Journey From Civilian Application To Defence Application Of Aadhaar

Citing a letter from Department of Electronics & Information Technology, Ministry of Defence sent an Urgent/Top Priority Circular to Chief of the Naval Staff, Chief of the Army Staff and Chief of the Air Staff asking them to compulsorily ensure that all the employees enrolled for UID/Aadhaar Number. Another letter was sent by Ministry of Personnel, PG & Pensions Department of Personnel & Training to the Secretary Department of Defence Production asking him to introduce Aadhaar enabled Biometric Attendance System in the department of defence production. The system would enable an employee with an Aadhaar number to register his/her attendance (arrival/ departure) in the office through biometric authentication. It also says that a web based application software system will enable online recording of attendance and that the dash board relating to real time attendance and related statistics, can be viewed by everyone. Similar letters were sent to some 169 government agencies. This was done pursuant to a letter from Secretary, Department of Electronics & Information Technology.

The date of issuance of both the circular and the letter demonstrates that they are illegal and in violation of the Supreme Court’s orders. The first order of the Court making it voluntary was issued on of 23^rd September, 2013. It was reiterated on 26 November 2013. In a related case the Court passed an order dated 24 March, 2014 which reads as follows: “More so, no person shall be deprived of any service for want of Aadhaar number in case he/she is otherwise eligible/entitled. All the authorities are directed to modify their forms/circulars/likes so as to not compulsorily require the Aadhaar number in order to meet the requirement of the interim order passed by this Court forthwith” in Unique Identification Authority of India (UIDAI) Vs Central Bureau of Investigation (CBI) case.

These orders remain valid even today because it has been reiterated by subsequent orders of the Supreme Court and High Courts. Is it the case that Court’s orders are not applicable to Ministry of Electronics & Information Technology, Ministry of Defence and Ministry of Personnel? If not then how else should one comprehend the blatant disregard of Court’s orders?

From the national security perspective, it is quite alarming that defence employees have been compelled to enrol for UID/Aadhaar despite Court’s categorical orders. Notably, two very senior former military officials of established technical and scientific competence have challenged the implementation of Aadhaar in the Supreme Court.

When questions were raised about this being a defence application of aadhaar contrary to the initial promise of it being a civilian application Department of Electronics and Information Technology (now Ministry of Electronics and Information Technology), responded stating, “Aadhaar is being used for Biometric Attendance System and this does not form part of Defence application”.

The fact is that the application of biometric Unique Identification (UID)/Aadhaar Number was restricted to ‘civilian application’ and was not meant for defence application. Central Government’s Biometrics Standards Committee had categorically stated that UID/Aadhaar’s is meant only for “civilian application” but the order on aadhaar enabled biometric attendance system has been extended to defence employees as well. Now the entire information of the employees working in the department of defence production, which will include related statistics, will be stored online and on cloud will be available to everybody. It cannot be said that application of UID/Aadhaar in the Department of defence production is in national interest because it is making defence employees visible to everyone on the computing cloud.

Government argues, “Attendance of Govt. employees is already being maintained and the Biometric Attendance System, maintained by the attendance.gov.in is just a digital equivalent of the age-old attendance register. This is part of contractual relationship between the Public Servant and the Employer, viz. the Government of India, wherein  the former has consented to/agreed to the terms of service and is therefore, contractually bound to follow the rules and regulations as specified for him by his/her employer.”

It will have us believe that there is no difference between “age-old attendance register” and UID/Aadhaar enabled Biometric Attendance System. Similar arguments have been advanced by the Attorney General in his submission before the Supreme Court. During the course of his submission he contended that Court’s employees are also subjected to biometric profiling based attendance implying that the day is not far when judicial officers and judges too will have to do the same.

What the concerned lawyers did not inform the Court that citing the Supreme Court’s orders, the Jammu & Kashmir High Court Bench of Chief Justice N Paul Vasanthakumar and Justice Ali Mohammad Magrey stayed a government order regarding the installation of Aadhaar Enabled Biometric System (AEBAS) in government departments to ensure the attendance of employees in their respective departments by its order dated October 4, 2016. Notably, this order was passed after the notification of Aadhaar Act, 2016 on September 12, 2016.

In order to comprehend the sophistry involved in averments regarding biometric attendance by Attorney General and Law, Electronics and Information Technology Minister, it is germane to recall the intervention of National Human Rights Commission (NHRC) in the case wherein Indian students in USA were made to wear biometric radio collars. NHRC ensured that the government acted to ensure that the human rights of students are protected. It is germane to note that radio collar is based on biometric data like voice print. If making Indian students wear biometric radio collar constitutes an act which Government of India admitted as an act of violation of human rights, indiscriminate biometric profiling is also an act of violation of human rights. As per Section 2 (G) of Aadhaar Act 2016, “biometric information” means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations. Thus, it clearly includes biological attributes like voice print and DNA.

 If UID/Aadhaar enabled Biometric Attendance System is indeed a “digital equivalent” of “age-old attendance register”, why did NHRC and Ministry of External Affairs object to radio collar which can also be argued by sophists to be “digital equivalent”. If the “digital equivalent” means biometric equivalent as well then it makes DNA based identity and attendance will also be deemed equivalent to “age-old attendance register”. It is quite evident that such argument is deeply misleading.

There is a logical compulsion for withdrawing the letter and all consequential letters by which UID is made applicable to defence application i.e. Department of Defence Production in the interest of supreme national security. The coverage of defence employees under Aadhaar enabled Biometric Attendance System implies that  Aadhaar is being put to defence application contrary to government’s claims.

With regard to the issue related to national security, in Rajya Sabha, Minister of Electronics and Information Technology (MeitY) who is responsible for Unique Identification of Authority of India (UIDAI) gave an evasive reply when he was asked a question (Unstarred Question No-2792) on “Misuse of Aadhaar cards and data collected under UID scheme” by Dr. K.V.P. Ramachandra Rao. The extremely specific questions were: a) whether it is a fact that a Pakistani spy caught in New Delhi in October carried an Aadhaar card issued in his name? (b) if so, whether the system of issuing Aadhaar cards is faulty or lacks proper supervision; and (c) whether Government is assessing the possibility of misuse of Aadhaar cards and the data collected under the UID scheme?

The minister replied saying, “(a) to (c): UIDAI only issues Aadhaar to the residents of the country. Aadhaar is not a proof of citizenship or nationality.” It is classic example of an irrelevant response from the central government.

In his exemplary performance, the minister added, “The methodology approved for issuance of unique identity for every resident of the country involves use of certain basic demographic information combined with ten finger prints, both irises and photograph to uniquely identify a resident through a process of de-duplication.” His reply does not answer query about Pakistani spy caught in New Delhi in October who carried the 12-digit biometric unique identification (UID)/Aadhaar issued in his name.

The minister further said, “The demographic and biometric attributes of residents are collected by various agencies of the Central and the State Governments and others who, in normal course of their activities, interact with the residents. These entities are ‘Registrars’ of the UIDAI. The information is subsequently uploaded by these agencies to UIDAI where it undergoes a number of quality checks and biometric de-duplication before an Aadhaar is generated.”  This reply does not explain whether the system of issuing Aadhaar cards is faulty or lacks proper supervision.  It maintains studied silence about the role of foreign biometric de-duplication companies.

The minister said, “The verification procedure for demographic data submitted by the resident during enrolment includes supporting documents, introducer system and National Population Register process of public scrutiny. Major portion of the enrolment is document based. There are well defined lists of Proof of Identity (PoI) and Proof of Address (PoA). Under document based enrolment, a resident has to submit any of the PoI/PoA from the said list.”

He did not inform the Parliament that the then Chairman of UIDAI has been given ID Limelight Award at the ID WORLD International Congress, 2010 in Milan, Italy on 16th November wherein Safran Morpho (Safran group) was a key sponsor of the ID Congress. Its subsidiary, Sagem Morpho Security Pvt Ltd has been awarded contract for the purchase of Biometric Authentication Devices on February 2, 2011 by the UIDAI.

Coincidentally, in 2009 a similar award was given to the head of Pakistan’s National Database Registration Authority (NADRA) which successfully implemented a UID/Aadhaar like project, which has been shared with authorities in USA as per cables leaked by Wikileaks.

In such a backdrop, the question raised by Dr. K.V.P. Ramachandra Rao in Rajya Sabha about biometric Aadhaar issued to a Pakistani spy remains quite relevant from the point of national security.

It may be recalled that on July 30, 2010, in a joint press release, it was announced that “the Mahindra Satyam and Morpho led consortium has been selected as one of the key partners to implement and deliver the Aadhaar program by UIDAI (Unique Identification Authority of India).” This means that at least two contracts have been awarded to the French conglomerate led consortium. Is it a coincidence that Morpho (Safran group) sponsored the award to Chairman, UIDAI and the former got a contract from the latter?

It is apparent that UIDAI Chief was given the award "For being the force behind a transformational project ID project in India...and "to provide identification cards for each resident across the country and would be used primarily as the basis for efficient delivery of welfare services. It would also act as a tool for effective monitoring of various programs and schemes of the government."

It may also be noted that UIDAI awarded contracts to three companies namely, Satyam Computer Services Ltd (Mahindra Satyam), as part of a “Morpho led consortium”, L-1 Identity Solutions Operating Company and Accenture Services Pvt Ltd of US for the “Implementation of Biometric Solution for UIDAI” on July 30, 2010. Notably, L1 which had signed the contract agreement as a US based company (subject to USA’s Patriot Act) has been bought over by Safran Group after US Government’s national security clearance.

In his reply the minister claimed that “There are well defined processes and guidelines of Aadhaar enrolment that the Registrars and Enrolment Agencies are bound to follow. A proper deterring mechanism is in place discouraging any deviation from these laid down processes and guidelines. The complete trail of each and every enrolment is maintained. There is provision for concurrent evaluation of the Enrolment Centres.“  If that is indeed the case it must be revealed as to who allowed the provision of personal sensitive data of Indian residents to remain with the above mentioned foreign companies in the contract agreement compromising present and future national security.

In his reply the minister also claimed that “Aadhaar is generated after a number of quality checks and biometric de-duplication. Every attempt is made to ensure that fake/bogus enrolments are identified through quality checks and biometric de-duplication process, and rejected. In a miniscule number of cases, where an ineligible enrolment may slip through, there are provisions for taking action against the delinquent operator/supervisor/enrolment agency; financial penalties; and criminal proceedings by lodging of FIR, besides cancellation of such Aadhaars.”  This claim is factually incorrect. Recent flood of leaks has established that online UID/Aadhaar database, the Central Identities Data Repository (CIDR) of UIDAI is one of the most vulnerable databases in the world.

The making of CIDR is contrary to the principle of decentralisation in cybersecurity.  Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016) lists breaking into CIDR as an offence but this law criminalises a technological impossibility. In a bizarre act, it provides that only UIDAI can file a complaint when the data of a resident of India is misused or abused instead of the victim of abuse.

As per Section 47, “Courts will take cognizance of offences under this Act only upon complaint being made by the UIDAI or any officer authorised by it.” This deprives the victim of a right to file complaint although Section 34 of the Act provides that “Impersonating or attempting to impersonate another person by providing false demographic or biometric information will punishable by imprisonment of up to three years, and/or fine of up to ten thousand rupees.” Victims cannot file complaint even when someone changes or attempts to change any demographic or biometric information of an Aadhaar number holder by impersonating another person (or attempting to do so), with the intent of i) causing harm or mischief to an Aadhaar number holder, or ii) appropriating the identity of an Aadhaar number holder although it is punishable under Section 35.

Victims of abuse cannot file complaint in cases wherein collection of identity information is done by one not authorised by this Act, by way of pretending otherwise despite the fact that the Act makes it punishable under Section 36.  Unless authorized by UIDAI or any officer authorised by it, victims cannot file complaint even when there is “Intentional disclosure or dissemination of identity information, to any person not authorised under this Act, or in violation of any agreement entered into under this Act” under Section 37 although it is punishable.

Unless authorised by the UIDAI, the intentional acts like accessing or securing access to the CIDR; downloading, copying or extracting any data from the CIDR; introducing or causing any virus or other contaminant into the CIDR; damaging or causing damage to the data in the CIDR; disrupting or causing disruption to access to CIDR; causing denial of access to an authorised to the CIDR; revealing information in breach of (D) in Section 28, or Section 29; destruction, deletion or alteration of any files in the CIDR; stealing, destruction, concealment or alteration of any source code used by the UIDAI , will be punishable under Section 38. Even in such cases victims cannot file complaint without authorization by UIDAI.

Section 39 of the Act reads, “Tampering of data in the CIDR or removable storage medium, with the intention to modify or discover information relating to Aadhaar number holder will be punishable”. Thus, it admits that such acts are possible and imminent but the Act does not empower the victims of such tampering or removal instead it empowers UIDAI.

While Section 40 makes “Use of identity information in violation of Section 8 (3) by a requesting entity will be punishable with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company)”, it is incomprehensible as to how a company or an individual feel deterred by such meager punishment when they can harvest big database of personal sensitive information which is admittedly a “national asset” and “rich asset”.

Section 43 of the Act visualize a situation wherein offences can be committed by a Company but they can be excused “if they can prove lack of knowledge of the offense or that they had exercised all due diligence to prevent it.” It also underlines the possibility of an offence committed by a Company with the consent, connivance or neglect of a director, manager, secretary or other officer of a company but they too can be excused if they can prove their ignorance, inability and inevitability.

In a stark admission of the involvement of foreign locations and persons, Section 44 states that the Act “will also apply to offences committed outside of India by any person, irrespective of their nationality, if the offence involves any data in the CIDR.” This is akin to what is happening in the case of Union Carbide Corporation, subsidiary of Dow Chemicals Company whose case is going in a Bhopal Court for the offences committed outside of India related to its Bhopal based pesticide plant.  The offences include decisions taken by it about not providing for safety in the plant. Dow has refused to appear before the Court despite repeated orders of the Court. How can the situation be different when CIDR database is compromised endangering national security?

These provisions underline the possibility of abuse and misuse of sensitive data of defence employees in particular and citizens in general by foreign entities as well.

It is possible that such civilian and non-civilian applications are being bulldozed by some commercial entities in order to store and read biometric and DNA script of Indian population in the aftermath of the sequencing of Human Genome for epigenetics, medicine, big data, social control, inheritance, eugenics and genetic determinism. Under the tremendous influence and unprecedented onslaught from unregulated and ungovernable technology companies, so far Central Government and State Governments have failed to safeguard national security and citizens’ liberty which is part of right to life. In such a context, it is germane to ponder over the question about issuance of UID/Aadhaar to Pakistani spy caught in New Delhi. Who exactly is behind denial of exact reply to the question? Is there any reason to assume that other foreign nationals have not intruded the system like the spy in question?

UID/Aadhaar is akin to a piece of collar which the transnational powers want to tie on the neck of present and future Indian citizens. Government has allowed itself to be misled and it has failed to protect personal sensitive information which has already gone to foreign companies and continues to flow in foreign direction. While countries like China, USA, UK, France, Germany, Phillipines and Australia have secured themselves by abandoning their UID project, India is following the path of Pakistan which has compromised its national security and citizens’ personal sensitive information through National Database Registration Authority (NADRA). It is now up to the Supreme Court to set matters right before the neglected spark burns the house learning from the smoke in the neighborhood.

The author is member Citizens Forum for Civil Liberties (CFCL). He had appeared before the Parliamentary Standing Committee on Finance that examined and trashed the National Identification Authority of India Bill, 2010 (Aadhaar Bill, 2010). He is editor of www.toxicswatch.org

[The opinions expressed in this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of LiveLaw and LiveLaw does not assume any responsibility or liability for the same]