Final hearings in the Supreme Court on the constitutional validity of Aadhaar—the biometrics-linked, 12-digit Unique identification (UID) number project—entered their second week as they continued on 23 and 24 January 2018.
On the third and fourth day of the hearing, senior counsel Shyam Divan, representing the petitioners challenging Aadhaar, pointed to several sections of the Aadhaar Act of 2016 that were problematic and potentially unconstitutional, including the way the Act itself was passed as a Money Bill.
On 24 January, Divan specified five heads under which the Aadhaar Act was being challenged.
The first challenge is under the head of surveillance.
Elaborating on this, Divan presented two affidavits by security personnel as well as technical evidence from different parts of the world to show how the architecture of Aadhaar enabled surveillance.
Reading out the first affidavit from one Mr Samir Keleker, Divan said, “The project facilitates real time and non real time tracking of UID holders. It is quite easy to know the place and type of transaction every time authentication takes place. This would allow the UIDAI or any other party to track behaviour.”
“UIDAI recommends that each Point of Service Device register itself with UIDAI and get a unique ID. This method of uniquely identifying every device further makes the task of tracking location easier,” the affidavit read. “If army personnel are using Aadhaar to take salary, and the system is hacked, there could be national security issues.”
Divan then read Mr J D’Souza’s affidavit, “I have conducted demonstrations to show the unreliability of biometrics. One demonstration was before UIDAI officials themselves. They were shown the ease with which fingerprints can be replicated.”
“I have examined multiple fingerprint machines. They can be tampered with to capture biometric data before the point of encryption. This called a ‘skimmer’”, said the second affidavit.
“These machines that are not manufactured indigenously. The machine code and source code is not known to UIDAI. There may be backdoor or Trojan Horse feature that can be used for data mining without UIDAI knowing. There are serious national security implications… Data collected over an individual’s lifetime can become a tool of political blackmail. This can compromise even constitutional functionaries.”
Jan Chrysler had recently cracked the iPhone biometrics systems and also iris recognition,” the affidavit mentioned. Divan went on to give other instances of technical evidence that proved such an architecture could enable surveillance.
The second head was violation of privacy.
There was violation of privacy between 2010 and 2016, prior to the Act, and the violation continues even after the Aadhaar Act. The citizen is being forced to report her activities to the State through the electronic trail she leaves behind, but the citizen has the right to maintain control over personal information in a digital society.
The third head was limited government. Divan said the Constitution was not about the power of the State but about limits to that power. Aadhaar allows the state to completely dominate an individual because it makes profiling possible.
The fourth head is that the Aadhaar legislation was not a Money Bill, even though it was passed as such. However, this point will be argued by senior advocates Arvind Datar and Kapil Sibal.
The fifth head, said Divan, was that the Act violated Articles 14 and 21, as there was no informed consent nor any opt-out option. The UIDAI has no direct relationship with the data collecting agencies, and the collected and stored data was not safe.
Divan said the concept of a central database – the Central Identities Data Repository (CIDR), a government agency that stores and manages the data collected under Aadhaar – where all data is stored in one place could pave the way for authoritarianism. When Justice Chandrachud asked who maintained the CIDR, Divan replied that specific details about the CIDR was not in public domain because of natural security concerns. When Justice Chandrachud asked whether the source code was with the UIDAI, Divan said it was proprietary and not with UIDAI.
On 23 January, the five-judge Constitution Bench posed a number of questions for the petitioners to address in their arguments.
Justice Chandrachud had asked, “You have argued so far that the entire Aadhaar programme is unconstitutional. There is another facet of this – that there are some bottlenecks in the programme that can be ameliorated. Will you argue on that?”
Divan replied, “No, I will only mention that aspect. There are websites publishing huge numbers of Aadhaar cards. There is a concern regarding being protected from extensive profiling. Whether it is constitutional remains to be determined. Surely a democracy entails some amount of trust in the citizens. There are two aspects here – one, not to procure the Aadhaar at all, or secondly, not mandate the usage of Aadhaar everywhere and allow alternative ID proofs.”
The judge then raised the question that citizens’ relationships with private entities was being tracked even in the absence of Aadhaar, so what made Aadhaar the problem? But he said he did not want the question answered right away.
Senior advocate Kapil Sibal had also joined in the discussion on the third day of the hearing.
“There is no such thing as a secret in this world. The concern is regarding the compulsion to share information of a sensitive nature. But also to what extent can the State seek information from me under one umbrella?” Sibal asked the bench.
He gave instances where taxi service providers were demanding Aadhaar and a single woman had been asked by her employer to provide Aadhaar.
Responding to arguments about how Aadhaar enabled profiling, Justice Chandrachud said, “The concern regarding profiling is fine. But is that not helped by restriction on the use of data for a specific purpose?”
But Sibal replied that thanks to Section 57 and other provisions of the Aadhaar Act, any private entity could ask for Aadhaar.
Divan said, “There is a huge difference between state and private agencies. The State is entitled to exercise a definite amount of power over the citizens. Also, it is the obligation of the State to safeguard the privacy interests of the citizens from itself as well as the private entities. If the Act is upheld as being constitutional, by virtue of the electronic trail, profiling and authentication records, it will be possible to know where one is at any point of time throughout his life.”
Divan also pointed out that as per Section 47 of the Act, an enrolled individual could not make a complaint about any offence punishable under the Act, only the UIDAI or any officer authorised by it could do so.
The point about Section 57 of the Act also came up, as it allows the Aadhaar number to be used for establishing the identity of an individual for any purpose as may be required by any law or contract to that effect.
When Justice Sikri said data was not leaked by merely giving one’s Aadhaar number.
Divan noted that, “…one is being required to give their Aadhaar number to several persons. That, combined with the other information already available to them, can be used to build a complete profile. And sometimes, one has no choice, like in the instance of taxi service providers cited by Mr. Sibal.”
Justice Chandrachud said citizens were also required to submit their PAN at various places, but Divan said the Aadhaar number was linked to one’s biometric data.
Justice Chandrachud said that the data was confined to the CIDR. Divan replied, “Let us say, for example, for obtaining a new telephone connection, some company requires fingerprints. The prints can be skimmed from the reader, removed and collected. And this is being done.”
Divan had begun his arguments quoting various aspects of the privacy judgement delivered on 24 August 2017, when a nine-judge Constitution Bench of the Supreme Court had declared privacy a Fundamental Right.
“The entire Aadhaar project entails invasiveness and breaches. The scheme is unbecoming of a liberal, democratic society. The statute protects the programme, and hence, even the Act is bad,” Divan said.