Anirudh Regidi Sep 25, 2018 18:34 PM IST
Editor's Note: This copy was published on 22 June, 2018. It is being republished in light of the Supreme Court's verdict on the constitutionality of Aadhaar likely being pronounced tomorrow. For the past four months, cyberlaw expert and certified information privacy professional Asheeta Regidi has been following the proceedings of the Aadhaar case in the Supreme Court for tech2. As we approach the judgment in this, the second-longest hearing in the history of the Supreme Court, here's a glance at the major arguments made over the past 38 days of hearings.
Lack of integrity in Aadhaar enrolment and authentication
The arguments against Aadhaar began with the assertion that data collection was happening in the absence of a law, that personnel were not qualified to collect and handle sensitive data and that the biometric process itself was unreliable. Fingerprints can be cloned and iris scanners bypassed.
To add to this, it was argued that firstly, the collection of biometric information is itself a violation of the fundamental right to bodily integrity. Further, it was argued that the receipt of government benefits on the conditional waiver of constitutional rights is unconstitutional.
On day 7 of the hearings, an affidavit by a cybersecurity expert was presented, which stated that enrolment centres were illegally retaining biometric data, a fact that neither the UIDAI and the people were aware of. The affidavit also enumerated six ways of hacking Aadhaar.
Petitioners also pointed out the leakage of data compromises the system.
On day 13 of the hearing, petitioners made the argument that people cannot be asked to give their biometrics if criminality of proof of offence hasn’t been proved.
Further, it is currently assumed that biometrics were captured properly the first time. A failure to authenticate later is seen as an attempt at duplicity.
It was also pointed out that the UIDAI didn’t have ownership of the software involved in biometric data collection, further putting the Aadhaar system at risk. The Aadhaar Act requires complete ownership.
On day 18, petitioners argued that the use of uncertain and unproven biometric technology was a violation of Articles 14 and 21, and that a thumbprint and iris scan are both not unique and changeable.
Test of validity
The petitioners argued that there was no law for data collection prior to 2016. Therefore, Aadhaar violated the privacy of citizens without any legal basis for doing so.
They also argued that the large-scale collection and storage of data did not meet the “test of proportionality”. In other words, the petitioners are arguing that the ends (efficient disbursal of welfare benefits) did not justify the means (breaching the right to privacy of a billion plus citizens).
The petitioners argued that when the potential for harm is overwhelming, the standards of scrutiny for the Act enabling the harm must be higher, and Aadhaar does not meet these standards.
Retrospective validation of Aadhaar
While Aadhaar was launched in 2009, it was only given a legal basis in 2016. This, argue the petitioners, is significant because informed consent cannot be assumed in retrospect. The fundamental right to privacy cannot be violated in retrospect.
India is a nation that’s governed by law, argue the petitioners, not by people. Depriving a person of life or liberty is only possible with the authority of the law. To add to this, Aadhaar was enforced in direct violation of several Supreme Court orders mandating that Aadhaar be voluntary.
On day 12 of the hearing, the Bench agreed, stating that while an absence of law could be supplemented in retrospect, a breach of law could not be validated in retrospect.
On the validity of Section 59 as a validating provision
Section 59 of the Aadhaar Act retrospectively validates the acts of the government prior to 2016, when the Aadhaar Act was passed. The bench stated that while the section does not grant retrospective validity to the acts of the govt, it deems them to have been done after the passing of the Act. The petitioners questioned if it was even possible to have such a provision. They also argued that since Section 59 only deems the Act to be valid from 2016 as opposed to 2009, the act is invalid.
They also argued that trying to correct the absence of a law and the absence of safeguards in retrospect, as Section 59 attempts to do, cannot be legal. For example, the collection of data before 2016 happened without informed consent, which cannot be retrospectively assumed.
On Aadhaar Act passing as a money bill
Petitioners argued that Section 7 of the Aadhaar Act (which establishes the link with Aadhaar as a money bill), was not essential to the Act. An amendment to the Food Securities Act would have sufficed, they argued.
Without Section 7, Aadhaar cannot be treated as a Money Bill and would only establish a new mode of identification. It was argued that Section 7 gives too much power to the State or a private entity to deny any other form of authentication. It was also noted that the Section 7 was in direct violation of an earlier Supreme Court order, making the mandating of Aadhaar an impermissible executive exercise.
On day 15, Senior Counsel Arvind Datar argued that for Aadhaar to be classified as a money bill, it would have to be bound by its Statement of Objects. Since private parties are allowed to use Aadhaar (as per Section 57 of the Aadhaar Act), the Bench observed that the Act then loses its nexus with a money bill.
The petitioners pointed out that the Rajya Sabha had recommended the deletion of Section 57 and the provision of an opt-out clause.
The primary argument against the passing of Aadhaar as a money bill, however, is that a bill so passed bypasses the Rajya Sabha and the president. This, it was argued, requires very careful and strict interpretation to classify a given bill as a money bill.
Aadhaar as a surveillance tool
The petitioners further argued that Aadhaar could be used as a surveillance tool and that secret surveillance had the ability to undermine a democracy. More importantly, there is a need to protect the future generations from such surveillance. They also argued that while surveillance by a private entity like Google existed, Google was an optional service. To add to that, surveillance by the State can cause much greater harm.
The Supreme Court countered some of the Aadhaar-surveillance arguments with an observation that similar data collection happens when a person uses an iPhone or an ATM.
The Bench also asked how data collection via Aadhaar was different from data collection via a PAN card linked to the Income Tax department, say. The petitioners explained that the problem with Aadhaar was the centralisation of data collection. Data that was normally in silos was now in one place, making it much simpler to track an individual. Ultimately, they argued that it’s not even about data collection, but about an architecture that enables pervasive surveillance.
Kapil Sibal went so far as to call Aadhaar an RTI tool (Right to Information) for the State for information on citizens.
The Bench here pointed out that the Aadhaar Act cannot be questioned on its potential for misuse. The petitioners countered that given the amount of information that was being taken by the State, surveillance was a reality.
On day 9 of the Aadhaar hearing, petitioners brought up the 2011 destruction of the UK ID card database, a biometric database that was found to be too intrusive and thus, unconstitutional. The petitioners further argued that Aadhaar is even more intrusive because it also collects metadata, not just biometrics (as defined by Regulation 26).
On day 10, petitioners pointed out that information is knowledge, information which, in silos, amounted to nothing. They also pointed to the high valuation of WhatsApp, which was based entirely on its potential to generate information on its users. A nationalised ID is fine as long as it is private and not in a centralised database.
On day 11, they argued that Aadhaar cannot survive in the absence of a data protection law, given that it treats data as property.
On day 12, the Bench raised the question of privacy vs national security. The Bench noted that the State has a legitimate interest in monitoring the web to secure the nation against cyberattacks and terrorist activities. The petitioners countered that Aadhaar was dealing with an entire population, not terrorists. Also, the stated purpose of the Aadhaar Act is not that of surveillance.
Pointing to the case of Szabo vs Hungary, petitioners argued that a system of secret surveillance set up on the grounds of defending democracy, entails a risk of undermining or even destroying democracy.
Responsibility and redressal
It was also argued that there is no redressal mechanism in place for dealing with violations because of or related to Aadhaar. The UIDAI took no responsibility for the data while still going ahead and funding the SRDHs (State Resident Data Hub) without any sort of statutory approval.
The petitioners argued that sharing of data with the SRDH was illegal and impermissible under the Aadhaar Act. They also pointed out that there was no evidence that third parties like SRDHs and registrars destroyed biometric data, as they should have done once the Aadhaar Act was passed.
Challenging the State’s claims about Aadhaar
The government’s claims of Rs 17,000 crores in savings via MNREGA and LPG subsidy via Aadhaar were challenged, with the petitioners claiming that the actual numbers were nearer the Rs 220 Crore mark. A World Bank report claiming $11 billion in savings due to Aadhaar was also brought into question, with petitioners bringing up the fact that a senior World Bank official resigned over issues with data integrity. Petitioners also pointed out that some of the savings could also be attributed to previous schemes.
They pointed out that any law cannot violate a fundamental right in retrospect.
The petitioners argued that the goverment assumed that identity fraud was the only cause of leakages. They claimed that the government used older reports to make assessments and that the State would otherwise be unable to present any evidence to justify the infringement of rights as a result of enforcing Aadhaar.
It was also argued that the scope of Aadhaar was being extend far beyond the scope of the Act.
If you don’t have Aadhaar, you’re a crook
Petitioners argued that Aadhaar was premised on the assumption that India is a “nation of knaves”. If you don’t have Aadhaar, you’re a crook, and this leads to a breakdown of trust between the nation and its residents, they argued.
Petitioners also brought up the issues of starvation deaths and other such examples, all of which were caused by Aadhaar-linkage failures. Even school children were denied attendance because their fingerprints didn’t match.
Nobody has been excluded because of Aadhaar
The petitioners argued that since the Aadhaar project was causing more exclusion than inclusion, it was unconstitutional and a violation of Article 14, the right to equality. The Bench argued that exclusion was happening right now due to factors like infrastructure or old age, which can be remedied via upgrades. When it was pointed out that exclusion was happening right now, the State countered saying that nobody has been excluded due to the lack of Aadhaar.
The State argued that the Act has provisions for people who do not have Aadhaar or are unable to provide biometric data. The Petitioners countered that there are very real issues on the ground and that reading out the provisions of the Act is not a solution.
Petitioners later pointed out that the government violated the doctrine of unconstitutional conditions. A person cannot be denied benefits and entitlements solely for want of an identity. Infrastructure issues aside, it is unconstitutional for the State to mandate only one form of identity.
They also argued that while it was reasonable to prove status in order to receive benefits, everyone has a right to prove status in a reasonable manner.
Violation of dignity
An important argument against Aadhaar, according to the petitioners, is that of the violation of dignity of an individual, which is unconstitutional. To support this, petitioners cited several examples. They pointed out that a member of a marginalised section of society shouldn’t be exposed as marginalised, that silos of information cannot be aggregated and that a person has a right to control their personality. The surveillance potential of Aadhaar directly affects that last right.
They also pointed to the Jeeja Ghosh vs UoI judgement where it was ruled that dignity forms a significant facet of the right to life and liberty.
According to the petitioners, by enforcing Aadhaar, the State is operating on the assumption that everyone is an imposter, which is unconstitutional. They also argued that simply assuming that the poorest of the poor were making ghost cards to pilfer rations is to pass a moral judgement against them.
Further, it was argued that the Aadhaar Act objectifies and depersonalises an individual. Citing the case of S and Marper vs UK, it was pointed out that even a reasonable apprehension of surveillance can cause a chilling effect.
Aadhaar as a voluntary ID system
Section 57 of the Aadhaar Act has been the basis for making Aadhaar mandatory for various purposes. Petitioners argued that the section could only be constitutional when Aadhaar was treated as a voluntary ID document. The Bench was sceptical of this argument.
Petitioners pointed to Israel’s Smart ID system, which uses smart cards and biometric authentication, but lacks any identifying information. Petitioners argued that the Aadhaar must be voluntary, that it must not collect data and that people have a right to alternatives.
The Bench, the petitioners argued, must decide if the people live in a country where the people have choice, or where the State is the arbiter of that choice. By being forced to enrol for Aadhaar, the people were being forced to barter their constitutional rights.
On day 14 of the hearing, senior counsel Arvind Datar argued that even the RBI (Reserve Bank of India) does not mandate the use of Aadhaar as the sole means of KYC. The RBI, in fact, specifies at least six other documents as valid, including passport, driving license, PAN card, etc. The RBI rules at the time stood in direct violation of the update to the Prevention of Money Laundering Act (PMLA).
NOTE: The RBI recently passed an order stating that it is mandatory to link Aadhaar with bank accounts. This will be subject to the Supreme Court’s decision on Aadhaar, however.
The PMLA rule requiring that a bank account be blocked because it isn’t linked to Aadhaar is draconian, argued the petitioners, adding that the fact that Aadhaar is meant to be voluntary to begin with means that the PMLA rule is unconstitutional.
On day 18, the validity of mandatory eKYC as issued by the Department of Telecom (DoT) was brought into question and a request to extend the deadline was put in.
They also pointed to the US Social Security Number (SSN) system. In 1974, the US senate voted that an individual would have the right to refuse to show his SSN and that no federal agency could deny the provision of any benefit for that reason. In the case of Aadhaar, it is not possible for an individual to survive without it.
It was also argued that the livelihood of the people could not be made dependent on a system that was inherently probabilistic and faulty. Petitioners also pointed out that the rate of authentication failure in Rajashtan and Jharkhand was 37 percent and 49 percent respectively.
Later, the petitioners argued that the state has very limited powers to impose compulsions by law. Aadhaar does not qualify. They added that the State failed to justify the infringement of the right to life and liberty.
It was pointed out to the bench that while banks were linking Aadhaar to bank accounts, ostensibly for the prevention of money laundering, NCPI was making the data available to third parties. The petitioners also noted that SRDHs had no restriction on the data collection on an individual, though Rahul Dwivedi, Senior Counsel on behalf of the State of Gujarat, pointed out that all SRDH data was erased once the Aadhaar Act was passed.
They also indicated that the definition of biometric and core biometric information was open-ended. New forms of such data could be added via regulation. This could even extend to the creation of DNA databanks.
Deactivation or cancellation of Aadhaar only happens at the discretion of the UIDAI. There is no prescribed procedure to safeguard this power.
Disclosure of the personal information of an individual is also permitted, but only the UIDAI is required to be heard, not the individual whose data is at stake.
It was also argued that the Aadhaar Act was drafted on the assumption that privacy was not a fundamental right and is, therefore, an unbalanced Act.
Another issue is that of proportionality. The petitioners argued that the State could not prove that Aadhaar was necessary because there were no other alternatives. The State, after all, didn’t try alternate systems like smart cards, food coupons, etc.
On day 18, the issue of KYR+ (Know Your Resident) was raised. Where only demographic and identity information was to be collected under the Aadhaar Act, KYR+ was being used to collect and link PAN card, bank account numbers, education, religion and caste details.
They argued that inherently personal nature of the data means that protection must be ensured. If that level of protection is not ensured, then the State cannot take the data. Several example of the State’s inability to protect this data were then cited.
On day 19 of the hearings, the petitioners presented their concluding arguments:
Retention of metadata enables precise profiling: It was argued that the collection of metadata was a violation of fundamental rights and that the data could be used to create precise profiles on the private lives of individuals.
The menace of surveillance: Surveillance, even the apprehension of it, strikes at the freedom of communication and is an interference into people’s rights to respect for private life and correspondence.
Protection of future generations: Aggregation of data, as admitted to by the State and the UIDAI, is sufficient to indicate the religion, class, social status, income and education level, medical history and reproductive preferences of an individual. What protection is there to prevent the abuse of this data and is its collection even necessary or permitted?
Issues with the Aadhaar Act: The Act lacks proportionality, purpose and limitations on scale and retention of data. Provisions for the destruction of records do not exist and neither does a provision for alternative forms of identification.
Aadhaar is not the least intrusive method for authentication: Even if there is a compelling interest to identify people accurately, the least intrusive method must be used to achieve this. This is not Aadhaar. It was, in fact, suggested that a credit card like system be used, where biometrics are stored on the card itself. This could be faster, more accurate, more secure and less intrusive.
The irrationality of the Aadhaar project: Aadhaar is arbitrary and violative of the right to equality (Article 14). It is also irrational because biometrics are inherently unreliable. The lack of an opt-out facility and no option is given to citizens to control their data.
A child cannot consent or enter into contracts: Aadhaar is a violation of child rights because a child is not legally permitted to give consent. Children’s privacy is also granted under the Indian Constitution. A child’s right to education can also not be made subject to Aadhaar.
Religious objections to Aadhaar as the ‘beast’: Petitioners cited an example where a Christian family objected to Aadhaar on the grounds that they believed that Aadhaar was the mark and number of the ‘beast’, which exercised authority over people and forced all to worship it. The family believed that Aadhaar being made mandatory made it impossible for people to continue with their lives. Aadhaar, thus, violates the freedom of religion.
Gender requirement affects transgender persons: Transgender people will find it difficult to acquire identity documents, making acquiring Aadhaar impossible. People are thus excluded and denied benefits, which is a violation of the right to equality and privacy.
NRIs unable to file taxes or acquire SIMs: In another example of exclusion, it was shown that NRIs are not eligible for Aadhaar, making it difficult to acquire a SIM or file taxes.
So ended day 1-19 of the Aadhaar hearings.
On day 20 of the hearings, the State commenced its arguments in defence of Aadhaar.
Attorney General KK Venugopal argued that “tremendous effort” had gone into securing Aadhaar. He offered a PowerPoint presentation by the CEO of UIDAI on the security of Aadhaar, which included the fact that the CIDR servers, which were protected by a wall “13 feet long and 5 feet wide.” Later, the State shared more details on the security of its data centres, including the presence of X-Ray equipment and biometric authentication.
He argued that Aadhaar was a “serious effort” to insulate deserving beneficiaries from the effects of corruption.
The State argued that Aadhaar was random, baring no link to the person for whom it was generated. They added that the number could never be re-issued and that it wasn’t linked to citizenship. They also pointed out that data sharing could only happen with consent.
The issue of foreign companies owning Aadhaar software was brought up. The State here claimed that only the software for matching biometrics was from foreign companies and that those companies did not have access to Aadhaar data. The response, of course, doesn’t address the possibility that data could be stolen.
The State asserted that authentication happens in silos and that biometric data was never shared, and neither was purpose, location and transaction data collected.
No opt-out mechanism: The UIDAI CEO confirmed that there would be no opt-out mechanism under the Aadhaar Act. People only had the option to lock biometrics.
The State also claimed that matching with biometrics happens on a 1:1 basis and that it was thus, not probabilistic in nature. However, on day 29 of the hearings, the State argued that nothing in the world was deterministic. The Bench then questioned how a probabilistic system could be allowed to affect fundamental rights.
Sacrificing privacy for benefits
The AG argued that corruption and middlemen have diverted Rs 1,000 Crore or more of funds. Aadhaar is meant to address this. He argued that alternatives, including smart cards, were considered and rejected as unsuitable and that, in fact, Aadhaar was designed to have the least possible violation of privacy.
He even argued that Aadhaar enrolment was voluntary before the Act was passed, removing any question of violation of privacy. Aadhaar ensures the right to life and to live with dignity, he argued.
While the AG argued that both sides were fighting for the protection of the rights to life and to dignity, the Bench noted that the AG’s argument seemed to be that the right to privacy must give way to distributive justice. The Bench also asserted that individual rights cannot be made subordinate to distributive justice.
The AG claimed that no individuals claimed to have been excluded and that it was mainly NGOs making such claims. The Bench disagreed.
In addition to this, the State argued that the poor have a right to live without hunger, to which the Bench countered that the poor also have a right to privacy. The State then claimed that Aadhaar enabled the right to food, livelihood and pensions.
Another argument by the State was that poverty was a violation of human rights. The State then asked that the choice here is between a right to life and a right to privacy. The State went on to argue that official identification was a fundamental human right.
Regarding traceability, UIDAI stated that it did not track IP address and GPS location, but that it did record AuA code, ASA code (Authentication Service Agency)m unique device code and the registered device code used for authentication.
When asked about the open-ended nature of the definition of biometrics, the State admitted that the definition could extend to blood, urine and DNA samples, but that this expansion could be subject to judicial review. The Bench countered that this was false. The UIDAI has been given the power to decide what’s to be included and only the Parliament can disapprove or the rules. This, said the Bench, amounted to excessive delegation.
The petitioners had argued that Aadhaar was treating people as terrorists. To this, the State responded saying that airlines screen passengers as an administrative service as a measure to safeguard the public. They argued that Aadhaar was serving a similar purpose. The Bench was not convinced by this argument, however.
The State cited several earlier cases where the right to privacy was held to be subordinate to other, larger public interests.
Another argument presented by the State was that there was no need to look for the ‘least intrusive’ when something is overwhelmingly in the public interest.
Aadhaar and bank accounts: The State claimed that the amendment to the PMLA rules mandating Aadhaar linking with bank accounts was necessary to prevent impersonation. They also stated that rendering unlinked bank accounts non-operational was not a violation of the right to property as it amounted to a reasonable restriction on the right. The Bench did not accept this and asked how the PMLA rules authorise the freezing of bank accounts and asked whether it was authorised under law.
When the Bench further questioned the State as to how a validly opened bank account could be frozen under PMLA, the State explained that this was done to prevent money laundering and to curb terrorist activity.
The State argued that people strive to be recognised, as a matter of dignity and pride. The Bench countered that in the absence of choice of identity, there was an absence of proportionality with Aadhaar.
The State argued that privacy was a small price to pay for ensuring life itself. It was also stated that privacy is the strongest in the inner sanctum of the mind, but shrinks as you move outside into the world. Next, the State argued that in the public sphere, the right to privacy is diluted. The entire Aadhar project, he argued, is in the public sphere. The reasonable expectation of privacy varies according to context.
Misuse of harvested data
On day 21 of the hearings, the State argued that enrolment collects minimal data and that mobile numbers and email IDs were optional. The State also argued that enrolment agencies were subject to high quality security standards.
When asked about why 49,000 enrollers were deregistered (as opposed to the 30,000 agencies currently in operation), the State responded that corruption, improper data collection and failure to meet standards were to blame. The State was also asked if the blacklisted enrollers were blacklisted for data breaches. The State responded with a statement that the enrollers lacked the qualifications to tamper with enrolment software. Private enrolment agencies are being phased out, added the state.
Regarding data breaches, the State stated that reported data breaches only referred to compromised data breaches and not the CIDR, which has never been breached. To this the Bench pointed out that unless there is protection against all forms of data breaches, Aadhaar will remain a problem.
The Bench asked about Authentication User Agencies (AuAs) and whether they could record and monetise data. The State claimed that AuAs were prohibited from doing so, which failed to address the Bench’s concern that the State had no control over AuAs and their ability to share data.
When asked about the misuse of authentication records, the State said that collecting data on the purpose of authentication was prohibited.
However, when the Bench later asked if Authentication logs were kept with authentication or requesting entities, the State answered in the affirmative, but that such entities were regularly audited.
The State later noted that demographic information on PAN card holders was being collected since 1989 and that fingerprint data was also collected. The Bench was quick to point out that only the left thumb impression was taken, and only when people could not sign the form. There was also no authentication.
Fingerprinting citizens: The AG discussed proportionality with respect to collection of fingerprints. He cited several American judgements in support of arguments that fingerprinting was only a minor inconvenience and minimally intrusive, and that it did not carry the presumption of criminality. He also argued that the violation of dignity was non-existent.
The State further argued that while it was possible that biometric data could be extended to DNA and eventually misused, it was entirely speculative and that it wasn’t the court’s job to speculate on ‘dramatic Hollywood fantasies.’ The Bench countered that the issue with the collection of biometrics was that only the UIDAI had the power to define biometric information, which is a failure to meet proportionality requirements.
The State also pointed to a case where the CBI approached the Bombay High Court to obtain biometrics from the UIDAI for an investigation. The UIDAI refused to do so without the affected individual’s consent.
Interestingly, the State argued that it could already surveil people if needed, and that Aadhaar would not be necessary for that. The State claimed that the petitioners were using ‘rhetoric’ to rubbish Aadhaar.
The Bench observed that technology enabled mass surveillance and cited the case of election tampering via Facebook. The State countered that they did not have the algorithms to profile users like Facebook, and that Section 33 of the Aadhaar Act makes the acquisition or implementation of such a system illegal. They also argued that authentication metadata reveals very little.
The State also added that there was no possibility of surveillance via the CIDR, and instead the CIDR was completely necessary in order to avoid fake and duplicate entities.
Other arguments by the State included claims that citizens are not concerned about privacy and that fingerprints are only relevant to palmistry. The Bench countered that the issue was about storing the information in a centralised database. The State claimed that since the data was encrypted and secure, storing in a centralised database wasn’t an issue.
Despite provisions for data sharing in the Act, the State argued that information was shared only for authentication. When the Bench pointed out that REs (requesting entities) are aware of the reason for authentication and could share the data themselves, the State argued that the same data could be acquired by other means. The State also argued that Aadhaar was more secure than any data protection law. A statement the Bench disagreed with.
The need for a unique identity
While the Bench agreed that a unique ID was necessary, it questioned whether a less intrusive method could not have been provided and why there was a need to centralise and aggregate the data, especially when considering the risks.
The State argued that alternatives were unworkable and that CIDR is necessary for transactions, a point that the Bench once again disagreed with.
Smart Cards, said the State, did not ensure uniqueness. Their argument was that a single person could have multiple smart cards from different entities but the same biometrics. They argued that this was why a centralised database was needed.
The World Bank’s ID4D report was cited in support for the need of a unique identity and the crucial role it plays in the access of basic welfare services.
The UIDAI CEO argued that existing IDs have limitations both in terms of scope and geographically. He argued that Aadhaar was an easy-to-acquire, nationally verifiable digital identity.
On the assumption of consent
The State argued that prior to 2016, Aadhaar was voluntary, so those who applied consented by default. However, the Bench pointed out that the consent was only for acquiring Aadhaar, not for surrendering their data or commercialisation. The Bench also questioned whether informed consent could even be assumed.
While the petitioners pointed out that children cannot legally give consent for anything, let alone Aadhaar, the State claimed that all legal compliance was taken care of. The State also noted that only photographs of infants were collected and that biometrics would be collected at age 5 and 15.
For Aadhaar to be voluntary, the Bench observed that informed consent, purpose limitation and security were essential. The State tried to argue yet again that Aadhaar was voluntary, but the Bench countered that at the time Aadhaar was voluntary, there was no law and hence, no protection of rights. The Bench also noted that the initial enrolment forms did not contain provisions on the issue of collecting biometrics, which means that there was no informed consent.
The Attorney General argued that Section 57 merely allows the existing infrastructure to be used for other purposes so long as the purposes are legitimate.
On the scope and validity of Section 7
When defining Section 7, the Bench asked why pensions were included. Section 7 specifically deals with welfare and subsidies where as pension is an entitlement, a right. The State argued that since the pension was drawn from the Consolidated Fund of India (CFI), it had to be included.
When asked about exclusions, the State claimed that the Aadhaar Act specifies mechanisms for people who cannot authenticate.
The State argued that denial based on Aadhaar was not possible because under Section 7, Central and State agencies which require Aadhaar are required to provide enrolment services. The State also pointed out that a ration card could be used to avail NFSA (National Food Security Act) benefits in the absence of Aadhaar.
The State also noted that the Central govt had the power to replace the identification on which a benefit is to be obtained.
The cost vs benefit argument
The State claimed that Rs 9,000 Crore was invested in setting up and operationalising Aadhaar. According to various sources, the returns are claimed to be as high as 52.85 percent. It must be noted here that economist Reetika Khera disputed the claim, stating that the analysis was based on “unrealistic assumptions” and “outdated data.”
The State argued that Aadhaar was not a casual undertaking and was unprecedented in scope. The Bench pointed out that effort doesn’t answer the constitutional challenges to Aadhaar. They also questioned the 7-year gap between enforcing Aadhaar and enacting the Act.
According to the state, updating biometrics isn’t an issue because it can be done at enrolment centres. This statement does skirt around the Bench’s question regarding the technological illiteracy of several Indians.
Regarding exclusion, the State explained that a user is notified on an authentication failure. The Bench still pressed that this could lead to exclusion, to which the state responded that there were circulars stating that no one should be denied services over a failure to authenticate.
The State did admit that 100 percent authentication wasn’t possible. On day 23, the UIDAI CEO admitted that the figures for authentication failure stood at 8.54 percent for iris-based authentication and 6 percent for fingerprint-based authentication.
Prevention of bank fraud and limiting access to SIM cards: Aadhaar, it has been claimed, will prevent bank fraud and control terrorism by limiting the access to SIM cards. The Bench pointed out that bank fraud isn’t caused by multiple identities. The Bench also noted that terrorists were not likely to apply for SIM cards themselves, so forcing an entire population to link SIM cards was neither proportional nor justified.
The reasonable expectation of privacy, the State argued, could only be judged by considering the ‘totality of circumstances’. In this regard, Aadhaar’s invasion of privacy was minimal, argued the State.
The State claimed that the mandatory Aadhaar-PAN linking resulted in the discovery of 11.35 lakh fake PAN cards. The Bench did note that while fake PAN cards were being weeded out, the ingenuity required to make fake PAN cards could easily apply to the creation of fake Aadhaar cards. To this it was stated that no system is fool proof.
The advantage of Aadhaar, it was claimed, was that a person would have to come in person to claim entitlements. This was described as a revolutionary step as fingerprinting enabled deduplication. The Bench, here, observed that this may not be the best model, since the individual should not be a supplicant and instead the State has a duty to provide him with benefits.
The validity of Aadhaar
The State argued that Aadhaar fulfilled the tests laid down in the Puttaswamy judgement for a reasonable restriction on the right to privacy and that Aadhaar collected the least possible amount of data required.
The lawyers argued that like the RTI (Right to Information) Act, Aadhaar is an example of a reasonable restriction of privacy in the larger public interest. They argued that Aadhaar was necessary to prevent black money and money laundering, and that the Court could not second-guess the intent of the legislature. The Aadhaar Act, thus, passes the test of proportionality and the ends justified the means.
KK Venugopal for the State later argued that since all other means of authentication had been exhausted, Aadhaar passed the test for proportionality.
Binoy Viswam judgement: An important argument made in defence of Aadhaar involced the Aadhaar-PAN case. The State argued that the Binoy Viswam judgement, which held that there was a rational nexus between Section 139AA and the objectives sought to be achieved, satisfied the requirement for proportionality.
The State argued that the defects in a law must first be sought to be resolved rather than struck down.
The State later argued that Aadhaar was, in pith and substance, a money bill, and ancillary provisions in relation to appeal, revision, etc., which are needed to make the Act complete, do not fall outside the ambit of Article 110 of the Constitution (which defines a money bill).
Rejoinders from the petitioners
The petitioners commenced rejoinders on day 33 of the hearings.
The petitioners pointed to technical evidence previously submitted which prove that Aadhaar could be used for surveillance. They also noted that biometric data was accessible to some third-party vendors, and that the leakage of verification logs could result in the formation of forged identification. The Bench countered that it wasn’t possible to have perfect privacy and that some loss is expected in the digital world.
Petitioners also argued that UIDAI’s presentation showed surveillance at various levels and that every biometric device had traceability. They argued that this would have a chilling effect on a person’s conduct.
On the issue of balancing rights, the petitioners argued that people should have a choice and that if the Court recognises Aadhaar as a vehicle for surveillance, it would have to be expressly rejected. The Bench here observed that the march towards technology is inexorable, and no court or government can stop this. Shyam Divan then argued that choice and options are a part of democracy, and people should be allowed a choice in this issue.
Petitioners also pointed out that there was no verification during enrolment, and hence no proof that documents submitted were genuine. Aadhaar, they argued, was thus essentially a self-declaration system of verification, which no one in the government has verified. In such a scenario, Aadhaar cannot stop terrorism.
They also pointed out that Aadhaar doesn’t verify if a person is an illegal immigrant, directly violating a court order that said that Aadhaar should not be given to illegal immigrants.
Petitioners also noted that banks and telecom companies were seeding an individual’s Aadhaar with their bank accounts and telephone numbers without their permission. Diwan further argued that the biometrics of almost 100 crore individuals were collected by the UIDAI without statutory or other written authority.
It was also pointed out that the original Aadhaar notification made no mention of biometrics and that Section 7 should not be mandatory for children and a few other such entities.
Divan then argued that Aadhaar, as a whole, has increased the coercive power of the State against the individual and that it circumvents constitutional protections.
Senior counsel Gopal Subramaniam argued that a crucial question was on how to handle acts of misfeasance and malfeasance in the delivery of public services. The government, he argued, cannot place the burden of its own failures on the people. He argued that if a law has the effect of disempowering people, and impairing the identity guaranteed to them by the Constitution, then it must fall.
Petitioners argued that if the purpose of Section 7 was to further the dignity of an individual, as argued by the State, this could not be done by making it conditional.
Subramaniam pointed out that there was no evidence that the stated purpose of achieving seamless delivery through the Act, was being achieved. In fact, the only evidence available is that of exclusion. The Aadhaar Act, he argued, is not an instrumentality to deliver services, but was a means of identification.
On turning to the issue of lack of oversight of requesting entities, the Bench observed that an Act like Aadhaar needs a hierarchy of regulators, who are absent.
Further, under Section 7, the terms ‘grant of subsidies, benefits and services’ are expressions of condescension, instead of being treated as an entitlement. The counsel argued further that Section 7 had virtually been interpreted to be mandatory as opposed to discretionary, making citizens subservient to it.
The Aadhaar Act, the petitioners argued, needs to be struck down completely as it fails the tests laid down in the Puttaswamy case, there was no legitimate aim since the real aim differs from the purported one, there was no law when Aadhaar was implemented, and there is no proportionality.
Aadhaar cannot be a Money Bill, and can at most be a financial bill under the Constitution, argued the petitioners. The court, they argued, cannot save an Act so fundamentally unconstitutional as to be passed without the participation of the Rajya Sabha and without the assent of the President.
They further argued that Aadhaar could never be used to resolve problems like black money and money laundering since the sources of such money is different. These issues, he argued, were being used as a ruse to collect people’s biometrics.
Section 57, the petitioners argued, should be completely removed from the Aadhaar Act.
Tech2 is now on WhatsApp. For all the buzz on the latest tech and science, sign up for our WhatsApp services. Just go to Tech2.com/Whatsapp and hit the Subscribe button.