Aadhaar must be preserved with safeguards…. The root cause for Privacy breach is elsewhere


An interesting debate is happening in the Supreme Court on whether “Aadhaar is Constitutional” and whether it should be scrapped. We are informed that the Anti Aadhaar advocates have started putting through their view points to convince the Court that Aadhaar is a violation of “Privacy” and it creates a “Surveillance State” and hence it should be scrapped.

I donot see the same commitment of these advocates when it comes to issues like banning Crypto Coins but on Aadhaar they feel that a great injustice is being done to the Indian citizens.

The essence of the anti Aadhaar arguments can be two fold.

First objection to Aadhaar could be that it is being linked to many activities and becoming a universal ID and therefore it will enable creation of a “Surveillance State”.

The second objection to Aadhaar is that the UIDAI has failed to secure the system and hence the system poses a Cyber Crime risk.

The two aspects may have some common link since “Lack of Security” leads to “Leakage of Information relevant for Privacy”.

But the objection so far presented is not because of the security risks but mostly on the ground that it enables the Modi Government to exercise a tight control on information flow particularly related to the financial activities of an individual. So far Black money owners had a field day in having “Benami” holdings of assets and the proposal to link Bank accounts and PAN to Aadhaar as a first step and now to link immovable properties to Aadhaar has really sent shivers down the spine of all the Benamis in India. The opposition to Aadhaar today is vocal because this population of Benamis of India is huge and encompasses politicians, bureaucrats and businessmen.

It is precisely for this reason, I support Aadhaar at present though I have serious reservations on the security aspects of Aadhaar. I believe that security aspects can be addressed if UIDAI is humble enough to admit the security challenges and seek help from appropriate experts, which UIDAI is at present avoiding.

The opposition to Aadhaar from the angle of the recent Supreme Court judgement in which Privacy is held as a “Fundamental Right” is not sustainable if properly countered. Mr Shyam Divan who presented the initial arguments seem to have heavily relied upon this angle and quoted extensively from the Justice Puttaswamy judgement to impress the bench.

We must remember that the Justice Puttaswamy judgement was a one page judgement and just held Privacy as a fundamental Right. It also contained hundreds of pages of reminiscences which did not form part of the order and hence has little value in defining how Aadhaar hurts the Privacy Right of an Indian citizen.

The essence of the Puttaswamy judgment was that “Privacy” cannot be defined and therefore there cannot be a direction on protecting Privacy. However, “Information Privacy” is one aspect of Privacy which can be protected and the Government should work on this.

“Information Privacy Protection” is nothing different from “Data Protection” related to “Personally identifiable information” and more particularly some of the “personally identifiable information” which can be classified as “Sensitive”.

Aadhaar system collects and stores “Individually identifiable Personal Information” and it also collects “Biometrics” which is a sensitive personal information. Aadhaar however does not collect and retain information which is “Health related”, Finance Related” or information related to sexual orientation, racial view points etc. Even before  Aadhaar, Banks have been collecting personal information and generating sensitive personal information. Similarly, health care operators have been collecting sensitive health information and storing them. The Privacy concerns can therefore be expressed even if Aadhaar link is not there to such information.

The only reason why Aadhaar is being discussed is that instead of blaming the Bank account number Privacy for data leakage in Banks and some other IDs for other data leakages, we have a new whipping boy called Aadhaar which is now a common factor for all data breach possibilities.

There is no doubt that convergence of risks do occur when multiple types of data are linked to one central identity parameter like Aadhaar. But it is important to note that leakages occur not because there is a link between the sensitive data and a common number but because the data managers fail to de-identify the data or secure the access to data while in their custody.  If the access to data in Banks or Hospitals can be secured and properly de-identified (or pseudonomized), then even if data is leaked, it will be “Information not identifiable with a living individual” and therefore becomes “Non Sensitive and Non Personal”.

If therefore the security of Aadhaar usage at the intermediary usage points is fortified, then Aadhaar per-se does not pose threat to Privacy of individuals. It is for this reason that the recent measures introduced/suggested by UIDAI to use “Virtual Aadhaar IDs” and to “Fortify the finger prints with a face identity parameter” assumes importance. If these measures are properly implemented, one can argue that the “Privacy Risk arising from the Aadhaar data base” becomes minimal.

The real risk areas are the network links through which the authorized aadhaar users (AUA/KUA agents) access the CIDR and the use of Aadhaar in the AEPS (Aadhaar enabled payment systems), besides the stored data at the user end. Currently, ITA 2000/8 considers these intermediaries as liable for any loss to the citizens arising out of their lack of due diligence or lack of reasonable security practice. This will continue and needs to be made more robust in implementation so that any member of public who loses his data due to the negligence of the Aadhaar intermediaries would be adequately compensated.

The grievance redressal mechanism under ITA 2000/8 will be improved upon when the new data protection act becomes effective and this has to be taken into account by the Supreme Court now.

Blaming Aadhaar system for the negligence of  Aadhaar User agencies which leaks out Aadhaar number of different persons is not fair.

We can blame UIDAI for not having adequate monitoring mechanism to make these intermediaries implement strong security measures and push them for better implementation of security along with deterrance which should be effective. We can also question them for not suspending defaulters for a long time and impose heavy fines, (all of which will be now possible through the new Data protection Act).

But we cannot jump to the conclusion that Aadhaar must be scrapped because of the risks of data leakage.

Some time back the honourable Supreme Court made a huge mistake in scrapping Section 66A of ITA instead of reading down the section and removing the deemed conflict with the “Freedom of Expression”. They should not repeat the same mistake now and end up scrapping Aadhaar.

Scrapping of Section 66A of ITA 2000/8 gave a “License to Defame” and diluted the Act for offences such as Cyber Stalking, Spam, Cyber Extortion, Phishing etc. The Court in a bid to dish out a populist judgement ignored the beneficial aspects of Section 66A.

Similarly, the beneficial aspects of Aadhaar needs to be kept in mind by the Court now before being tempted to give out another populist judgement. If Aadhaar is scrapped, there will no doubt a huge sensation created in the country and the opposition political parties would rejoice. It would also make the judges well known. But it would also immediately assist all Benamis who want to hide their financial transactions from being monitored by the State.

What the Court needs to focus is in asking questions on what checks and balances are planned by the Government to prevent misuse of Aadhaar infrastructure. So far no body seems to have urged the Government in this direction nor this has been a point of debate in the Aadhaar discussions amongst NGOs and other Privacy Activists.

I invite the Privacy activists therefore to start suggesting the infrastructure required to prevent misuse of Aadhaar and in the event of misuse providing proper grievance redressal to the Citizens as also the checks and balances to punish those Government officials who may misuse the system for harassing honest citizens rather than pursue the sole objective of getting Aadhaar scrapped.

If Supreme Court proceeds to take another Sec 66A kind of populist decision, then we will be removing an effective instrument of Governance, defeating the fight against Black money and corruption.

Supreme Court may not be responsible for Governance and hence it may not be their problem if Black Money in India grows and Benamis thrive.

But the progeny may blame the Court for missing an opportunity to drive India on a path to a good economic future and blame them that under the cover of providing Privacy Protection, they provided a Cover of secrecy for criminals to exploit.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.