Aadhaar Hearing Day 4: The architecture of Aadhaar enables surveillance: Petitioners
The Constitution Bench hearing the Aadhaar case assembled at 11.35 am to continue the proceedings for Day 4 of the session.
Senior Advocate Shyam Divan began with the arguments. He first put before the court Section 59 of the Aadhaar Act and stated that it validated all acts of the UIDAI prior to the Act but it applied only to central government actions, as per its text. He contended that this section did not control the acts of private entities, like enrolment agencies and therefore their actions were not protected.
Justice Sikri remarked in between that under the pre-Act regime too the UIDAI was appointed. Shyam Divan replied in the negative, contending that there was no privity of contract prior to the Act. Again Justice Sikri stated that the central government appointed UIDAI and all the acts flow from that. Shyam Divan responded that the notification establishing the UIDAI might protect the actions of the central government in entering into the MoU, but it did not cover the actions of the registrars.
On hearing this, Justice DY Chandrachud said that the actions of the registrars are traced back to the MoU. Divan stated that the enrolment agencies were not covered even under the MoUs. As for the Registrars, their actions were not the actions of the central government. Therefore, the enrolments prior to the Act were not validated by Section 59, Shyam Divan added.
Moving further, Divan contended that in any case, one cannot have a retrospective validation of a fundamental right violation. This is especially so when the violation is complete, he contended further. Justice Chandrachud enquired of the counsel whether Aadhaar was used by private players before the Aadhaar Act, because that would not be validated under Section 59. Divan replied that he would get the specific factual details on that later.
Justice Chandrachud stated that the privacy judgment held that there must be a basis in law and Section 59 attempted to provide that by bringing about a legal fiction. Thus it will have to be considered how one deals with data breaches prior to the Act. Shyam Divan replied that informed consent was crucial, and one cannot have a retrospective validation saying that there was always consent, prior to the Act. Even if this provision is to be upheld, it should be given the narrowest reasonable construction, Divan added.
Shyam Divan thereafter specified the heads of challenge to the Aadhaar Act:
♦ The first head is that of surveillance. The architecture of Aadhaar enables surveillance.
♦ The second head is violation of privacy. Between 2010 and 2016, there was no law authorising the violation of privacy. Even after the Aadhaar Act, the violation continues. The citizens were compelled to report their activities to the State through the electronic footprint.
He stated that even for availing of subsidies, an alternative means of identification should be allowed. In a digital society, an individual has the right to protect herself by maintaining control over personal information, he contended.
♦ The third head is limited government. The Constitution is not about the power of the State but about limits to that power.
He stated that Aadhaar allowed the State to dominate the individual through an architecture that enabled profiling, and by the power to cause civil death by deactivating Aadhaar. He further said that instead of the State being transparent to the individual, the individuals were made transparent to the State.
♦ The fourth head was that it was not a money bill.
However, he mentioned before the Bench that this point will be addressed by Mr Datar and Mr Sibal before the Court.
♦ The fifth head was that the procedure under the Act violated Articles 14 and 21. There was no informed consent. There was no opt-out option. UIDAI had no direct relationship with the collecting agencies. The data collected and stored lacked integrity. This data was not verified, and now it was being taken as gospel. He cited the example of eKYC.
He went on further and stated that biometrics were untested and probabilistic. The use of biometrics had led to exclusion from welfare schemes. Further, if biometrics don’t work, then a flesh and blood individual ceases to exist. If a person’s biometrics don’t match, he becomes a ghost, the counsel alleged.
Therefore, Divan argued, a citizen in a democratic society had the right and choice to identify himself in a reasonable manner. Mandating a single highly intrusive form of identity was inconsistent with democracy.
Shyam Divan further argued that authentication records included the time of authentication and the requesting entity. This could be stored for 2 + 5 years and in turn enabled real-time surveillance. He stated that the notion of a central database where all data was stored in one place itself smacked of authoritarianism.
To this, Chandrachud J asked who maintains the CIDR. Divan replied that the information about the specific details of the CIDR was not in the public domain because of national security concerns. Further, Chandrachud J asked whether the source code was with the UIDAI. Shyam Divan said that it was proprietary, and not with the UIDAI. He alleged that the private enrolment agencies could not be entrusted with the crucial task of ensuring informed consent.
Moving further, Divan called the definition of “resident” arbitrary and lacking any verification mechanism. He argued that Section 7 was unconstitutional, because an individual’s entitlements cannot be made subject to compelling him to give up his constitutional rights. “It is both an unconscionable and unconstitutional bargain,” he claimed.
The individual has a right to remain free of monitoring as long as they have not violated any criminal law, the counsel claimed. He stated that on cancellation of Aadhaar, the services will be disabled personally. “You can just switch off a person,” Shyam Divan remarked.
Further, Divan read out the circumstances in which an Aadhaar number can be canceled, the last circumstance being “where it appears fraudulent to the authority.”
Justice Sikri, however, asked why Aadhaar should not be canceled if it had been fraudulently obtained, to which Shyam Divan contended that the point was that the power was given. Justice Sikri, not agreeing with Shyam Divan’s argument, stated that it was only a case of an abuse of the power. Justice Khanwilkar too pointed out that there was a provision to rectify such cases of wrong cancellation.
Further Shyam Divan handed over a compilation to the Court that dealt with the issue of the circumstances in various jurisdictions, where the taking of biometrics was considered reasonable.
Shyam Divan while mentioning the Census Act of 1948 before the Court, pointed to Section 15 of the Census Act to illustrate the nature of protection accorded to census data. He then pointed towards the Identification of Prisoners Act and stated that Section 7 of that Act provided for destruction of personal data if the prisoner was released without charge. He then mentioned Section 32A of the Registration Act and claimed that it was a perfect example of a legitimate purpose and done proportionately. Divan then threw light on the 1959 Bombay Habitual Offenders Act, the successor to the Criminal Tribes Act wherein under Section 6, palm impressions could be taken. But after five years, the registration of a “habitual offender” came to an end. Divan claimed that all these acts were narrowly tailored, unlike the Aadhaar Act.
Thereafter the Bench arose for lunch at 12:52pm and resumed hearing after 2.30 pm.
After lunch, Divan resumed his arguments beginning with how the architecture of the Aadhaar Act enabled surveillance. He stated before the Bench that the CIDR retains the records and the State is empowered to collect records over the course of an individual’s lifetime. On this basis of aggregation, over time, the State thus acquires a profile of an individual, a community, a segment of society. The Constitution does not permit a surveillance State, the counsel contended.
Every electronic device linked to the internet has a unique number. In addition, when the device is linked to the CIDR, the devices exchange information. The device is assigned a number qua Aadhaar, a specific ID, at the first interaction. Thereafter, the transmission will be recognised as emanating from that device. A unique electronic path attaches to each transmission. This identifies the links through which the transmission is done. Each link is identifiable. Hence it is technically possible to track every transaction, and even to track the location of every device in real time as well as the broad nature of the transaction.
Shyam Divan explained before the bench that the extent and scope of the surveillance will deepen over time and that this was all enabled by Section 57. He stated that affidavits and reports of technical personnel clearly demonstrated this.
There were two affidavits by security personnel – Mr Samir Keleker and Mr J D’Souza.
The first affidavit by Mr Samir Keleker stated, “The project facilitates real time and non real time tracking of UID holders. It is quite easy to know the place and type of transaction every time authentication takes place. This would allow the UIDAI or any other party to track behavior. UIDAI recommends that each Point of Service Device register itself with UIDAI and get a unique ID. This method of uniquely identifying every device further makes the task of tracking location easier. There are other ways as well. No security is perfect. But biometrics are a problem because you can’t change them if lost or stolen or hacked. If army personnel are using Aadhaar to take salary, and the system is hacked, there could be national security issues.”
The second affidavit by Mr J D’Souza stated, “I have conducted demonstrations to show the unreliability of biometrics. One demonstration was before UIDAI officials themselves. They were shown the ease with which fingerprints can be replicated. There may or may not be a GPS on the fingerprint device. GPS can be used to track location.
I have examined multiple fingerprint machines. They can be tampered with to capture biometric data before the point of encryption. This is called a “skimmer”. These machines are not manufactured indigenously. The machine code and source code is not known to UIDAI. There may be a backdoor or Trojan Horse feature that can be used for data mining without UIDAI knowing. There are serious national security implications. Data collected over an individual’s lifetime can become a tool of political blackmail. This can compromise even constitutional functionaries. Jan Chrysler recently cracked the iPhone biometric systems and also the iris recognition.”
After hearing the affidavits, Justice Chandrachud enquired of Shyam Divan to what extent the Court could go into questions of technical evidence. He said that there was also a distinction between the existence of a mechanism and its abuse. He also asked Divan whether the distinction between fingerprints on the iPhone and Aadhaar was only one of degree.
Justice Chandrachud further asked, “should the Court second-guess the decision of the executive government, especially when no system in the world is secure?” Shyam Divan replied that these affidavits confirmed that there was a complete mapping of the electronic path, which happens in real time, and that you can track the location.
Justice Chandrachud once again remarked, “aren’t we accepting Google Maps tracking us, and other private corporations?” Shyam Divan responded that when a person is tracked by the State in real time, it is tantamount to a police State. The Constitution does not allow this. He further stated that Google was not the Indian State, and the issue was one of consent. He argued that Google, though powerful, was not as powerful as the State. He explained with the example of the ‘Stasi’.
Justice Chandrachud yet again commented that one should have no objections to the State knowing whether he/she was paying taxes or not. So there should be a distinction between collecting data and using it. Further he stated that if the use of data was limited to its purpose, then there was no problem with collection.
“We live in times of terrorism and money laundering and welfare expenditure, and this has to be balanced,” Justice Chandrachud observed. He stated that surveillance was all about how data was used, not collected.
Hearing the exchange, Kapil Sibal, Senior Advocate, stood up and said that the biggest problem was of giving the State that kind of information itself. “Big brother will have the information. He may use it and you won’t know it. By the time you do, he will become a bigger brother,” he alleged.
Shyam Divan, agreeing with Kapil Sibal, claimed before the bench that the point of this whole case was to prevent that very situation, where Big Brother is watching.
Moving further, Shyam Divan read out Justice Subba Rao’s dissenting opinion in Kharak Singh, which was endorsed in the privacy judgment as correct. This was the first articulation of privacy in Indian constitutional history, he stated. He pointed towards the part of the Kharak Singh judgment that talked about how surveillance constricted life and liberty and further quoted that the “shadow of surveillance” engenders inhibitions upon people.
Shyam Divan then read out the judgment in District Collector vs Canara Bank (2005). The case involved bank raids and inspection of bank documents. He pointed to the part of the judgment that said “we are not living in a police raj.” He thus exclaimed before the bench that this was exactly the point in this case.
He further referred to the US Supreme Court judgment in US v. Jones, which involved a GPS and a warrant. It involved putting a GPS device on a jeep. He quoted Justice Sotomayor’s opinion in that case, which had opined that one no longer needed physical violations to infringe privacy. He read out the part of the opinion that talked about how GPS data could reveal an entire profile of a person simply by knowing the places he visited. It could be mined years in the future. Since this was surreptitious, it therefore evaded scrutiny.
“The very awareness that the government is watching can chill speech and associational freedoms. Merely because you voluntarily disclose some information to some people for some time doesn’t mean you lose your privacy right over it,” the judgment stated.
Finally Shyam Divan quoted the judgment of the ECHR in Sakharov v. Russia which involved interception of communications.
Thereafter the Bench rose for the day. The hearing will continue on 31st January, next Tuesday.