Aadhaar [Day-29] There Is A Possibility Of Abuse Of Aadhaar Data To Manipulate Elections: Justice Chandrachud
On Day 29 of the Aadhaar final hearing, resuming his submissions, Senior Counsel Rakesh Dwivedi urged before the Supreme Court five-judge bench that under section 8 of the Aadhaar (Targeted Deliveries of Financial and Other Subsidies, Benefits and Services) Act of 2016, the biometric and demographic information of an individual is used only for authentication.
Referring to sections 8(3) and 29(3) of the Act of 2016, Justice D. Y. Chandrachud voiced the concern regarding the purpose of authentication being knowable to ‘requesting entities’ and the misuse of such data- “The information that so many authentication requests have been received from an individual from a hospital could be valuable for insurance and pharmaceutical companies...”
“The Aadhaar scheme ensures better data security than the General Data Protection Regulation (GDPR) of the EU...but a cent percent assurance cannot be guaranteed in respect of anything; the test should be of ‘reasonable protection’...however, Your Lordships may narrow down sections 8(3) and 29(3) with the specification that any details as to the purpose of authentication shall not be collected...”, responded Mr. Dwivedi.
“These provisions may even be excluded from the Act...”, noted Justice Chandrachud.
When Justice A. K. Sikri reiterated doubts regarding the threat of abuse of sensitive personal information, Mr. Dwivedi asserted that the apprehensions are not real.
“it is real...there is a possibility of abuse of such information, say, to manipulate elections...”, remarked Justice Chandrachud.
When Mr. Dwivedi responded the Aadhaar scheme may not be compared with the recent ‘cambridge analytica’ incident, Justice Chandrachud noted that Aadhaar cannot be seen as existing in isolation and that there could not be a constrained view of the reality in laying down the law.
“The algorithms under Aadhaar are not learning algorithms...they only ensure a biometric match; no analysis of any data...they are not the same algorithms as those of Google”, contended Mr. Dwivedi.
“The UIDAI shall still be accountable under Article 32...the concern is regarding the private entities”, he continued, in context of section 57 of the Act of 2016.
“Section 57 requires a law or a contract for a mandate of Aadhaar...the UIDAI does not permit any person or body to act as a ‘requesting entity’ unless it is satisfied of the latter’s need to utilise the authentication facility...section 57 is not so open-ended that a ‘paanwala’ or ‘chaiwala’ could demand Aadhaar”, replied Mr. Dwivedi.
Justices Chandrachud and Sikri also posed a query as to how the acceptance or rejection of this need to require Aadhaar based authentication is determined in respect of different entities.
Mr. Dwivedi explained that, first, there is a contract with the customer whereunder Aadhaar is sought, followed by a request for permission to the UIDAI.
Justices Chandrachud and Ashok Bhushan seemed unconvinced of the power of refusal of the UIDAI in this behalf.
Expressing doubt regarding the seeking of permission from the UIDAI being preceded by a prior contract, Justice A. M. Khanwilkar observed, “the categories, as prescribed in Schedule A annexed to the Aadhaar Act, which an entity seeking to use the UIDAI’s authentication facility as ‘requesting entity’ must fall under are very wide”.
When Justice Chandrachud inquired about the connection between section 57 with the Consolidated Fund of India and the test of legitimate state interests, in so far as the section permits even private parties to require Aadhaar under a contract, in view of the Aadhaar Act being purportedly aimed at the provision of ‘Subsidies, Benefits and Services’ related to the Fund, Mr. Dwivedi responded, “with private entities discharging functions of a public nature, even the former may be subject to the mandate of the constitution...”
Further, Justice Sikri mentioned the argument of the petitioners regarding the reduction of an individual’s identity and existence to the mere Aadhaar number. “It is not as if numbers have not been assigned to human beings except by Hitler, as claimed by the petitioners...there are PNR numbers, credit card numbers, numbers even on the Supreme Court proximity card...”, advanced Mr. Dwivedi.
When Justice Chandrachud questioned the mandatory Aadhaar linkage in the light of the Aadhaar number envisaged as being an entitlement under section 3 of the Act, Mr. Dwivedi submitted, “it is the government and not the UIDAI that is mandating the linkage with Aadhaar number...each such notification or statutory provision may be subject to the tests of validity of privacy invasion ...while such linkage may be beneficial under the PDS, it may be regarded as bad under the Prevention of Money Laundering Act...but to strike down the Aadhaar project on account of some of these notifications would be unreasonable...the mandate for Aadhaar under the Act of 2016 is confined to its section 7”
“Sections 7 and 57 (of the Aadhaar Act) together canvass the entire scope of the mandate of Aadhaar for any Services?”, Justice Chandrachud wanted to know. “Sections 57 keeps the scope confined, in so far as it requires a law or a contract for the mandate of Aadhaar”, responded Mr. Dwivedi.
The Senior Counsel, on Tuesday, also drew the attention of the bench to section 30 of the Aadhaar Act, submitting that the punitive provisions of the Information Technology Act of 2002 shall also apply in case of breaches under the Aadhaar Act. He relied on sections 66B, 66C and 66E of the IT act, in so far as they stipulate punishment for receiving stolen computer resource, identity theft and violation of privacy respectively. By virtue of section 70 of the IT Act, any person who attempts to secure access to the CIDR shall be punishable with imprisonment that may extend to ten years. Sections 72 and 72A prescribe penalties for breach of security and confidentiality and disclosure of information in breach of contract.
He also indicated the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules of 2009 and Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules of 2011. In respect of the Rules of 2011, in so far as they regulate the handling of sensitive data including biometric information such as even voice patterns and DNA by ‘body corporates’, Justice Khanwilkar noted, “section 43A of the IT Act envisages as a ‘body corporate’ only one that is engaged in commercial or professional activity”.
Thereupon, Mr. Dwivedi addressed several claims of the petitioners- “the requirement for storage of data in the CIDR has statutory backing in section 10 of the Aadhaar Act...as for the usage of foreign technology by the UIDAI, the Authority is a licensee of the software so utilised and the servers are its own...the foreign Biometric Service Providers (BSP) may have the source code but that is no reason to worry...even technicians are not permitted to access the CIDR save in exceptional circumstances...”
With regard to the claims of excessive delegation in so far as the definition of ‘biometric information’ in section 2(g) of the Aadhaar Act is not exhaustive, he elaborated, “the definition includes photographs, fingerprints and iris scan...it implies such biological attributes which are not invasive in character and can ensure instantaneous authentication...DNA material could not satisfy these parameters...”
“The petitioners have contended that the biometrics are a probabilistic and not deterministic means of Identification...”, repeated Justice Sikri, asking Mr. Dwivedi to address the concern regarding Aadhaar acting as an instrument of exclusion.
“Where any such probability may result in denial of an entitlement guaranteed under a Fundamental Right, there must be safeguards in place to avoid such deprivation”, added Justice Chandrachud.
“Nothing is absolutely certain...only because it being is contended that biometric authentication is probabilistic, this should not be the ground for striking it down...to ensure that a rightful beneficiary is not denied an entitlement on account of authentication failure, section 7 of the Aadhaar Act itself makes a provision (for furnishing mere proof of Aadhaar and accepting alternative means of identification, where Aadhaar number is not assigned)...”, replied Mr. Dwivedi.On Tuesday, the Senior Counsel reiterated several merits of Aadhaar as a means of identification- “no ID proof is as universal as the Aadhaar card...biometrics discourage the use of incorrect names and addresses and aid in deduplication...the Aadhaar project requires beneficiaries of welfare schemes to come face to face with the distributors, thereby ensuring that the entitlement reaches the rightful beneficiary...”
The hearing shall continue on Wednesday.