On Aadhaar Authentication and Linking, the Supreme Court Barely Scratched the Surface

The majority judgment includes a half-hearted examination of exclusion concerns, inconsistencies in Aadhaar linking orders and an unclear legal roadmap when it comes curbing private interests.

Courts are guided by the adage that no innocent should be punished even if the guilty walk away free. A similar high standard was needed when allowing Aadhaar as a system of biometric authentication and identification.

Sadly, the Supreme Court’s majority judgment appears to have accepted submissions put forth by the Unique Identification Authority of India (UIDAI) on issues of security while glossing over its well-documented failures. It certainly does not dwell on what prompted the Aadhaar agency to blacklist 49,000 Aadhaar enrolment operators, a fact brought on record by petitioners.

Reports of security breaches are a dime-a-dozen these days and hence the judgment will not put to rest the validity of the system despite the apex court’s stamp of approval. Justice Ashok Bhushan’s judgment presumes improvement over time in the probabilistic identification by Aadhaar. While the judge’s optimism perhaps stems from the UIDAI’s submission, it is a proposition that remains largely unsupported by strong evidence.

Justice Sikri’s judgment reproduces UIDAI’s submission including the line “authentication failures do not mean exclusion or denial from subsidies, benefits or services” since they are required to provide “for exception handling mechanisms”.

The funny thing is that, theoretically-speaking, making such a claim was beyond the remit of UIDAI, which is a body there merely creates and authenticates biometric data.

Even state-owned user agencies and their competence was not evaluated in the course of this hearing. With much fanfare in the past, UIDAI has enrolled handicapped/ elderly in their homes as a publicity exercise, but is entirely silent on mechanism ensuring access to linked services.

The Supreme Court has apparently accepted the Aadhaar agency’s submission that “only in an unlikely scenario where both iris and fingerprint cannot be used for authentication, the mobile number is one of the methods for authentication”, failing which “… the requesting entities have to provide their own exception and backup mechanism”.

The focus on authentication failure presumes the ability to reach the point of authentication. The judgment needed to engage more with inability to travel to an authentication point or the likelihood that a person owns a functional mobile that is always in areas with top-notch mobile connectivity. In glossing over authentication issues, it also presumes ability to contest any exclusion in appropriate forum.

This decision therefore will encourage yet another form of majoritarianism if the onus is not reversed and duty is cast on the state as a whole to first put systems designed for the least-endowed – in terms of competence to travel to authentication point, the ability to withstand impact of failure of Aadhaar authentication, the ability to produce biometrics of type demanded, any failure in certain services automatically triggering an ameliorative step –  before mandating Aadhaar-linkages in an essential service.

True inclusion may require allowing good neighbourhood arrangement – in villages, often a neighbourhood child collected the ration for elderly people living alone against the person’s card. The existing system does not handle the problems of disabled and the aged living alone amongst the poor – those unable to seek authentication subsequent to doorstep issuance of Aadhaar. These issues needed more attention.

Seventeen lakh elderly, widows and differently abled persons in Jharkhand who qualify for social security pensions are reportedly denied entitlement. Credit: Right to Food Campaign

Aadhaar for food and education

Past verdicts have held that the right to food is enshrined in the fundamental right to life. The right to food has been the subject matter of public interest litigation before the Supreme Court since 2001.

It is odd then that when it comes to food and education, the position on Aadhaar differs.

On education, the apex court has taken a life cycle approach – ousting Aadhaar in school enrolment and for public exams and entrances. Nevertheless, this same decision misses a life-cycle approach in the case of right to food. Cooked mid-day meals served in schools as an incidence of school enrolment cannot require Aadhaar, but distribution of grains to indigent, disabled parents, grandparents and neighbours from the same social strata will.

Two fundamental rights have been dealt differently by this five-judge bench. The fundamental right to food has wider reach than right to education even. 75% of the rural population and 50% percent of the urban population is covered. The Mahatma Gandhi National Rural Employment Guarantee Act, 2005 (MNREGA) was also an off-shoot of the right to food movement – except its method is vide cash transfer. Where ever the marginalised have been excluded from food safety net services, they have resignedly accept it. They have neither the knowledge, resources or time needed to reverse it.

Before administering any test of proportionality in the case of food safety net, the need was to evaluate the extent of diversion, leakage, sub-standard quality, adulteration, short-measurement and the impact of each aspect on Consolidated Fund of India; how much of this negative impact Aadhaar can and does really plug? The state’s figures on savings from weeding out of ghost beneficiaries are in the aggregate, not provided village wise/ locality wise, that could have enabled primary researchers to represent the ground truth and nor presented as proportion of total losses. No reconciliation was attempted between the findings of petitioners and aggregate figures of the state.

In a country that still sees starvation deaths, it is acutely disappointing that the Supreme Court did not upfront put the onus of ensuring non-exclusion – at least in case of fundamental right to food and primary health – on the state and not left it contingent to litigation by concerned citizens on behalf of indigent, less educated fellow citizens.

Before claiming savings on account of Aadhaar aided identification of ghost-beneficiaries, in the least, duty needed to be cast concomitantly on UIDAI and authorities to get ground-truthing by an independent person/ agency (not grain dealer/ official) before entitlement to a mere 5kg per person/month is taken away. Sadly, even the food safety net services linked to fundamental right to life did not deserve special status in the court’s pronouncement, even though bank and mobile operations did.

The SC’s rebuke on Aadhaar being made all-pervasive needed to be expanded by indicating areas where in its views it is not valid, irrespective of savings claimed and may not be allowed even vide legislation. The court has instead limited itself to examining the existence and provisions of the Aadhaar Act in light of fundamental rights defined in the Constitution.

The SC’s rebuke on Aadhaar being made all-pervasive needed to be expanded by indicating areas where in its views it is not valid, irrespective of savings claimed . Credit: PTI

Dizzying inconsistency on what can or can’t be linked

After the judgment by Supreme Court, Aadhaar cannot be made mandatory for bank accounts (it is however not clear if it includes fixed deposits; bank lockers are also exempted for now), mobile, mobile wallets and perhaps also insurance, airlines tickets i.e. sectors with significant presence of private sector.

This is because section 57 of Aadhaar Act that gave backing to various body-corporate and person’s demand for Aadhaar was struck down as too sweeping. All this is likely to be a short-lived reprieve. The primary objection of the court was lack of legal basis for several uses of Aadhaar. The state, emboldened by Section 139AA of Income Tax Act having passed muster with the majority of the judges of the Supreme Court and the conclusion that Aadhaar security is not compromised, will seek to pass slew of laws to legitimise use of Aadhaar for various purposes including by private entities.

On some matters, the judgment does not appear internally consistent to the layman. For instance, the court upholds furnishing Aadhaar for tax returns but not for bank or financial institution-linked transactions.

Justice D.Y. Chandrachud sums up the conundrum well: “The imposition of a uniform requirement of linking Aadhaar numbers with all account based relationships proceeds on the presumption that all existing account holders as well as every individual who seeks to open an account in future is a potential money-launderer”.

By the same logic, PAN-Aadhaar linkage also proceeds on a comparable logic that every PAN card holder is a tax evader and becomes law abiding taxpayer once Aadhaar is linked.

When Section 139AA of Income Tax Act and Prevention of Money Laundering Act both primarily mandate the same core action, it is difficult to understand how the logic for Aadhaar-bank account linkage and Aadhaar-PAN linkage can then differ or what justifies upholding one, but not the other. Both being statute backed provisions, unless the court clarifies the distinction between the two, there can be no legitimate half-way house of allowing one but not the other. This is a fit matter for seeking a review of court’s pronouncement on both these matters.

The demise of PAN card as a self-contained identity therefore appears imminent. Credit: PTI

The demise of PAN card as a self-contained identity therefore appears imminent. The primary grouse of Aadhaar opponents is that Aadhaar is now made mandatory for all income tax returns/claiming refund too. The court’s decision has in effect made PAN into a biometric-linked identity hence, there will be little reason for continuing PAN as a distinct identity in the future.

After March 2019, if not earlier, all PAN cards will be backed by Aadhaar.

Section 139AA of Income Tax Act has been upheld in its entirety. The provision is not limited to identifying yourself once to the Department of Income Tax by linking PAN and Aadhar, but requires a continuing duty to identify yourself in each return. The provision goes beyond authentication. This also makes your Aadhaar available to every chartered accountant or Tax Return Preparer you consult, including to their army of temporary assistants and article clerks, who will also know your mobile number, have access to your biometric and thus unknown attendant risks will continue. The Central Board of Direct Taxes (CBDT) can make amends to the ITR forms – but there is no duty cast by the court to do so. This needs to be demanded by those filing income tax returns.

What does the road ahead look like?

For now, to re-establish good faith, the UIDAI must demonstrate compliance by retracting access to its database to private entities with immediate effect to those held ineligible or it is guilty of contempt of court.

If use of Aadhaar by private entities is enabled through fresh legislation, the difference will be it is no more UIDAI’s discretion to weigh if it should initiate penal process or not. Citizens need to monitor timely amendment of the relevant clause (Section 47) and issuance of statutory rules on right of victim to initiate both action under criminal law and allow parallel action to seek compensation.

However any effort to give UIDAI the first right to complain – and only on its failing the right devolving to – should be actively contested. Such provision existed in employment laws on gratuity/ dismissal to the determinant of the workers till the SC amended the provision.

UIDAI’s role as an administrator of the system and duty to initiate action on noticing any breach would be a separate process.

The UIDAI will also have to educate Aadhaar applicant a right of refusal to share information with other entities as the default option or permit it on case-to-case basis. There cannot be any a la carte consent.

Subsequent changes in course of the hearing like closure of centres and opening of Aadhaar enrolment centres in the premises of banks remain un-examined. The judgment therefore does not engage with the question whether any specific location can automatically grant real legitimacy or security to the enrolment exercise. Who is appointed to collect data in these banks – is he a regular staff, what is his relation with the bank, what is his antecedents – what if the person is a private person, perhaps owner or employee of any of the agencies black-listed by UIDAI is not known.

Justice Chandrachud in his dissenting opinion has flagged concerns on contract between UIDAI and foreign corporations as not adequate for protecting national security. While section 57 was struck down, section 7 was upheld and existing contracts within India too need to be examined.

The state collecting and storing data on a domain it owns via its own proprietary software through private collectors poses problems.

The state collecting and storing data on a domain it owns via its own proprietary software through private collectors poses problems. Credit: Pixabay/PTI

1) The Sarathi and Vahan website of the department of surface transport handles driving licence and vehicle registration. The sites are sub-domains of National Informatics Centre (NIC) but at each district and regional transport offices, they are operated by contractual staff recruited by NIC with ability to attach any devices. The task of issuing smart card for driving licence or vehicle is farmed out to private entities operating apparently seamlessly within these same offices. This model must be examined in detail since vide Motor Vehicle Act, Aadhaar linkage is being mandated and can become the model for other legislative provisions.

2) A similar issue exists in case of registration of property transactions, wills etc. In most states, the e-registration portal, even if it has a .gov.in extension, is operated by contractual staff deputed by a private agency.

3) It is also apparent that website like the MNREGA dashboard, the insurance regulator’s site are similarly managed by contractual staff hired from different agencies.

4) The finance departments of several State governments like Chhattisgarh proudly display Skoch award for their finance portal, but are similarly managed by contractual staff, supervised by one NIC personnel.

These sites solicit Aadhaar details as a part of the process of identification and not merely for “authentication”. Most of the above user department of the state do not have a senior or competent software-literate person in-house and even where NIC is involved, it retains minimal supervision while farming out operation and maintenance to staff hired through contractors. In their bid to reduce liability for offering permanent service, the security of the data may be compromised.

Worse, there are private entities which not only run state-owned portals, but have actually created the site, own the domain name (even if it is named after the state), own both the software and its source code. In states like Jharkhand, the domain name and portal of municipal bodies created for collecting holding tax/ municipal plot revenue (some even using .com extension) are actually owned by a private company and only accessible through its proprietary software.

Attempts at flagging this issue to state governments and heads of municipal bodies have not brought any change. While such use may appear to be legitimately by “state”, in reality, the entire operation is now in violation of section 57 of Aadhaar Act. All such contracts need to be cancelled and portals must be immediately transferred to the state-owned NIC and operated by regular staff, if needed, hired for this purpose.

The arrangement between state and the private entities must be examined in light of section 57 of Aadhaar Act being struck down. Aadhaar holders must resist indiscriminate sub-contracting of the handling of their information. At the minimum, the contractual arrangement for handling of citizen data in full has to be put in the public domain in compliance with Right to Information Act to enable scrutiny of the terms. Contracts have become the norm across India, but the standards imposed are different. Indian Space Research Organisation also hires contractual staff but they impose strict vigil and regulate extent of access in its premise, use of mobile phone, use of personal data backup system and laptops and confiscates them at its entrance gate.

A comparable system must be demonstrated and regularly adopted by user departments with right to access and update Aadhaar information.

Where needed, an immediate duty must be cast on the state to cease and desist from operating facilities with poor oversight by it. Such a requirement may also put brakes on state’s enthusiasm to over extend Aadhaar into every domain.

Shaswati Ghose is a solicitor with interests in access to justice, issues centred on equitable development, insurance and ethics.