Aadhaar Data Breaches Affected 135 Million Indians: Petitioners Tell SC [Read The Rejoinder Affidavit]
“Reports by privacy and security researchers indicate that such breaches have already affected 135 million Indians. These data breaches are in flagrant violation of Section 29 of the Aadhaar Act read with Regulations 6 and 7 of the Aadhaar (Sharing of Information) Regulations 2016”, states the rejoinder.
With the final hearing on the string of writ petitions challenging the constitutionality of the Aadhar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act of 2016 scheduled to commence in the Supreme Court on January 17, Chief Justice Dipak Misra on Friday permitted Advocate Vipin Nair to file the rejoinder affidavit on behalf of activist and feminist researcher Kalyani Sen Menon, one of the petitioners.
The apex court also permitted the filing of an additional affidavit to bring on record the documents relevant to determine the controversy and pertaining to security of biometric data and leakages in social security schemes.
The rejoinder affidavit gives a detailed account of how Aadhaar has caused widespread exclusion from access to welfare services such as PDS, MGNREGA, Old Age Pension, Scholarship for EWS etc and even fatalities among the most vulnerable and marginalized, and that its claimed benefits as to savings are all gross exaggerations.
Further, the affidavit sheds light on the issues of surveillance, breach of privacy and identity theft of individuals in violation of their rights under Articles 14, 19 and 21 of the Constitution have been reiterated.
Scepticism regarding data protection-
The affidavit refers to a report of the London School of Economics in so far as it states that the Central Identities Data Repository (CIDR), the centralised database containing demographic as well as biometric information of 1.3 billion Indians, becomes an inherent target for foreign governments and hackers, rendering it vulnerable to being breached.
The claim of security and privacy of the data stored within the CIDR is further called into question due to the creation of the ‘DBT Data Seeding Viewer’, a mechanism that allows any department or agency to access demographic data directly from the CIDR.
Revealing the glaring security lacunae in the UIDAI’s enrolment procedure and its misplaced reliance on biometrics, the affidavit cites the September, 2017 incident where the Uttar Pradesh Special Task Force had unearthed operations of a group of individuals issuing fake Aadhaar numbers by accessing the UIDAI’s enrolment software as well as cloning the fingerprints of the authorised agents.
The affidavit relies on the December, 2016 reply of the UIDAI to not furnish, in a RTI query, information related to breach of personal information, as an ex-facie violation of an individual’s fundamental right to privacy- “Reports by privacy and security researchers indicate that such breaches have already affected 135 million Indians. These data breaches are in flagrant violation of Section 29 of the Aadhaar Act read with Regulations 6 and 7 of the Aadhaar (Sharing of Information) Regulations 2016”.
Copies of recent news reports relating to bank frauds caused on account of Aadhaar linking have been annexed to the affidavit.
Laying emphasis on how the Aadhar mechanism is insecure, error-ridden and full of malpractices by private players, the April 2017 statement of the Minister of Law and Minister of Electronics and Information Technology in the Rajya Sabha that the UIDAI has cancelled and blacklisted 34,000 Aadhaar “operators” since the inception of the Aadhaar project has been relied upon- “As per latest reports, by UIDAI’s own admission, 49,000 private enrolment operators have been blacklisted owing to contraventions of its own operating procedures. These enrollment operators were entrusted by the UIDAI to capture sensitive biometric information of over 1.3 billion Indians”.
Further, on December 29, 2017, the Minister for Electronics and Information Technology provided a list of 210 websites of the Central Government, State Government departments and some educational institutes displaying the Aadhar numbers of the beneficiaries in public domain.
The affidavit brings to light the loophole in section 33 of the Act of 2016, which is couched as an exception to Section 29, allowing every Indian’s personal information, including biometrics, to be shared pursuant to any order by a Court or in ‘the interest of national security’. The provision fails to lay down any meaningful safeguards for the exercise of this power and the phrase ‘national security’ has been left undefined. Also, section 2(g) permits the executive to expand the purview of “biometric information” beyond fingerprints, iris scan and photograph at its discretion.
Finally, the affidavit laments that pursuant to Section 47 of the Act of 2016, the right of an aggrieved person to approach the relevant authority in the event of a data breach or identity theft has been taken away. Taking away legal remedies otherwise available to an individual is a gross violation of her fundamental rights irrespective of any action taken by UIDAI in this regard.
Coercion and exclusion from subsidies, benefits and services-
It is submitted that the data shared with the UIDAI as a result of the coercion to link Aadhaar numbers with mobile phones, bank accounts, PAN cards etc militates against the very idea of consent, as held to be intrinsic to the fundamental right to privacy in Justice K. S. Puttaswamy [(2017) 10 SCC 1]. Also, prior to issuing notifications for mandatory Aadhar linkage under Section 7 of the Act, the governments ought to have applied to the Supreme Court to vacate or vary its earlier interim injunctions.
News reports relating to deaths due to starvation caused on account of the use of Aadhaar for PDS have been referred.
Further, it is contended that coercing students to authenticate themselves using their biometrics for the purpose of medical entrance tests or Board examinations is patently illegal- “This is especially so in the case of students who are minors and consequently not capable of giving lawful consent”.
Replying to the Centre’s insistence on the potential contribution of Aadhar cards in guaranteeing access to social security schemes, the affidavit submits that the lack of ID proof itself was not the reason why people were unable to avail benefits. The UIDAI, in a RTI query, has revealed that as per the data compiled till September, 2016, only about 0.03% of the total Aadhaar numbers generated have been in respect of persons who did not possess any alternative ID proof. It was mostly the meagerness of government budgets for the schemes that kept eligible persons out of their ambit.
Demolishing the purported link between the Unique Identification Number and eligibility requirements for the various social security schemes and benefits, the affidavit avers, “The number itself is a random digit that has no correlation and meaning as the Union has explained elsewhere. The data that is attached to the number like name, age, date of birth, location, place of residence are the additional parameters that are required to determine eligibility. As per a November, 2017 case study reported in Odisha, Aadhar’s fraud detection rate is merely 0.32%”.
Finally, it is contended that the astronomical savings of Rs. 57,029 crore, as claimed to have accrued to the government on account of the Aadhar linked PAHAL- Direct Benefits Transfer for LPG (DBTL) scheme, are “totally illusory and baseless”.Read the Affidavit Here