(This is the fourth and concluding part of Anand Venkat’s guest post series interrogating the factual foundations of the Aadhaar judgment. It is also the concluding essay in this blog’s coverage of the Aadhaar judgment (for now). We will be putting up a round-up shortly.)
In this final part on the analysis of the Aadhaar judgement, we touch upon how the Majority judgement handled the arguments on data security in relation to the Aadhaar data, and contrast it with the minority opinion of Chandrachud J.
Are data leaks harmful for the people involved? The SC did not want to consider this question at all, and punted it to the currently pending case in Delhi HC (Page 250, footnote):
A challenge to the Aadhaar project for violation of IT Act and Rules has been filed in the Delhi High Court in the matter of Shamnad Basheer v UIDAI and Ors. Therefore, we are not dealing with this aspect, nor does it arise for consideration in these proceedings.
It was argued extensively before the court that the data collected during Aadhaar enrolment includes not just demographic data and biometrics, but also additional information, such as religion and caste, which was explicitly forbidden by the Aadhaar Act; and furthermore, this additional information was sent to the various State Resident Data Hubs (SRDHs).
However, the Majority did not engage with the evidence, and instead merely cited the Aadhaar Act. It neither declared the collection of additional information in variance with the Aadhaar Act as illegal, nor did it want to deal with the information stored in SRDHs, obtained during enrolment (Page 274, Para 193).
Section 2(k) specifically provides that Regulations cannot include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history. Thus, sensitive information specifically stand [sic] excluded.
It also concluded, as per the PowerPoint presentation by the UIDAI CEO, which is not part of the affidavit, that location information was not collected (page 541):
We have recorded in detail the powerpoint presentation that was given by Dr. Ajay Bhushan Pandey, CEO of the Authority, which brings out the following salient features: (i) During the enrolment process, minimal biometric data in the form of iris and fingerprints is collected. The Authority does not collect purpose, location or details of transaction.
By doing so, it chose to ignore the affidavits filed by Manindra Agarwal on UIDAI’s behalf, which stated that a breach of verification logs will result in the leakage of location data. The minority opinion, however, explicitly refers to the affidavit and declares that (page 886):
The report indicates that it is possible through the Aadhaar database to track the location of an individual. The Aadhaar database is different from other databases such as PAN Card or driving license. The Aadhaar database is universal and contains the biometrics of an individual. The threshold to scrutinize the effects of this database is therefore much higher as compared to that of other databases.
And once all the contradictions were resolved by selectively ignoring the factual claims made by the petitioners (and also supported by affidavits filed in support of UIDAI), the Majority then proceeded to declare that (page 274, para 194):
We find that Section 32 (3) of the Aadhaar Act specifically prohibits the authority from collecting, storing or maintaining, either directly or indirectly any information about the purpose of authentication. The proviso to Regulation 26 of Authentication Regulations is also to the same effect. Thus, the principle of data minimization is largely followed.
An important question in cyberspace is how to classify personal data as sensitive or non-sensitive. It must be noted a priori that this classification depends upon the context. For instance, my true name might reveal my religion, which could be used to harm me in a conflict zone, but would be entirely harmless elsewhere. Similarly, fingerprint and facial scans, freely obtainable through photography, could be harmless if shared without associated identity information, but could be deadly for public anonymity in authoritarian regimes.
Once again, the Majority is oblivious to this basic distinction, when it proclaims that (page 273, para 193):
Demographic information, both mandatory and optional, and photographs does [sic] not raise a reasonable expectation of privacy.
On the other hand, Chandrachud J.’s minority judgement correctly notes that (page 778, para 148):
Section 29(1) of the Aadhaar Act expressly states that ‘core biometric information can never be shared with anyone for any reason whatsoever or be used for any purpose other than generation of Aadhaar numbers and authentication under this Act’. However, this provision which seemingly protects an individual’s core biometric information from being shared is contradicted by Section 29(4) of the Act, the proviso to which grants UIDAI the power to publish, display or post core biometric information of an individual for purposes specified by the regulations. The language of this section is overbroad and which could lead to transgressions and abuse of power. Moreover, sub-sections 29(1) and (2), in effect, create distinction between two classes of information (core biometric information and identity information), which are integral to individual identity. Identity information requires equal protection as provided to core biometric information.
While the UIDAI made the claim that all biometric data is encrypted, the Majority went further and made the astonishing claim that the encrypted data was also sent to the CIDR immediately. The offline enrolment client, however, does not do that, in order to facilitate enrolments done in places where internet connectivity is non-existent.
Furthermore, the UIDAI also claimed that the entire Aadhaar enrolment eco-system is foolproof, because within a few seconds of the biometrics having been collected by the enrolling agency, the said information would be transmitted to the Authorities/CIDR (in an encrypted form), and go beyond the reach of the enrolling agency.
Chandrachud J.’s minority judgement, however, notes correctly that encryption was not even mandated in the initial stages (page 772):
In the ‘Aadhaar Handbook for Registrars 2013’ (“2013 Handbook”), it was stated that “UIDAI has defined security guidelines for the storage of biometric data”. While it is indicated in the handbook that guidelines for storage were defined by UIDAI, it is evident that this took place only after 2010 before which the registrars were functioning without guidelines mandating how the biometric data was to be kept secure.
Hacking and Hope
During the course of the hearing, the counsel for the petitioners, Mr. Divan, pointed out various attacks on the CIDR. One of them was the UP Aadhaar hack case, which was part of the oral record; FIRs related to these attacks were also part of the written submissions by Mr. Grover. This is how the Court responded:
It may, however, be mentioned that of late certain reports have appeared in newspapers to the effect that some people could hack the website of CIDR, though it is emphatically denied by the UIDAI. Since there are only newspapers reports to this effect which appeared after the conclusion of hearing in these cases and, therefore, parties could not be heard on this aspect, we leave this aspect of the matter at that with a hope that CIDR would find out the ways and means to curb any such tendency.
It is possible to argue that the above paragraph refers not to the petitioners’ submissions, but to a later HuffPost article on data breaches. However, it does not change the reality that the Majority did not engage with materials provided by the petitioners through affidavits, written submissions and also first information reports filed by the police themselves.
How do you analyze the impact of a technological regime on the Constitution? That was the heart of the question in the Aadhaar challenge. There are always unknown positives and unknown negatives when a new technology is rolled out. The court was asked to make a comparative analysis between the two, and come up with a decision.
The typical process used is a cost-benefit analysis (which, under constitutional review, is further refined and made more rigorous by taking into account rights violations, as part of the proportionality standard). However, until today, the State has not even engaged in such an exercise, for it would instantly show that the costs far outweigh the benefits, on all – economic, technological and data security – angles. Instead, the State denied the very existence of costs, and stated that the benefits were immense, without a shred of evidence.
The Majority opinion, however, has done something even more astonishing. It has refused to engage with factual claims on these aspects made by the Petitioners, and then went on to declare that Aadhaar is unhackable and foolproof, based on the submissions of the State. By doing so, it also set the template for future litigations. All the State has to do, henceforth, when it rolls out technological regimes that are untested and have huge implications for the population, is to ensure that it:
- Rolls them out at scale.
- Uses any means necessary to ensure the roll out.
- Ignores any previous court orders barring it from the roll out.
- Denies all harmful effects of the technology on the ground.
- Makes up evidence about the benefits.
- And also makes a PowerPoint presentation to the court, when challenged on these aspects.
The Majority opinion on Aadhaar showed that this strategy might well succeed. However, the dissenting opinion by Chandrachud J indicates that there might yet be hope for a future Court to have an intelligent factual debate about the intersection of technology, freedom and state.
In the interim, people can continue to die, crucified on “the unproven plea of exclusion of some”, submitted as evidence or in affidavits. After all, the dead don’t speak, and even if they do, the court won’t listen.