Aadhaar Judgement-5…Collection of Metadata

This is a continuation of the earlier articles on the topic

Continuing our discussion on the Judgement of the three Judges, Dipak Misra, A K Sikri and A M Khanwilkar, responding to the first issue answered by them namely,

(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?

Incidental Issues:

(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data?
(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?

the judges have responded….

(ii) Metabase relating to transaction, as provided in Regulation 26 of the aforesaid Regulations in the present form, is held to be impermissible, which needs suitable amendment.

Regulation 26 of the Regulations states as follows:

(1) The Authority shall store and maintain authentication transaction data, which shall contain the following information:—

(a) authentication request data received including PID block;
(b) authentication response data sent
(c) meta data related to the transaction.
(d) any authentication server side configurations as necessary
Provided that the Authority shall not, in any case, store the purpose of authentication.

The judgement suggests a “Suitable Amendment”. In the earlier paragraphs, the judges have noted the fact that UIDAI does not collect the purpose of authentication nor the location of the transaction. Hence it is not clear what exactly is the concern of the judiciary regarding the metadata collection. It appears that this reflects the unverified concerns of the petitioners.

In fact from the security perspective of prevention of frauds, it looks stupid not to collect the locational information of the authentication since this is part of any “Risk management” system.

There are instances where the POS devices are moved from one state to another and used for conducting fraudulent transactions to avoid detection. Also, in the case of cloned card use, one of the security measures is to understand where the transaction is happening from. Similarly, if an Aadhaar authentication happened from Bangalore one minute back and the next minute from Chennai, it is an indication that the authentication request is fraudulent.

To identify such frauds, it is necessary to collect the IP address and GPS data, and not only use them at the time of authentication but also maintain them as “Evidence” for later use.
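The two location checks described above (a holder authenticating from two distant cities within a minute, and a POS device reporting from far outside its registered site), as an added example that is not part of the original article or of any UIDAI system. The thresholds, field names, device IDs and sample events are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime

# Assumed thresholds (not from the article or any UIDAI specification).
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0      # ignore GPS jitter and movement within one city
DEVICE_DRIFT_KM = 100.0     # device seen this far from its registered site


@dataclass(frozen=True)
class AuthEvent:
    holder_ref: str   # pseudonymous holder reference, never the raw ID number
    device_id: str
    ts: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive authentications by one holder that imply an implausible
    travel speed. Returns tuples (holder_ref, previous, current, km, kmh)."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last_seen.get(ev.holder_ref)
        last_seen[ev.holder_ref] = ev
        if prev is None:
            continue
        km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        if km < min_km:
            continue  # same locality: not a travel anomaly
        hours = (ev.ts - prev.ts).total_seconds() / 3600.0
        kmh = math.inf if hours <= 0 else km / hours
        if kmh > max_kmh:
            alerts.append((ev.holder_ref, prev, ev, round(km, 1), kmh))
    return alerts


def find_relocated_devices(events, registered_sites, drift_km=DEVICE_DRIFT_KM):
    """Return sorted IDs of devices reporting from far outside their registered
    site. Devices with no registered site are flagged as well."""
    flagged = set()
    for ev in events:
        site = registered_sites.get(ev.device_id)
        if site is None or haversine_km(site[0], site[1], ev.lat, ev.lon) > drift_km:
            flagged.add(ev.device_id)
    return sorted(flagged)


# Constructed sample data (city-centre coordinates for Bangalore and Chennai).
BLR = (12.9716, 77.5946)
CHN = (13.0827, 80.2707)
REGISTERED_SITES = {"POS-BLR-01": BLR, "POS-CHN-01": CHN, "POS-BLR-02": BLR}
SAMPLE_EVENTS = [
    # holder-A: Bangalore, then Chennai one minute later -> impossible travel
    AuthEvent("holder-A", "POS-BLR-01", datetime(2018, 10, 1, 10, 0, 0), *BLR),
    AuthEvent("holder-A", "POS-CHN-01", datetime(2018, 10, 1, 10, 1, 0), *CHN),
    # holder-B: same two cities six hours apart -> plausible
    AuthEvent("holder-B", "POS-BLR-01", datetime(2018, 10, 1, 9, 0, 0), *BLR),
    AuthEvent("holder-B", "POS-CHN-01", datetime(2018, 10, 1, 15, 0, 0), *CHN),
    # holder-C: device registered in Bangalore is reporting from Chennai
    AuthEvent("holder-C", "POS-BLR-02", datetime(2018, 10, 1, 11, 0, 0), *CHN),
]

if __name__ == "__main__":
    for holder, prev, cur, km, kmh in find_impossible_travel(SAMPLE_EVENTS):
        print(f"{holder}: {km} km between {prev.ts} and {cur.ts} ({kmh:.0f} km/h)")
    print("relocated devices:", find_relocated_devices(SAMPLE_EVENTS, REGISTERED_SITES))
```

Both checks need the location of each authentication to be recorded and kept long enough to compare with the next one, which is the retention question the article raises.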

It is accepted that the data so collected should be securely stored. Placing any other restriction would be weakening the security of the transaction and actually hurt the interest of the Aadhaar user whose biometric might have been stolen.

It is therefore necessary to record that this prescription of the Court was not warranted. Since the judgment only says the section has to be amended, without exactly giving direction, at this point there is lack of clarity on this suggested amendment.

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.



Aadhaar Judgement…4… Making the life of law enforcement difficult…

This is a continuation of the earlier articles on this topic

Continuing our discussion on the Judgement of the three Judges, Dipak Misra, A K Sikri and A M Khanwilkar, responding to the first issue answered by them namely,

(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?

Incidental Issues:

(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data?
(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?

the judges have responded..

(iii) Section 33(1) of the Aadhaar Act is read down by clarifying that an individual, whose information is sought to be released, shall be afforded an opportunity of hearing.

The Section 33(1) as it stands today reads:

33. (1) Nothing contained in sub-section (2) or sub-section (5) of section 28 or sub-section (2) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made pursuant to an order of a court not inferior to that of a District Judge:
Provided that no order by the court under this sub-section shall be made without giving an opportunity of hearing to the Authority.

Sections 28(2), 28(5) and 29(2) of the Aadhaar Act relate to Security and Confidentiality of Information and state as follows:

28(2) Subject to the provisions of this Act, the Authority shall ensure confidentiality of identity information and authentication records of individuals.

28(5) Notwithstanding anything contained in any other law for the time being in force, and save as otherwise provided in this Act, the Authority or any of its officers or other employees or any agency that maintains the Central Identities Data Repository shall not, whether during his service or thereafter, reveal any information stored in the Central Identities Data Repository or authentication record to anyone:
Provided that an Aadhaar number holder may request the Authority to provide access to his identity information excluding his core biometric information in such manner as may be specified by regulations.

29(2) The identity information, other than core biometric information, collected or created under this Act may be shared only in accordance with the provisions of this Act and in such manner as may be specified by regulations.

It is not clear if a “reading down” was required since 33(1) provides that on the orders of the Court (District Court and above), information can be disclosed. The section already mentions that the person whose data is sought to be released would be given an opportunity of hearing.

The provision as it exists and as is clarified reiterates that there cannot be a collection of data, say for intelligence purposes, without the knowledge of the Aadhaar holder. Whether this adversely affects national security is a matter which the law enforcement agencies need to discuss.

In a practical situation, if the Law Enforcement comes across a biometric which relates to a suspicious person and wants to identify the person, the law enforcement agency cannot rely on the Aadhaar database like their own NCRB data to identify the suspicious person. If therefore a terrorist is trying to escape in an Airport and the agencies have a doubt about the identity of the person, they cannot make a real time verification with the Aadhaar database. They may however detain him on suspicion and get a warrant and then check his identity. Either the law enforcement would resort to this method, which is more inconvenient if the suspicion is wrong, or they will let people slip through except when they have some very strong suspicion.

By such provisions, the law is being made Criminal friendly and it is not helping the honest citizen of the country who has his own stake in the national security.

The PDPA 2018 needs to have appropriate provisions to prevent such unfair restrictions from being imposed on the verification of identity of suspects with reference to the Aadhaar data. This does not amount to “Surveillance” but is a security requirement.

Naavi


Aadhaar Judgement..3.. Data retention limit of 6 months..

This is in continuation of the earlier articles on this topic

The First Issue answered by the first part of the majority judgement (signed by the three judges Dipak Misra, A K Sikri and A M Khanwilkar, hereafter referred to as the first part) was

(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?
Incidental Issues:
(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data?
(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?

The answer to the above question provided by the judges took note that Aadhaar architecture does not tend to create a surveillance state. It also concluded that there were sufficient authentication security measures taken by UIDAI and adequate oversight. It recorded that use of Registered Devices prevented the risk of store and replay attack. It noted that the Authority does not get the transaction details of an authentication request or the IP address or GPS location of the authentication request.

Taking into account the above, the three judges held

After discussing the aforesaid aspect with reference to certain provisions of the Aadhaar Act, we are of the view that apprehensions of the petitioners stand assuaged with the striking down or reading down or clarification of some of the provisions, namely:

(i) Authentication records are not to be kept beyond a period of six months, as stipulated in Regulation 27(1) of the Authentication Regulations. This provision which permits records to be archived for a period of five years is held to be bad in law.
(ii) Metabase relating to transaction, as provided in Regulation 26 of the aforesaid Regulations in the present form, is held to be impermissible, which needs suitable amendment.
(iii) Section 33(1) of the Aadhaar Act is read down by clarifying that an individual, whose information is sought to be released, shall be afforded an opportunity of hearing.
(iv) Insofar as Section 33(2) of the Act in the present form is concerned, the same is struck down.
(v) That portion of Section 57 of the Aadhaar Act which enables body corporate and individual to seek authentication is held to be unconstitutional.
(vi) We have also impressed upon the respondents, to bring out a robust data protection regime in the form of an enactment on the basis of Justice B.N. Srikrishna (Retd.) Committee Report with necessary modifications thereto as may be deemed appropriate.

In expressing the above views, the Court actually descended to the level of drafting internal security guidelines for UIDAI. We cannot expect the Court to be an Information Security expert and hence some of these suggestions could have been avoided. In comparison the drafting of the Ashok Bhushan judgement was better as it avoided going into the details of how UIDAI has to manage the security.

Now coming to the exact recommendations in this Answer 1,

the first prescription is

(i) Authentication records are not to be kept beyond a period of six months, as stipulated in Regulation 27(1) of the Authentication Regulations. This provision which permits records to be archived for a period of five years is held to be bad in law.

By making this observation, the Court has limited the data retention period of the authentication record to 6 months unmindful of the actual requirement which may be dependent on the circumstances.

The Authentication guidelines indicated data retention under two regulations. First was under regulation 18(1) about the maintenance of logs by the requesting party. Second was regulation 27(1).

This regulation under 27(1) stated:

(1) Authentication transaction data shall be retained by the Authority for a period of 6 months, and thereafter archived for a period of five years.
(2) Upon expiry of the period of five years specified in sub-regulation (1), the Authentication transaction data shall be deleted except when such authentication transaction data are required to be maintained by a court or in connection with any pending dispute.

The judgement has suggested that the 27(1) is modified to remove the words “and thereafter archived for a period of five years”.

Simultaneously 27(2) may need to be amended to say “Upon expiry of six months…”

The similar provision under regulation 18 (1) which is applicable to the user agencies is not touched by this answer.

The current judgement has not invalidated the possibility of a law that requires the data to be retained beyond 6 months. One such law which is in existence is the “Evidence Law”. When certain transaction data is required as “Evidence” because a potential crime has come to the knowledge of the person holding the data, he has to preserve it until it is required. Otherwise it will be an offence under IPC (Section 204) and ITA 2000/8 (Sec 65).

Even the PDPA 2018 can clarify this aspect.

If within 6 months no specific complaint arises, the data may be destroyed.

However, since it is the law of limitation which says that there is a time limit of 3 years for any civil action, the action of the Supreme Court to get the potential evidence forcefully removed after 6 months is snatching a legal right available to the citizens.

I would therefore consider it necessary for the Supreme Court to increase this data retention limit from 6 months to 3 years.

Alternatively, the PDPA 2018 must state that

“System log records and other data which are relevant for the protection of the Privacy of a person shall be retained for a period as required under the law of limitation for a minimum period of 3 years and as otherwise may be required if the data is considered as a potential “Evidence” for a cognizable offence of which the data fiduciary is aware.”

….To Be continued

Naavi


Aadhaar Judgement….2.. The Answers and Conclusions of the majority

This is a continuation of the earlier article “Aadhaar Judgement..1..Debate the Areas where Clarity is Required”

The Aadhaar judgement is said to be the second longest case in terms of continuous hearing next only to the Keshavananda Bharati case in 1973 and underscores the importance and urgency assigned to the case.

The petitioners tried to argue that Aadhaar was unconstitutional, constituted an instrument of state oppression through surveillance and had to be scrapped. The data leaks of Aadhaar were quoted to argue that the system could cause serious privacy breach issues since the biometrics of citizens could leak. They also argued that there was denial of basic services because of the failure of Aadhaar authentication. In particular, the mandatory linking of Aadhaar to PAN cards and the opening of Bank accounts were alleged to be an overreach of powers of the Government.

The net demand was that Aadhaar had to be scrapped.

The Government argued that it was useful to ensure that Direct Benefits of the Government reach the right persons and to reduce/eliminate corruption. Even during the trial, Aadhaar introduced the Virtual Aadhaar ID and made several moves to strengthen the system to allay the fears of lack of security. UIDAI also explained the security practices and tried to convince the Court that the system had a useful role in Governance and did not violate Privacy.

Unfortunately, the case became a battle between the Government which was using Aadhaar Unique ID to curb black money and those who were simply Anti-Modi. All other principled explanations were only excuses.

In the entire cacophony of the media, everybody forgot that there were two other stakeholders to the debate. First was the “Honest Tax Paying Citizen” whose legitimate income and wealth were being eroded because of the corruption, black money and benami holding of properties, all of which were threatened by the Aadhaar linking. Second was the business which adopted the use of Aadhaar for e-KYC and real time authentication of electronic documents through e-Sign. These stakeholders were not impleaded into the arguments.

The Supreme Court bench which heard the arguments should have realized at some point of time that there was a possibility of them taking a decision which could hurt the interest of these stakeholders, and that their interests were not being represented either by the petitioners who were Anti-Modi or by the Government which was Anti-black money, and should have voluntarily called in the other stakeholders to explain their viewpoints.

Today we are debating the consequences of one interpretation of the judgement from the petitioner’s side which strongly believes that the judgement bans the use of Aadhaar in any form by the private sector and severely restricts the use even in the Government sector.

The Government may defend its position by drafting suitable law to protect its interests but the private sector and the citizens may not be able to voice their opinion adequately.

However the PDPA 2018 (Personal data protection act 2018) which is in draft stage with the Parliament presents an opportunity for these stake holders to express their thoughts either through the public comments to be submitted before 10th October 2018 or through the MPs during the Parliamentary discussions.

This series of articles is aimed at stimulating the thoughts of interested persons so that they do not lose this opportunity.

The Srikrishna Committee made a detailed suggestion on changes to be made to Aadhaar though they were not included in the PDPA2018 draft. Now is the time to take a look at these recommendations and read it along with the Supreme Court judgement and incorporate it in the draft PDPA 2018.

Naavi.org therefore focusses in these discussions only on Aadhaar related discussions. Other than this, Naavi has only a few suggestions for amendment such as

a) “Making Criminal Offences Bailable”,

b) “Removing the Caste from the definition of sensitive personal information” ,

c) “Clarifying that the basic purpose of the Act is to protect the Privacy of Indian Citizens from Privacy infringement through insecure data processing either in India or elsewhere”,

d) “Clarifying that the jurisdiction of any foreign law on data protection shall be exercised only through the Data Protection Authority in India”

I am not going into the details of the above now and will go directly into the Aadhaar related discussions, which are the need of the hour.

For the purpose of this discussion, I am ignoring the part of the judgement attributed to the dissenting judge (D Y Chandrachud) contained in pages 568 to 1048 of the judgement. The judgement of the other four judges is recorded in two parts, the first part between pages 1-567 (Dipak Misra, A.K. Sikri, A.M. Khanwilkar) and the second part between pages 1049-1448 (Ashok Bhushan). Even within the two parts of the majority judgement, I am focussing on

a) Pages 540 to 567 containing the 9 Issues discussed and Answers provided by the first three judges

b) Pages 1442 to 1448 containing the 18 conclusions listed by the Judge

This reduces our span of reading from 1448 pages to 35 pages. But this is the relevant portion of the judgement. In writing any judgement, the judges do quote what the petitioner has said, what the respondent has argued, what another judge has said in a different judgement, what he considered relevant etc. These discussions are important for academicians to understand why a Judge came to a specific conclusion but the operative part of the judgement has to be taken only from the “Order”, “Summary” or “Conclusion”.

If there is any difference between what is expressed as a firm view of the judge in the body of the judgement and in the conclusions part, it could be due to the judge consciously taking the stand as given in the conclusions.

Even if it is a drafting error the erroneous order stands unless clarified separately. We may recall that a High Court Judge in Karnataka made a totalling error in a judgement and declared that (late) J Jayalalitha was not guilty of corrupt practices and this arithmetic error had to be challenged in Supreme Court as an “Appeal” which was kept pending until the lucky accused passed away.

We therefore continue our discussions in the next article with a discussion of the 35 pages relevant for our discussion.

Naavi


Aadhaar Judgement…1… Debate the areas where clarity is required.

The 1448 page Aadhaar judgement has created some confusion in the industry circles about what exactly is the impact of the judgement on the industry.

In particular, key industries which are concerned are the FinTech industry, Telecom industry and Banks. They were using Aadhaar as the base for conducting e-KYC which could be completed in realtime and at a very nominal cost such as around Rs 15-25 as against manual KYCs which may cost upwards of Rs 200/-. The e-Sign system which was “Electronic Signature” under ITA 2000/8 also depended on e-KYC.

After the judgement, there is a doubt on whether private sector can continue to use Aadhaar as a basis of conducting KYCs. KYC is an important element of opening of Bank accounts and curbing of benami accounts. It is not good for the Country if hurdles are placed on the KYC system and we fall back on the old practices where black money thrived through fake accounts all round.

Hence proper clarity is required on whether the judgement means a “Ban on use of Aadhaar for KYC” or requires only a modification in the current approach.

The honourable Supreme Court and those who swear by “Freedom for Everything” do not like the word “Ban” whether it is for Crypto Currencies or for Sabarimala temple entry. But this “Ban on Aadhaar” is sweet news for many of these freedom lovers.

Unfortunately, the Supreme Court often is swayed by the popular gallery opinion when such issues arise. The Aadhaar judgement has tried to avoid it to the extent possible, but still the pressures from the lobbies which control public opinion and try to manipulate the Supreme Court judgement have ensured creation of so much confusion in the minds of the Judges that some parts of the judgement remain ambiguous and reflect the confusion of the judges.

Another aspect on which the Judgement is treading on a dangerous path is in diluting the Information Security aspect of transactions where Aadhaar is used by trying to make prescriptions on what elements of transaction data are to be collected and what period they should be retained etc.

It is our responsibility that the mistakes or ambiguities in the judgement have to be brought into public debate. This matter is of such importance that the debate would go on for a long time. But we need to set the direction for the discussions and contribute some thoughts before the Government freezes on the public comments to the draft Personal Data Protection Act 2018 (PDPA 2018) which will close by 10th of October 2018.

Within the short time available, a few thoughts of the undersigned would be shared through these columns so that they may be considered when the draft of PDPA 2018 is discussed in the Parliament.

It is possible that some may feel that these views are spectacularly wrong and have to be rejected outright. Nevertheless, it is essential that if Supreme Court has unfairly brought obstructions to the legitimate business, it has to be pointed out.

At the same time, the industry has to be also faulted for not understanding the direction in which the wind was blowing and remained adamant despite an attempt to make them realize that some changes were required in their current practices of using Aadhaar.

But we are not keen on telling the industry players “I told you so…you ignored…and now you suffer..”. Nor are we interested in criticising the Judiciary that they did not understand the technology issues and were swayed by the anti-Aadhaar sentiments in the ecosystem. What we are interested in is suggesting that we interpret the judgement in such a manner that the concerns of the Judiciary are addressed but at the same time concerns of the industry are not brushed aside.

I hope that in the next few articles, we shall throw up some thoughts which the larger audience may start debating. I wish we had more time to have a series of public interactions explaining some of these thoughts and eliciting an informed response from experts. But the time available before October 10th is too short. Hence I am placing my views here and leaving it to the experts to debate elsewhere.

Let us go ahead in trying to drill through the 1448 page judgement and how it is likely to affect the industry.

…..To be Continued

Naavi

Reference: The Copy of the Judgement


Facebook data breach, punctures the argument against Data Localization

Leading up to the discussion on PDPA 2018 in the Parliament, there is an orchestrated opposition to the Data localisation aspect recommended in the PDPA 2018. However, the Facebook data breach, which has reportedly compromised over 50 million accounts including about 5.6 lakh accounts of Indian customers of Facebook, has punctured the argument placed by those who are opposing Data localization.

One of the strong arguments that was placed against Data localization was that Indian Data Centers are not secure enough and it will increase the attack vector etc.

Now it is proved that Data Centers in the US could be as vulnerable as, if not more than, those in India. The truth is that whether the data center is in India or in the US, the security threats are the same. The security devices used, strategies used and even the hardware used are all the same whether the data center is in India or in the USA.

What is different is the service aspect such as continuity of service, the power cost etc which needs to be addressed. But this is not presently considered as an issue. The Manpower costs as well as the Land cost in India can be much lower than setting up of a Data Center in US or other foreign centers. Hence the cost factor is in favour of India.

What is critical for Data Security is however the “Manpower” . From the skill levels, Indians are on par with the rest of the world. Where the Indians may score over the rest is that Indian culture still respects “Ethics” much more than in the west.

Though there are elements in India which continue to corrupt the individuals, the inherent nature of Indians makes it possible for Indians to rise above corruption, unlike in the west where there may be a rationalization of corruption as a legitimate business practice. We have perhaps seen how in the last 4 years, the Government of India has taken steps to curb corruption in India and slowly, a generation of young persons is coming up with a commitment to the national ideals which include honesty and integrity. If this is nursed properly, then the quality of Data Security Professionals in India would improve.

Thus the argument that if Data Localization is imposed through law, we will hurt the interests of the Industry is incorrect and has to be rejected outright.

We also need to recognize that what the PDPA 2018 wants is that “Sensitive Personal Data” collected in India need to be kept in India and in the case of other Personal data, only one active serving copy need to be maintained in India.

If we want the Government of India to protect our personal data, it is necessary for us to entrust it with the ability to put fences around it and this would be possible only if the law enforcement in India has an access when needed to conduct investigations when breaches occur.

On the occurrence of a data breach, a large part of the data repository becomes a “Potential Evidence” and is required to be retained. We cannot allow such data to be outside the control of the law enforcement and we cannot allow the Data Fiduciaries to remove them from access.

Now taking the Facebook incident,

a) We do not know how many Indian citizens have been affected adversely since we need to depend on Facebook for this purpose.

b) We believe as per the statement of Facebook that what has been breached is only “Access Token” related data and not other data.

c) Such data could normally be expected to be in hashed form. But we are not sure if any plain text data has been lost.

d) We also need to know if the Access tokens lost included those which can be used in a “Store and Replay attack” on a “Facebook Banking Account” or similar critical use case scenario.

For all these questions to be answered today we are dependent on Facebook and cannot conduct an independent investigation, though CERT IN may have necessary powers under law.

There is definitely the Indian law which makes Facebook an intermediary and imposes due diligence and reasonable security obligations on Facebook, and the remedies under Sections 43, 43A, 66, 72A etc of ITA 2000/8 which can be read with Section 79 and Section 85 to elicit cooperation from Facebook.

But in practice, Indian agencies will not be able to force Facebook except through a prolonged judicial grind through the High Courts and Supreme Court where the balance of favour is always with the Privacy Activists who will ensure that the Law Enforcement does not get access even to legitimate crime related evidence.

The reason is that the data is not so easily accessible to Law Enforcement since it lies elsewhere. This makes a strong case for “Data Localization” so that if there is a data breach event, the local law enforcement authorities, which in future will include the Data Protection Authority, will be able to do their duty.

Now there is an opportunity for Facebook to prove that the ideal situation, where “Data Access” is sufficient and “Data Localization” is irrelevant, does exist here, by providing CERT IN access to the Facebook servers to conduct whatever investigations are needed.

I believe that CERT IN should demand such access and ensure that the interests of the 5.6 lakh users who are reported to have been affected in the incident are protected. I also believe that the details of who all were affected and by how much is a “Potential Evidence” which may surface at some point of time in future and CERT IN may be called in to submit such evidence to Courts in India.

Already, Facebook has temporarily de-activated the “View-As” service and would perhaps delete evidence that may be present in their systems about the damage that has occurred. CERT IN has to take steps to secure the evidence in the form of what all Access Tokens were lost and what they contained etc.

We look forward to further developments in this regard.

Naavi
