Foreign Company Has Source Code of Aadhaar Project; It Has Access To Citizens’ Information : Certain Worrying Findings By Justice Chandrachud
The impact of the Facebook-Cambridge Analytica incident also reverberated in the judgment, as Justice Chandrachud acknowledged that profiling of individual preferences could also be used to influence the decision making of the electorate in choosing candidates for electoral offices.
Though the majority of Supreme Court Constitution Bench has upheld the validity of Aadhaar project, certain findings in the dissenting judgment of Justice D Y Chandrachud regarding it are worrying, calling for larger public debate on its efficacy and security.
Biometric database in the CIDR is accessible to third-party vendors
It has been found in his judgment that neither the Central Government nor the Unique Identification Authority of India (UIDAI) has the source code for the de-duplication technology which is at the heart of the programme. The source code belongs to a foreign corporation; UIDAI is merely a licensee. The biometric database in the Central Identities Data Repository (CIDR) is accessible to third-party vendors providing biometric search and de-duplication algorithms. Prior to the enactment of the Aadhaar Act in 2016, the UIDAI contracted with L-1 Identity Solutions (an American entity which provided the source code for biometric storage) to provide to it any personal information related to any resident of India. The citizens enrolled in the programme without being aware of that and handed over their biometrics to the UIDAI without informed consent.
Under the Contract, L-1 Identity Solutions retains the ownership of the biometric software. It has also been provided that L-1 Identity Solutions can be given access to the database of UIDAI and the personal information of any individual.
“It has been provided in the Contract that L-1 Identity Solutions would indemnify UIDAI against any loss caused to it. However, the leakage of sensitive personal information of 1.2 billion citizens, cannot be remedied by a mere contractual indemnity. The loss of data is irretrievable. In a digital society, an individual has the right to protect herself by maintaining control over personal information. The protection of data of 1.2 billion citizens is a question of national security and cannot be indemnified by a Contract”, Justice Chandrachud said.
He also took note of the fact that UIDAI had entered into Memoranda of Understanding (MoUs) with various entities for carrying out the process of enrolment. MoUs signed between UIDAI and Registrars were not contracts within the purview of Article 299 of the Constitution, and therefore do not cover the acts done by the private entities engaged by the Registrars for enrolment. “Since there is no privity of contract between UIDAI and the Enrolling agencies, the activities of the private parties engaged in the process of enrolment before the enactment of the Aadhaar Act have no statutory or legal backing”, said the judgment.
Aadhaar Seeding Leads To Individual Profiling
It was held that when Aadhaar is seeded into every database, it becomes a bridge across discrete data silos, which allows anyone with access to this information to reconstruct a profile of an individual’s life. This is contrary to the right to privacy and poses severe threats due to potential surveillance. Illustratively, it was stated:
For instance, when an individual from a particular caste engaged in manual scavenging is rescued and in order to take benefit of rehabilitation schemes, she/he has to link the Aadhaar number with the scheme, the effect is that a profile as that of a person engaged in manual scavenging is created in the scheme database. The stigma of being a manual scavenger gets permanently fixed to her/his identity.
Linking Aadhaar with different databases carries the potential of individuals being profiled by a system which could be used for commercial purposes. It also carries the capability of influencing the behavioural patterns of individuals, by affecting their privacy and liberty. Profiling individuals could be used to create correlations between aspects of human lives which are generally unconnected.
“If the traces of Aadhaar number are left in every facet of human life, it will lead to a loss of privacy”, he said.
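As an added illustration (not part of the article or of the judgment), the following Python sketch shows why a single identifier seeded into unrelated databases lets anyone holding those databases join their records into one profile, and contrasts it with sector-specific pseudonymous tokens, a common data-minimisation mitigation in which each sector receives a different derived identifier. All records, values and the secret key are constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records: three unrelated databases ("silos") that have
# each seeded the same national identifier. Person A appears in all three.
SCHEME_DB = [{"id": "A", "scheme": "rehabilitation-scheme"}]
TELECOM_DB = [{"id": "A", "msisdn": "+91-0000000001"},
              {"id": "B", "msisdn": "+91-0000000002"}]
BANK_DB = [{"id": "A", "branch": "constructed-branch-1"}]


def link_silos(*silos):
    """Join records from independent databases on the shared 'id' column.
    Returns {identifier: merged attributes}: the 'bridge across silos'."""
    profiles = defaultdict(dict)
    for silo in silos:
        for rec in silo:
            profiles[rec["id"]].update({k: v for k, v in rec.items() if k != "id"})
    return dict(profiles)


def sector_token(identifier, sector, secret):
    """Derive a sector-specific pseudonym as HMAC-SHA256(secret, sector:id).
    The same person receives unrelated tokens in different sectors, so the
    silos cannot be joined on the token unless one also holds the secret.
    Within one sector the token is stable, so that sector still functions."""
    msg = f"{sector}:{identifier}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def tokenize(silo, sector, secret):
    """Replace the raw identifier in a silo with that sector's token."""
    return [{**{k: v for k, v in rec.items() if k != "id"},
             "id": sector_token(rec["id"], sector, secret)} for rec in silo]


def demo(secret=b"constructed-secret-held-only-by-issuer"):
    # Raw seeding: one key unlocks a full cross-sector profile of person A.
    merged = link_silos(SCHEME_DB, TELECOM_DB, BANK_DB)
    # Sector tokens: the same join now yields only single-sector fragments.
    fragmented = link_silos(tokenize(SCHEME_DB, "welfare", secret),
                            tokenize(TELECOM_DB, "telecom", secret),
                            tokenize(BANK_DB, "banking", secret))
    return merged, fragmented


if __name__ == "__main__":
    raw, tok = demo()
    print("raw profile of A:", raw["A"])
    print("largest profile after tokenisation:", max(len(v) for v in tok.values()))
```

The residual linkage risk sits with whoever holds the secret, so that key must stay with the issuer and never be shared with the sectors themselves.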
The impact of the Facebook-Cambridge Analytica incident also reverberated in the judgment, as Justice Chandrachud acknowledged that profiling of individual preferences “could also be used to influence the decision making of the electorate in choosing candidates for electoral offices”.
He added that privacy protection does not demand that data should not be collected, stored or used, but that there should be provable guarantees that the data cannot be used for any purpose other than those that have been approved. Therefore, the Aadhaar project, without the backing of a solid data protection law, raised several concerns.
In this regard, it may be noted that the majority judgment has struck down the portion of Section 57 of the Aadhaar Act which enabled body corporates and individuals to seek Aadhaar authentication. The majority judgment also struck down the Circular of the Department of Telecommunications which mandated linking of mobile connections with Aadhaar. However, this was done on the technical ground that the Circular had no backing in law, and the merits of such an exercise were not discussed by the majority judgment.
It is also possible through the Aadhaar database to track the current location of an individual, even without the verification log. The architecture of Aadhaar poses a risk of potential surveillance activities through the Aadhaar database. Any leakage in the verification log poses an additional risk of an individual’s biometric data being vulnerable to unauthorised exploitation by third parties, said Justice Chandrachud.
Probabilistic Nature of Biometric Authentication
It was held that biometric technology, which is the core of the Aadhaar programme, is probabilistic in nature, leading to authentication failures. These authentication failures have led to the denial of rights and legal entitlements. Relying on official figures from Government records, including the Economic Survey of India 2016-17, and on research studies, he held that the Aadhaar project has failed to account for and remedy the flaws in its framework and design, which has led to serious instances of exclusion of eligible beneficiaries.
The above findings of Justice Chandrachud assume relevance in the backdrop of various reported instances of deserving persons being deprived of state benefits owing to authentication failures. The claim that the Aadhaar project has empowered the marginalised by giving them an identity needs further examination in the light of these findings and of the various reports of authentication failures.
“Dignity and the rights of individuals cannot be made to depend on algorithms or probabilities. Constitutional guarantees cannot be subject to the vicissitudes of technology. Denial of benefits arising out of any social security scheme which promotes socioeconomic rights of citizens is violative of human dignity and impermissible under our constitutional scheme”, observed Justice Chandrachud in this regard.
No Institutional Responsibility For UIDAI
It was noted that the Aadhaar Act does not place any institutional accountability upon UIDAI to protect the database of citizens’ personal information. UIDAI also takes no institutional responsibility for verifying whether the data entered and stored in the CIDR is correct and authentic. That task has been delegated to the enrolment agency or the Registrar. Verification of data being entered in the CIDR is a highly sensitive task for which the UIDAI ought to have taken responsibility.
The Aadhaar Act is also silent on the liability of UIDAI and its personnel in case of their non-compliance with the provisions of the Act or the regulations.
Absence of Independent Regulator
Justice Chandrachud highlighted the absence of an independent regulatory framework with respect to Aadhaar, which rendered the Act largely ineffective in dealing with data violations. The architecture of Aadhaar has failed to embody within the law the establishment of an independent monitoring authority (with a hierarchy of regulators), along with the broad principles for data protection. This compromise in the independence of the grievance redressal body impacts upon the possibility and quality of justice being delivered to citizens.
Violation of Data Minimization Principles
Justice Chandrachud noted that the provisions in the Aadhaar Act and Regulations which mandate storage of logs of authentication records for a specific period of time were “in violation of widely recognized data minimisation principles which mandate that data collectors and processors delete personal data records when the purpose for which it has been collected is fulfilled”.
It was held that, using the metadata related to the transaction, the location of the authentication can easily be traced using the IP address, which impacts upon the privacy of the individual. From the verification log, it is possible to locate the places of transactions by an individual in the past five years.
However, in this regard, it is pertinent to note that the majority judgment struck down Regulation 27 of the Aadhaar (Authentication) Regulations, 2016, which provided for archiving of data for a period of five years.
To brush aside the findings of Justice Chandrachud as a minority view could amount to indiscretion on the part of stakeholders. The concerns expressed by the judge merit a certain degree of attention from the authorities in charge of the project, so that all lingering doubts about it can be exhaustively dispelled.