13770 - Only a new law that addresses concerns can save Aadhaar - The Print

Only a new law that addresses concerns can save Aadhaar

MADHAV KHOSLA and ANANTH PADMANABHAN 29 June, 2018

The Aadhaar challenge captures a number of procedural issues that are unrelated to the merit of the scheme | Manisha Mondal/ThePrint.in

There are procedural and substantive issues plaguing the scheme, from rights violations to excessive delegation to the UIDAI.

As the country awaits the Supreme Court’s verdict on Aadhaar in a few weeks, there is a set of various challenges to the biometric architecture that has been built. These include the money bill question, pre-2016 enrolments, exclusions, constitutional rights, and excessive delegation. Here, we focus on how the Supreme Court should address them.

The money bill question

The Supreme Court has long reviewed actions that even lie within the domain of Parliament. Examples are cases relating to parliamentary privileges and the anti-defection law, where finality is given to action of the Speaker of the Lok Sabha, but some review of the action is possible. This review is limited, and includes select grounds such as illegality and colourable exercise of power. The court should affirm its authority to review whether or not the Aadhaar Act could have been passed as a money bill.

The Act relates to several matters outside Article 110 of the Constitution. Importantly, coverage outside Article 110 (such as the extension of the service to private actors) is not incidental to the scheme. If the court does not want to strike down the law entirely on the ground that it was invalidly enacted as a money bill, it must at the very least limit the law to schemes involving the Consolidated Fund of India. In this way, the law can be partially upheld. All other applications, from private authentication to building a stack using Aadhaar data, must go through both houses of Parliament.

Pre-2016 enrolments

Even though pre-2016 enrolments stand on shaky legal foundations, we must recall that the Supreme Court did not intervene when the data was being collected. At that stage, the court passed interim orders focussing on the alleged voluntariness of the scheme.

We now know that the voluntariness argument is meaningless, because if the scheme is linked to important benefits, it is not actually voluntary. But there is now a different argument before the court: the validating clause, Section 59.

Given that the court did not intervene earlier (though the argument before it was different), we do not believe that it should call for the destruction of the data. However, it should provide specific limitations on future actions of retroactivity, and secondly, it should declare that validating pre-2016 enrolments must also imply that any legal claims and violations, though rooted in the 2016 Act, must also apply to data handling prior to 2016.

Exclusions

As we have noted, the law does not seem to permit arbitrary exclusions. Safeguards to deal with exceptional situations have come into being, and while future empirical data may suggest otherwise – in which case, a challenge can always emerge – at this stage, the law and notifications do not seem to raise an Article 14 equal protection violation.

Constitutional rights

The Puttaswamy case alerts us to the risks of mass data collection. Minimal data is not merely about the gathering of limited information. It is also about keeping the application of a data programme to a minimum, because data by its very nature is a recombinant asset. A right may not be absolute, but any intrusion of a right cannot be arbitrary.

In this case, three features raise major concerns about the effective regulation of data under Aadhaar: the meta-data provides considerable information to enable abuse; an identity can be easily matched across schemes; and external penetration into the system through multi end-points risks data security.

To address these, the court must limit the use of Aadhaar. The greater the uses, the greater the chance for arbitrariness. We have already noted that, to allow for Aadhaar to exist given its money bill origins, it must be limited to schemes involving expenditure from the Consolidated Fund. To meet the rights-based challenges, it should be further limited to schemes where the state can show clear evidence of revenue loss through duplication. The issue of storage of authentication records noted previously also needs to be addressed.

Excessive delegation

While Indian law has often been relaxed on excessive delegation from Parliament to the executive or a regulatory agency, the Aadhaar Act seems to take matters to an entirely new level. Sections 23 and 54, in particular, put in place a scheme where large portions of the policy behind Aadhaar is determined by the UIDAI rather than Parliament. The extensive regulations that have followed the Act testify to this abdication of core legislative functions.

At the very least, both these provisions must be struck down, and Parliament itself must frame the policy behind Aadhaar. The policy must be part of a new law that Parliament enacts. The legal issue here is obvious enough: it links to an essential element of parliamentary government. But we should also note the dangers of such excessive delegation: it means that so much of what we are basing our judgments on with regard to Aadhaar (its promise and its problems) can be altered by way of a mere notification.

The Aadhaar challenge thus captures a number of procedural issues that are unrelated to the merit of the scheme: the fact that it was enacted as a money bill, the fact that the delegation to UIDAI is excessive. However, on the substance of the scheme as well, important questions arise, and only a new law that addresses these procedural and substantive concerns, from the appropriate amount of delegation to limiting the application of the scheme, should be able save the Aadhaar project.

This is the fourth piece in a four-part series covering the legal challenge to Aadhaar. The previous pieces can be read here, here and here.

Madhav Khosla, co-editor of the Oxford Handbook of the Indian Constitution, is a junior fellow at the Harvard Society of Fellows. His Twitter handle is @M_Khosla. Ananth Padmanabhan is a Fellow at the Centre for Policy Research. His Twitter handle is @ananth1148.

13758 - Another Aadhaar challenge Supreme Court must address: Excessive delegation - The Print

Another Aadhaar challenge Supreme Court must address: Excessive delegation

MADHAV KHOSLA and ANANTH PADMANABHAN 28 June, 2018

The Aadhaar Act does not provide for any review of UIDAI’s functioning | Manisha Mondal/ThePrint

The issue here is one of procedure: which body has the authority to pass what kinds of rules.

One of the debates about Aadhaar is over the problem of excessive delegation. The legislature often delegates law-making power to the executive, including to regulatory agencies. Such delegation cannot be excessive – Parliament cannot give up its law-making power on fundamental issues, like the balancing of rights.

The doctrine of excessive delegation is closely associated with the rule of law, because the rule of law consists of three components: rule creation, rule application, and rule execution. Excessive delegation bundles these components. The issue here is one of procedure: which body has the authority to pass what kinds of rules.

The excessive delegation challenge to Aadhaar relates to the management and usage of the scheme, especially Sections 7, 8, 23, 28, 32, 50 and 54 of the Aadhaar Act. A reading of these provisions shows that the legislative policy on the management and application of Aadhaar data and safeguards present have been left to the UIDAI, with minimal guidelines. The state’s response to this was straightforward: that the Act had provided enough guidance, both in terms of objectives and principles.

How does one adjudicate such a contest? Delegation is ubiquitous, and excessive delegation is impermissible. But when does delegation become excessive?

In the state’s defence, the Supreme Court has been neither clear nor stringent on this matter in recent years. The threshold that it has set is embarrassingly low. But there are two ways to think about this matter. The first is to closely examine the subject matter at hand. In a case involving fundamental rights, for example, Parliament should perform more rather than less. The second query, as captured by the classic case In re Delhi Laws Act (1951), the question is whether the legislature has sufficiently determined “the legislative policy”.

In this case, the seriousness of the subject matter is incontrovertible. The question is whether the legislative policy has been laid down by Parliament.

Gaps in the policy

In some respects, the policy is clear; for example, Section 7, which specifies services where the expense relates to the Consolidated Fund of India.

In others, however, gaps emerge. For example, Section 23, which empowers the UIDAI to “develop the policy, procedure and systems for issuing Aadhaar numbers to individuals and perform authentication thereof under this Act”. The development rather than implementation of policy by the UIDAI seems like a clear violation. Section 32, covered in our previous piece, too leaves an important policy decision relating to the storage of data with the UIDAI.

These instances are not glaring but matters seem different with Section 28, which leaves the UIDAI with complete direction to determine policy matters relating to security and confidentiality, and Section 54, which seems like a residual provision of sorts. Section 54 has 24 entries, authorising regulating on matters ranging from enrolment to authentication to sharing. As per Section 54(x), “regulations may provide for … any other matter which is required to be, or may be, specified, or in respect of which provision is to be or may be made by regulations”. This provision is, quite simply, self-validating. As such, it is a clear case of excessive delegation. Indeed, it seems to be a case of excessive delegation by definition.

The problem of excessive delegation becomes even more serious if one considers the structure of the UIDAI. The Aadhaar Act does not provide for any review of UIDAI’s functioning (apart from a complete supersession of the body by the Union) and mechanisms for accountability are all internal. Section 47(1), Aadhaar Act, states that “No court shall take cognisance of any offence punishable under this Act, save on a complaint made by the authority or any officer or person authorised by it”.

The state’s answer to this was, in part, persuasive. It rightly argued that Indian constitutionalism has been remarkably flexible on the structure of regulatory agencies. SEBI, for example, performs some degree of legislative, executive, and judicial functions.

But the state’s answer only resolves the problem of bundling and external oversight; it does not solve the problem of excessive delegation because the leeway given to regulatory agencies with regard to bundling and oversight takes place in the context of delegation that cannot be excessive. Even though Section 55 of the Act stipulates that regulations must be laid before Parliament, this addresses the issue of accountability to Parliament, but it does not address the issue of delegation from Parliament.

There are thus five different challenges to Aadhaar that the Supreme Court must address: (a) its enactment as a money bill; (b) the validation of pre-2016 enrolments; (c) enrolment errors; (d) constitutional rights; (e) excessive delegation.

This is the third piece in a four-part series covering the legal challenge to Aadhaar. The first two parts can be read here and here.

Madhav Khosla, co-editor of the Oxford Handbook of the Indian Constitution, is a junior fellow at the Harvard Society of Fellows. His Twitter handle is @M_Khosla. Ananth Padmanabhan is a Fellow at the Centre for Policy Research. His Twitter handle is @ananth1148.

13752 - The Aadhaar challenge: 3 features that put constitutional rights at risk - The Print

Thursday, 28 June, 2018

• Opinion

The Aadhaar challenge: 3 features that put constitutional rights at risk

MADHAV KHOSLA and ANANTH PADMANABHAN 27 June, 2018

Even if the state can interfere with a constitutional right based on some legitimate state interest, the intrusion can’t be arbitrary.

The Indian Constitution, like several others, guarantees a set of rights against the state. The nature of rights is not that they are absolute, but that intrusions must satisfy certain conditions – and these conditions and intrusions are being tested in the debate over Aadhaar.

One important condition is that even if the state can interfere with a right based on some legitimate state interest, the intrusion cannot be arbitrary. The reason is simple enough: if the state can violate my right at any time, then what is the point of that right?

Arbitrary intrusions may take many forms. One kind of arbitrary intrusion is the absence of checks and balances on state power, because such absence allows the state to intrude upon a right without clear and effective boundaries.

A major set of legal concerns relating to Aadhaar involve this argument. The concerns may be borne out by three features of the scheme:

1. UIDAI only stores information about the use of Aadhaar for authentication, but not the reason for the authentication. For example, it knows Arun used his Aadhaar number at an Airtel store without knowing why he used it, what his call records are, etc. (Section 32 of the Aadhaar Act).

2. The linking of Aadhaar with various schemes and services, both public and private (Sections 7, 8, and 57 of the Aadhaar Act).

3. The fact that as a result of such linking, there are several more end points in the system. That is, there are several more devices through which one authenticates one’s Aadhaar number, and there are also several intermediaries who provide such devices and connect them with the central server.

Inviting trouble?

The argument offered by the petitioners is that these three features invite trouble.

In the first instance, even though the UIDAI may not know why an individual used her/his Aadhaar number at an Airtel store, the very fact of authentication itself provides sufficient information. After all, one could reasonably presume that the individual wanted a new connection, and one would know the kinds of services to which an individual subscribes.

In this respect, Kapil Sibal’s submissions quite rightly underlined the dangers of even simply the “meta-data”. A further point brings this out. In practice, the UIDAI enters into agreements with requesting entities (say, Airtel), under which it issues letters of appointment specifying the purposes for which the entity is using Aadhaar authentication. From this itself, it is evident that UIDAI knows the purpose for which authentication occurs.

In the second and third instances, the problem is two-fold.

First, if the data is linked to several services, and the details of the services to which it is linked are public, then a person could potentially try to access an individual’s records from the different services and put them together to form a somewhat complete picture of the individual. It is true that this could already be done in a non-Aadhaar world by various identifiers, but Aadhaar makes it easy to find an individual’s records; I don’t need to access the main UIDAI server if I can match records across different services.

The second problem is that the greater the number of end points and intermediaries, the greater is the risk of technical penetration of the system. The chances for data breaches go up substantially.

State response misses the point

The state offered two kinds of responses to this. The first was simply that these imagined scenarios were violations of the Aadhaar Act, and that any law can suffer violations. This is, however, a poor argument. Any law, it is true, can suffer violations, and this is precisely why state action must have checks and guidelines to see that violations are limited, and arbitrary state power is prevented. Precisely this reasoning has led to courts providing checks and guidelines in cases involving police powers.

The real question, then, is whether the Aadhaar Act sufficiently mitigates against the risks of the three features mentioned above. That it does so was the state’s second kind of response, exemplified by the presentation that the UIDAI CEO made before the Supreme Court. The CEO argued that Aadhaar involves one-way linking (“optimal ignorance”), a federated database, and the collection of only minimal data.

This response is fair, but it misses the point — that in practice, getting around the existing guidelines seems easy enough, especially in the case of the first point. The UIDAI may be, in theory, “ignorant”, but it does not take very much for it or for an external party to become knowledgeable. This means that the constitutional rights in question are, as Shyam Divan argued, hollowed out.

Which rights are affected?

The rights in question here – of the state gaining access to my private activities and storing my information without sufficient security – are not only the right to privacy (now firmly accepted as implicit in Articles 19 and 21 of the Constitution) but also the right to equality in Article 14 (because any potential use of the data through aggregation can result in unlawful differential treatment of individuals).

We can see that the argument that privacy is not absolute relates to a different issue. The question, here, isn’t whether the state’s intrusion into privacy is per se allowed. As the court recently noted in the privacy judgment (Puttaswamy), the question is also whether the intrusion is arbitrary.

Here, moreover, the intrusion seems vulnerable on another ground, namely it is overbroad. Sections 7 and 8 of the Aadhaar Act specify that the scheme is for authentication. But Section 32 allows the preservation of authentication records. As Meenakshi Arora noted in her submissions, the reason for this retention of data is not specified.

Why not require that there is erasure of records? Some dynamic data may need brief storage for technical reasons (like a computer cookie), but Section 32’s broad wording (allowing the UIDAI to “maintain authentication records in such manner and for such period as may be specified by regulations”) seems troublesome.

If Aadhaar is about authentication at any given time, why is the storage of one’s authentication history necessary? This feature, moreover, suffers from a further and different legal problem – excessive delegation – to which our next piece shall turn.

This is the second piece in a four-part series covering the legal challenge to Aadhaar. Read the first and the third part here and here.

Madhav Khosla, co-editor of the Oxford Handbook of the Indian Constitution, is a junior fellow at the Harvard Society of Fellows. His Twitter handle is @M_Khosla. Ananth Padmanabhan is a Fellow at the Centre for Policy Research. His Twitter handle is @ananth1148.

12246 - Aadhaar push heightens privacy concerns - Hindu Businessline

Aadhaar push heightens privacy concerns

• MADHAV KHOSLA

• ANANTH PADMANABHAN

     Fingerspell The bumpy road ahead for the Aadhaar number

The pressure to link Aadhaar to various databases has picked up. This is despite the SC raising in-principle reservations

October 24, 2017:  

The Supreme Court’s recent verdict (Justice Puttaswamy v Union of India) affirming the right to privacy has been followed by a frenetic state effort to link multiple identification numbers and welfare programmes with the nation’s controversial biometric programme, Aadhaar. This attempt to present a fait accompli of sorts when the constitutional challenge to Aadhaar comes up for hearing is not a new development; the linking between Aadhaar and Permanent Account Numbers used for taxation purposes is a case in point.

Yet, the SC verdict has put both linking and enrolment efforts on overdrive. Even private actors have stepped on the accelerator; not a day goes by without messages from banks and telecom companies asking customers to link Aadhaar with bank accounts and cell numbers, respectively. But amidst all the bustle, what are Aadhaar’s realistic chances of survival post-Puttaswamy?

Privacy as a right

One might begin to answer this by exploring the exceptions to the right to privacy that the verdict recognises. There are enough exceptions in Justice Chandrachud’s verdict to facilitate data mining and open data platforms for good governance. 

Importantly, however, such applications hinge on data anonymisation — keeping out personalised details that help identify specific individuals forming part of the big data set — for their constitutional acceptability.

While benefits of Big Data may be immense in offering policy guidance and informing policy choices, the presence of legal safeguards on the privacy of individuals will be critical in assessing their validity. On this point, the Government will turn to the Aadhaar Act 2016 for its support.

The statute does indeed contain provisions to combat fears of excessive surveillance, including Section 28 of this Act which places responsibility on the UIDAI to ensure the security of identity information and authentication records of individuals. 

Despite such provisions, however, the fear of a digital panopticon is real for the simple reason that desirous individuals need not necessarily approach the UIDAI to form a complete picture of the various services availed by a citizen.

The authentication records also exist in government offices, ration shops and other service centres from where welfare benefits are disbursed to citizens. In fact, the data leakages ailing Aadhaar have all occurred thus far from similar end-points where personnel in charge of our data have little training and less interest in keeping such authentication records confidential.

The data leakages, in fact, are telling not only because they challenge the mantra that the programme is technologically safe, and not only because they simply represent a state programme that contains flaws and operates below expectations in practice, but because the nature and upshot of the leakages calls into question the safeguards on which the legitimacy of the programme rests.

Other concerns

Further the UIDAI’s role poses serious institutional and rule of law concerns. On the one hand, it is the custodian of the Central Identities Data Repository. On the other, it is also the data regulator. As the custodian of data, it decides the level of access to Aadhaar data needed for purposes of authentication and the authentication agencies contracted to do so. It receives service fees for permitting private bodies to conduct such authentication, thereby aligning its incentives in the direction of widespread access to Aadhaar data for authentication purposes.

But as a regulator, it is tasked with deciding on how to deal with data breaches. Thus, we have a body that has minimal incentive to report or act upon data breaches because a vulnerable database architecture does not bode well for either its financial or power incentives as a data custodian. Any breach is, plainly put, a challenge to its authority.

These design flaws may well jeopardise the Aadhaar project. To overcome them, the State could potentially rely on another important exception contained in the Chandrachud verdict, preventing the diversion of scarce public resources to undeserving impostors. This has, in some ways, been the central justification for relying on biometric data for identification and authentication purposes, and without which none of the privacy worries may have arisen in the first place.

This is so because biometrics cannot be altered unlike passwords. Also, recent technological advances have made them easily replicable from photographs and even mirror reflections. Ominous as it sounds, we all are walking repositories of highly vulnerable and immutable passwords which hold the key to our national identities and state-subsidised benefits. So, whether such deeply private information can be relied on to prevent scarce public resources from dissipation will depend, in the final analysis, on the checks that are put in place.

Structural issues

Some of these checks are found in Justice Chandrachud’s opinion itself, while other judges have also weighed in on how we might best balance the right to privacy with permissible exceptions. A first requisite is the existence of a law governing the deprivation of privacy interests. This is important because a great many enrolments were carried out between 2011-16, prior to the enactment of the Aadhaar Act. If the SC bench hearing the Aadhaar challenge were to take this seriously, coupled with the impermissibility of a waiver of fundamental rights as per an earlier pronouncement of the Court in Basheshar Nath v Commr. Of Income Tax, millions of Aadhaar enrolments may be annulled.

The other important check arises from how far the State could go even when there is a law in place that furthers a legitimate state interest. In Justice Chandrachud’s view, the means adopted by the legislature must be “proportional to the object and needs sought to be fulfilled by the law.” Justice Chelameswar acknowledges the possibility of certain privacy claims that deserve the strictest scrutiny.

Statutory inroads upon such claims can be made only when there is a “compelling State interest” and a “narrow tailoring” of the law to achieve the objective. Considering the use of biometrics as part of Aadhaar, and the complete absence of any volition on the citizen’s part in deciding whether, and towards which schemes, she must part with such information, there is a strong case for this stricter standard to be applied when evaluating its legality.

This brings us to a final matter, namely the role of consent-based architecture in protecting the private authentication solutions built on the citizen database. Justice Chandrachud places emphasis on the role of consent in the shaping of privacy but identifies other principles, including transparency, regarding data transfer and use, and non-discrimination, as critical for a robust data protection regime.

The consent principle also misses the forest for the trees, as it places the onus on individuals acting within the bounded rationality of their lives to decide on issues of larger systemic risk. Hopefully, the SC shall rely on Justice Chandrachud’s diktat to refrain from utilising citizen data for extraneous purposes outside the realm of legitimate state interest, and place an embargo on the private authentication agenda.

Khosla is a Junior Fellow at the Harvard Society of Fellows. Padmanabhan is a Fellow at Carnegie India. This article is by special arrangement with the Center for the Advanced Study of India, University of Pennsylvania