13770 - Only a new law that addresses concerns can save Aadhaar - The Print

Only a new law that addresses concerns can save Aadhaar

MADHAV KHOSLA and ANANTH PADMANABHAN 29 June, 2018

The Aadhaar challenge captures a number of procedural issues that are unrelated to the merit of the scheme | Manisha Mondal/ThePrint.in

There are procedural and substantive issues plaguing the scheme, from rights violations to excessive delegation to the UIDAI.

As the country awaits the Supreme Court’s verdict on Aadhaar in a few weeks, there is a set of various challenges to the biometric architecture that has been built. These include the money bill question, pre-2016 enrolments, exclusions, constitutional rights, and excessive delegation. Here, we focus on how the Supreme Court should address them.

The money bill question

The Supreme Court has long reviewed actions that even lie within the domain of Parliament. Examples are cases relating to parliamentary privileges and the anti-defection law, where finality is given to action of the Speaker of the Lok Sabha, but some review of the action is possible. This review is limited, and includes select grounds such as illegality and colourable exercise of power. The court should affirm its authority to review whether or not the Aadhaar Act could have been passed as a money bill.

The Act relates to several matters outside Article 110 of the Constitution. Importantly, coverage outside Article 110 (such as the extension of the service to private actors) is not incidental to the scheme. If the court does not want to strike down the law entirely on the ground that it was invalidly enacted as a money bill, it must at the very least limit the law to schemes involving the Consolidated Fund of India. In this way, the law can be partially upheld. All other applications, from private authentication to building a stack using Aadhaar data, must go through both houses of Parliament.

Pre-2016 enrolments

Even though pre-2016 enrolments stand on shaky legal foundations, we must recall that the Supreme Court did not intervene when the data was being collected. At that stage, the court passed interim orders focussing on the alleged voluntariness of the scheme.

We now know that the voluntariness argument is meaningless, because if the scheme is linked to important benefits, it is not actually voluntary. But there is now a different argument before the court: the validating clause, Section 59.

Given that the court did not intervene earlier (though the argument before it was different), we do not believe that it should call for the destruction of the data. However, it should provide specific limitations on future actions of retroactivity, and secondly, it should declare that validating pre-2016 enrolments must also imply that any legal claims and violations, though rooted in the 2016 Act, must also apply to data handling prior to 2016.

Exclusions

As we have noted, the law does not seem to permit arbitrary exclusions. Safeguards to deal with exceptional situations have come into being, and while future empirical data may suggest otherwise – in which case, a challenge can always emerge – at this stage, the law and notifications do not seem to raise an Article 14 equal protection violation.

Constitutional rights

The Puttaswamy case alerts us to the risks of mass data collection. Minimal data is not merely about the gathering of limited information. It is also about keeping the application of a data programme to a minimum, because data by its very nature is a recombinant asset. A right may not be absolute, but any intrusion of a right cannot be arbitrary.

In this case, three features raise major concerns about the effective regulation of data under Aadhaar: the meta-data provides considerable information to enable abuse; an identity can be easily matched across schemes; and external penetration into the system through multi end-points risks data security.

To address these, the court must limit the use of Aadhaar. The greater the uses, the greater the chance for arbitrariness. We have already noted that, to allow for Aadhaar to exist given its money bill origins, it must be limited to schemes involving expenditure from the Consolidated Fund. To meet the rights-based challenges, it should be further limited to schemes where the state can show clear evidence of revenue loss through duplication. The issue of storage of authentication records noted previously also needs to be addressed.

Excessive delegation

While Indian law has often been relaxed on excessive delegation from Parliament to the executive or a regulatory agency, the Aadhaar Act seems to take matters to an entirely new level. Sections 23 and 54, in particular, put in place a scheme where large portions of the policy behind Aadhaar is determined by the UIDAI rather than Parliament. The extensive regulations that have followed the Act testify to this abdication of core legislative functions.

At the very least, both these provisions must be struck down, and Parliament itself must frame the policy behind Aadhaar. The policy must be part of a new law that Parliament enacts. The legal issue here is obvious enough: it links to an essential element of parliamentary government. But we should also note the dangers of such excessive delegation: it means that so much of what we are basing our judgments on with regard to Aadhaar (its promise and its problems) can be altered by way of a mere notification.

The Aadhaar challenge thus captures a number of procedural issues that are unrelated to the merit of the scheme: the fact that it was enacted as a money bill, the fact that the delegation to UIDAI is excessive. However, on the substance of the scheme as well, important questions arise, and only a new law that addresses these procedural and substantive concerns, from the appropriate amount of delegation to limiting the application of the scheme, should be able save the Aadhaar project.

This is the fourth piece in a four-part series covering the legal challenge to Aadhaar. The previous pieces can be read here, here and here.

Madhav Khosla, co-editor of the Oxford Handbook of the Indian Constitution, is a junior fellow at the Harvard Society of Fellows. His Twitter handle is @M_Khosla. Ananth Padmanabhan is a Fellow at the Centre for Policy Research. His Twitter handle is @ananth1148.

13758 - Another Aadhaar challenge Supreme Court must address: Excessive delegation - The Print

Another Aadhaar challenge Supreme Court must address: Excessive delegation

MADHAV KHOSLA and ANANTH PADMANABHAN 28 June, 2018

The Aadhaar Act does not provide for any review of UIDAI’s functioning | Manisha Mondal/ThePrint

The issue here is one of procedure: which body has the authority to pass what kinds of rules.

One of the debates about Aadhaar is over the problem of excessive delegation. The legislature often delegates law-making power to the executive, including to regulatory agencies. Such delegation cannot be excessive – Parliament cannot give up its law-making power on fundamental issues, like the balancing of rights.

The doctrine of excessive delegation is closely associated with the rule of law, because the rule of law consists of three components: rule creation, rule application, and rule execution. Excessive delegation bundles these components. The issue here is one of procedure: which body has the authority to pass what kinds of rules.

The excessive delegation challenge to Aadhaar relates to the management and usage of the scheme, especially Sections 7, 8, 23, 28, 32, 50 and 54 of the Aadhaar Act. A reading of these provisions shows that the legislative policy on the management and application of Aadhaar data and safeguards present have been left to the UIDAI, with minimal guidelines. The state’s response to this was straightforward: that the Act had provided enough guidance, both in terms of objectives and principles.

How does one adjudicate such a contest? Delegation is ubiquitous, and excessive delegation is impermissible. But when does delegation become excessive?

In the state’s defence, the Supreme Court has been neither clear nor stringent on this matter in recent years. The threshold that it has set is embarrassingly low. But there are two ways to think about this matter. The first is to closely examine the subject matter at hand. In a case involving fundamental rights, for example, Parliament should perform more rather than less. The second query, as captured by the classic case In re Delhi Laws Act (1951), the question is whether the legislature has sufficiently determined “the legislative policy”.

In this case, the seriousness of the subject matter is incontrovertible. The question is whether the legislative policy has been laid down by Parliament.

Gaps in the policy

In some respects, the policy is clear; for example, Section 7, which specifies services where the expense relates to the Consolidated Fund of India.

In others, however, gaps emerge. For example, Section 23, which empowers the UIDAI to “develop the policy, procedure and systems for issuing Aadhaar numbers to individuals and perform authentication thereof under this Act”. The development rather than implementation of policy by the UIDAI seems like a clear violation. Section 32, covered in our previous piece, too leaves an important policy decision relating to the storage of data with the UIDAI.

These instances are not glaring but matters seem different with Section 28, which leaves the UIDAI with complete direction to determine policy matters relating to security and confidentiality, and Section 54, which seems like a residual provision of sorts. Section 54 has 24 entries, authorising regulating on matters ranging from enrolment to authentication to sharing. As per Section 54(x), “regulations may provide for … any other matter which is required to be, or may be, specified, or in respect of which provision is to be or may be made by regulations”. This provision is, quite simply, self-validating. As such, it is a clear case of excessive delegation. Indeed, it seems to be a case of excessive delegation by definition.

The problem of excessive delegation becomes even more serious if one considers the structure of the UIDAI. The Aadhaar Act does not provide for any review of UIDAI’s functioning (apart from a complete supersession of the body by the Union) and mechanisms for accountability are all internal. Section 47(1), Aadhaar Act, states that “No court shall take cognisance of any offence punishable under this Act, save on a complaint made by the authority or any officer or person authorised by it”.

The state’s answer to this was, in part, persuasive. It rightly argued that Indian constitutionalism has been remarkably flexible on the structure of regulatory agencies. SEBI, for example, performs some degree of legislative, executive, and judicial functions.

But the state’s answer only resolves the problem of bundling and external oversight; it does not solve the problem of excessive delegation because the leeway given to regulatory agencies with regard to bundling and oversight takes place in the context of delegation that cannot be excessive. Even though Section 55 of the Act stipulates that regulations must be laid before Parliament, this addresses the issue of accountability to Parliament, but it does not address the issue of delegation from Parliament.

There are thus five different challenges to Aadhaar that the Supreme Court must address: (a) its enactment as a money bill; (b) the validation of pre-2016 enrolments; (c) enrolment errors; (d) constitutional rights; (e) excessive delegation.

This is the third piece in a four-part series covering the legal challenge to Aadhaar. The first two parts can be read here and here.

Madhav Khosla, co-editor of the Oxford Handbook of the Indian Constitution, is a junior fellow at the Harvard Society of Fellows. His Twitter handle is @M_Khosla. Ananth Padmanabhan is a Fellow at the Centre for Policy Research. His Twitter handle is @ananth1148.

13752 - The Aadhaar challenge: 3 features that put constitutional rights at risk - The Print

Thursday, 28 June, 2018

• Opinion

The Aadhaar challenge: 3 features that put constitutional rights at risk

MADHAV KHOSLA and ANANTH PADMANABHAN 27 June, 2018

Even if the state can interfere with a constitutional right based on some legitimate state interest, the intrusion can’t be arbitrary.

The Indian Constitution, like several others, guarantees a set of rights against the state. The nature of rights is not that they are absolute, but that intrusions must satisfy certain conditions – and these conditions and intrusions are being tested in the debate over Aadhaar.

One important condition is that even if the state can interfere with a right based on some legitimate state interest, the intrusion cannot be arbitrary. The reason is simple enough: if the state can violate my right at any time, then what is the point of that right?

Arbitrary intrusions may take many forms. One kind of arbitrary intrusion is the absence of checks and balances on state power, because such absence allows the state to intrude upon a right without clear and effective boundaries.

A major set of legal concerns relating to Aadhaar involve this argument. The concerns may be borne out by three features of the scheme:

1. UIDAI only stores information about the use of Aadhaar for authentication, but not the reason for the authentication. For example, it knows Arun used his Aadhaar number at an Airtel store without knowing why he used it, what his call records are, etc. (Section 32 of the Aadhaar Act).

2. The linking of Aadhaar with various schemes and services, both public and private (Sections 7, 8, and 57 of the Aadhaar Act).

3. The fact that as a result of such linking, there are several more end points in the system. That is, there are several more devices through which one authenticates one’s Aadhaar number, and there are also several intermediaries who provide such devices and connect them with the central server.

Inviting trouble?

The argument offered by the petitioners is that these three features invite trouble.

In the first instance, even though the UIDAI may not know why an individual used her/his Aadhaar number at an Airtel store, the very fact of authentication itself provides sufficient information. After all, one could reasonably presume that the individual wanted a new connection, and one would know the kinds of services to which an individual subscribes.

In this respect, Kapil Sibal’s submissions quite rightly underlined the dangers of even simply the “meta-data”. A further point brings this out. In practice, the UIDAI enters into agreements with requesting entities (say, Airtel), under which it issues letters of appointment specifying the purposes for which the entity is using Aadhaar authentication. From this itself, it is evident that UIDAI knows the purpose for which authentication occurs.

In the second and third instances, the problem is two-fold.

First, if the data is linked to several services, and the details of the services to which it is linked are public, then a person could potentially try to access an individual’s records from the different services and put them together to form a somewhat complete picture of the individual. It is true that this could already be done in a non-Aadhaar world by various identifiers, but Aadhaar makes it easy to find an individual’s records; I don’t need to access the main UIDAI server if I can match records across different services.

The second problem is that the greater the number of end points and intermediaries, the greater is the risk of technical penetration of the system. The chances for data breaches go up substantially.

State response misses the point

The state offered two kinds of responses to this. The first was simply that these imagined scenarios were violations of the Aadhaar Act, and that any law can suffer violations. This is, however, a poor argument. Any law, it is true, can suffer violations, and this is precisely why state action must have checks and guidelines to see that violations are limited, and arbitrary state power is prevented. Precisely this reasoning has led to courts providing checks and guidelines in cases involving police powers.

The real question, then, is whether the Aadhaar Act sufficiently mitigates against the risks of the three features mentioned above. That it does so was the state’s second kind of response, exemplified by the presentation that the UIDAI CEO made before the Supreme Court. The CEO argued that Aadhaar involves one-way linking (“optimal ignorance”), a federated database, and the collection of only minimal data.

This response is fair, but it misses the point — that in practice, getting around the existing guidelines seems easy enough, especially in the case of the first point. The UIDAI may be, in theory, “ignorant”, but it does not take very much for it or for an external party to become knowledgeable. This means that the constitutional rights in question are, as Shyam Divan argued, hollowed out.

Which rights are affected?

The rights in question here – of the state gaining access to my private activities and storing my information without sufficient security – are not only the right to privacy (now firmly accepted as implicit in Articles 19 and 21 of the Constitution) but also the right to equality in Article 14 (because any potential use of the data through aggregation can result in unlawful differential treatment of individuals).

We can see that the argument that privacy is not absolute relates to a different issue. The question, here, isn’t whether the state’s intrusion into privacy is per se allowed. As the court recently noted in the privacy judgment (Puttaswamy), the question is also whether the intrusion is arbitrary.

Here, moreover, the intrusion seems vulnerable on another ground, namely it is overbroad. Sections 7 and 8 of the Aadhaar Act specify that the scheme is for authentication. But Section 32 allows the preservation of authentication records. As Meenakshi Arora noted in her submissions, the reason for this retention of data is not specified.

Why not require that there is erasure of records? Some dynamic data may need brief storage for technical reasons (like a computer cookie), but Section 32’s broad wording (allowing the UIDAI to “maintain authentication records in such manner and for such period as may be specified by regulations”) seems troublesome.

If Aadhaar is about authentication at any given time, why is the storage of one’s authentication history necessary? This feature, moreover, suffers from a further and different legal problem – excessive delegation – to which our next piece shall turn.

This is the second piece in a four-part series covering the legal challenge to Aadhaar. Read the first and the third part here and here.

Madhav Khosla, co-editor of the Oxford Handbook of the Indian Constitution, is a junior fellow at the Harvard Society of Fellows. His Twitter handle is @M_Khosla. Ananth Padmanabhan is a Fellow at the Centre for Policy Research. His Twitter handle is @ananth1148.

12246 - Aadhaar push heightens privacy concerns - Hindu Businessline

Aadhaar push heightens privacy concerns

• MADHAV KHOSLA

• ANANTH PADMANABHAN

     Fingerspell The bumpy road ahead for the Aadhaar number

The pressure to link Aadhaar to various databases has picked up. This is despite the SC raising in-principle reservations

October 24, 2017:  

The Supreme Court’s recent verdict (Justice Puttaswamy v Union of India) affirming the right to privacy has been followed by a frenetic state effort to link multiple identification numbers and welfare programmes with the nation’s controversial biometric programme, Aadhaar. This attempt to present a fait accompli of sorts when the constitutional challenge to Aadhaar comes up for hearing is not a new development; the linking between Aadhaar and Permanent Account Numbers used for taxation purposes is a case in point.

Yet, the SC verdict has put both linking and enrolment efforts on overdrive. Even private actors have stepped on the accelerator; not a day goes by without messages from banks and telecom companies asking customers to link Aadhaar with bank accounts and cell numbers, respectively. But amidst all the bustle, what are Aadhaar’s realistic chances of survival post-Puttaswamy?

Privacy as a right

One might begin to answer this by exploring the exceptions to the right to privacy that the verdict recognises. There are enough exceptions in Justice Chandrachud’s verdict to facilitate data mining and open data platforms for good governance. 

Importantly, however, such applications hinge on data anonymisation — keeping out personalised details that help identify specific individuals forming part of the big data set — for their constitutional acceptability.

While benefits of Big Data may be immense in offering policy guidance and informing policy choices, the presence of legal safeguards on the privacy of individuals will be critical in assessing their validity. On this point, the Government will turn to the Aadhaar Act 2016 for its support.

The statute does indeed contain provisions to combat fears of excessive surveillance, including Section 28 of this Act which places responsibility on the UIDAI to ensure the security of identity information and authentication records of individuals. 

Despite such provisions, however, the fear of a digital panopticon is real for the simple reason that desirous individuals need not necessarily approach the UIDAI to form a complete picture of the various services availed by a citizen.

The authentication records also exist in government offices, ration shops and other service centres from where welfare benefits are disbursed to citizens. In fact, the data leakages ailing Aadhaar have all occurred thus far from similar end-points where personnel in charge of our data have little training and less interest in keeping such authentication records confidential.

The data leakages, in fact, are telling not only because they challenge the mantra that the programme is technologically safe, and not only because they simply represent a state programme that contains flaws and operates below expectations in practice, but because the nature and upshot of the leakages calls into question the safeguards on which the legitimacy of the programme rests.

Other concerns

Further the UIDAI’s role poses serious institutional and rule of law concerns. On the one hand, it is the custodian of the Central Identities Data Repository. On the other, it is also the data regulator. As the custodian of data, it decides the level of access to Aadhaar data needed for purposes of authentication and the authentication agencies contracted to do so. It receives service fees for permitting private bodies to conduct such authentication, thereby aligning its incentives in the direction of widespread access to Aadhaar data for authentication purposes.

But as a regulator, it is tasked with deciding on how to deal with data breaches. Thus, we have a body that has minimal incentive to report or act upon data breaches because a vulnerable database architecture does not bode well for either its financial or power incentives as a data custodian. Any breach is, plainly put, a challenge to its authority.

These design flaws may well jeopardise the Aadhaar project. To overcome them, the State could potentially rely on another important exception contained in the Chandrachud verdict, preventing the diversion of scarce public resources to undeserving impostors. This has, in some ways, been the central justification for relying on biometric data for identification and authentication purposes, and without which none of the privacy worries may have arisen in the first place.

This is so because biometrics cannot be altered unlike passwords. Also, recent technological advances have made them easily replicable from photographs and even mirror reflections. Ominous as it sounds, we all are walking repositories of highly vulnerable and immutable passwords which hold the key to our national identities and state-subsidised benefits. So, whether such deeply private information can be relied on to prevent scarce public resources from dissipation will depend, in the final analysis, on the checks that are put in place.

Structural issues

Some of these checks are found in Justice Chandrachud’s opinion itself, while other judges have also weighed in on how we might best balance the right to privacy with permissible exceptions. A first requisite is the existence of a law governing the deprivation of privacy interests. This is important because a great many enrolments were carried out between 2011-16, prior to the enactment of the Aadhaar Act. If the SC bench hearing the Aadhaar challenge were to take this seriously, coupled with the impermissibility of a waiver of fundamental rights as per an earlier pronouncement of the Court in Basheshar Nath v Commr. Of Income Tax, millions of Aadhaar enrolments may be annulled.

The other important check arises from how far the State could go even when there is a law in place that furthers a legitimate state interest. In Justice Chandrachud’s view, the means adopted by the legislature must be “proportional to the object and needs sought to be fulfilled by the law.” Justice Chelameswar acknowledges the possibility of certain privacy claims that deserve the strictest scrutiny.

Statutory inroads upon such claims can be made only when there is a “compelling State interest” and a “narrow tailoring” of the law to achieve the objective. Considering the use of biometrics as part of Aadhaar, and the complete absence of any volition on the citizen’s part in deciding whether, and towards which schemes, she must part with such information, there is a strong case for this stricter standard to be applied when evaluating its legality.

This brings us to a final matter, namely the role of consent-based architecture in protecting the private authentication solutions built on the citizen database. Justice Chandrachud places emphasis on the role of consent in the shaping of privacy but identifies other principles, including transparency, regarding data transfer and use, and non-discrimination, as critical for a robust data protection regime.

The consent principle also misses the forest for the trees, as it places the onus on individuals acting within the bounded rationality of their lives to decide on issues of larger systemic risk. Hopefully, the SC shall rely on Justice Chandrachud’s diktat to refrain from utilising citizen data for extraneous purposes outside the realm of legitimate state interest, and place an embargo on the private authentication agenda.

Khosla is a Junior Fellow at the Harvard Society of Fellows. Padmanabhan is a Fellow at Carnegie India. This article is by special arrangement with the Center for the Advanced Study of India, University of Pennsylvania

11723 - The Three Sins of Aadhaar - Open The Magazine

The Three Sins of Aadhaar

by Ananth Padmanabhan

Ananth Padmanabhan is a fellow at Carnegie India, working at the intersection of law, technology and policy. These are his personal views and do not reflect the institution’s position on this subject

In praise of the private Indian

HAVING STARTED IN 2010 with the objective of identifying residents using biometric markers, the Aadhaar experiment has grown in size and scale over the years. Not only has it has ignited our collective imagination, it has been contested at the Supreme Court as an intrusion of our privacy. Its technology design, which permits private entities to read its database for the authentication of customers, and its supporting legal framework, which places the Unique Identification Authority of India (UIDAI) in a unique position as the custodian and regulator of the Aadhaar database, have come under the judicial scanner.

On first glance, Aadhaar appears to renew the classic debate between the ‘constructive’, largely represented by engineers and technocrats, and the ‘critical’, as civil society actors, NGOs and public- interest motivated lawyers often get branded. 

Can constitutional principles be sacrificed at the altar of development to achieve the greater common good? 

Should an experiment that’s particularly promising for a country where data is currently sparse, and pilferage through duplicate identities extensive, be shot down on principles under the guise of indeterminate values such as privacy and personhood? 

Many stakeholders have previously been caught in similar crossfires of public reasoning, involving trade-offs between outcomes and principles. Think of big dams, infrastructure and mining projects, and other growth and developmental initiatives. But when contending with control over personal data—an intangible, non-rivalrous, inexhaustible commodity—our perception of rights, wrongs, benefits, and harms stand altered. The conflict, in reality, is between two designs for dominance: the design of privacy and the solution architecture of Aadhaar. 

To examine this conflict, we must first identify the design offered by the idea of privacy, before turning to the substantive concerns that Aadhaar invites.

An influential early work, The Right to Privacy (1890), co-authored by Samuel Warren and Louis Brandeis, was a response to the immediate technological advances of the time that strengthened an intrusive press. The authors, building upon the psychological insight that an individual’s self-image suffers greatly when private and personal information is disclosed, distilled the individual’s general right to be let alone as being at stake across diverse factual scenarios. In a perfect illustration of how law, much like technology, chisels its own unique design, the authors introspected on possible limitations of this right too, including the publication of matter that is of ‘public or general interest’.

William Prosser’s four-way classification followed in 1960, leading to a re-design of the broader ‘right to be let alone’ into four categories of wrongs: intrusion upon seclusion; public disclosure of private facts; presentation in false light; and wrongful appropriation of a person’s identity or attributes. Though this model, based on individual control over personal information, has come under strain by the technological onslaught, particularly the rise of online social media companies and ‘big data’ driven business models, the robustness of privacy lies in its ability to adapt to changing circumstances. Privacy by design (PbD) serves as a wonderful example of this flexibility and dynamism inherent in the very concept. Developed in the mid-90s as part of a Canadian response to informational privacy challenges, particularly within the technology context, PbD offers important guidelines for products to build privacy into their solution architecture. A critical feature of this design is the emphasis on privacy as a default position, which means that the purpose for which personal information is collected is made clear right when the data is gathered; its collection is limited to the extent necessary for achieving this underlying purpose; and user privacy is guaranteed through multiple mechanisms including prior consent, an accurate and up-to-date database, transparent practices that inform the user about data use, sharing, and disclosure, and effective grievance redressal mechanisms. In addition, PbD prioritises an ex-ante preventive strategy to safeguard private data over ex-post remedial fixes, thereby mandating inbuilt systems to anticipate privacy invasion beforehand and strong security measures through the entire data lifecycle.

Privacy today has thus evolved much beyond a philosophical construct to offer, by way of design principles, a rather clear set of dos and don’ts. Today, the privacy challenge to Aadhaar compels us to reframe the debate from ‘constructive’ versus ‘critical’ into a tussle between two competing, concrete and equally plausible designs: Aadhaar’s solution architecture and non-negotiable privacy design features. Because the Indian Constitution enshrines privacy as a basic right, for reasons advanced here, the technology design has to necessarily fit within the parameters of the legal and architectural design mandated by its values.

Before examining the place that privacy occupies within India’s constitutional set-up, it is important to dispel doubts regarding its relevance to India’s cultural ethos. Recent frontal attacks on the grounds that privacy is an imported and ambiguous concept warrant this diversion. A few hypotheticals would suffice to refute this specious argument. Consider the state mandating that certain communities are more inclined to a life of crime and hence must have cameras installed in their living rooms; or directing a corporation or venture fund to share contractual and client information so that smaller players could learn and develop new business models. Regardless of the factual basis behind such moves, they would shock reasonable nothing-to- hide Indians precisely because we, like any other society, cherish a conception of the inviolable private sphere. The real dilemma, therefore, is not whether we understand or value privacy, but whether the legal design for safeguarding privacy, outlined above, is a constitutional barrier stopping the Government from deploying a particular technology design.

Privacy, at its core, entails a set of values which its design features are meant to safeguard. One such foundational value is the distinction between private and public zones; ‘a man’s home is his castle’, as they say

But the Union, and some states, have relied on earlier Supreme Court verdicts to contend that privacy protection is not an independent fundamental right. The decisions cited, MP Sharma vs Satish Chandra (1954) and Kharak Singh vs State of UP (1962), were outcomes of a judicial philosophy espousing a narrower construction of rights—one largely abandoned after the experience of Emergency excesses. The former case involved a search and seizure operation, pursuant to a legally obtained warrant, conducted on various business locations of a promoter group suspected of embezzling funds. The specific constitutional violation alleged, infringement of the right against self-incrimination, was far removed from the privacy claims emerging from the right to life under Article 21 of the Constitution. It is within this context that the Court noted the absence of a fundamental right to privacy, to which the search and seizure regulations would be subject. The latter case involved a dacoity suspect against whom there was no evidence for a conviction, but the police nonetheless opened a ‘history-sheet’ and carried out surveillance operations and domiciliary visits. Interestingly, the Court, while negating the right to privacy and upholding surveillance as a mechanism to gather data, held that domiciliary visits were unconstitutional. The majority reasoned that ‘personal liberty’ under Article 21 was broad enough to prevent ‘an unauthorised intrusion into a person’s home and the disturbance caused to him thereby’—a classic application of the very right denied in the context of surveillance. When read along with subsequent apex court verdicts that showed a more liberal acceptance of privacy values, the more accurate picture that emerges is not one of blanket denial of the right but an acceptance of some of its design features and a rejection of others, depending on the facts at hand.

Yet, this assertion still does not address why certain privacy design features, even those recognised in the OECD guidelines, should find constitutional sanctity in India. There are two responses to this. Restrictions imposed on a right ought to be reasonable, and when gauging the same, both substantive and procedural aspects of the law in question must be examined from the perspective of the nature of the right alleged to be infringed, the underlying purpose of the restrictions imposed, the extent and urgency of the targeted problem, the dispropor- tion of the imposition, and prevailing socio-economic conditions. This classic exposition of reasonableness, laid down in State of Madras vs VG Row (1952), continues to guide courts. From the vantage point of this balancing exercise, privacy’s design features act as sufficient checks to ensure that inroads therein do not unreasonably breach the privacy right.

Additionally, privacy, at its core, entails a set of values which its design features are meant to safeguard. One such foundational value is the distinction between private and public zones; ‘a man’s home is his castle’, as they say. As a corollary, the state has no business as a general matter in an individual’s private dealings, till situations that import ‘public-ness’—the commission of crimes an oft-mentioned example—occur as part of such dealings. Individuals must also be empowered to take measures suitable to protect their privacy, as it forms an integral part of the very concept. When particular solution architectures, broadly conceived to include the technology design, its functioning and supporting legal frameworks, fail to meet privacy’s design features, there is cause for veritable apprehension that the values themselves are at risk. Both these concerns—that is, a misalignment with specific design requirements and challenges to deeper privacy values—show up on a close examination of Aadhaar’s solution architecture.

As matters stand, anyone prying open the Aadhaar black box—strictly a reference to the promised manna of deep learning tools for governance—is immediately confronted with two objections. These are the fait accompli objection, seeking strength from its high enrolments, resources expended, and, as a last-minute throwaway, the recent inclusion of a legal framework with a soon-to-come data protection law; and the go after Google objection, which tries to divert citizen ire towards private technology giants that use our data for predictive analytics and product suggestions.

Aadhaar Act envisages UIDAI as the custodian of data and effective response mechanism for data breaches. The individual is virtually a nonentity as there exist no mechanisms for even sharing information on data breaches

The first objection is strong in terms of practicality, though never in principle. I will, however, take Aadhaar’s present solution architecture for granted, lay to rest past violations, alleged and actual (in all fairness conceding that some have now been addressed), and contend with persisting privacy challenges. The second is unimaginative and deployed to obfuscate graver threats. Google lacks the might of the state or a sanctions regime to lend heft to its diktat. Even discarding this Hobbesian conception for a moment, when Google goes bad, we turn to the state. When the state goes bad, our options are limited if any at all. Having addressed these objections, let us now superimpose Aadhaar’s solution architecture over privacy’s grand design and examine if it passes muster. I will focus on three serious issues. The first two are not factual realities at the moment, but their very real possibility of occurrence is reason enough for the Supreme Court to compel important modifications to Aadhaar’s solution architecture. The third is true as of now, and deserves immediate rectification.

l. The digital panopticon: Our digital selves, when both converging and diverging from our real selves, offer deep insights on who we are, our personal preferences and choices, and most importantly, how we think. Foucault’s ‘panopticon’, though conceptualised as a physical object, has much to offer this virtual world and its design. The Aadhaar technology and architecture document (2014) displayed self-awareness of the all-seeing, all-knowing, big brother and resultantly advocated a ‘minimalistic approach to data’ and a ‘federated model’ with one-way linkage. In simple terms, existing identities such as passport and PAN numbers would not be captured within Aadhaar. Instead, these systems would add Aadhaar to their database and link it ‘one way’ to Aadhaar.

Providing assurance through this design, Aadhaar numbers have been ‘seeded’ into multiple databases today. The legal framework (Aadhaar Act, 2016) also assures that the UIDAI shall protect authentication information, with some national security exceptions. However, this is rendered meaningless because the higher the seeding, more the number of ‘requesting entity’ databases where authentication records exist, and less the need for the state to approach the UIDAI at all. In fact, the Aadhaar (Authentication) Regulations mandate that in case of any investigation involving authentication related frauds or disputes—a far cry from national security—the requesting entities shall provide access to their records to ‘any authorised investigation agency’. What this does, in practice, is making the state’s job a lot easier when it wants to track individual behaviour. All it needs is the one identity tag present in all these databases: the Aadhaar number, and unidirectional linkage does nothing to then prevent the state from forming an accurate picture of the individual through a mosaic of digital authentication crumbs from multiple sources. And a state that reveals its awareness of where one went to buy rations, attend to medical needs, and get their children schooled, all at one go, is far more fearsome than one bumbling with assorted files.

Topping this fear, upon declaration of a public emergency, or on the subjective opinion that UIDAI has been unable to discharge its functions, the Central Government can simply supersede its authority (section 48 of the Act).

2. Leaky data dam: Right from its Strategy Overview (2010), the Aadhaar project has revealed a preference for building revenue models around our private data by providing authentication services to private entities. While optimisation is generally good, it is risky business when biometric data—which one cannot change, unlike passwords—is involved. The number of Authentication User Agencies (AUAs) and their sub-agencies, spread across the country, that digitally communicate with the UIDAI’s Central Identity Data Repository (the Aadhaar data dam) is a source of much worry, as also their hectic scaling up of such services.

The state’s response has been three- fold: consent architecture, suitable contractual arrangements with AUAs, and strong security measures. The first and second are irrelevant because systemic risks are seldom factored in by individual consent-givers or contractors. The AUA Standard Template Agreement (Clause 7.2) waves a monetary penalty stick at AUAs, but waives any responsibility on the part of UIDAI itself (Clause 5.1 read with Recital E), thus leaving the policing of the system, in effect, to private entities. The third is not convincing enough when the communicating endpoints are too many, with no real background checks on sub-agencies or control over endpoint gadgets floating around. As a thumb rule, the larger the number of endpoints, higher the risk of injecting malware into the system. When state benefits and subsidies are closely tied to data stored in that system, the benefits to startup innovators from Aadhaar authentication are not comfort enough.

3. The regulatory custodian: The Aadhaar Act envisages UIDAI as both the custodian of Aadhaar data and effective response mechanism for data breaches. Indeed, UIDAI, not the citizen, gets notified of data breaches, and then decides how best to proceed. No grievance redressal mechanism exists for individuals affected by such a breach. The individual is virtually a nonentity in the statutory scheme as there exist no mechanisms for even sharing information on data breaches with the aggrieved. Considering UIDAI’s mandate as custodian, its incentives are hardly aligned with admitting security vulnerabilities in public. This makes the ‘consent architecture’ redundant, because meaningful consent cannot ever be built upon imperfect information, particularly when such information can only be realistically known to the Authority and errant AUAs, and not the end-user.

Revisiting the fait accompli objection, one is pushed to probe whether the Supreme Court can achieve anything meaningful using the ‘privacy’ hook when much water has flown under the Aadhaar bridge. The answer, refreshingly, is that the Court can still mandate important design modifications that make Aadhaar fit within the constitutional scheme. First, the Court must consider reading down Section 7 of the Aadhaar Act, which mandates Aadhaar for any ‘service’ for which funds are drawn from the Consolidated Fund. The mandate must only be for specific subsidies and welfare programmes that rely on programmatic identification cards, not services generally made available to taxpayers. As a corollary, the number must be directed to be delinked from other records such as PAN cards. Second, the Court must provide an opt- out mechanism for all individuals who wish not to avail of such subsidies. Third, the Court must direct an independent regulator, with constitutional status and no supersession risks, to be immediately constituted, along with strong grievance redressal measures and breach notification mechanisms that empower and inform the public. Fourth, the Court must immediately freeze all authentication services offered to private entities. Fifth, the Court must insist on a detailed framework to regulate the examination of authentication records at the service provider end when the Aadhaar number is seeded into specific welfare programmes.

The Silicon Valley ethos of ‘too big to fail’ and ‘lean startups’ do not always work—especially not for a national identification project, where nothing can be left to scale, chance, or improvisation. Privacy’s grand design must kick in to force changes to Aadhaar’s solution architecture. Its ability to do so has implications beyond our biometric data, shaping the role and (un)acceptability of state presence in our private affairs.