Aadhaar

Final hearing of Aadhaar in Supreme Court – Day 4

Jan: Day 1 (17/1/18)| Day 2 (18/01/18) | Day 3 (23/01/18) This post is essentially a compilation of tweets from Gautam Bhatia,...

· 8 min read >

This post is essentially a compilation of tweets from Gautam Bhatia, Prasanna and SFLC to understand how the Aadhaar hearing happened in the Supreme court.


Day 4: 24 Jan ’18

Shyam Divan, Senior Advocate and counsel for petitioners arguing.

  • Aadhaar Bench assembles.
  • Shyam Divan says that Section 59 of the Aadhaar Act, which validates all acts of the UIDAI prior to the Act, applies only to central government actions, as per its text.
    • This section does not control acts of private entities, like enrolment agencies. Their actions are not protected.
Section 59: Anything done or any action taken by the Central Government under the Resolution of the Government of India, Planning Commission bearing notification number A-43011/02/2009-Admin. I, dated the 28th January, 2009, or by the Department of Electronics and Information Technology under the Cabinet Secretariat Notification bearing notification
number S.O. 2492(E), dated the 12th September, 2015, as the case may be, shall be deemed to have been validly done or taken under this Act.
  • Justice Sikri says that under the pre-Act regime also, UIDAI also appointed.
  • Shyam Divan says no. There was no privity of contract prior to the Act.
  • Justice Sikri says that the central government appointed UIDAI, and all the acts flow from that.
  • Shyam Divan says that the notification establishing the UIDAI might protect the actions of the central government in entering into the MoU, but doesn’t cover the actions of the registrars.
  • Justice Chandrachud says that the actions of the registrars are traced back to the MoU.
  • Shyam Divan says that enrolment agencies are not covered even under the MoUs. As for the Registrars, there actions are not the actions of the central government.
    • Says that therefore, the enrolments prior to the Act are not validated by Section 59.
    • Says that in any case, you cannot have a retrospective validation of a fundamental right violation.
    • This is especially when the violation is complete.
  • Justice Chandrachud asks whether Aadhaar was used by private players before the Aadhaar Act, because that would not be validated under Section 59.
  • Shyam Divan says that he well get the specific factual details on that.
  • Justice Chandrachud says that the privacy judgment says that there must be a basis in law. Section 59 attempts to provide that by bringing about a legal fiction. It will have to be considered how you deal with data breaches prior to the Act.
  • Shyam Divan says that informed consent is crucial, and you can’t have a retrospective validation saying that there was always consent, prior to the Act.
    • Says that even if this provision is to be upheld, it should be given the narrowest reasonable construction.
    • Says that he will now specify the heads of challenge to the Aadhaar Act.
      • The first head is that of surveillance. The architecture of Aadhaar enables surveillance.
      • The second head is violation of privacy. Between 2010 and 2016, there was no law authorising the violation of privacy. Even after the Aadhaar Act, the violation continues. The citizen is compelled to report her activities to the State through the electronic footprint. Says that even for availing of subsidies, an alternative means of identification should be allowed. In a digital society, an individual has the right to protect herself by maintaining control over personal information. Talks about aggregation of information silos.
      • The third head is limited government. The Constitution is not about the power of the State but about limits to that power. Aadhaar allows the State to dominate the individual through an architecture that enables profiling, and by the power to cause civil death by deactivating Aadhaar. Instead of the State being transparent to the individual, the individual is made transparent to the State.
      • The fourth head is that this was not a money bill. This will be addressed by Mr Datar and Mr Sibal.
      • The fifth head is that the procedure under the Act violates Articles 14 and 21. There is no informed consent. There is no opt-out option. UIDAI has no direct relationship with the collecting agencies. The data collected and stored lacks integrity. This data is not verified, and now it’s being taken as gospel (he says, for example: eKYC).
    • Biometrics are untested, and probabilistic. The use of biometrics has led to exclusion from welfare schemes. If biometrics don’t work, then a flesh and blood individual ceases to exist. If your biometrics don’t match, you become a ghost.
    • The objective of creating a single pervasive identification over time is itself illegal.
    • A citizen in a democratic society has theThe objective of creating a single pervasive identification over time is itself illegal. Mandating a single highly intrusive form of identity is inconsistent with democracy.
    • Authentication records include the time of authentication and the requesting entity. This can be stored for 2 + 5 years. This enables real-time surveillance.
    • The notion of a central database where all data is stored in one place itself smacks of authoritarianism.
  • Justice Chandrachud asks who maintains the CIDR.
  • Shyam Divan says that information about the specific details of the CIDR is not in the public domain because of natural security concerns.
  • Justice Chandrachud asks whether the source code is with the UIDAI.
  • Shyam Divan says that it is proprietary, and not with the UIDAI.
    • Says that private enrolment agencies cannot be entrusted with the crucial task of ensuring informed consent.
    • Says that the definition of “resident” is arbitrary and has no verification magazine.
    • Says that Section 7 is unconstitutional, because an individual’s entitlements cannot be made subject to compelling her to give up her constitutional rights. “It is both an unconscionable and unconstitutional bargain.”
    • The individual has a right to remain free of monitoring as long as they have not violated any criminal law.
    • Says that on cancellation of Aadhaar, the services will be disabled personally. “You can just switch off a person.”
    • Reads out the circumstances in which an Aadhaar number can be canceled. The last circumstance is “where it appears fraudulent to the authority.”
  • Justice Sikri says why shouldn’t Aadhaar be canceled it it has been fraudulently obtained.
  • Sham Divan says that the point is that you are giving that power.
  • Justice Sikri says that that is only a case of an abuse of the power.
  • Justice Khanwilkar J says that there is a provision to rectify in cases of wrong cancellation.
  • Shyam Divan hands over a compilation to the Court that deals with the issue of the circumstances in various jurisdictions where the taking of biometrics is considered reasonable.
    • Takes the Court through the Census Act of 1948.
    • Points to Section 15 of the Census Act to illustrate the nature of protection accorded to census data.
    • Takes the Court through the Identification of Prisoners Act.
    • Shows the Court that Section 7 of that Act provides for destruction of personal data if the prisoner is released without charge.
    • Takes the Court through Section 32A of the Registration Act.
    • Says this is for a narrow purpose, taken one time, and is with one registry. This is an example of a legitimate purpose and done proportionately.
    • Takes the Court through the 1959 Bombay Habitual Offenders Act, the successor to the Criminal Tribes Act.
    • Under S 6, palm impressions can be taken. But after five years, the registration of a “habitual offender” comes to an end.
    • Says that all these acts are narrowly tailored, unlike the Aadhaar Act.
    • Says that he will now begin with the argument on surveillance.
  • Bench rises for lunch.
  • Post lunch break, Shyam Divan to continue the case for the petitioners.
    • Says that he will explain how the architecture of the Aadhaar Act enables surveillance.
    • Tue CIDR retains the records. The State is empowered to collect records over the course of an individual’s lifetime.
    • On the basis of aggregation, over time, the State acquires a profile of an individual, a community, a segment of society.
    • The Constitution does not permit a surveillance State.
    • Every electronic device linked to the internet has a unique number. In addition when the device is linked to CIDR, the devices exchange information.
    • The device is assigned a number qua Aadhaar. A specific ID at the first interaction. Thereafter, the transmission will be recognised as emanating from that device.
    • A unique electronic path attaches to each transmission. This identifies the links through which the transmission is done. Each link is identifiable.
    • It is technically possible to track every transaction. It is possible to track the location of every device in real time.
    • As well as the broad nature of the transaction.
    • The extent and scope of the surveillance over time will deepen, and this is enabled by Section 57.
    • Affidavits and reports of technical personnel demonstrate this.
    • There are two affidavits by security personnel. Mr Samir Keleker and Mr J D’Souza. They have so offers to come to Court and answer any questions that the Court may have.
    • Reads out the first affidavit. “The project facilitates real time and non real time tracking of UID holders.”
    • “It is quite easy to know the place and type of transaction every time authentication takes place. This would allow the UIDAI or any other party to track behaviour.”
    • “UIDAI recommends that each Point of Service Device register itself with UIDAI and get a unique ID. This method of uniquely identifying every device further makes the task of tracking location easier.”
    • “There are other ways as well. No security is perfect. But biometrics are a problem because you can’t change them if lost or stolen or hacked.”
    • “If army personnel are using Aadhaar to take salary, and the system is hacked, there could be national security issues.”
    • Now reads out D’Souza’s affidavit. “I have conducted demonstrations to show the unreliability of biometrics. One demonstration was before UIDAI officials themselves. They were shown the ease with which fingerprints can be replicated.”
    • “There may or may not be a GPS on the fingerprint device. GPS can be used to track location.”
      • PS: disclaimer. I am transcribing as Shyam Divan speaks. There may be some errors, given how technical this is. Please excuse.
    • “I have examined multiple fingerprint machines. They can be tampered with to capture biometric data before the point of encryption. This called a “skimmer.”
    • “These machines that are not manufactured indigenously. The machine code and source code is not known to UIDAI. There may be backdoor or Trojan Horse feature that can be used for data mining without UIDAI knowing. There are serious national security implications.”
    • “Data collected over an individual’s lifetime can become a tool of political blackmail. This can compromise even constitutional functionaries.”
    • “Jan Chrysler recent cracked the IPhone biometric systems and also iris recognition.”
  • Justice Chandrachud asks to what extent the Court can go into questions of technical evidence. He says that there is also a distinction between the existence of a mechanism and its abuse. He also asks if the distinction between fingerprints on your iPhone and Aadhaar is only of degree.
    • Says, should the Court second-guess the decision of the executive government, especially when no system in the world is secure.
  • Shyam Divan says these affidavits confirm that there is a complete mapping of the electronic path, which happens in real time, and that you can track the location.
  • Justice Chandrachud says, aren’t we accepting Google Maps tracking us, and other private corporations?
  • Shyam Divan says that when you are tracked by the State in real time, it is tantamount to a police State. The Constitution does not allow this. Google is not the Indian State, and the issue is one of consent.
    • Google, powerful though it is, is not as powerful qua me as the State. Takes the example of Stasi.
  • Justice Chandrachud says that I should have no objections to the State knowing whether I’m paying my taxes. So there should be a distinction between collecting data and using it.
    • Says once more that if the use of data is limited to its purpose, then what is the problem with collection.
    • Says that we live in times of terrorism and money laundering and welfare expenditure, and this has to be balanced.
    • He says that surveillance is about how data is used, not collected.
  • Kapil Sibal stands up and says that the problem is of giving the State that kind of information.
    • He says: “Big brother will have the information. He may use it and you won’t know it. By the time you do, he will become a bigger brother.”
  • Shyam Divan agrees. He says that the point of this whole case is to prevent that situation where Big Brother is watching.
    • Reads out Justice Subba Rao’s dissenting opinion in Kharak Singh, which was endorsed in the privacy judgment as correct. This was the first articulation of privacy in Indian constitutional history.
    • Reads the part of Kharak Singh that talks about how surveillance constricts life and liberty.
    • Reads out the part of Kharak Singh that says that the “shadow of surveillance” engenders inhibitions upon people.
    • SD reads out District Collector vs Canara Bank (2005). This case involved bank raids and inspection of bank documents. He points to the part of the judgment that said “we are not living in a police raj.” He says, this is exactly the point in this case.
    • Comes to the US Supreme Court judgment in US v Jones, wish involved a GPS and a warrant.
    • This case involved putting a GPS device on a jeep.
    • Reads out Justice Sotomayor’s opinion that observed that you no longer need physical violations to infringe privacy.
    • Reads out the part of the opinion that talks about how GPS data can reveal an entire profile of a person simply by knowing the places she visits. This can be mined years in the future.
    • Because this is surreptitious, it evades scrutiny. “The very awareness that the government is watching can chill speech and associational freedoms.”
    • “Merely because you voluntarily disclose some information to some people for some time doesn’t mean you lose your privacy right over it.”
    • Comes to the judgment of the ECHR in Sakharov v Russia (Wiki here).
    • This case involved interception of communications.
  • Bench rises.

Aadhaar – The Conclusion

in Aadhaar
  ·   7 min read

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.