There has been much debate on Aadhaar in India with strident positions taken by both sides alleging each other of campaigns to influence public opinion just before the Hon’ble Supreme Court of India started hearing the Constitutional Challenge to Aadhaar from 17th January 2018. It is hence imperative to filter out facts from propaganda and present a holistic picture of this issue that is being hotly debated.
Aadhaar as a Unique Id based biometric system for citizens was first mooted by an Executive Order by Government of India in 2009. It was the brainchild of Infosys co-founder Nandan Nilekani who is closely associated with American Philantrophical foundations. Aadhaar as Unique ID Card worked without legal sanction for more than 6 years and was non-compulsory in nature till the Modi Government in 2015 decided to give it legislative backing and use it for transparency in governance like direct benefit transfers and reducing pilferages while cutting out the role of the middle man. While the Social Welfare use of Aadhaar is one facet, on the other side is the issue of individual rights and freedoms amid the fears of a creeping surveillance state. This argument of Individuals Rights and Freedoms vs. Social Welfare is the core of the debate involved in Aadhaar.
“We are unable to agree with the contention that in order to build a welfare State, it is necessary to destroy some of the human freedoms. That, at any rate is not the perspective of our Constitution. Our Constitution envisages that the State should without delay make available to all the citizens of this country the real benefits of those freedoms in a democratic way. Human freedoms are lost gradually and imperceptibly and their destruction is generally followed by authoritarian rule. That is what history has taught us. Struggle between liberty and power is eternal……. Our constitutional plan is to eradicate poverty without destruction of individual freedoms”.
Cutting through the high decibel rhetoric, Aadhaar has been an effective tool of transparent governance which has indeed helped in reducing pilferages. Aadhaar linking has helped in identifying 13,000 ghost teachers in colleges; lead to savings of at least 50,000Cr for the government in last 3 years in relation to direct benefit transfers and the welfare schemes associated with it. The Government has claimed to have plugged massive leakages in Aadhaar linking with LPG subsidy in the 2015 PAHAL Scheme. The Union Finance Minister claimed on 11th March 2016 in Lok Sabha that that Government has been able to save 15,000Cr or $2.2 Billion as a result of Aadhaar linking with LPG subsidy. However IISD (International Institute of Sustainable Development) has in a detailed study come out with the data that gross savings by LPG Linking of Aadhaar for 2015-16 were approximately 121Cr which is less than 1% of estimate savings by the Government’s claims of 15,000 Cr. Similarly Comptroller Auditor General of India’s (CAG) report on implementation of PAHAL (DBTL) Scheme in 2016 based on data and methodologies observed that, “While implementation of the PAHAL (DBTL) Scheme coupled with the ‘Give it up’ campaign has resulted in the reduction of offtake of domestic subsidized LPG cylinders, the resultant subsidy savings was not as significant as that generated through fall of subsidy rates.”. The Government of India has itself admitted in Parliament in reply to a question in Lok Sabha on 10th April 2017 that savings in subsidy is due to various factors like DBTL, fall in International Crude prices and “Give it Up Scheme”. Subsequently the Government further expanded the scope of interlinking of Aadhaar with banks accounts, Pan Nos, Mobile KYC, PPF and other insurance schemes. Government Departments claim to have deactivated 1.1 million fake and duplicate PAN Cards in the last year; however it is not yet clear how much of it is due to Aadhaar linking or the independent data mining of IT Department. The World Bank in its 2016 report however has remarked that India’s Digital ID linking with direct transfers can potentially lead to savings upto $11 Billion per year through plugging leakage and efficiency.
While the objectives of Government of India in advancing social welfare schemes in an efficient manner with Aadhaar are indeed noble and appreciable, the jury is still out on the actual cost benefit on Aadhaar interlinking. The Government’s other selling point on Aadhaar has been financial inclusion or last mile reach to the man standing at last without the interference of middlemen. A recent Research Paper ‘Biometric and Its Impact in India’ published by Institute for Development and Research in Banking Technology (IDRBT) (a research arm on RBI) in October 2017 concludes that benefits of Aadhaar’s Biometric UID system for financial inclusion are yet unclear. The research paper has flagged various problems in implementation of schemes- sparseness of last mile access of banking sector in rural areas, issues with quality of verification and authentication, financial and security concerns including quality of biometrics obtained and making UID a single point of access for financial inclusion and welfare schemes. The research paper also talks about cost effective analysis of Aadhaar and gives contrarian perspective to the Government’s claims and NIPFP figures on savings in DBT schemes. Hence the cost effectiveness of Aadhaar is yet to be fully deciphered.
Having briefly alluded to the constitutional position that a Welfare State doesn’t override the Individual rights and freedoms let us now move to the most critical question on which Aadhaar has been challenged that i.e. Right to Privacy, Bodily integrity and freedoms enunciated in Part III of Constitution of India.While Aadhaar may be providing an efficacious way to Direct Benefit Transfers and financial inclusion yet its far reaching impact on Individuals rights and freedoms cannot be lost in the quest of social welfare. To make the position clear one would quote the famous Keshavanand Bharti’s Constitution Bench of SC with 13 judges interpreting the basic structure of the Constitution of India. The SC, in a landmark case which still stands as bedrock of Constitutional Jurisprudence stated that, “We are unable to agree with the contention that in order to build a welfare State, it is necessary to destroy some of the human freedoms. That, at any rate is not the perspective of our Constitution. Our Constitution envisages that the State should without delay make available to all the citizens of this country the real benefits of those freedoms in a democratic way. Human freedoms are lost gradually and imperceptibly and their destruction is generally followed by authoritarian rule. That is what history has taught us. Struggle between liberty and power is eternal……. Our constitutional plan is to eradicate poverty without destruction of individual freedoms”.
Once again filtering the chaff from rhetoric; the core issues concerning with Aadhaar are the security and sharing of Data of the citizens apart from the tagging of all data to a single UID. As per information available in the public domain, UIDAI had been selected in 2010 in a three consortia led by Accenture, Mahindra Satyam-Morpho, and L1 Identity Solutions, to implement the core biometric identification system for the ‘Aadhaar’ program to assign a unique identification number to all Indian residents. As per RTI Reply to a petitioner in the Privacy Case it was stated that as per the contract, L1 Identity Solutions Operating Co Pvt Ltd, headquartered in US was given Aadhaar data access as part of its job. In 2011, L1 Identity was taken over by France’s Safran Group. Morpho and Accenture Pvt Ltd were other firms who were provided a similar contract of data access. As per terms of contract disclosed in RTI, Clause 15.1 specifically states that firms by virtue of contracts may have access to personal data of purchaser (UID) or a third party including any resident of India. While Clause 3 empowers the Biometric Service Provider to collect, use, transfer and process the data subject to rules and regulations under the law yet it does not define “Personal Data” which was the issue concerning the Privacy clause.
It is also to be noted that L1 Identity is a USA based security company that works closely with US Department of Defense and CIA, while Safran, partly owned by French Government also works with the French Defence and Intelligence setup. A detailed investigation by Fountain INK on the networking of these firms contracted by UIDAI clearly establishes the complete nexus of these firms with US and French Intelligence and the larger Military Industrial establishment. The detailed investigation reveals, “Companies contracted by UIDAI to process the information are connected to both Cambridge Analytica and Palantir Technologies through business dealings and individuals involved in their affairs during the period of the contract. L-1 Identity Solutions, Morpho-Safran and Accenture have scores of business contracts with American, French and British intelligence and defence agencies through direct contracting of services or services provided by parent corporations and sister companies. Several individuals who worked at these companies have held top positions in the CIA, the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and the US military before making the switch”.
What is further troubling is that FBI is now also investigating Safran and its subsidiary firm Morpho for inserting a patch or code by Russian firms in its software used for Biometric purposes i.e. fingerprinting and not informing US authorities about it raising fears of backdoor access and hacking by Russian hackers of the American Biometric database. Safran which is handling Aadhaar has also handled Pakistan’s UID Database by NADRA. Wikileaks has also exposed the role of Cross Match in handling sensitive biometric scanners provided to UIDAI as being closely tied with the CIA. Cross Match was one of the first suppliers of biometric devices certified by UIDAI for Aadhaar in 2011 for its Guardian fingerprint capture device and the I SCAN dual iris capture device. Cross Match is a US company specializing in biometric software for law enforcement and the Intelligence Community. Cross Match hit the headlines in 2011 when it was reported that the US military used a Cross Match product to identify Osama bin Laden during the assassination operation in Pakistan. The OTS (Office of Technical Services), a branch within the CIA, has a biometric collection system that is provided to liaison services around the world — with the expectation for sharing of the biometric takes collected on the systems along with using ExpressLane, a total to mine data where it is not “shared”.
Thus the firms handling Biometric UID Database of India in Aadhaar are a security concern given that in today’s world nothing is absolutely secure and maximum safeguards ought to be adopted. Although UIDAI has categorically stated that Biometric data of Indians is highly encrypted and secure yet Safran’s role in FBI Biometric software should augment a fresh safety audit of Aadhaar’s data security architecture to make sure all such patches and backdoor loopholes that can be exploited are firewalled before a major breach happens. Also apart from Biometric data there is other types of data which is captured in Aadhaar Database of Identity Information like name, address, and telephone no, date of birth etc. Section 8 of the Aadhaar Act, clearly envisages that for KYC purposes your identity details, demographic data including biometric data can be shared from CIDR by a requesting entity which may even be a private operator though safeguards like consent are also stated therein but in a practical world no one reads the terms and conditions attached to it. These small gaping holes in Aadhaar could attract violations of Right to Privacy of the citizens which has been declared a fundamental right under Article 21 of Constitution by the Hon’ble Supreme Court of India.
The SC in the Right to Privacy judgement while relying on Keshvananda Bharti’s case has extensively commented on data collection and mining by state and its agencies. The Supreme Court of India has rightly opined that while the state can collect and store data; its security and usage falls under the strict parameters of legitimate and appropriate uses and cannot be utilized unauthorized for extraneous purposes. Thus security of data collected by Aadhaar becomes paramount and cannot be sidestepped in the name of Social Welfare objectives of the state decrying critics as privacy hawks.
Also, decrying the critics won’t solve the issues with Aadhaar’s data security which has time and again been breached be it from Bengaluru’s software coder being able to gain access to Aadhaar’s database of millions of Indians to Reliance Jio’s database leak (a 3rd party) to the recent case of Tribune journalist showing the loopholes in Aadhaar Database that can be easily penetrated and accessed. Recently a French data security expert on Twitter exposed flaws in the UIDAI’s android app and even cyber security experts from abroad are pointing out flaws galore in Aadhaar’s data security architecture.
In an attempt to assuage the rising criticism and spotlight on the flaws, UIDAI recently announced a new feature of a Virtual ID which a user would have to create stating that a third party will not be able to access the Aadhaar details of a user for KYC purposes and the user generated Virtual ID will suffice for a specific purpose. Subsequently, UIDAI also announced incorporating facial recognition technology as an additional security feature for Aadhaar verification. However these layers of protection and options further compound the problem as to who would create a virtual ID for a user in rural areas or that Facial Recognition is increasingly being misused to geotag the people in an Orwellian manner creating a surveillance state much like China’s street surveillance system which it has installed on a mass scale. Facial Recognition is increasingly being used as a mass surveillance tool by Government across the world from US to China to Russia to Australia; we shall deal with these new technologies and surveillance systems in our upcoming pieces.
“Individual rights meaning privacy over personal data including biometric data is an essential component of the bodily integrity of a human being and the state ought to exercise utmost discretion in not violating it”.
While collecting, storing and sharing of Data is an important part of Data Security and Sharing paradigm, another equally important aspect of this regime is the “Weaponisation of Data”. Surveillance in a passive form may be all pervasive yet is invisible to the naked eye but “Weaponisation of Data” is aggressive where people’s personal data can be profiled and mined on demography, race, religion, sect, political affiliation and views. This data after being mined can be used by an autocrat in the future to target opponents and crush any dissent by switching off a person from essential and other services, denying him or her their identity by blocking out a simple UID.
Even the private parties who get access to demographic and personal data can mine your location, actions and shopping to determine your choices and target you with specifics ads. Political campaigns can use these databases to target people with propaganda undermining the very basis of democracy similar to Cambridge Analytica’s campaign for Brexit or the Trump Presidency. Data is the new Oil and to shrug off the problem in sharing data with the state when you use Google, Facebook etc is akin to making light of the core concept of free will of individual and informed consent.
“In a country of the size and scale of India doing away with Aadhaar may not be a prudent idea but strengthening its security architecture with Data Security and Sharing Laws and Privacy Law is the way forward.”
Thus individual rights meaning privacy over personal data including biometric data is an essential component of the bodily integrity of a human being and the state ought to exercise utmost discretion in not violating it. Much like Aadhaar Act, similar laws were enacted in UK by way of UK Identity Cards Act, 2006 which was later abolished in 2011 wherein UK’s then Home Secretary and now Prime Minister Theresa May claimed that by abolishing biometric ID cards we are doing away with one of the most intrusive system on Individual Rights and Freedom, which also violated Universal Declaration of Human Rights. Many other countries including Australia, Hungary have done away with such laws while in USA Social Security Number (SSN) is used only for social welfare schemes and benefits, not for personal identification with strict regulations under Privacy Act of 1974.
“The state which acts as repository of its citizen’s data is obligated to serve the people and secure the rights of the public and any presumption to the contrary is ultra vires to the very nature of the social contract of State with “We The People”.
In a country of the size and scale of India doing away with Aadhaar may not be a prudent idea but strengthening its security architecture with Data Security and Sharing Laws and Privacy Law is the way forward. The Government of the day in India should build trust and empower its citizens to sue agencies of the state or the transnational corporations for breach or misuse of their personal data and limit the scope of data tagging to Aadhaar to welfare services lest it becomes an Orwellian tool. In the end one can conclude that though Social Welfare is a duty obligated on the state to serve the poor it doesn’t in any way override the individual’s rights and freedoms which form the bedrock of a free and a democratic society. The state which acts as repository of its citizen’s data is obligated to serve the people and secure the rights of the public and any presumption to the contrary is ultra vires to the very nature of the social contract of State with “We The People”.