Aadhaar

Final hearing of Aadhaar in Supreme Court – Day 29

Jan: Day 1 (17/1/18)| Day 2 (18/01/18) | Day 3 (23/01/18) | Day 4 (24/1/18) | Day 5 (30/1/18) Feb: Day 6...

· 10 min read >

This post is essentially a compilation of tweets from Gautam Bhatia, Prasanna and SFLC to understand how the Aadhaar hearing happened in the Supreme court.


Day 29: 17 April ’18

Senior Advocate Rakesh Dwivedi the last counsel for the State/UIDAI arguing.

  • Rakesh Dwivedi continues his submissions on behalf of UIDAI.
  • Rakesh Dwivedi talks about the presumption of constitutionality, and how Courts should first make small repairs if they find that laws are defective, instead of striking it down.
    • Reads out S 8 of the Aadhaar Act. He says that sharing and use of information is strictly confined and limited to the authentication process.
    • Says that Section 29 of the Aadhaar Act should also be accordingly limited to the authentication process, and as per Section 8, core biometric information can never be shared.
    • You can read the relevant sections of the Aadhaar Act here.
    • Says that in order to avoid even the possibility of surveillance, the Court can give a narrow interpretation to Section 29, and limit sharing of information.
    • In response of Chandrachud J’s questions about ensuring security at the back end, he says that this can be done through technical specifications and through professional audits.
  • Justice Chandrachud points to Sections 8(2), 8(3) and 29. 8(2) says that the requesting entity shall obtain the consent of the individual before collecting identity information for the purposes of authentication. Then, it can be submitted for authentication to CIDR.
  • Rakesh Dwivedi says that the information can be used only for authentication purposes. Now reads S 29 (sharing). He says that under S 29, all that can be shared is non-biometric data.
  • Justice Chandrachud says that the requesting entity will know the purpose of the authentication.
  • Rakesh Dwivedi denies it. He says that the requesting entity will not know the purpose of the authentication.
  • Justice Chandrachud says that section 8(3) read with 29(3) makes it clear that RE will anyway know/have the purpose of authentication.
  • Rakesh Dwivedi disagrees.
  • Justice Chandrachud  says that 8(3) makes that clear.
  • Rakesh Dwivedi says that if I go to Apollo, Apollo will not transmit why I have come – to buy medicine or to meet a doctor. The only information transmitted will be that the authentication is sought from Apollo.
    • Says, suppose I go to the airport and have to authenticate at the gate. He says that the Airport Authority will not be telling the requesting entity where I’m going or what flight I’m taking.
  • Justice Sikri says that the problem is that S 29 gives a handle to share the information.
  • Rakesh Dwivedi says that core biometrics cannot be shared.
  • Justice Sikri says that the uses of the authentication can be shared.
  • Rakesh Dwivedi says that the only use is a yes or no response to a authentication request.
    • Says that I have no other information.
  • Justice Chandrachud says that this argument may be valid qua the UIDAI, but not qua the requesting entity.
  • Rakesh Dwivedi says that if the Court has that doubt, it can interpret the Act to exclude that possibility.
  • Justice Sikri asks why Section 8(3) is needed in that case.
  • Justice Chandrachud not sure about RE not collecting purpose etc. Says, suppose Apollo is a requesting entity, or submitting information to a requesting entity. There will be a record of the fact that an individual has gone to a hospital and authenticated, say 122 times in 6 months. This is something that pharmaceutical companies and insurance companies can mine. Aadhaar aggravates it.
  • Rakesh Dwivedi says that you don’t need Aadhaar for this. You can just go to ten hospitals and find out.
  • Justice Chandrachud says that until we have a data protection law, this is a problem.
  • Rakesh Dwivedi says that no data protection law can be as strong as the safeguards in the Aadhaar Act.
  • Justice Chandrachud says this is an exaggeration. He says, look at the EUGDPR, coming into force next year.
  • Rakesh Dwivedi says that we don’t need to copy. We can just see the control and punitive provisions in the Act.
    • Says privacy protection under Aadhaar Act is better than EU GDPR. Says he will show how and EU itself is about flow of data across different countries borders.
    • Says that, in life, you can never have a hundred percent assurance. A man in Kerala went to make a speech, and there he died. Even God can’t give us hundred percent assurance.
    • Says that none of the petitioners have pointed out what more we can do.
  • Justice Chandrachud says that on Rakesh Dwivedi’s reading, 8(3) and 29(3) can be excised from the Act.
  • Rakesh Dwivedi says that can be done, but in his submissions, it doesn’t need to be cut, only clarified.
    • Says that the design of the Act is not to aggregate information, and that the Court can give it an interpretation that prevents aggregation or data analysis.
  • Justice Chandrachud says that there are no limits to commercial ingenuity.
  • Justice Sikri says that the information about medical treatment will already be with the hospital, and that they may not need Aadhaar to get more information.
  • Rakesh Dwivedi agrees. He says, let the petitioners show what Aadhaar is adding in terms of information already available.
  • Justice Sikri says that the only apprehension is the apprehension of misuse.
  • Justice Chandrachud says that there is a real apprehension is even elections can be manipulated thanks to data. He says that the task is to introduce safeguards that ensure that the Act achieves its purpose and is not an overreach.
  • Rakesh Dwivedi says, don’t bring Cambridge Analytica into this. He says that we have no learning algorithms like Google. He says that petitioners have tried to confuse the Court by talking about algorithms.
    • Says that he has bought 50,000 rupees worth of books in the last four months to learn about algorithms, and that he still knows very little. But nonetheless, he repeats that UIDAI only has a matching algorithm, not a learning algorithm. Our biometric match algorithms are simple and simplistic. No analysis done.
    • Says that petitioners have created hyperphobia. This is not an atom bomb but just something that identifies me to myself.
  • Justice Chandrachud: Our limitation of knowledge should not make us look at the issue with blinkers, when we are laying down the law for posterity.
  • Rakesh Dwivedi says that petitioners have argued for a smart-card because smart-card is an entrenched vested interest in Europe, and if the Indian experiment succeeds, then they will be in trouble. The smart card lobby doesn’t want Aadhaar to succeed. Google doesn’t want Aadhaar to succeed.
  • Justice Chandrachud says that the concern is not so much with UIDAI, but with the interface with the world outside. He says controlling the UIDAI is easy. He says, nobody may be able to control the world outside. Aadhaar does not exist in an isolated world. We cannot treat it that way.
  • Rakesh Dwivedi says there is value in allowing personal information flow even to pvt players. When people know what I eat, after all it popularises the dish.
    • Repeats that there is no matching algorithm.
  • Shyam Divan has just walked out of the Court.
  • Rakesh Dwivedi comes to Section 28 of the Act.
    • Talks about Section 57. He says that it’s a limited exercise. Nobody can be enrolled as an RE unless he shows that he needs to have authentication.
    • Says, for example, if Dominos wants to become an RE, we will first ask them why they need it.
  • Justice Sikri still asks about how this will control AUAs REs etc.
  • Rakesh Dwivedi says UIDAI, AUAs etc are all belong to the same scheme or structure under the Act.
    • Refers to Section 57 says use has to be pursuant to law or contract. Cannot be open ended.
    • A pizza vendor or paanwala or a chaaiwala cannot ask for Aadhaar. Not so open ended.
  • Justice Chandrachud : What is the nexus of Section 57 with consolidated fund of india?
  • Rakesh Dwivedi: Money bill point to be dealt with by A-G later.
  • Justice Chandrachud: Not just money bill..even on the point of nexus for compelling state interest…. asks what is the purpose of opening up the Aadhaar platforms to private players.
  • Rakesh Dwivedi says that the public/private divide is changing. Even Reliance is entering into defense. Private parties are entering into Telecom, aviation etc.
    • Says that in any case, these private players are funded from banks, where we have deposited money. So whether private or public, we the people are paying.
    • Says that private parties performing public functions can be brought under constitutional norms.
  • Justice Sikri: in many cases, public sector entities are handicapped because of the strict vigil whereas pvt sector has more freedom.
  • Rakesh Dwivedi agrees and says that may be another reason why we may want to control pvt sector corporations to a higher degree.
    • Says that this is a debate for another day. Right now all that’s necessary to know is that the private players are within the control of the Act.
  • Judges conferring about something.
  • Rakesh Dwivedi now comes to Petitioners’ submission on numbering people.
    • Says that the Petitioners have claimed that we are numbering human beings and drawn comparisons with Hitler. He says that Petitioners seem to think that the history of numbers began and ended with Hitler.
    • Says that the whole of history is the history of numbers, and it began with India. He cites a book by George Ifra (sp?).
    • Says that the proximity card to enter the Supreme Court has a number. He says that air tickets have a PNR number.
    • Says that the problem with Hitler’s numbers was that it was based on identity, but Aadhaar does not ask for identity. He says that even credit cards have numbers.
    • Says that Stephen Hawking has written a book called God Made Integers, where he talks about mathematicians.
    • But for these numbers and but for the mathematicians, world would have made no progress.
  • Justice Chandrachud asks whether Rakesh Dwivedi bought this book after his 50000 rupee investment on algorithm books.
  • Justice Sikri: Their arguments was about reducing personhood to a mere number.
  • Rakesh Dwivedi says that numbers are beautiful. He says he doesn’t understand why petitioners have vehemently argued that “we are being numbered.”
  • Justice Chandrachud asks how Aadhaar goes from being an entitlement under Section 3 to becoming a mandate.
  • Rakesh Dwivedi says that the issue of linkage should be examined on a case to case basis.
    • UIDAI cannot make aadhaar mandatory. Under Section 7 govt will make mandatory. This Court can look at each notification and test its validity.
    • Aadhaar for PDS may be good, under PMLa may be bad. The privacy tests will have to be applied also to each notification. Not for the Act!
    • Says that if the Court feels that in any particular situation the Court feels that the government is going too far with linkage (impermissible invasion), it can strike that down, but that’s not a ground to strike down the overarching Aadhaar Act. It would be destroying a great infrastructure that has been created for Aadhaar
    • ays that the entire UIDAI has been built from money from the consolidated fund of India.
  • Shyam Divan is back in Court.
  • Rakesh Dwivedi says that the Aadhaar Act is people-centric on the one hand, and UIDAI-centric on the other.
    • Says that these days biometric authentication is spreading everywhere. If a company wants to institute biometric attendance, it can approach UIDAI. But a chaiwalla or paanwalla has no reason to enter into a contract under Section 57.
  • Bench rises for lunch.
  • Post lunch session. Hearing continues.
  • Justice DY Chandrachud asks Rakesh Dwivedi if he is correct in understanding that with Section 7 plus Section 57 cover the entire gamut of uses of aadhaar.
  • Rakesh Dwivedi: Section 57 is a limitation, not an expansion. If 57 was not there anyone could be an RE. There has to be a prior law or contract.
    • There is no guarantee that UIDAI will accept the AUA application of a paanwala, beediwala or a chaaiwala.
  • Justice Ashok Bhushan is not so sure.
  • Rakesh Dwivedi says that even under Section 57, the UIDAI will exercise supervisory control over private parties using Aadhaar. He says that there must be a law or a contract, and that’s an important limitation under the Act.
    • Says that because of this, all the State Resident Data Hubs have been destroyed.
  • Rakesh Dwivedi repeats that proviso is the safeguard. The pvt person have to first apply and only UIDAI can approve the AUA application.
  • Justice DY Chandrachud is not so sure…Section 57 does not contemplate any such power to UIDAI to refuse.
  • Justice Bhushan says 57 does not even refer to UIDAI.
  • Justice DY Chandrachud asks Rakesh Dwivedi not to always refer to Paanwala but take the example of an insurance provider. “Can you refuse their application?,” he asks.
  • Rakesh Dwivedi: The critical expression in Section 57 is “pursuant to”..which means prior contract..in other words, someone can become an RE only by showing a prior contract.
  • Justice Khankwilkar is not so sure. For an RE, interface with UIDAI comes first…the contract with user comes later.
  • Rakesh Dwivedi says, not so for 57.
    • Says as long as security is concerned, both safeguards under this Act as well as safeguards under IT Act will apply vide Section 30.
    • Reads Section 66B and 66C and 66E of the Information Technology Act, 2007.
    • Says as long as security is concerned, both safeguards under this Act as well as safeguards under IT Act will apply vide Section 30.
    • Refers to Section 72, 72A and 76 of the Act and how they fortify the security of the Aadhaar eco system.
    • Similarly he says the Resonable Security practices Rules 2011 also applies to all agencies operating under the Aadhaar system.
    • Refers to how the 2011 Rules refers to all biometrics including voice samples and DNA but our Act only has two biometrics namely fingerprints and iris scans.
  • Justice Khanwilkar points out that body corporates under 2011 Rules have a narrow definition in 43A of the IT Act to include only commercial enterprises.
  • Rakesh Dwivedi comes back to Section 57 and says how contract there is entirely based on consent.
    • As far as we, UIDAI, are concerned, we do not make it mandatory. It is fully consensual except Section 7. Each Section 7 notification may be examined separately for constitutionality.
    • Now comes to his next point defending against the excessive delegation charge in definition of biometric 2 (g).
    • He says 2 (g) has the words “Such other” … which means only those biological attributes which share characteristis such as fingerprints or iris. Some of those characteristics:
      • – non intrusive
      • – enhances accuracy
      • – capable of used for instant authentication etc…
    • DNA cannot come within the definition of 2 (g).
    • Goes to his next point on how empowering Aadhaar is for welfare purposes.
    • Earlier many labourers and field workers never went to PDS shops and their share used to be swindled away. Now, they have to come face to face with the PDS authorities.
    • That necessity of coming face to face deepens democracy. Revolutionary. Today there is a change. People are participating more. For example there was a judgment and there were protests following that judgment. There is a palpable change.
    • The fingerprints is a huge safeguard. Which is why other ids cannot be used. No deduplication possible. Petitioners are arguing to do away with deduplication and go on merrily like other. ..
    • Also says no other id is widely and universally held like Aadhaar.
    • Now comes to the BSP point.
    • UIDAI is only a licensee of BSP software. Entry to server rooms fully under control of UIDAI officers.
    • Demographic data is not given to ABIS.
    • The sourcecode or IP is with the BSPs..but that is no source of insecurity. Just like Banks using Oracle/SAP etc.
    • Next argument about probabilistic v deterministic.
    • This is also a complex concept for me. The greatest enemy of knowledge is not ignorance but illusion of knowledge. Your lordships should forgive me for proceeding on a mere illusion of knowledge given my limitations.
    • Probability governs us everywhere. Nothing in this world is deterministic.
  • Justice DY Chandrachud does not like that proposition. He says can we allow an inherently probabilistic system to affect FRs.
  • Justice Sikri… you say 95% accuracy, they say its a smaller number.
  • Rakesh Dwivedi: they are all valid rejections many of them. There are other interests which want Aadhaar to fail which are hyping up aadhaar auth failures. Almost all affidavits are about auth failures not dedup rejections.
  • Justice DY Chandrachud: Reetika Khera has filed affidavits here …we cannot ignore the facts brought before us. Exclusion is a given.
  • Rakesh Dwivedi also applauds Mr. Divan to have accompanied Prof. Khera on one of her trips to a village trying to see the working of Aadhaar authentication.
    • Says  all of it is an implementation problem which needs to be remedied. But source is not a systemic fault.
  • Bench rises. To continue tomorrow.
  • Rakesh Dwivedi says he should be able to complete by tomorrow. Or at max Thursday.

Aadhaar – The Conclusion

in Aadhaar
  ·   7 min read

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.