Prof. Shamnad Basheer Moves Delhi HC Against Aadhaar Data Leak; Demands Exemplary Damages [Read Petition]

IP Academic Prof. Shamnad Basheer has filed a Petition before the Delhi High Court alleging a violation of the fundamental right to privacy as guaranteed under Article 21 of the Constitution and as affirmed in Justice KS Puttaswamy v Union of India due to Aadhaar data breaches.

When the Petition came up before the Delhi High Court on Friday, the Bench comprising Justice Sanjiv Khanna and Justice Chandrashekhar opined that it would wait for the outcome of the petition on Aadhaar pending before the Supreme Court before taking this one up.

It then posted the matter for 21 August, with the liberty to the Petitioner to approach the Bench before this date should any emergency or urgency arise.

Prof. Basheer was represented pro-bono by leading criminal lawyer Siddharth Aggarwal, who was briefed by lawyers, Rupali Samuel, Jhanvi Dubey and Sidddharth Sajita. UIDIA was represented by counsel Zoheb Hossain.

The petition was filed as part of the latest IDIA initiative on promoting public interest lawyering (PPIL), an initiative meant to raise public interest causes, and in the process, train IDIA scholars and volunteers through clinical legal education.

The IDIA team helping on this petition included Public interest fellow, Balu Nair, along with IDIA volunteers Anmol Malhotra, Ankit Yadav, Shilpa Prasad, Vinoothna Vinjam and IDIA scholar Donnie Ashok.

Continuous compromise of security of Aadhaar data

The petition begins with an "Ode to Aadhaar":

Grass seemed greener on the Aadhaar side
Seduced by its spell, I got taken for a ride
Linking my card, not once but twice
Lulled by its lore and some lies

 But soon I found
That Aadhaar was unsound
Privacy breaches and bunglings galore
Data pirates so desperate to score

 My unique ID is now up in the air
Open to all, both foul and fair
Yet the “authority” insists that all is well
Link some more…and we’ll all be swell!

 To our courts therefore, I now do turn
For privacy, justice, and a little less burn

Addressing all Aadhaar card holders as Aadhaaris, the Petition goes on to trace the journey of how Aadhaar was conceptualized as a voluntary scheme but was gradually morphed into a near compulsory mandate, with forced linkages to a slew of essential services, including banking services, filing of tax returns and cell phone subscriptions. It then asserts that with Aadhar being all-pervasive, the contemporaneous privacy concerns have also risen.

The petition clarifies that the Petition does not intend to challenge the constitutional validity of the Aadhar Act, but only seeks to "establish that the Respondents continue to compromise the security of Aadhaar data through their negligent acts/omissions and consequently violate the fundamental privacy rights of the Petitioner and that of the public at large".

Fear of Aadhaar data being misused for personal gain

In his petition, Prof. Basheer recalls how he obtained an Aadhaar card back in 2015 believing the project to be safe, secure and consent based. Soon after, he also linked his bank account with Aadhaar for the fear of his account being deactivated.

However, around the beginning of this year, he was devastated to learn through news reports that the confidentiality of Aadhaar data had been compromised, not once but several times over. For instance, he cites a news report by Tribune wherein Tribune claimed to have “purchased” a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far.

The Tribune report had claimed, "It took just Rs 500, paid through PayTM, and 10 minutes in which an “agent” of the group running the racket created a “gateway” for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.

What is more, The Tribune team paid another Rs 300, for which the agent provided “software” that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual."

Listing down various other illustrative examples demonstrating such breach of Aadhaar data, he now submits, "He was particularly distressed to note that most of these breaches pertained to personal identity data maintained with the Central Identities Data Repository, a centralized database containing all information collected from Aadhaar applicants by Respondent No.1 and its various affiliates/partners, including sensitive personal information such as biometric data.

The Petitioner fears that his valuable data (as also that of countless other Aadhaaris) is in the illegal possession of unauthorized third parties, who can, at any time, misuse it for their own personal gain. This fear is not just a theoretical one, but one which has played out in the past."

Violation of statutory provisions

The petition attributes the security breaches to "negligence/willful recklessness" on the part of the UIDAI due to absence of reasonable security measures. It then asserts that UIDAI's conduct violates Aadhaar Act and associated regulations, as well as the Information Technology Act, 2000 and associated rules. UIDAI's conduct, it argues, violates the Petitioner's fundamental right to privacy; and is actionable and compensable as a common law tort.

For instance, the Petition relies on Section 28 of the Aadhaar Act, which places a specific duty on the UIDAI to ensure the security and confidentiality of all identity information held by it, either directly or through its various partners/affiliates. In particular, the UIDAI is obligated to “take all necessary measures” to ensure that the information in its possession or control is secured and protected against any unauthorized access, use or disclosure.

It then alleges violation of this provision, submitting, "It is evident that this duty under Section 28 of the Aadhaar Act has been breached by the reckless and grossly negligent actions/omissions of Respondent Nos. 1 [UIDAI] and 2 [Union of India] and their officers in unleashing a very vulnerable privacy architecture that gave direct access to the CIDR database to sso-called“grievance redressal” personnel to effectuate changes as they pleased, and permitted such access controls to be multiplied manifold and disseminated widely."

The Petition further blames UIDAI for its failure to systematically audit and track breaches, and deploy a fraud analytics system. It in fact argues that the UIDAI and the Centre are liable to compensate the aggrieved Aadhaaris for security breaches under Section 43A of the IT Act, "for its negligence in implementing and maintaining reasonable security practices and procedures in relation to sensitive personal information and data, thereby causing wrongful loss or wrongful gain to individuals."

Deletion of all existing Aadhaar numbers

In the light of such submissions, the Petition prays for a direction to the authorities for immediately complying with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. This includes the demand for publication of a privacy policy, and laying down of an information security policy for itself and its core operations.

The petitioner also seeks information on the number of data breaches which have taken place since the inception of the Unique Identification Authority of India (UIDAI) and the Aadhaar scheme. He further demands to know the scope of such breach, and the manner in which his data has specifically been compromised.

To this end, the petition advocates for the appointment of an independent investigative/audit committee comprising multiple stakeholders and experts to investigate all Aadhaar security breaches as well as the robustness of the existing systems.

As for the damage already done, Prof. Basheer not only requests action against the UIDIA and other government agencies such as National Informatics Centre (NIC) for its failure to adhere to security practices, but also seeks exemplary damages as well as the liberty to opt out of the Aadhaar system. He highlights the damage that such data leak can cause to him specifically, submitting,

"Being a Muslim and a member of a minority community, the threat of potential harms to the Petitioner are even more accentuated. For one, given that in today’s post truth world, almost all Muslims are seen as terrorists and interrogated as such at various international airports and the like, the risk of harms from a data breach and consequent identity theft or the tampering with personal data is significantly  more magnified. Secondly, given the present political climate in the country for minorities and the growing patriotic fervor of those committed to purging the country of its plural ethos, the Petitioner fears that unrestrained access to his data could have potentially fatal implications."

In the alternative, a Writ of Mandamus is sought directing the Centre to permanently delete all existing Aadhaar numbers. Besides, he recommends appointment of a neutral ombudsman/ verification authority for addressing all concerns and complaints at the first level, which may arise in the future in relation to violations of the Aadhaar Act and the IT Act, as well as any data breaches.

Read All Prayers in the Petition Here

(i) Declare that the Respondents have breached the fundamental right of the Petitioner (as also all other Indian citizens holding an Aadhaar number) as guaranteed under Article 21 of the Constitution and as affirmed in Justice KS Puttaswamy v Union of India;

(ii) Declare that the Petitioner and other data subjects have the right to know of any breach of his/her data, as a part of the above said fundamental right(s);

(iii) Issue a writ of Mandamus directing the Respondents to release information on the number of data breaches which have taken place since the inception of the Respondent No.1 and the Aadhaar scheme, the extent/scope of such data breaches, the scope/extent/manner in which the Petitioner’s data has been specifically compromised, and the steps taken by the Respondents towards remedying and rectifying their security practices pursuant to the breaches;

(iv) Issue a writ of mandamus directing the Respondent No.1 to comply with all its statutory duties/obligations to safeguard the Aadhaar data;

(v) Issue a writ in favour of the Petitioner directing the Respondents to immediately ensure compliance with the RSP Rules, including (a) publication of a privacy policy, and (b) laying down of an information security policy for itself and its core operations;

(vi) Issue a writ in favour of the Petitioner directing the Respondent No.2 to immediately form the agency mentioned under Rule 8 of the RSP Rules, if not already formed;

(vii) In the event the Respondent No.1 establishes that it has a comprehensive documented information security policy, direct the Respondent No.1 to demonstrate before the agency mandated under the law that it has implemented all reasonable security control measures as per the said policy;

(viii) Direct the Respondent No.1 and its personnel to undertake compulsory legal training on all aspects relevant to the protection of security/confidentiality/ privacy of Aadhaar data and the various rights of data subjects under the law;

(ix) Direct Respondent Nos.1, 2 and 4 to initiate appropriate action against Respondent No.3, including filing of a criminal complaint, for its failure to adhere to the security practices in violation of provisions of the Aadhaar Act, IT Act, and associated regulations in connection with the Srivastava Spoof;

(x) Appoint an independent investigative/audit committee comprising multiple stakeholders/experts to investigate and audit inter alia (a) all security and privacy breaches of the Aadhaar database, including the breaches outlined in this Petition and ANNEXURE P/3, (b) the robustness of the security systems and processes instituted by the Respondent No.1 and its affiliates/partners, as well as their security policies and practices, operations, infrastructure, and procedures, and their compliance with the same (c) the extent of monitoring of affiliate/partner activities and security systems by Respondent No.1 including audits etc., (d) the extent of non-compliance by Respondent No.1 and its various affiliates/partners with the various statutory duties in relation to the security of the Aadhaar ecosystem, (e) the efficacy or otherwise of steps taken by Respondent No.1 in remedying and rectifying their security practices pursuant to the breaches, and any lapses in this regard and (f) the loss/destruction/unauthorized disclosure of/access to the Petitioner’s own Aadhaar data by acts/omissions of the Respondents.

(xi) Award exemplary damages to the Petitioner in order to deter the Respondents from future negligent behavior that compromises constitutional /statutory/common law rights of the Petitioner and other Aadhaaris;

(xii) Grant liberty to the Petitioner and other Aadhaaris to claim more appropriate legal redressal including additional damages, where appropriate, based on the findings of the Investigative/Audit Committee;

(xiii) Grant the Petitioner the liberty to opt out of the Aadhaar system and issue a writ of mandamus to the Respondent No.1 directing the deletion of all the data relating to the Petitioner from the CIDR. As also the purging of this data or parts of it from all other systems where such data is available;

(xiv) In the alternative, issue a writ of mandamus directing the Respondent No.1 to deactivate the existing Aadhaar number of the Petitioner, permanently delete all data associated therewith, and re-issue a new Aadhaar number. Since the Aadhaar data of all Aadhaaris have been compromised, further direct the Respondent No.1 to permanently deactivate all existing Aadhaar numbers of the Aadhaaris and to not reallocate their old Aadhaar number to any other party;

(xv) Direct the Respondent No.1 to appoint a neutral ombudsman/verification authority for addressing all concerns and complaints at the first level, which may arise in the future in relation to violations of, inter alia, the Aadhaar Act and associated regulations as well as the IT Act and associated rules, by the Respondents as well as any data breaches of the Respondents’ systems and the security measures and steps to be adopted to contain these breaches;

(xvi) To declare Section 46 of the Information Technology Act as unconstitutional and grant only a constitutionally competent court/tribunal the power to adjudicate a matter relating to the IT Act;

(xvii) Award costs of the proceedings in favour of the Petitioner.