7 Feb 2018 10:09 AM GMT
As the Aadhaar hearing resumed on Wednesday, Senior Counsel Kapil Sibal, appearing on behalf of petitioner Raghav Tankha and another, submitted that Section 8(3)(c) of the Aadhaar Act of 2016, which speaks of ‘alternatives to submission of identity information to the requesting entity’, has been wrongly drafted as the definition of ‘authentication’ in section 2(c) of the Act leaves...
As the Aadhaar hearing resumed on Wednesday, Senior Counsel Kapil Sibal, appearing on behalf of petitioner Raghav Tankha and another, submitted that Section 8(3)(c) of the Aadhaar Act of 2016, which speaks of ‘alternatives to submission of identity information to the requesting entity’, has been wrongly drafted as the definition of ‘authentication’ in section 2(c) of the Act leaves no room for any alternatives.
While Justices A. K. Sikri and A. M. Khanwilkar disputed the aforesaid argument, Justice Ashok Bhushan advanced that the purpose of the alternatives is to aid in “double checking”.
Agreeing, Mr. Sibal remarks, “This is related to my argument against ‘one nation, one identity’”.
“So what is wrong with the concept of ‘one nation, one identity’? Are we not all Indians?”, asks Justice Bhushan.
“The concept of identity is unconnected to being an Indian”, replied Mr. Sibal.
Justice D. Y. Chandrachud also states that the definition of ‘identity information’ in section 2(n) of the Act is an inclusive definition and not an exhaustive one that envisages data in addition to the biometric and demographic information.
“I do not disagree. But what is that data that shall acceptable as ‘identity information?”, submits Mr. Sibal.
Moving on, he advances, “Probably the only other country having a regime similar to that of the Aadhaar project is Israel”. “So the concept of ‘one nation, one identity’ is unique”, commented Justice Sikri. “Yes, but our identity cannot be confined to mere Aadhaar numbers; we are all much more”, responded Mr. Sibal.
“In addition to biometric and demographic data, OTPs are also used as modes of authentication”, he continues, adding, “In nations where biometric Authentication is the practice, the sensitive data is held in a smart card in an encrypted form to prevent theft of the information”.
Indicating the repealing of the UK Identity Cards Act of 2006, he, however, clarified that he is only challenging the constitutional validity of the Aadhaar Act and not any executive decisions.
Thereupon, Mr. Sibal touched upon section 57 of the Act of 2016, which permits any ‘body corporate’ or other person, besides the State, to require the Aadhaar number for establishing the identity of any individual, pursuant to any law or even a contract to that effect- “It is gravely unconstitutional to entitle even private entities to mandate Aadhaar”.
Justice Sikri and Justice Chandrachud concurrently deliberated that the government is interpreting section 57 as empowering other bodies to insist on Aadhaar.
Referring to the Proviso to section 57, requiring any such use of the Aadhaar number to be subject to the procedure and obligations in section 8 and chapter VI of the Act, Justice Chandrachud said that the use is to be construed as being by third parties.
“The potential threat of misuse of this sensitive data by private agencies constitutes a violation of the Fundamental Rights. Besides, there are no safeguards in place against such misuse”, Mr. Sibal continued.
“Any loss of sensitive personal data amounts to loss of property”, he stresses.
Further, Mr. Sibal proceeds to draw out the distinction between ‘data’ and ‘metadata’- “‘data’ constitutes the content of any communication, while ‘metadata’ is only the information about any message/communication without its actual content. It is an incorrect notion that ‘metadata’ alone cannot compromise the right to privacy. A sufficient quantity of ‘metadata’ can divulge a substantial amount about the ‘data’”.
“The Aadhaar is now being mandatorily linked with every train travel by the IRCTC as well as with each air travel. This linkage makes the metadata available which is enough to track an individual throughout their lifespan. The State does not have the right to make a citizen so vulnerable”, he submitted.
Justice Sikri mentioned about the tracking exercise undertaken even by airlines in respect of frequent flyers. Mr. Sibal insisted that such information remains with the concerned airline and that it is on account of the risk of retention of sensitive personal information that the biometric identity programme in the UK was scrapped.
There was also a light-hearted discussion of an instance where a waiter at a hotel procured Justice Chandrachud’s old bill to identify the dish he had enjoyed several months ago. “I did feel a little scared”, the judge quipped.
Thereafter, Mr. Sibal proceeded to make submissions on the technical intricacies of the Aadhaar project.
Relying on a RBI staff paper, he advances that despite UIDAI’s assurance of security, the CIDR is regarded as the ‘single point of attack’ and the ‘single point of failure’, being the centralised database for accumulation of all information.
“In theory, every centralised database carries the potential threat of hacking. This is not be construed as an admission of vulnerability but a statement of the need to implement safeguards”, Justice Chandrachud noted.
Agreeing on the aspect of security measure, Mr. Sibal stated, “there are instances where Biometric readers in India have manipulated by even children using wax and fevicol. Once biometric data is stolen, it cannot be undone. Imagine the ramifications of loss of biometric data on criminal trials. This is not the case with smart cards, where there is also not any peril of endangering a centralised database”.
He advanced claims regarding the sharing of data with foreign technology developers. “I will produce contracts with these foreign corporations”, he added.
Discussing the ‘Man-in-the-middle’ attacks in view of the hardware, operating systems, Authentication User Agencies (AUAs) and Authentication Service Agencies (ASAs), Internet Service Providers etc, Mr. Sibal submitted that the UIDAI itself has confirmed the possibility of these attacks. He cited the recent incident of Airtel payments.
Mr. Sibal mentioned the security concerns associated with the State Resident Data Hubs, which are parallel databases and how Aadhaar infringes privacy of the physical space by revealing location; and its susceptibility to corporate espionage by competing firms.
“There is lack of integrity in the manner instances of enrolment rejections are being dealt with. The principle of natural justice is being disregarded. Besides, the Aadhaar scheme metes out unequal treatment in view of the fact that biometrics of certain sections of the society like the senior citizens, the diseased, the handicapped, those employed in physical labour are not constant or even clear. Can this programme be effectively implemented in the remote areas of states like West Bengal and Orissa?”, he continued.
“The replay attacks also reflect that the programme can be manipulated and its integrity compromised”, he added.
The hearing shall resume on Thursday.