Asheeta RegidiMay 11, 2018 10:21:44 IST
On Day 29 of the Aadhaar Hearings on 17 April, senior counsel Rakesh Dwiwedi continued his arguments on behalf of the UIDAI. He argued that Aadhaar was strictly for the purpose of authentication, and any provisions of the Act which the Court was concerned out should be read down to this end. He further argued that no data protection law could give as much protection as the Aadhaar Act. The Bench, while discussing apprehensions of misuse of data such as the Cambridge Analytica incident, observed that a blinkered view of reality could not be taken while dealing with Aadhaar.
Correct defects instead of striking down the law
The arguments were commenced with discussing the presumption of constitutionality, that the defects in a law must first be sought to be resolved, instead of striking the law down. From this, the issues with the Aadhaar Act were discussed.
Aadhaar is strictly for authentication
First, it was argued that under the Aadhaar Act, the sharing and use of information was strictly for the purpose of authentication. Section 29 of the Aadhaar Act, which allows the sharing of identity information, with the exception of core biometric information, for the purposes of the Aadhaar Act, must also similarly be restricted by the Court to authentication. A narrow interpretation of this Section, it was argued, could address any surveillance concerns.
The risk of data sharing by REs
The Bench, here pointed that even if the UIDAI was unaware of the purpose of authentication, the requesting entity would. To this, it was argued that, in the example of authentication at Apollo hospitals, the hospital would remain unaware of whether the person had visited the hospital for a check-up or to buy medicines.
The Bench, here, pointed out that such information could still be shared by the requesting entity itself if not by the UIDAI. For instance, the information that a person visited hospitals 122 times in the last 6 months is information that is of interest to pharmaceutical companies and also insurance companies.
No data protection law can give as much protection as Aadhaar
To this, it was argued that such information could also be acquired directly through a visit to the hospitals, and there was no need for Aadhaar for this. When the Bench pointed out the dangers with such data collection in view of the absence of a data protection law, it was argued that 100 percent data protection was impossible. What was possible is reasonable, just and fair data protection.
Further, no data protection law could give as much protection as Aadhaar. The Bench disagreed, terming this as an exaggeration. To this, it was argued that Aadhar was not designed to allow aggregation and data analysis, and if the Bench was still concerned with this, it could give an interpretation of the law that prevents this.
Cambridge Analytica is irrelevant to Aadhaar
On the argument that the apprehensions of misuse with Aadhaar are not real, the Bench observed that there were very real apprehensions of misuse, and even elections could be manipulated using data. To this, it was argued that the Cambridge Analytica issue was irrelevant, since Aadhaar did not involve any learning algorithms like Facebook and Google, but merely involved matching algorithms. The Bench, to this, observed that the concern wasn’t so much with controlling the UIDAI, but with its interface with the world outside. The Bench also observed that a blinkered view to reality could not be taken.
Mandatory Aadhaar under Section 57
Next turning to Section 57 of the Aadhaar Act, which allows even private parties to make Aadhaar mandatory, it was argued that anyone could not become a requesting entity. For example, a company like Dominos would be questioned by the UIDAI if it asked to become a requesting entity.
The Bench here, first questioned the purpose behind opening Aadhaar platforms to private players. To this, it was argued that the private/public divide was reducing, with private parties entering many fields constituting public functions. Further, such activities w.r.t Aadhaar were in any case funded by the UIDAI. In addition, private parties performing public functions would open them up to writ jurisdiction.
Further, a body corporate using Aadhaar must have privacy policies in place. The UIDAI’s actions against misuse by Airtel and Axis Bank were cited.
UIDAI not bound to offer authentication services
Further, it was argued that the requirement of a law or contract under Section 57 was an important limitation. The State Resident Data Hubs, it was argued, were destroyed due to this. On the Bench asking if once there was a contract, the UIDAI was bound to offer authentication services, it was argued that there must be a contract, and the UIDAI was required to permit it. The Bench, however, observed that there was nothing in Section 57 which grants such discretion to the UIDAI. The Bench, further disagreed with the argument that such discretion flows from the Act itself.
Examine Aadhaar linking on a case by case basis
The Bench also questioned how Aadhaar went from being an entitlement or voluntary, to becoming a mandate. To this, it was argued that Aadhaar linking must be examined on a case by case basis. It was also argued that as far as the UIDAI was concerned, Aadhaar was an entitlement. It is mandatory only under Section 7, and for all other purposes its use is consensual.
Security requirement under IT Act
Next, it was argued that the provisions of the Information Technology Act govern Aadhaar as well, and this imposed the requirement for the technology to be reasonably secure. He argued that there were strict provisions for enforcement under the IT Act, and further, the CIDR had been declared to be critical information infrastructure under the IT Act. It was also argued that 5 levels of biometric checks had to be crossed before the servers could be reached, and since there was no connection to the internet, the software could not be tinkered with.
New biometric information must meet certain criteria
Next, the issue of excessive delegation under the Aadhaar Act was raised. On the issue of biometric information, it was argued that new forms of biometric information could be included only if it meets the requirements of being non-intrusive, a mode of identification, as well as capable of instant authentication. DNA, for instance, cannot be simply added to the biometric information with the UIDAI.
Revolutionary nature of Aadhaar
The advantage of Aadhaar, it was argued, was that now the person claiming entitlements (say foodgrains) was now required to directly appear in person before the distributor. This prevented others from collecting a person’s entitlements on their behalf. This further prevented the distributor himself from denying a person his entitlements. This was described as a revolutionary step. For this, it was argued, fingerprints were a huge safeguard, thus preventing other IDs from being used. Further, the fingerprinting enabled deduplication.
Nothing in the world is deterministic
Next turning to the issue of the probabilistic nature of Aadhaar authentication, it was argued that nothing it the world is deterministic, and probability governs people everywhere. The Bench, here, questioned how a probabilistic system could be allowed to affect fundamental rights. The Bench further, noted that exclusion was a fact. To this, it was argued that these were implementation problems which needed to be resolved.
The author is a lawyer and author specializing in technology laws. She is also a certified information privacy professional.
Tech2 is now on WhatsApp. For all the buzz on the latest tech and science, sign up for our WhatsApp services. Just go to Tech2.com/Whatsapp and hit the Subscribe button.