion of privacy was minimal, argued the State.
The State claimed that the mandatory Aadhaar-PAN linking resulted in the discovery of 11.35 lakh fake PAN cards. The Bench did note that while fake PAN cards were being weeded out, the ingenuity required to make fake PAN cards could easily apply to the creation of fake Aadhaar cards. To this it was stated that no system is fool proof.
The advantage of Aadhaar, it was claimed, was that a person would have to come in person to claim entitlements. This was described as a revolutionary step as fingerprinting enabled deduplication. The Bench, here, observed that this may not be the best model, since the individual should not be a supplicant and instead the State has a duty to provide him with benefits.

The validity of Aadhaar
The State argued that Aadhaar fulfilled the tests laid down in the Puttaswamy judgement for a reasonable restriction on the right to privacy and that Aadhaar collected the least possible amount of data required.
The lawyers argued that like the RTI (Right to Information) Act, Aadhaar is an example of a reasonable restriction of privacy in the larger public interest. They argued that Aadhaar was necessary to prevent black money and money laundering, and that the Court could not second-guess the intent of the legislature. The Aadhaar Act, thus, passes the test of proportionality and the ends justified the means.
KK Venugopal for the State later argued that since all other means of authentication had been exhausted, Aadhaar passed the test for proportionality.
Binoy Viswam judgement: An important argument made in defence of Aadhaar involced the Aadhaar-PAN case. The State argued that the Binoy Viswam judgement, which held that there was a rational nexus between Section 139AA and the objectives sought to be achieved, satisfied the requirement for proportionality.
The State argued that the defects in a law must first be sought to be resolved rather than struck down.
The State later argued that Aadhaar was, in pith and substance, a money bill, and ancillary provisions in relation to appeal, revision, etc., which are needed to make the Act complete, do not fall outside the ambit of Article 110 of the Constitution (which defines a money bill).

Aadhaar. Getty.
Rejoinders from the petitioners
The petitioners commenced rejoinders on day 33 of the hearings.
The petitioners pointed to technical evidence previously submitted which prove that Aadhaar could be used for surveillance. They also noted that biometric data was accessible to some third-party vendors, and that the leakage of verification logs could result in the formation of forged identification. The Bench countered that it wasn’t possible to have perfect privacy and that some loss is expected in the digital world.
Petitioners also argued that UIDAI’s presentation showed surveillance at various levels and that every biometric device had traceability. They argued that this would have a chilling effect on a person’s conduct.
On the issue of balancing rights, the petitioners argued that people should have a choice and that if the Court recognises Aadhaar as a vehicle for surveillance, it would have to be expressly rejected. The Bench here observed that the march towards technology is inexorable, and no court or government can stop this. Shyam Divan then argued that choice and options are a part of democracy, and people should be allowed a choice in this issue.
Petitioners also pointed out that there was no verification during enrolment, and hence no proof that documents submitted were genuine. Aadhaar, they argued, was thus essentially a self-declaration system of verification, which no one in the government has verified. In such a scenario, Aadhaar cannot stop terrorism.
They also pointed out that Aadhaar doesn’t verify if a person is an illegal immigrant, directly violating a court order that said that Aadhaar should not be given to illegal immigrants.
Petitioners also noted that banks and telecom companies were seeding an individual’s Aadhaar with their bank accounts and telephone numbers without their permission. Diwan further argued that the biometrics of almost 100 crore individuals were collected by the UIDAI without statutory or other written authority.
It was also pointed out that the original Aadhaar notification made no mention of biometrics and that Section 7 should not be mandatory for children and a few other such entities.
Divan then argued that Aadhaar, as a whole, has increased the coercive power of the State against the individual and that it circumvents constitutional protections.
Senior counsel Gopal Subramaniam argued that a crucial question was on how to handle acts of misfeasance and malfeasance in the delivery of public services. The government, he argued, cannot place the burden of its own failures on the people. He argued that if a law has the effect of disempowering people, and impairing the identity guaranteed to them by the Constitution, then it must fall.
Petitioners argued that if the purpose of Section 7 was to further the dignity of an individual, as argued by the State, this could not be done by making it conditional.
Subramaniam pointed out that there was no evidence that the stated purpose of achieving seamless delivery through the Act, was being achieved. In fact, the only evidence available is that of exclusion. The Aadhaar Act, he argued, is not an instrumentality to deliver services, but was a means of identification.
On turning to the issue of lack of oversight of requesting entities, the Bench observed that an Act like Aadhaar needs a hierarchy of regulators, who are absent.
Further, under Section 7, the terms ‘grant of subsidies, benefits and services’ are expressions of condescension, instead of being treated as an entitlement. The counsel argued further that Section 7 had virtually been interpreted to be mandatory as opposed to discretionary, making citizens subservient to it.
The Aadhaar Act, the petitioners argued, needs to be struck down completely as it fails the tests laid down in the Puttaswamy case, there was no legitimate aim since the real aim differs from the purported one, there was no law when Aadhaar was implemented, and there is no proportionality.
Aadhaar cannot be a Money Bill, and can at most be a financial bill under the Constitution, argued the petitioners. The court, they argued, cannot save an Act so fundamentally unconstitutional as to be passed without the participation of the Rajya Sabha and without the assent of the President.
They further argued that Aadhaar could never be used to resolve problems like black money and money laundering since the sources of such money is different. These issues, he argued, were being used as a ruse to collect people’s biometrics.
Section 57, the petitioners argued, should be completely removed from the Aadhaar Act.

Updated Date: May 13, 2018 11:39 AM