IAPP had organized a half day session at IIIT Bangalore in which the Privacy issues surrounding Aaadhaar was discussed in the light of the recent Supreme Court judgement. A summary of thoughts shared by the undersigned in the meet is reproduced here.
The reference to the Nine member Bench of Supreme Court was made during the discussion in the smaller bench on the Constitutional validity of Aadhaar in which one point brought out by the Government was that Privacy is not a fundamental right. Sensing the danger of the argument being held valid on account of the two earlier judgments of the Supreme Court namely the M.P.Singh and Kharak Singh judgments, one of which was from a 8 member bench, the CJI quickly set up the Nine member bench which in double quick time came up with its massive judgement and cleared the path for the smaller bench to proceed with the Aadhaar hearing under the specific consideration that Privacy is a Fundamental right.
Once this issue is settled, the Government will have to justify the Aadhaar Act under one of the “Reasonable Restriction” clauses under Article 19(2).
In this context, the issues before us are to understand
a) Does Aadhaar per-se violate Privacy?
b) Does the mandating of Aadhaar for social benefits violate Privacy?
c)Does Linking of Aadhaar to PAN violate Privacy?
d) Does leaking of Aadhaar Data through e-hospital app violate privacy
e) Does leaking of Aadhaar data through biometric device violate Privacy?
f) Once biometric is compromised, is there a way out to put the clock back?
We must recognize that Aadhaar was perceived as a data base of demographic and biometric data linked to a random number. This number was supposed to be held confidential by the owner and presented with his biometric to those agencies which needed to verify any particular parameter associated with the Aaadhaar such as the name,address, father’s name, data of birth etc. The query was supposed to be always answered in binary Yes or No and aadhaar data was not supposed to travel on the internet.
However in its implementation, Aadhaar is now used as an ID card and any authorized person who seeks information is allowed to download the entire aadhaar information on his systems where the data along with the Aadhaar number resides. The query is answered not only with the biometric but also on OTP over the registered mobile. There are also authorized APIs that lift the data from the Aadhaar server and populate forms at the User end. e-Hospital application was one such application which was at the center of the recent suspected data breach.
Similarly, wherever biometric devices are used, the biometric has to be captured and then transmitted to the Aadhaar server for authentication. Though the transmission is encrypted, it is possible for a copy of the encrypted bio metric to be stored at the device end as was. This was detected in one instance where E Mudhra and Axis bank had sent stored biometric for authentication and UIDAI had filed a criminal complaint.
Since the devices would be under the control of the intermediaries, even if UIDAI ensures an audit of the devices before it is approved, there is a possibility of them being tampered with subsequently.
The current generation of biometric devices and the technology adopted for referring the captured biometric to the UIDAI server does not seem to be secure enough to prevent storage of biometric and this could be a Privacy threat.
Thus in most cases Privacy information leakage occurs at the user end and not at the UIDAI end. Hence what is required by UIDAI to ensure is a process by which users take the responsibility for leakage of Aadhaar data.
Currently this is determined by the provisions of ITA 2000/8 under Section 79 and 43A along with other provisions.
The issue of Aadhaar and Privacy should therefore be seen in the context of how the Aadhaar intermediaries obtain the consent of the Aadhaar users and whether it satisfies the internationally accepted principles of disclosure, minimal usage, security, limited period retention etc.
Some of the legal luminaries do consider that “Consent” being a “Contract”, it cannot be used to circumvent the abrogation of “Fundamental Rights”. In view of this, the consents need to be carefully drafted to avoid litigations.
Compliance therefore becomes a challenge to the companies who need to use “Data” as the raw material for their business.
If Aaadhar related privacy issues are to be tackled there is need to relook at the technology by which Aadhaar data base is accessed by the intermediaries who provide various services using Aadhaar as an ID. Government also should stop treating Aadhaar as an ID card which can be shared at various usage points to be photocopied and used.
If before the Aadhaar hearing comes up again in the Supreme Court, the Government issues a policy guideline on how Aadhaar data base is to be used, it may strengthen the argument to defend the Aadhaar system, Otherwise there could be a danger of impossible restrictions being imposed by the Court which may need change of many of the use cases which is under contemplation.
Naavi