Aadhaar hearing: Aadhaar has the support of two governments, argues the State

On Day 33 of the Aadhaar hearings on Wednesday, senior counsel Rakesh Dwivedi completed his arguments for the UIDAI. In an important turn of events, he admitted that the Supreme Court had never directed the mandatory verification of mobile phones via Aadhaar.

Representational image. Reuters.

Representational image. Reuters.

He also argued extensively on the security of the data with Requesting Entities. After this, Additional Solicitor General Tushar Mehta made a submission w.r.t Aadhaar-Bank account linking. Senior counsel Jayant Bhushan then directed the Court’s attention to the new KYC norms issued by the RBI. Lastly, counsel Gopal Sankarnarayan commenced his arguments.

On the collection of authentication data by REs

Rakesh Dwivedi commenced with arguing that the UIDAI had adequate control over the Requesting Entities (REs). He argued that the data with the REs was segregated, with no means of aggregating the data, since there are over 300 REs. When questioned by the Bench on the collection of data by an individual RE, Dwivedi cited Vodafone as an example. He argued that Vodafone wouldn’t be able to make much use of the authentication data, and further would be unable to track any individual.

Vodafone, for instance, could conduct targeted advertising via this data, but this was already being done even without Aadhaar based data. Further, he argued that Vodafone would have a lot more demographic data on an individual than the UIDAI, and moreover, it was not subject to the many regulations and penal consequences as applicable to Aadhaar.

Aadhaar being solely targeted for data collection

Next, he cited the example of data collection by banks, showing a credit card statement to indicate the extent of information a bank has on an individual. He argued that this data being collected by banks and telecom companies was not being questioned, and Aadhaar was the sole target.

He further argued that there is no difficulty in getting information on a person from Google. He also cited the example of BigBasket, arguing that the company was aware of a person’s food habits based on what he buys. Google and Facebook, he argued, processed a tremendous amount of data on individuals, but Aadhaar did not use algorithms of that nature.

A woman goes through the process of finger scanning for the Unique Identification (UID) database system, Aadhaar, at a registration centre in New Delhi, India. Image: Reuters

A woman goes through the process of finger scanning for the Unique Identification (UID) database system, Aadhaar, at a registration centre in New Delhi, India. Image: Reuters

No way to surveil people via Aadhaar based authentication

He further argued that the collection and transfer of data by REs was doubtful, and further these do not have authentication records. He quoted Regulation 18 of the Aadhaar (Authentication) Regulations, 2016, which require an RE to maintain logs of authentication transactions, but do not allow the retention of the PID Block, or the Personal Identity Data element, which includes biometric, demographic and OTP information. He, further, pointed to a list of entities which require one time authentication and those that require authentication for each transaction. Based on this, he argued that there was no way to conduct 24x7 surveillance of people.

Licensing of an RE

On the issuing of control over the RE, Dwivedi argued that the RE was required to buy the authentication device from a vendor, who was under the control of the UIDAI w.r.t both the hardware and the software. The data on the device is also encrypted and then sent to the CIDR. Further, the device is STQC certified. Lastly, the RE itself is audited by an information systems operator. On clearing all these parameters, an RE is licensed.

The metadata collected, he argued, was to validate that the data is coming in from a proper, UIDAI licensed RE. Thus, the metadata enables fraud management and verification.

The REs, further, themselves had a data vault, which is only under the control of trusted people. Apart from the audit prior to licensing, the REs are also audited annually, as well as on a random basis by the UIDAI. Authentication Service Agencies are also similarly audited.

A man goes through the process of eye scanning for the Unique Identification (UID) database system, Aadhaar, at a registration centre. Image: Reuters

A man goes through the process of eye scanning for the Unique Identification (UID) database system, Aadhaar, at a registration centre. Image: Reuters

Authentication data with REs is encrypted

Returning again to the issue of security, he argued that the encryption by the authentication device was immediate, time-stamped, and required two sets of keys. Transmission itself, required signing by a private key. Moreover, storage of the PID block was prohibited, and further, there was no permission to transmit demographic information.

He also pointed to the penal consequences under Aadhaar for violation of any of the provisions. Further, he asserted that the Central government had no access to Aadhaar information, since the UIDAI was an autonomous body.

Aadhaar-SIM linking founded on Telegraph Act

Lastly, Dwivedi turned to the issue of Aadhaar SIM linking, citing the Supreme Court’s Lokniti Foundation judgment, and the recommendation of the TRAI to link Aadhaar with SIM cards. He also cited the notification of the Department of Telecom, which ordered the re-verification process through eKYC. Section 4 of the Telegraph Act, he argued, gave the Central government the exclusive power to stipulate such license conditions to the licensees (such as the TSPs). Further, he argued that Aadhaar-SIM linking was essential to ensure that the SIM card was given to the person who actually applied for it.

The Bench, here pointed out that the Supreme Court in the Lokniti Foundation case never ordered that the reverification be carried out via Aadhaar based ekYC. Dwivedi agreed to this, admitting that the eKYC process had been adopted on the recommendation of TRAI, which had been made even before the Lokniti order came out. He further submitted that the legal basis to link Aadhaar with SIM cards arose from the government’s power under Section 4 of the Telegraph Act. Further, the measure was reasonable in the interest of national security.

Aadhaar system has the support of two governments

Dwivedi then summed up his arguments, arguing that there was no possibility of surveillance via the CIDR, and instead the CIDR was completely necessary in order to avoid fake and duplicate entities. The Aadhaar system, he argued, stood the test of Article 21, and did not involve the violation of the right to privacy. Further, the Aadhaar project had the support of two governments, since it had been commenced when the Congress was in power.

Aadhaar-bank linking passes Article 300A test

Additional Solicitor General Tushar Mehta then made a submission that Aadhaar passed the muster of Article 300A, or the right to property, w.r.t Aadhaar-Bank account linking. This is because as per this article, no person can be deprived of his property except by the ‘authority of law’, and the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (PML Rules) which directed the linking, amounted to the ‘authority of law’.

A statutory rule, he argued, was akin to ‘law’ for the purposes of Article 300A. Further, it was not possible to amend the parent Act, the Prevention of Money Laundering Act (PMLA), each time a new rule is to be put in place, because of which rule making powers were granted.

New KYC norms

Senior counsel Jayant Bhushan then commenced his arguments, drawing the attention of the Court to the KYC Directions of the Reserve Bank of India, now amended to mandate Aadhaar based identification.  He argued that under the PMLA as well as the PML Rules, REs were required to follow certain customer identification procedures while undertaking transactions. The RBI, in exercise of its powers under the Banking Regulation Act, 1949, saw it fit to amend and issue the new directions.

Lastly, counsel Gopal Sankarnarayan commenced his submissions on the validity of the Aadhaar Act.

Sources of arguments include Livetweeting of the case by SFLC.in and LiveLaw Reports.

The author is a lawyer and author specializing in technology laws. She is also a certified information privacy professional.

Why SC needs to look into technical evidence of Aadhaar’s surveillance capabilities

Lack of governmental ownership of CIDR’s source code can have serious consequences

Will State give citizens rights only if they agree to be tracked forever, asks lawyer Shyam Divan

Coalition for Aadhaar: A collective of private companies wants to ensure that Aadhaar ID and related services continue to be offered

Petitioners argue on centralisation of data and challenge Aadhaar’s claims on savings

Petitioners argue for a voluntary ID card system that does not collect user data

Petitioners argue that receipt of govt benefits cannot be at the cost of compromising fundamental rights

Aadhaar is architecturally unconstitutional, argue the petitioners

Petitioners argue that Aadhaar violates dignity by objectifying and depersonalizing an individual

Petitioners seek compensation for starvation deaths and extension of March 31st deadline

Section 7 exception in Supreme Court’s interim order greatly affects people’s constitutional rights

Entire Aadhaar project is beyond the stated objectives of Aadhaar Act, argue petitioners

Petitioners conclude their arguments on 'the number of the beast' Aadhaar, highlighting various issues

Aadhaar hearing: Political liberties cannot be foregone for economic and social justice, states the Bench

Aadhaar hearing: UIDAI’s presentation discusses Aadhaar enrolment, updation and authentication processes in detail

Aadhaar hearing: Supreme Court expresses concerns with data breaches, Aadhaar security and profiling

Aadhaar hearing: Petitioners question UIDAI on verification of residency requirement, de-duplication rejections and authentication failures

Aadhaar hearing: Attorney General argues that pervasive collection of fingerprints meets proportionality requirements

Aadhaar hearing: Bench criticises the argument that Aadhaar can prevent bank frauds and terrorists from acquiring mobile numbers

Aadhaar hearing: Additional Solicitor General argues Aadhaar-PAN linkage enables deduplication, prevents fraud and widens the tax base

Aadhaar hearing: Not necessary to prove least possible invasion of privacy, argues Additional Solicitor General

Aadhaar hearing: Counsel argues that Aadhaar is more secure than a data protection law, SC disagrees

Aadhaar hearing: Supreme Court questions why both the right to privacy and right to food cannot be secured under the Constitution

Aadhaar hearing: Senior counsel Rakesh Dwiwedi argues that the UIDAI is constantly improving and upgrading its systems


Updated Date: May 11, 2018 10:20 AM