OPINION: Proof of Zero- Revisiting Aadhaar’s Fundamentals
As a frequent trainer of IAS officers on public procurement issues, I usually carry a set of about forty slides containing various cases, both real and imaginary, on multiple aspects of public contract award and administration in India. One such slide asks the class a simple question: What could happen if a public procurement system allowed award of public resources/ licenses on a first-come-first-serve basis, much like the Levi’s sale next door, but with the store manager pre-disclosing the date, time and venue of the upcoming sale only to some of his/ her friends and family?
It is interesting that almost every one of the thousand-odd IAS officers I’ve trained so far has taken no more than a few seconds to conclude that a 2G-type mishap can be the only logical outcome of such a tainted procurement process. The class then usually moves on to debate why a potential mishap that takes a mid-career IAS officer—fresh entrants included—only a few seconds to identify and to predict, was diligently defended tooth-and-nail for years altogether by senior officers from at least three important ministries of the Government—Finance, Law and Telecom, not to mention the Cabinet Secretariat—through thousands of pages of notesheets, press releases, affidavits and counter-affidavits, until the Supreme Court of India, in Centre for Public Interest Litigation v. Union of India (2012) 3 SCC 1, finally stepped in and unequivocally upheld the need for transparency and competition in award of public resources in the country.
Within this context, recent legal developments surrounding Aadhaar in India could well underscore, once again, the need for proper legal re-sensitising of India’s bureaucracy, if the difficult legal issues surrounding public biometric databases are to be satisfactorily addressed. For one, biometric information—fingerprint or iris scans—is not just proof of “identity”, but it is also a strong and legally-admissible proof of “presence”. Take a biometric fingerprint contained in any electronic database that is anyway capable of being easily converted into an actual thumb “impression” on a door knob or on a glass of water around a crime scene using ubiquitously available 3-D printing technologies; and you have a potentially explosive situation that turns the onus of “proof of presence”—and consequently, the fundamental presumption of being “innocent until proved guilty” under India’s criminal justice system—on its head against an unsuspecting and uninvolved individual. Add to that the apparently easy public availability of Aadhaar numbers, and another interesting situation evolves whereby an Aadhaar number and an artificial thumb impression replicating an individual’s fingerprints are all that are needed to withdraw money from an individual’s savings accounts, without the individual being any the wiser how and why something like this could be happening, while simultaneously having to justify that he/ she was not the one person at the ATM who withdrew the money or authorised the transaction in the first place.
Unlike India’s higher bureaucracy that seems to know better, Apple’s engineers and lawyers believe there is a good reason not to transmit biometric information out from its iPhones, where it is stored in an encrypted form at all points of time. Compare Apple’s “Gold (Silver?) Standard” with crores of fingerprints—encrypted or otherwise capable of being decrypted—travelling all over vast public networks spanning international boundaries, stored consciously in a centralised database or surreptitiously and temporarily in lakhs of POS devices; and it becomes obvious that an individual’s biometric information needs better protection at all costs at the point of origin itself—the individual him/ herself as the “owner” of his/ her own biometrics—if India’s residents are to have any legal comfort and are to properly defend themselves against fraudulent financial transactions or false criminal charges.
It is interesting to see that there are easy technical and legal fixes to problems created by centralised storage and the consequential need for fingerprint information to travel over public networks, by simply redesigning Aadhaar cards in a way that an individual’s encrypted biometric information is stored on a smart card available with him/ her alone, and that too with just one copy of such a smart card being active at any point of time. This would perhaps need to be an active smart card—a watered-down personal fingerprint scanner of sorts, in-built and integrated with the smart card—one that transmits and receives data to/ from public networks without any biometric information going anywhere because of localised biometric storage and authentication: essentially, a case of a resident authenticating him/ herself to his/ her own device, much like an iPhone.
It could also be made inactive for a short time period after a certain number of unsuccessful attempts, just like a credit or a debit card, requiring both the cardholder and card issuer to take necessary precautionary steps before allowing a particular Aadhaar number to be used again.
Consequently, the legal framework would be greatly simplified and harmonised if this revised architecture were to be adopted, since the same set of laws, with the same level of protection to an individual, that allow the State to access an individual’s physical fingerprints could then, mutatis mutandis, apply to the State accessing his/ her electronic biometrics stored with him/ her on their personal smart card.
This conceptual change—decentralised storage and authentication with the individual, a.k.a. the iPhone, replacing centralised storage necessitating biometric information to be stored at least temporarily on POS machines and then travelling over public networks only for authentication—would also require that the Aadhaar law remains consistent with the criminal and financial liability law in India, as the 2016 Act presently requires centralised hosting of biometric information. Centralisation of biometric information, and/ or temporary storage of it on a POS machine during the process of authentication, creates another peculiar legal paradox—that while under the criminal law, an individual is liable by default if his/ her fingerprints are found at the scene of a crime/ used for a particular financial transaction, the techno-legal framework for Aadhaar requires any number of parties to be in possession of his/ her fingerprints, without their being called upon to similarly prove that the breach did not take place from their databases instead.
Decentralising biometric information availability with an individual him/ herself would also allow for removal of artificial restrictions placed under the 2016 Act such as those disallowing cognizance of offences without a complaint from the UIDAI, given that there is really no sound legal basis for this requirement to exist when no such restrictions are placed for cognizance of offences relating to hacking of emails that are far less dangerous to an individual than hacking of his/ her biometric information.
The 2016 Act may also need to afford better protection of pre-2016 disclosure of biometric information in the sense that while it now specifically, and thankfully, protects biometric information from unauthorised disclosure, even in the face of the rather unbridled sharing allowed by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, the 2016 Act does not yet address unauthorised sharing of biometric information that could happen under the 2011 IT Rules, prior to enactment of the current 2016 legislation.
Of course, the decentralised model suggested in this article fundamentally assumes that an individual has the sole right to own and to possess his/ her biometric information if he/ she is to be held criminally and financially liable for acts or transactions based on his/ her biometric information. The central question—who is/ should be the rightful owner and possessor of biometric information; and consequently, who is/ should be held liable for criminal/financial acts based on an individual’s fingerprints—is an important and fundamental one, and ignoring any attempt to frame or to answer this issue would only result in non-implementation of important legal recommendations made in the 2012 report and the 2017 white paper on personal data protection that suggest layers and layers of complex legislation for India, perhaps influenced in part by our inability to handle more basic problems such as biased criminal investigations and unscrupulous changing of samples taken at crime scenes by the State’s own forensic authorities.
It is also important that India’s senior policy-makers are able to recognise the Aadhaar system for what it is—a “good faith” enrolment mechanism that accepts names, addresses, age etc. on face value without conducting any background verification of this information prior to generating a valid Aadhaar number, albeit collecting sensitive biometric information in this process. Accepting that it is just that—a good faith enrolment system—would also allow the removal of questionable claims that Aadhaar is “proof of identity” and/ or “proof of residence”—legal flip-flops that the UIDAI underwent for many months during 2012-14, depending on what the flavour of the day was, or perhaps what the whims and fancies of UIDAI leadership were, while drafting the NIDAI Bill during that period. This debate was finally settled with “Aadhaar as Proof of Identity”—a limited proposition that was endorsed by the Indian Parliament under the new Aadhaar Act of 2016, although that may now create a residual problem as regards validity of passports, bank accounts, DINs that had already been issued/ opened using Aadhaar both as proof of identity and proof of address/ residence—a legal tangle that may not have a ready and clear answer. Even now, while the new Aadhaar Act of 2016 makes substantial progress by imposing minimum residence requirements for enrolment under the Aadhaar system, it still does not provide any clear answers as to why crores of enrolments and Aadhaar numbers are currently being treated as practically valid for all purposes under the 2016 Act by UIDAI, when these residence requirements did not even exist at the time of enrolment or Aadhaar number generation, let alone being complied with during the process of enrolment undertaken at that time.
The newly suggested minimalist framework—decentralised storage and authentication of biometric information with the individual—may perhaps also be more aligned to the overarching and very timely vision outlined by India’s present political leadership—one of minimum government, maximum governance—a key principle for India’s evolving data protection laws that has been duly recommended as such in the 2017 White Paper in the form of “data minimisation” requirements. The suggested Aadhaar redesign perhaps makes it an entirely fruitless exercise for anyone to hack and steal sensitive personal information from a centralised database, since the database would not contain any biometric information of interest in the first place.
It would therefore be naïve to presume that it is only some “intellectual” notions of privacy at stake in the Aadhaar debate. What is on the table for legal and policy determination is perhaps the need to revisit the Aadhaar architecture itself, in order to ensure compliance with enforcing default criminal and financial liability of individuals for transactions or acts they may not be involved with or responsible for at all, and along with that, in order to ensure compliance with the very fundamental presumption of innocence under the Indian criminal justice system.
The full paper with footnotes can be read on SSRN.
Sandeep Verma is an IAS officer who is currently Principal Secretary to the Government of Rajasthan in the Department of Science and Technology, who holds an LLM from the George Washington University Law School. Views expressed are personal of the author. The Indian Jurist does not take responsibility for the views expressed or facts stated.