By NT Balanarayan on Mar 24th, 2014 | 1 Comment
In a big blow to the Unique Identification Authority of India (UIDAI), Supreme Court today ruled that Aadhaar cannot be mandatory for any government service. It also announced that the organisation cannot share Aadhaar details of any individual with government agencies without getting consent from the person for the same.
The petitioners told the three-judge bench headed by Justice BS Chauhan that the project violates right to privacy and that it was not backed by any statute, thus compromising national security.
They also argued that “biometrics” is an unreliable and untested technology and public funds were being channeled to private enterprises without sufficient validation.
The Indian government has not yet succeeded in passing the National Identification Authority of India bill, that would have legalised Aadhaar and its use for direct cash benefits. It had earlier approved Rs 3,436.16 crore for Phase IV of the UID (Aadhaar card) scheme in May 2013. This fund includes Rs 1,600 crore to cover the cost of enrolling an additional 40 crore residents, Rs 490 crore updation services, Rs 1,049 crore for printing and dispatch of Aadhaar letters and Rs 247.16 crore towards additional cost for construction of buildings for headquarters, data centers and non-data centers of UIDAI.
The court had passed an interim order last year stating that Aadhaar cards should not be mandatory for social services, after a PIL was raised by Karnataka High Court judge KS Puttaswamy. He claimed that various state governments had linked social benefits to Aadhaar and that this had resulted in many people losing these benefits. Besides this, the PIL also claimed that the UID was violating Article 21 – “Protection of life and personal liberty: No person shall be deprived of his life or personal liberty except according to procedure established by law.” To get an Aadhaar card, one has to submit biometric details such as finger printing and iris scan.
The Centre, UIDAI and three oil PSUs – IOCL, BPCL and HPCL had then filed affidavits with the apex court seeking modification of its order. That being the case, Nandan Nilekani the former head of UIDAI project seems pretty pleased with the decision.
Happy to learn that the Hon'ble Supreme Court has upheld the principle of data privacy that the UIDAI has emphasised for #Aadhaar all along!
Chances of errors: UDIAI had announced earlier this month that it had issued 60 crore Aadhaar numbers. Though the number of sign-ups is pretty impressive, it is not clear how many of those have errors. UIDAI itself rejected Aadhaar numbers of 30 lakh people in Orissa a few days back because of errors and there have been several claims of Aadhaar cards with incorrect photos. One of the key points of Aadhaar is that it would be impossible for one person to get more than one Aadhaar card, but that myth too has been busted. These are just the cases that have been reported so far and there is no clear number that has been verified by a third-party on the number of errors that have cropped up in the project.
How this will affect CMS, India’s PRISM: There was the possibility of the government using Aadhaar data in its Centralised Monitoring Agency (CMS) as part of its surveillance efforts. Now that the Supreme Court has told UIDAI not to share the data with any government agency without explicit permission from the person, it’s not clear how the government will go about it.
That said, it is worth remembering that UIDAI had approached the apex court after the Goa high court ordered it to share biometric details of everyone who is enrolled in Goa with the Central Bureau of Investigation (CBI).
What abut financial sector?
UIDAI has been trying to highlight the advantages of Aadhaar in financial services, with Nandan Nilekani saying in October last year that the authority will introduce P2P payments using Aadhaar in two months. However, it has been a no show till now, may be because not enough people have linked bank accounts with Aadhaar to make it work as planned.
Reserve Bank of India has been trying to enforce the inclusion of biometric sensors in all new credit card swiping machines to enable use of Aadhaar-based biometric authentication while making card-based payments. This move has been questioned by MP Rajeev Chandrasekhar and by banks who felt it was being rushed and implemented without understanding the implication it has on banks.
With the new ruling it’s not clear what happens to this RBI circular. Why would banks invest so much money in setting up costly infrastructure for a service that not many people may use? Biometric based transaction will be most helpful in rural areas, where education levels are lower, but are banks really willing to invest so much money on building the infrastructure there?
Schemes where state government made Aadhaar card mandatory
- Brihanmumbai Municipal Corporation (BMC) employees had not received their salary for the month of December 2012 due to lack of UID card. The salary was stopped as per instructions from municipal commissioner Sitaram Kunte and additional municipal commissioner Manisha Mhaiskar. BMC had asked their staffers to get the aadhaar card back in 2011. However, BMC has now given them an extension of two months to get the UID card and have paid their salary for the month of December 2012.
- The revenue department experimented with mandating UID number or an enrollment slip for availing any of the 20 services offered by the revenue department.
- The Bombay High Court had suggested to the state government to consider linking ration cards with Aadhaar cards to tackle the menace of bogus and duplicate ration cards.
- The Ministry of External Affairs had advised all Passport Issuing Authorities to accept Aadhaar letter as Proof of Address and Photo identity. The ministry hopes this will makes passport documentation less cumbersome.
- Maharashtra government had planned to launch the Aadhaar-linked liquefied petroleum gas (LPG) subsidy project in Mumbai.
- Reserve Bank of India advised all banks to include biometric sensor in all new credit card swiping machines, to enable use of Aadhaar-based biometric authentication.
The Aadhaar scheme was launched in the hope of eliminating those who are undeserving of the subsidies. Various state governments had launched couple of schemes such as Direct cash transfer. However, Aadhaar card poses a privacy risk as it collects biometric data. If this data is compromised somehow, which by the way is not that difficult these days, there’s no way citizens could do anything to change it. Biometric data is not like a password, where you can change it if it’s compromised.
Also read: Who Owns The UID Database?
Who Owns The UID Database? – Usha Ramanathan
Those enrolling on the UID database have not been informed that their data is to yield profit for the UIDAI, Rs 288.15 crore a year and its only investor, the government, does not even own the data. How many in the government are even aware of this investing of ownership in an entity that continues to remain deliberately undefined and opaque
The Unique Identification Authority of India (UIDAI) was set up by an executive notification dated 28 January 2009. As per the notification, the Planning Commission was to be the nodal agency “for providing logistics, planning and budgetary support” and to “provide initial office and IT infrastructure”. As part of its “role and responsibilities”, the UIDAI was to “issue necessary instructions to agencies that undertake creation of databases, to ensure standardisation of data elements that are collected and digitised and enable collation and correlation with UID and its partner databases”. It was to “take necessary steps to ensure collation of the National Population Register (NPR) with the UID”. And, the UIDAI “shall own and operate” the UID database.
In July 2009, Nandan Nilekani was appointed as the chairman of the UIDAI, representing a lateral entry of a person from the private sector into the government, with the rank of a Cabinet minister.
The UID project proceeded without a law, despite the seriousness of privacy and security concerns till, caving in to public pressure, a draft Bill was prepared by the UIDAI in June 2010; and it was not till December 2010, after the project had begun to collect resident data, that this Bill was introduced in Parliament. The Bill stayed close to the framework for corporate control over databases that was later enunciated in the report of Technology Advisory Group on Unique Projects (TAG-UP) of which Mr Nilekani was the chair, and which gave its report in January 2011.
The Bill to give statutory status to the UIDAI was roundly rejected by the Parliamentary Standing Committee on Finance in December 2011. The Parliamentary Committee recommended that both the Bill and the UID project be sent back to the drawing board. There has been no effort since to reintroduce the Bill. Every time the UIDAI is confronted with questions about the legality of its enterprise, its officers assert that the executive order of 28 January 2009 is the legal instrument from which they derive their authority; and that order makes them the ‘owner’ of the database.
In the context of the UID project:
• Residents from whom the data is being collected have not been informed that the government is not the owner of the data, or of the database; nor what the legal status of the ownership by the UIDAI will mean for the citizen/resident;
• the UIDAI set up a Biometrics Standards Committee in September 2009, which gave its report in December 2009. Its report reveals that the UIDAI intended to “create a platform to first collect identity details of residents, and subsequently perform identity authentication services that can be used by government and commercial service providers”;
• the “UIDAI Strategy Overview”, in April 2010, estimated that it would generate Rs288.15 crore annual revenue through address and biometric authentication once it reaches steady state, where authentication services for new mobile connections, PAN cards, gas connections, passports, LIC policies, credit cards, bank accounts, airline check-in, would net this profit. Those enrolling on the UID database have not been informed that their data is to be yield profit for the UIDAI; they were perhaps expected to read up from the UIDAI website
• as set out in the TAG-UP report, the data we think we are giving to the government is to end up on the database of what will be in the nature of a private company once it reaches steady state.
(Dr Usha Ramanathan is an independent law researcher on jurisprudence, poverty and rights)
These excerpts have been reproduced here with permission from MoneyLife
Share this:
