
How safe is the data collected for Aadhaar cards? Credit: Reuters/Mansi Thapliyal
Hillary Clinton’s use of private email servers, the alleged Russian hacking of the Democratic National Congress’s servers, the possible plundering of 500 million Yahoo! accounts, the Aadhaar case and Snowden’s disclosures on NSA spying are developments that dramatically demonstrate that while technology is growing by leaps and bounds, the law unfortunately has not kept pace.
Technology now has a profound impact on every sphere of the life of the aam aurat (common woman) – changes to Facebook or WhatsApp rules impact her social and personal life, foreign countries hack and leak a political party’s information in order to influence her vote and the outcome of elections, and foreign cyber-terrorism directly impacts her life and security. And so, the ubiquitous nature of cyber technology can no longer be addressed by simplistic legal solutions or a single Act or regulation. In other words, passing one ‘Information Technology Act’ or adding a few sentences to the country’s old penal code to address cyber crimes is not an adequate legal response to address technology and its dramatic impact on various spheres of life, ranging from the exercise of democratic rights to physical security.
Yet we use this oversimplified approach and apply outmoded legal tools to address technology, even though we can clearly see these old precepts are sorely inadequate. In recognition of digital technology’s transformative effect on a person’s personal and democratic rights, it is now vital for the law to create and be imbued by new jurisprudence. This task can no longer be put off, because at risk are the cherished rights to security and life.
World’s largest biometric database
The Aadhaar case – and its treatment by the Supreme Court and the government – is a classic case in point. The Aadhaar project is the world’s largest identification number project and is creating a database of biometric (photographs, fingerprints and iris scans) and demographic (name, date of birth and address) information. Similar to the US’s social security number, the objective is to implement a 12-digit unique identity number for all of India’s residents.
The legislative history
In 2009, the Congress-led UPA government created the Unique Identification Authority of India (UIDAI), a central agency to implement Aadhaar, a project with an estimated budget of Rs 6678.32 crore ($990 million). In 2010, the Manmohan Singh-led government introduced the National Identification Authority of India Bill in order to provide statutory backing for the UIDAI and to give legal effect to Aadhaar. The Bill did not become a law because the parliamentary standing committee on finance, led by the BJP’s Yashwant Sinha, rejected it. Ostensibly, the Bill was rejected because of the project’s high cost and concerns regarding national security, privacy and duplication of the National Population Register’s activities. Purportedly, the Aadhaar project’s ambition to enroll every “resident” of the country, rather than every “citizen”, was also a concern.
In 2016, as part of the new budget, the BJP-led NDA government dropped its prior opposition and resurrected the Aadhaar (dropping an “a” in the name as well). Finance Minister Arun Jaitley introduced the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill in the Lok Sabha as a ‘money Bill’ on March 3, 2016. In India, similar to the UK and its Westminster system (and in contrast to the US’s appropriations bills), a money Bill will become an Act so long as the Lok Sabha passes it. Article 110 of the constitution states that the Rajya Sabha may make recommendations to the Lok Sabha (but does not provide the Upper House with the power to amend) a money Bill and return the same to the Lok Sabha within 14 days. It remains the Lok Sabha’s prerogative to accept or reject the recommendations.
In the case of the Aadhaar Bill, though the Rajya Sabha proposed a few amendments and returned the bill to the Lok Sabha, the Lok Sabha rejected these proposed changes and passed it on March 16, 2016. On this date, the Act would have become the law but for the Congress challenging the vires of this Act in the Supreme Court.
The Supreme Court saga: Is Aadhaar a money Bill?
On April 6, 2016, former union minister Jairam Ramesh filed a writ petition challenging the vires or legality of the 2016 Act, on the grounds of procedural irregularity and violation of the right to privacy. About the first, it was alleged that the Rajya Sabha (where the BJP does not have a majority) opposed the Aadhaar Act and so, it would not have been passed if introduced as a regular Bill. The government then classified this as a money Bill solely to subvert Rajya Sabha opposition.
Several constitutional experts have pointed out that Aadhaar did not fit within the definition of money Bill in article 110 and so use of article 110 was improper. Article 110 was intended solely to cover the imposition, repeal, remission, alteration or regulation of taxation or the imposition for the payment of debt or other financial purposes of charges on the Consolidated Fund. Senior counsel Arvind Datar had earlier (in January 2016, in the context of the Insolvency and Bankruptcy Bill, 2015) bemoaned the government’s use of article 110 to pass a number of legislations, bypassing the Rajya Sabha.
Article 110(3) of the constitution states that in the event of a dispute, the Lok Sabha speaker’s decision is final. Attorney General Mukul Rohatgi pointed to this provision to state that this decision to classify the Bill as a money Bill was not open to judicial review. Former finance minister and senior counsel P. Chidambaram, former law minister Kapil Sibal and former solicitor general Mohan Parasaran (appearing on behalf of Ramesh/the petitioners) argued as follows: proposing the Aadhaar as a money Bill was a colourable exercise of power and the government’s actions violated the rule of law and the basic structure of the constitution, and hence was subject to judicial review. On April 25, Chief Justice T.S. Thakur found Chidambaram’s argument sufficient to seek the attorney general’s opinion and referred the matter to a larger bench. This bench, consisting of Chief Justice Thakur, Justices Banumati and U.U. Lalit, too held the issues raised by the Aadhaar case merited review by the Supreme Court.
In May, this bench asked both sides to provide submissions on whether or not judicial review is permissible under article 110 and hearings have not yet occurred (though posted for oral hearings in July and September). Several experts have opined that article 110(3) does not preclude judicial review based on different lines of reasoning. Many scholars argue from the standpoint of constitutional balance – this power should not be misused by the government or allowed to denude the power of other organs and constitutional bodies such as the Rajya Sabha. Ramesh, the petitioner in the case, additionally pointed out the Speaker only has the power “to certify” a money Bill as such and it remains the government’s prerogative to classify one as such and hence, the latter is subject to judicial review. Moreover, Ramesh also amended his petition to include additional grounds, including the allegation that the Aadhaar violates the right to privacy. Notably, in Justice Puttaswamy (Retd.) v. Union of India, a constitution bench of the Supreme Court is already looking into the privacy question behind Aadhaar. Essentially, the Supreme Court had already referred the matter to a five-judge bench to decide on the vires of the Aadhaar on the grounds that it violates the right to privacy. Intriguingly, though the Supreme Court combined a number of cases challenging the Aadhaar project to be heard simultaneously (along with Justice Puttaswamy), the court has not included Ramesh’s petition in this batch.
The Supreme Court’s verdict on whether or not article 110(3) limits judicial review will be particularly interesting. In the past decade and a half, the Supreme Court of India has crafted new jurisprudence on judicial review. Since 2010 the Supreme Court under several chief justices from S.H. Kapadia onward, in a slew of high-profile cases – 2G spectrum, coalgate, appointment of the chief vigilance commissioner – has reinvented judicial review, as I have argued elsewhere. The Supreme Court has repeatedly said that though they did not have the power to and would not review the government’s decision, they had the power to examine whether the government considered the right materials in arriving at its decision, and used this tool to adroitly strike down a number of colourable or corrupt political decisions. Conceivably, applying this principle, the Chief Justice Thakur-led bench too could intervene in the Aadhaar article 110 challenge, if it so elects. However, in contrast to Chief Justices Kapadia and Lodha, for instance, Chief Justice Thakur tends to be more thoughtful and deliberative on the issues that he selects to assert vis-à-vis the government. Once he chooses the issue, it is worth remembering few chiefs have been as candid as he has – case in point, when he asked the government to explain the delay in filling judicial vacancies. Hence, with less than a quarter remaining before this chief demits office (in January 2017), Chief Justice Thakur’s decision in this case remains intriguing from a legacy perspective too.
Right to privacy: Determined by the number of judges on a bench?
This brings us to the argument that Aadhaar violates the right to privacy and hence, ought to be struck down as unconstitutional. Both the Aadhaar Bills, the Congress’s 2010 version and the BJP’s 2016 version, have been challenged as violating the right to privacy. Unfortunately, instead of delving into the factual aspects such as the type of information being collected, whether the government has taken adequate security measures to protect its citizens’ biometric data and the real risks posed by hacking from China or Pakistan, the legal aspect of whether the right to privacy is a fundamental right has achieved primacy. As the Aadhaar cases are weaving their way through the Supreme Court halls, this constitutional question has been further reduced to whether more recent cases (recognising a right to privacy) can overrule past decisions (albeit made by larger judge benches).
The 2010 Bill was first challenged in Justice Puttaswamy (Retd.) v. Union of India. Many petitioners filed petitions challenging the vires of the Act and these cases were grouped for joint hearing along with the Justice Puttaswamy case. Essentially, the petitioners asserted that collecting such biometric data violates the right to privacy. The two arguments for the constitutional basis for privacy rights were as follows: some petitioners argued that the right to privacy is implied under article 21 whereas other petitioners submitted that it was derived from other fundamental rights.
Famously, Rohatgi argued there was no fundamental right to privacy in India. In support, he relied on two Supreme Court decisions in 1954 and 1963 (M.P. Sharma and Kharak Singh respectively). Rohatgi further claimed the few cases creating a right to privacy (Guru Gobind Singh v. State of MP, 1972, R. Rajagopal v. Union of India (or the Auto Shankar case), 1994 and PUCL v. Union of India, 1997) were decided by smaller, two or three judge benches (in contrast to the eight and six judge benches in the cases denying a right to privacy). On this basis, Rohatgi and senior counsel K.K. Venugopal argued there was divergence in legal opinion, which ought to be resolved by a larger or five-judge constitutional bench. And so, the three-judge bench of Justices Chelmeswar, S.A. Bobde and C. Nagappan referred the matter to a larger bench.
If Rohatgi’s only objection to the recent precedent – as recorded in the judgment – was on the basis that the earlier 1954 and 1963 decisions denying a right to privacy were decided by larger benches, then how is a five-judge constitutional bench the solution? The 1954 and 1963 decisions were decided by eight- and six-judge benches respectively, and if Rohatgi believes the Supreme Court cannot overrule its old decisions with the common smaller benches of today, then how would a five-judge bench resolve this impasse? Notably, in recent years, partly to accommodate its immense case load, the Indian Supreme Court justices scarcely sit as large benches and mostly sit as two- or three-judge benches to enable more courts to function. This is in contrast with the US Supreme Court, for instance, where the entire court sits together to hear matters. Admittedly, in its early years as a republic when constitutionalism was still taking root, larger benches of the Indian Supreme Court were constituted to decide on cases. Eleven- and 13-judge benches as seen in I.C. Golaknath and Keshavananda Bharati are now unheard of. In this context, to peg a constitutional argument solely on bench size is rather strange.
Nevertheless, the question before the five-judge constitutional bench was framed as follows:
“[T]o give a quietus to the kind of controversy raised in this batch of cases once for all, it is better that the ratio decidendi of M.P. Sharma (supra) and Kharak Singh (supra) is scrutinized and the jurisprudential correctness of the subsequent decisions of this Court where the right to privacy is either asserted or referred be examined and authoritatively decided by a Bench of appropriate strength.”
The Supreme Court saga part II: contempt proceedings
The legal pitch has been further complicated by the government’s actions violating the Supreme Court order and consequent contempt petitions filed in September. Though the legality of the project and the Act is under review, various government agencies have begun to insist upon the Aadhaar card, in direct contravention of the government’s assurances at the Supreme Court as shown in the timeline below.
Facts matter
Unfortunately, the legal and political discussion on Aadhaar has subsumed the debate and put the factual analysis on the backburner, jeopardising privacy and security. There has been little to no attention paid to the nature of the information being collected, the security measures the government is taking to safeguard the data from hackers, or what happens in the event of a security breach.
First, India is choosing to collect and store the biometric and demographic information of its citizens, creating a massive database. Creating such a large database will naturally attract hackers, which is particularly dangerous in the context of India’s significant conflicts with China and Pakistan. Indeed, after the surgical strikes in 2016, there have been many reports of the cyber war between India and Pakistan, including when several Indian government sites such as the National Green Tribunal, Bihar State Electronics Development Commission and others were hacked and defaced. In 2015 alone, according to Wikipedia, over three billion user entries were compromised (totalling 707 million records, and over 1,600 websites’ databases were breached).
In light of the above, a second and related question arises – how does the government intend to safeguard the personal information of its citizens and massive database that the government is creating? In other words, what are the design, architecture and security measures the government has selected and built in order to prevent hacking and stealing of its citizens’ critical personal data from the world’s largest database that the government has chosen to create?
The only information available so far is Nandan Nilekani’s (the first UIDAI chairperson) assurance that all the data is stored in encrypted form: “The data is encrypted at the highest 2048 bit encryption, which takes 1000s of years to crack and it is what the government notifies it as minimum security standard.” PKI-2048 and AES-256, the “highest available public key cryptography encryption”, is being used, according to the UIDAI. Hence, even if any computer or data is stolen, without the code, it will not be decipherable.
However, there are two serious flaws in the above argument. One, while the encryption may cover “data storage,” the data remains vulnerable during “transfers,” for instance. Initially, the government assured the Aadhaar will not be linked to any other database. However, many departments have since been linking the Aadhaar to their databases; such linking creates a door for potential hackers. For instance, the Election Commission began linking electoral rolls to the Aadhaar database and only suspended it in August 2015 after the Supreme Court’s orders. Similarly, UIDAI offers an “e-KYC” option whereby the data can be digitally transmitted to third parties (albeit, those registered as service providers with UIDAI). Conceivably, this may be very convenient but it creates an opening which hackers can exploit. To date, the government has announced intentions to link it to systems to obtain LPG, subsidised commodities or the public distribution system, MNREGA, tribal welfare schemes, scholarships and passports – though it is unclear how many will involve “seeding” or mere insertion of the Aadhaar number and which ones will be linked or have the systems exchange data. Moreover, the government also contemplates consumers accessing this via ATMs, which have already been the source of a data breach in India.
Two, technology and hacking prowess are changing dramatically every day. For instance, it is predicted there will be a “quantum computer” in the next ten years. According to the New Yorker, this “new type of machine” would, “on its first day of operation, be capable of cracking the Internet’s most widely used codes.” According to scientists, it is unclear which security measures, if any, will be impregnable against the quantum computer, negating Nilekani’s argument.
Experts at technology majors such as Google and the NSA agree that hacking has taken so many sophisticated forms that protection can no longer be addressed with traditional anti-virus programmes or patches. Viewed in this light, the laissez-faire approach to information security and the consequences for individuals is unnerving.
Conclusion
There are a number of ways in which such information can be misused – terrorists could utilise the biometric information to gain access to India’s high security military information or masquerade as an Indian when placing bombs in New York. This unthinking approach is particularly alarming when India is China’s key geographical rival and China, for instance, has an established record of hacking US and other countries’ databases, such that in September 2015, Presidents Barack Obama and Xi Jinping entered into an accord to curb China’s military-related cyber attacks on the US. But even the US was forced to stay silent on the theft of 22 million personal security files from the Office of Personnel Management, and James Clapper, the director of National Intelligence, was asked to stop naming a specific country (China).
India’s decision to move forward with the identity card and biometric project also runs counter to the experience of other nations. Several nations such as the UK and France have scrapped such initiatives after initially starting them. In the UK, for instance, the then-home secretary (and now prime minister) Theresa May announced the end of the ID card project in 2010, citing the need to balance between “national security and civil liberties.” Similarly, Australia too in 2007 cancelled a health and social services access card, which it had started earlier. In France, in 2012 the Conseil Constitutionnel, the highest authority on the French constitution, evaluated a similar project and ruled the key provisions of the Identity Protection Act unconstitutional on the basis of privacy and inadequacy of security measures. The French legislation had interesting similarities to the Indian Act: it allowed certain authorities to have access to the database for the purpose of criminal investigations and offered the convenience of allowing citizens who “consented” to be able to affix an electronic signature and communicate their information electronically to third parties. The Conseil Constitutionnel held that the relevant article did “not specify either the nature of the “Data” through which these functions may be implemented or the guarantees ensuring the integrity or confidentiality of this data; that they do not define in any greater detail the conditions under which the persons implementing these functions are to be authenticated,…that accordingly, Parliament acted in excess of its powers; that accordingly Article 3 must be held unconstitutional.”
Clearly, the Supreme Court appears to be the final bastion. The problem so far has been that the 19th century notion of privacy – does the government have a right to collect data – is being put forward to address the problem of 21st century technology. The question can no longer be ‘can the government collect data’, nor is it an individual vs state issue. Digital technology has transformed the world in which we live, work and play today. Hence, the question confronting governments today is: what are the steps the government is initiating to protect its citizens’ data from being stolen, including by other foreign nations or nationals? Protecting citizens’ information, as the Aadhaar case ably demonstrates, affects identities, access to scholarships, minimum wage jobs, distribution of food-grains, cooking gas, bank accounts – and hence, cannot be overemphasised. Thus, privacy is no longer merely a negative notion limiting government action but contains a positive duty to protect citizens. A new jurisprudence of privacy is the need of the hour. Intriguingly, no country in the world has as yet coherently articulated this jurisprudence. Chief Justice Thakur’s Supreme Court and the Indian bar are uniquely positioned to break new ground today; the question remains whether they will take the bull by its horns.
Aarthi S. Anand is a privacy and technology attorney at Wiggin and Dana LLP, New York and a Rhodes Scholar. The views expressed here are those of the author and do not reflect the views of the firm.