Aadhaar Hearings: Counsel argues that Aadhaar is more secure than a data protection law, SC disagrees

The Bench, while discussing apprehensions of misuse of data, observed that a blinkered view of reality could not be taken while dealing with Aadhaar.

On Day 29 of the Aadhaar Hearings on 17 April, senior counsel Rakesh Dwiwedi continued his arguments on behalf of the UIDAI. He argued that Aadhaar was strictly for the purpose of authentication, and any provisions of the Act which the Court was concerned out should be read down to this end. He further argued that no data protection law could give as much protection as the Aadhaar Act. The Bench, while discussing apprehensions of misuse of data such as the Cambridge Analytica incident, observed that a blinkered view of reality could not be taken while dealing with Aadhaar.

Aadhaar Hearings: Counsel argues that Aadhaar is more secure than a data protection law, SC disagrees

A woman goes through the process of finger scanning for the Unique Identification (UID) database system, also known as Aadhaar. Image: Reuters

Correct defects instead of striking down the law

The arguments were commenced with discussing the presumption of constitutionality, that the defects in a law must first be sought to be resolved, instead of striking the law down. From this, the issues with the Aadhaar Act were discussed.

Aadhaar is strictly for authentication

First, it was argued that under the Aadhaar Act, the sharing and use of information was strictly for the purpose of authentication. Section 29 of the Aadhaar Act, which allows the sharing of identity information, with the exception of core biometric information, for the purposes of the Aadhaar Act, must also similarly be restricted by the Court to authentication. A narrow interpretation of this Section, it was argued, could address any surveillance concerns.

The risk of data sharing by REs

The Bench, here pointed that even if the UIDAI was unaware of the purpose of authentication, the requesting entity would. To this, it was argued that, in the example of authentication at Apollo hospitals, the hospital would remain unaware of whether the person had visited the hospital for a check-up or to buy medicines.

The Bench, here, pointed out that such information could still be shared by the requesting entity itself if not by the UIDAI. For instance, the information that a person visited hospitals 122 times in the last 6 months is information that is of interest to pharmaceutical companies and also insurance companies.

No data protection law can give as much protection as Aadhaar

To this, it was argued that such information could also be acquired directly through a visit to the hospitals, and there was no need for Aadhaar for this. When the Bench pointed out the dangers with such data collection in view of the absence of a data protection law, it was argued that 100 percent data protection was impossible. What was possible is reasonable, just and fair data protection.

Further, no data protection law could give as much protection as Aadhaar. The Bench disagreed, terming this as an exaggeration. To this, it was argued that Aadhar was not designed to allow aggregation and data analysis, and if the Bench was still concerned with this, it could give an interpretation of the law that prevents this.

Cambridge Analytica is irrelevant to Aadhaar

On the argument that the apprehensions of misuse with Aadhaar are not real, the Bench observed that there were very real apprehensions of misuse, and even elections could be manipulated using data. To this, it was argued that the Cambridge Analytica issue was irrelevant, since Aadhaar did not involve any learning algorithms like Facebook and Google, but merely involved matching algorithms. The Bench, to this, observed that the concern wasn’t so much with controlling the UIDAI, but with its interface with the world outside. The Bench also observed that a blinkered view to reality could not be taken.

Mandatory Aadhaar under Section 57

Next turning to Section 57 of the Aadhaar Act, which allows even private parties to make Aadhaar mandatory, it was argued that anyone could not become a requesting entity. For example, a company like Dominos would be questioned by the UIDAI if it asked to become a requesting entity.

The Bench here, first questioned the purpose behind opening Aadhaar platforms to private players. To this, it was argued that the private/public divide was reducing, with private parties entering many fields constituting public functions. Further, such activities w.r.t Aadhaar were in any case funded by the UIDAI. In addition, private parties performing public functions would open them up to writ jurisdiction.

Further, a body corporate using Aadhaar must have privacy policies in place. The UIDAI’s actions against misuse by Airtel and Axis Bank were cited.

A man goes through the process of eye scanning for the Unique Identification (UID) database system, also known as Aadhaar, at a registration centre in New Delhi, India, January 17, 2018. Picture taken January 17, 2018. REUTERS/Saumya Khandelwal - RC1F67907F80

A man goes through the process of eye scanning for the Unique Identification (UID) database system, also known as Aadhaar, at a registration centre in New Delhi. Reuters

UIDAI not bound to offer authentication services

Further, it was argued that the requirement of a law or contract under Section 57 was an important limitation. The State Resident Data Hubs, it was argued, were destroyed due to this. On the Bench asking if once there was a contract, the UIDAI was bound to offer authentication services, it was argued that there must be a contract, and the UIDAI was required to permit it. The Bench, however, observed that there was nothing in Section 57 which grants such discretion to the UIDAI. The Bench, further disagreed with the argument that such discretion flows from the Act itself.

Examine Aadhaar linking on a case by case basis

The Bench also questioned how Aadhaar went from being an entitlement or voluntary, to becoming a mandate. To this, it was argued that Aadhaar linking must be examined on a case by case basis. It was also argued that as far as the UIDAI was concerned, Aadhaar was an entitlement. It is mandatory only under Section 7, and for all other purposes its use is consensual.

Security requirement under IT Act

Next, it was argued that the provisions of the Information Technology Act govern Aadhaar as well, and this imposed the requirement for the technology to be reasonably secure. He argued that there were strict provisions for enforcement under the IT Act, and further, the CIDR had been declared to be critical information infrastructure under the IT Act.  It was also argued that 5 levels of biometric checks had to be crossed before the servers could be reached, and since there was no connection to the internet, the software could not be tinkered with.

New biometric information must meet certain criteria

Next, the issue of excessive delegation under the Aadhaar Act was raised. On the issue of biometric information, it was argued that new forms of biometric information could be included only if it meets the requirements of being non-intrusive, a mode of identification, as well as capable of instant authentication. DNA, for instance, cannot be simply added to the biometric information with the UIDAI.

Revolutionary nature of Aadhaar

The advantage of Aadhaar, it was argued, was that now the person claiming entitlements (say foodgrains) was now required to directly appear in person before the distributor. This prevented others from collecting a person’s entitlements on their behalf. This further prevented the distributor himself from denying a person his entitlements. This was described as a revolutionary step. For this, it was argued, fingerprints were a huge safeguard, thus preventing other IDs from being used. Further, the fingerprinting enabled deduplication.

Nothing in the world is deterministic

Next turning to the issue of the probabilistic nature of Aadhaar authentication, it was argued that nothing it the world is deterministic, and probability governs people everywhere. The Bench, here, questioned how a probabilistic system could be allowed to affect fundamental rights. The Bench further, noted that exclusion was a fact. To this, it was argued that these were implementation problems which needed to be resolved.

Sources of arguments include Livetweeting of the case by Gautam Bhatia, Prasanna S and SFLC.in.

You can read our complete coverage of the Aadhaar Supreme Court case below.

Why SC needs to look into technical evidence of Aadhaar’s surveillance capabilities

Will State give citizens rights only if they agree to be tracked forever, asks lawyer Shyam Divan

Coalition for Aadhaar: A collective of private companies wants to ensure that Aadhaar ID and related services continue to be offered

Petitioners argue on centralisation of data and challenge Aadhaar’s claims on savings

Petitioners argue for a voluntary ID card system that does not collect user data

Petitioners argue that receipt of govt benefits cannot be at the cost of compromising fundamental rights

Aadhaar is architecturally unconstitutional, argue the petitioners

Petitioners argue that Aadhaar violates dignity by objectifying and depersonalizing an individual

Petitioners seek compensation for starvation deaths and extension of March 31st deadline

Section 7 exception in Supreme Court’s interim order greatly affects people’s constitutional rights

Entire Aadhaar project is beyond the stated objectives of Aadhaar Act, argue petitioners

Petitioners conclude their arguments on 'the number of the beast' Aadhaar, highlighting various issues

Aadhaar hearing: Political liberties cannot be foregone for economic and social justice, states the Bench

Aadhaar hearing: UIDAI’s presentation discusses Aadhaar enrolment, updation and authentication processes in detail

Aadhaar hearing: Supreme Court expresses concerns with data breaches, Aadhaar security and profiling

Aadhaar hearing: Petitioners question UIDAI on verification of residency requirement, de-duplication rejections and authentication failures

Aadhaar hearing: Attorney General argues that pervasive collection of fingerprints meets proportionality requirements

Aadhaar hearing: Bench criticises the argument that Aadhaar can prevent bank frauds and terrorists from acquiring mobile numbers

Aadhaar hearing: Additional Solicitor General argues Aadhaar-PAN linkage enables deduplication, prevents fraud and widens the tax base

Aadhaar hearing: Not necessary to prove least possible invasion of privacy, argues Additional Solicitor General

 

The author is a lawyer and author specializing in technology laws. She is also a certified information privacy professional.

Tech2 is now on WhatsApp. For all the buzz on the latest tech and science, sign up for our WhatsApp services. Just go to Tech2.com/Whatsapp and hit the Subscribe button.





Top Stories


also see

science