Senior Advocate Shyam Divan began Day 4 of the Aadhaar hearings with a dissection of Section 59 of the Aadhaar Act. This section validates all the actions undertaken by the UIDAI in the pre-legislation era between 2009 and 2016. However, as Mr. Divan pointed out, the Section applies solely to the actions undertaken by the Union Government through subsidiary entities – private registrars and enrolment agencies appointed by the UIDAI to collect citizen data and issue Aadhaars cannot be protected under Section 59.
To Justice Sikri’s interjection that the central government’s appointment of UIDAI validated its actions, Mr. Divan argued that the notification establishing the UIDAI might protect the actions of the central government in entering into the MoU, but cannot and does not cover the actions of the registrars. To this, Justice Chandrachud countered that the actions of the registrars could also be traced back to the MoU. In response, Mr. Divan pointed out that the actions of the Registrars cannot be construed to be the actions of the central government and, further, the enrolment agencies are not covered even under the MoUs. Therefore, the enrolments prior to the Act are not validated by Section 59. He stated that there could not be a retrospective validation of a violation of fundamental rights, particularly when such a violation was total in its effect.
Discussing how to deal with data breaches occuring prior to the act coming into force, Justice Chandrachud questioned whether Aadhaar was used by private players earlier, given that would not be retrospectively validated by “the legal fiction” of Section 59. Mr. Divan challenged the idea of retrospective validation on the grounds that informed consent is crucial, adding that there was the assumption that consent had been provided at all times, even prior to the Act. In the event the provision were to be upheld, it should be given the narrowest reasonable construction.
Mr. Divan proceeded to specify the heads of challenge to the Aadhaar Act (full note here):
- Violation of the Fundamental Right to Privacy
- Limited Government
- Impugned Act has been illegally passed as ‘Money Bill’
- Procedure followed violates Articles 14 and 21 (of the Constitution of India)
- Unreliability of biometrics and exclusion
- Illegal Object
- Democracy, Identity and Choice
- National Security and Personal Security
- Respondents’ Claims with respect to Financial Savings and Leakages are Inaccurate and Belied by Government Records
A discussion also ensued around the ownership of the Aadhaar data stored in the Central Identities Data Repository (CIDR), with Justice Chandrachud asking who maintains the CIDR. Shyam Divan replied that specific details about the CIDR are not in the public domain because of national security concerns. Justice Chandrachud further enquired whether the source code of the CIDR is with the UIDAI – Mr. Divan’s response – that the source code is proprietary and not with the UIDAI – drew a look of pure shock from Justice Chandrachud.
Shyam Divan contended that private enrolment agencies cannot be entrusted with the crucial task of ensuring informed consent. He said that the definition of “resident” is arbitrary and has no verification. He further argued that Section 7 is unconstitutional, because an individual’s entitlements cannot be made subject to compelling her to give up her constitutional rights. “It is both an unconscionable and unconstitutional bargain.” The individual has a right to remain free of monitoring as long as they have not violated any criminal law. Mr. Divan said that on cancellation of Aadhaar, the services will be disabled- “You can just switch off a person.”
Shyam Divan also read out the circumstances in which an Aadhaar number can be cancelled, with the last circumstance being “where it appears fraudulent to the authority.” Justice Sikri asked why Aadhaar shouldn’t be cancelled if it has been fraudulently obtained. Mr. Divan replied that the point is that you are giving that power. Justice Sikri said that that is only a case of an abuse of the power. Justice Khanwilkar said that there is a provision to rectify in cases of wrong cancellation.
Mr. Divan then submitted a compilation to the Court that deals with the issue of the circumstances in various jurisdictions where the taking of biometrics is considered reasonable and described provisions in the following Acts:
- Section 15 of the Census Act of 1948: the nature of protection accorded to census data. Records of census not open to inspection nor admissible in evidence.
- Section 7 of the Identification of Prisoners Act: provides for destruction of personal data if the prisoner is released without charge.
- Section 32A of the Registration Act: narrow purpose, taken one time, and is with one registry. This is an example of a legitimate purpose and done proportionately.
- Section 6 of the 1959 Bombay Habitual Offenders Act, the successor to the Criminal Tribes Act: palm impressions can be taken. But after five years, the registration of a “habitual offender” comes to an end.
Sham Divan asserted that all these acts are narrowly tailored, unlike the Aadhaar Act.
Shyam Divan continued his submissions with an explanation of the various challenges, starting with how the architecture of the Aadhaar Act enables surveillance. The CIDR retains the records. The State is empowered to collect records over the course of an individual’s lifetime. On the basis of aggregation, over time, the State acquires a profile of an individual, a community, a segment of society. He argued, “the Constitution does not permit a surveillance State.”
Every electronic device linked to the Internet has a unique number. In addition when the device is linked to CIDR, the devices exchange information. The device is assigned a specific ID at the first interaction. Thereafter, the transmission will be recognised as emanating from that device. A unique electronic path attaches to each transmission. This identifies the links through which the transmission is done. Each link is identifiable. It is technically possible to track every transaction. It is possible to track the location of every device in real time as well as the broad nature of the transaction.
Mr. Shyam Divan stressed that the extent and scope of the surveillance over time will deepen, and this is enabled by Section 57. He presented affidavits by security professionals Mr Samir Keleker and Mr JT D’Souza supporting this claim. He assured the Court that they have offered to come to Court and answer any questions that the Court may have.
Quotes from the first affidavit by Samir Kelekar (based on tweets by Gautam Bhatia):
“The project facilitates real time and non real time tracking of UID holders.”
“It is quite easy to know the place and type of transaction every time authentication takes place. This would allow the UIDAI or any other party to track behaviour.”
“UIDAI recommends that each Point of Service Device register itself with UIDAI and get a unique ID. This method of uniquely identifying every device further makes the task of tracking location easier.”
“There are other ways as well. No security is perfect. But biometrics are a problem because you can’t change them if lost or stolen or hacked.”
“If army personnel are using Aadhaar to take salary, and the system is hacked, there could be national security issues.”
Quotes from the second affidavit by JT D’Souza (Based on tweets by Gautam Bhatia):
“I have conducted demonstrations to show the unreliability of biometrics. One demonstration was before UIDAI officials themselves. They were shown the ease with which fingerprints can be replicated.”
“There may or may not be a GPS on the fingerprint device. GPS can be used to track location.”
“I have examined multiple fingerprint machines. They can be tampered with to capture biometric data before the point of encryption. This called a skimmer.”
“These machines that are not manufactured indigenously. The machine code and source code is not known to UIDAI. There may be backdoor or Trojan Horse feature that can be used for data mining without UIDAI knowing. There are serious national security implications.”
“Data collected over an individual’s lifetime can become a tool of political blackmail. This can compromise even constitutional functionaries.”
“Jan Chrysler recent cracked the IPhone biometric systems and also iris recognition.”
Justice Chandrachud asked to what extent the Court can go into questions of technical evidence and said that there is also a distinction between the existence of a mechanism and its abuse. He also asks if the distinction between fingerprints on your iPhone and Aadhaar is only of degree. He asked whether the Court should second-guess the decision of the executive government, especially when no system in the world is secure. Shyam Divan replied that the affidavits confirm that there is a complete mapping of the electronic path, which happens in real time, and that you can track the location.
Justice Chandrachud asked about tracking by Google Maps and other private corporations. Shyam Divan responded that real time tracking by the State, it is tantamount to a police State. The Constitution does not allow this. Google is not the Indian State, and the issue is one of consent. He cited the example of Stasi.
Justice Chandrachud said that he should have no objections to the State knowing whether he is paying his taxes. So there should be a distinction between collecting data and using it and asked if the use of data is limited to its purpose, then what the problem was with collection. He noted that we live in times of terrorism and money laundering and welfare expenditure, and this has to be balanced. He said that surveillance is about how data is used, not collected.
Senior Advocate Kapil Sibal said that the problem is of giving the State that kind of information. “Big Brother will have the information. He may use it and you won’t know it. By the time you do, he will become a bigger brother.” Mr. Divan agreed, saying that whole case is to prevent that situation where Big Brother is watching. He read several judgments in support of this:
- Justice Subba Rao’s dissenting opinion in Kharak Singh vs State of UP and others, which was endorsed in the privacy judgment as correct. (This was the first articulation of privacy in Indian constitutional history.). He read the parts of the judgment pertaining to the following:
- surveillance constricts life and liberty.
- “shadow of surveillance” engenders inhibitions upon people.
- District Collector vs Canara Bank (2005): This case involved bank raids and inspection of bank documents. Shyam Divan pointed to the part of the judgment that said “we are not living in a police raj.” ands tated this is exactly the point in this case.
- US Supreme Court judgment in US v Jones, wish involved a GPS and a warrant: Justice Sotomayor’s opinion that observed that you no longer need physical violations to infringe privacy. Shyam Divan read the part of the opinion that talks about how GPS data can reveal an entire profile of a person simply by knowing the places she visits. This can be mined years in the future. Because this is surreptitious, it evades scrutiny.
“The very awareness that the government is watching can chill speech and associational freedoms.” “Merely because you voluntarily disclose some information to some people for some time doesn’t mean you lose your privacy right over it.”
- Judgment of the ECHR in Sakharov vs Russia (summary on Wikipedia): This case involved interception of communications.
This concluded the day’s proceedings. The hearings will continue on Tuesday, 30/01, from 11.30 am.