Aadhaar allows the State to dominate citizens via architecture of surveillance: Shyam Divan
On day four of Aadhaar hearing before the Constitution bench of the Supreme Court, petitioners’ counsel Shyam Divan spoke eloquently, once again, about the undue power wielded by the Unique Identification Authority of India (UIDAI) and its pet project of biometrics-based identity authentication of Indian citizens.
While Divan had from day one to three argued that Aadhaar is an electronic leash that would hollow out the Constitution, and is violative of privacy since it’s designed to breach the fundamental right, today he’s detailing the contours of Aadhaar Act, and its many retrospective validations of earlier breaches by the UIDAI.
However, he added that Section 59 of Aadhaar Act doesn’t control acts of private entities like enrollment agencies, hence any violations of privacy by them aren’t protected by the Act, unlike the central government and its appointed body UIDAI.
Aadhaar Bench assembles. Day 4 Session 1.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
Shyam Divan says that Section 59 of the Aadhaar Act, which validates all acts of the UIDAI prior to the Act, applies only to central government actions, as per its text.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
Sikri J says that the central government appointed UIDAI, and all the acts flow from that. Shyam Divan says that the notification establishing the UIDAI might protect the actions of the central government in entering into the MoU, but doesn't cover the actions of the registrars.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
Divan added that we cannot have a “retrospective validation of a fundamental right violation”. When Justice DY Chandrachud interjects on the basis of Section 59, Divan explains that it’s based on the assumption of consent and not informed consent.
Chandrachud J says that the privacy judgment says that there must be a basis in law. Section 59 attempts to provide that by bringing about a legal fiction. It will have to be considered how you deal with data breaches prior to the Act.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
Shyam Divan says that informed consent is crucial, and you can't have a retrospective validation saying that there was always consent, prior to the Act.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
Shyam Divan says that even if this provision is to be upheld, it should be given the narrowest reasonable construction.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
Divan goes on to enumerate the challenges to Aadhaar Act, saying it enables “architecture of surveillance”, allows “violation of privacy”, and doesn’t adhere to the principle of “limited government”. Explaining how each of these elements actually emboldens the other, acting in tandem and eroding collectively the citizen’s right to informational self-determination, autonomy, liberty, privacy and limited governance in a digital society, Divan argues that Aadhaar Act compels the citizen to report her activities to the State at all times via electronic footprint, whether or not the citizen intends to part with the information or not.
Shyam Divan says that he will now specify the heads of challenge to the Aadhaar Act. The first head is that of surveillance. The architecture of Aadhaar enables surveillance.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
The second head is violation of privacy. Between 2010 and 2016, there was no law authorising the violation of privacy. Even after the Aadhaar Act, the violation continues. The citizen is compelled to report her activities to the State through the electronic footprint.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
SD: In a digital society, an individual has the right to protect herself by maintaining control over personal information. SD talks about aggregation of information silos.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
SD: The third head is limited government. The Constitution is not about the power of the State but about limits to that power.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
Divan says that Aadhaar has the power to cause the civil death of a citizen by deactivating the Aadhhar number, in case the biometrics fail to match and the citizen isn’t authenticated. This has been the case in myriad exclusions reported by rights and welfare activists on the ground, leading to starvation deaths in Jharkhand, Uttar Pradesh, Chhattisgarh, among other states, mostly ruled by the BJP.
Divan says Aadhaar creates ghosts by design, and instead of making the State transparent, makes the citizen transparent to the State. The Constitution is about “limits to the power of the State”, and therefore any mechanism to make it more powerful than it’s mandated to be for effective governance is unconstitutional.
SD: The third head is limited government. The Constitution is not about the power of the State but about limits to that power.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
SD: Instead of the State being transparent to the individual, the individual is made transparent to the State.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
Divan says that coercive Aadhaar linkage was brought in as a money bill during the Finance Act 2017, which would be discussed at length by Aravind Datar and Kapil Sibal, also counsels for the petitioners in the Aadhaar case.
However, Divan details how Aadhaar’s violation of Articles 14 and 21 of the Constitution – that guarantee right to freedom – is carried out by not necessitating informed consent, not having an opt-out option, making it mandatory in place of voluntary (which it is in the Act), UIDAI having no direct relationship with the private, commercial enrollment agencies, breaking of the information silos thereby throwing privacy and security of sensitive personal details to the wind, lacking integrity, etc.
SD: The fifth head is that the procedure under the Act violates Articles 14 and 21. There is no informed consent. There is no opt-out option. UIDAI has no direct relationship with the collecting agencies. The data collected and stored lacks integrity.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
SD: This data is not verified, and now it's being taken as gospel (he says, for example: eKYC).
— Gautam Bhatia (@gautambhatia88) January 24, 2018
Divan adds that biometrics as the premise for authentication is extremely problematic since it’s “probabilistic”: that is it’s not 100 per cent certified to authenticate and match the biometrics with the Aadhaar holder, therefore locking out the citizen from his/her own Aadhaar and the facilities/services it has been made a key to. This has led to widescale exclusions in the welfare schemes, creating “ghosts” of flesh and blood citizens.
SD: Biometrics are untested, and probabilistic. The use of biometrics has led to exclusion from welfare schemes.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
SD: If biometrics don't work, then a flesh and blood individual ceases to exist. If your biometrics don't match, you become a ghost.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
SD: A citizen in a democratic society has the right and choice to identify herself in a reasonable manner. Mandating a single highly intrusive form of identity is inconsistent with democracy.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
Moreover, unverified data is stored for five years in centralized databases that are hackable, and prone to leaks, as shown through various investigative reports, digital security and tech experts and internet rights activists. Yet, this insecure data storage makes the citizen vulnerable, and creates a State that can track individual’s activities unlawfully, round the clock, in deeply invasive ways. This “smacks of authoritarianism”, Divan categorically asserts, while also creating enormous national security risks, since the source code is proprietary, not with the UIDAI.
SD: The notion of a central database where all data is stored in one place itself smacks of authoritarianism. Chandrachud J asks who maintains the CIDR.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
Chandrachud J asks whether the source code is with the UIDAI. Shyam Divan says that it is proprietary, and not with the UIDAI.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
Divan further argues that Section 7 of Aadhaar Act is unconstitutional since it makes the citizen give up her fundamental rights in lieu of entitlements accessed via Aadhaar. And in case the UIDAI “switches off” a person by deactivating Aadhaar, what happens to the citizen herself? How can biometrics failure or mere suspicion of fraud be ground to deny fundamental rights of a citizen?
SD says that Section 7 is unconstitutional, because an individual's entitlements cannot be made subject to compelling her to give up her constitutional rights. "It is both an unconscionable and unconstitutional bargain."
— Gautam Bhatia (@gautambhatia88) January 24, 2018
SD says that on cancellation of Aadhaar, the services will be disabled personally. "You can just switch off a person."
— Gautam Bhatia (@gautambhatia88) January 24, 2018
SD reads out the circumstances in which an Aadhaar number can be canceled. The last circumstance is "where it appears fraudulent to the authority."
— Gautam Bhatia (@gautambhatia88) January 24, 2018
Divan also notes instances where there’s example of reasonable use of biometrics information, such as in Census data, precisely because of limited and restricted usage that the data can be put to. Similarly in Identification of Prisoners Act, Section 7 provides for destruction of personal data if the prisoner is released without charge, thereby limiting future use for nefarious ends such as profiling, surveillance, etc.
Similarly, in Registration Act, Section 32 allows fingerprints collection for a narrow purpose, taken only during one time, not stored in centralised systems, and allowing only proportionate use.
SD shows the Court that Section 7 of that Act provides for destruction of personal data if the prisoner is released without charge.
— Gautam Bhatia (@gautambhatia88) January 24, 2018
SD takes the Court through Section 32A of the Registration Act. See here: https://t.co/DZMPqOOI4B
— Gautam Bhatia (@gautambhatia88) January 24, 2018
Divan says all the existing laws pertaining to biometrics collection are narrow in usage, and it’s this necessary limitation that prevents the abuse of information at a mass scale. When compared with Aadhaar, where the situation is exactly the opposite, the end usage is tracking.
[Editor’s note: The copy will be updated again after session two of today’s hearing ends. Gratefully acknowledging @gautambhatia88’s Twitter live feed on the Aadhaar hearing.]