Naavi.org

This is a continuation of the previous article on this topic

The second question which was answered by the three judges was “Whether the Aadhaar Act violates the right to privacy and is unconstitutional on this ground?

The judges proceeded to answer this question by stating that since the scheme is backed by the statute and serves a legitimate State aim and it does not infringe on the Privacy of the individuals. It however held that it should be used for delivery of benefits and services but not for reasons such as making it mandatory for CBSE exam etc.

In otherwords it stated that the Government should use it only for schemes where subsidies are distributed  from the consolidated fund of India by drawing attention to Section 7 of the Aadhaar Act.

It is however not clear why Supreme Court considered that Section 7 limited the use of Aadhaar only for schemes involving funds from the consolidated funds of India since the section does not seem to make such limitations. The section only states that it may be used for such purposes.

Since on the one side the Court felt that Aadhaar Act does not violate Privacy, it contradicts itself by imposing limitation of its use.

Aadhaar is a scheme which has been implemented with public funds and if it can be used as a tool for any activity without the Privacy or other Rights being infringed, the logic of restricting its use to only the welfare schemes appears unconvincing.

As regards the enrolment of children, it was held that  it can be done with the consent of the parents  and on attaining the age of majority, the children may have the option to exit from the Aadhaar  if they donot avail the benefits of the scheme to which they are enrolled.

The linking of the Aadhaar number with Mobile has however been declared illegal for the reason that it is not backed by law. This could be one of the aspects that may be considered in some law related to telecom regulations or even the PDPA 2018 itself.

All other objections raised on the validity of processes by which the Act was passed as a Money Bill and linking of Aadhaar with PAN  were held to be valid.

As regards opening of bank accounts, mandating that existing account holders need to provide Aadhaar or closing existing accounts if Aadhaar is not linked are not permitted. However for opening new accounts, if there are no alternative less invasive measures, it may be possible to use Aadhaar identification methodology.

The Telecom companies have however been disallowed to mandate linking of the mobile with the account since it is not backed by any law.

Additionally in the event of any offence, Supreme Court wants the consumer to be given the right to take legal action.

This remedy for civil and criminal action was already available under ITA 2000/8 when a wrongful loss had occured due to “diminishing of the value of information residing inside a computer/affecting it injuriously by any means (Section 43/66) and hence there is no additional benefit except adding one more section under Aadhaar Act into a complaint when made.

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

This is a continuation of the earlier articles on the topic

Continuing our discussion on the Judgement of the three Judges, Dipak Mishra, A K Sikri and A W Khanwilkar, responding to the first issue answered by them namely,

(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?

Incidental Issues:

(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data?
(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?

the judges have responded….

(v) That portion of Section 57 of the Aadhaar Act which enables body corporate and individual to seek authentication is held to be unconstitutional.

The Section 57 has been one of the widely discussed aspects of the judgement since it has a a direct impact on the industry.

The section states:

57. Act not to prevent use of Aadhaar number for other purposes under law.

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:
Provided that the use of Aadhaar number under this section shall be subject to the
procedure and obligations under section 8 and Chapter VI.

Interesting debate happenned on this section and has been discussed in detail in the body of the judgement. But what is important is to look at this operating part of the judgement.

We can also simultaneously see the clear conclusion that is included in the Justice Ashok Bhushan’s judgement which states,

Section 57, to the extent, which permits use of Aadhaar by the State or any body corporate or person, in pursuant to any contract to this effect is unconstitutional and void. Thus, the last phrase in main provision of Section 57, i.e. “or any contract to this effect” is struck down.

The three member judgement stated that “that part of Section 57 that enables a body corporate and the individual to seek authentication is unconstitutional”. If we interpret that this “that part” relates to the entire section, then it means that Body corporate cannot use the Aadhaar authentication even  “Purusant to any law” .

This would look illogical since even “Privacy” is not an “Absolute Right” under the Constitution and the Parliament cannot be prevented from making a law which it considers suitable if it can justify that it does not violate the principles of fundamental rights subject to reasonable restrictions. Justice Ashok Bhushan has expressed his views with clarity but the three judges have not drafted this part of the judgement properly and left the words “That part” to be interpreted more widely than necessary.

But the same judges in the later part of their Issues-Answers,  in page 560 of the judgement., point 4, answer (h), state as follows:

Insofar as Section 57 in the present form is concerned, it is susceptible to misuse inasmuch as:

(a) It can be used for establishing the identity of an individual ‘for any purpose’. We read down this provision to mean that such a purpose has to be backed by law. Further, whenever any such “law” is made, it would be subject to judicial scrutiny.

(b) Such purpose is not limited pursuant to any law alone but can be done pursuant to ‘any contract to this effect’ as well. This is clearly impermissible
as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met.

(c) Apart from authorising the State, even ‘any body corporate or person’ is
authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and
demographic information by the private entities. Thus, this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional.

In this part of the judgement, the judges accept the power of the State to make law though such law also is subject to review. The section 57 is meant for both the State and the Body Corporates and for use both under a law or under a contractual agreement.

The intention of the judges appears to be to say that the individual and a body corporate cannot enter into a contract where by the body corporate can seek Authentication of Aadhaar data. But unlike Justice Ashok Bhushan, the other judges in their combined judgement failed to word their intentions without ambiguity.

As a result of this ambiguity, some are interpreting the judgement as if body corporates are completely barred from using Aadhaar.

We record our serious reservation to this interpretation because the Aadhaar infrastructure has been created out of public funds and it is a national resource. There is therefore no reason to prevent its wide usage as long as the Privacy concerns including Surveillance concerns are addressed.

The Court failed to also consider that the use of Aadhaar by private sector companies with biometric is already restricted only to “Global AUAs” like Banks. Other entities which are licensed as “Local AUAs” are barred from seeking authentication on the basis of Aadhaar number.

However, an Aadhaar number holder can generate a different random ID called “Virtual ID” (VID) which is a 16 digit number  as against the 12 digit Aadhaar number and is issued by UIDAI on request to the Aadhaar holder. This number can be used for purposes such as self identification since a body corporate can verify the correctness of the demographic information provided by an individual with reference to the VID.

When VID is presented to a body corporate along with some demographic parameters that need to be verified, the body corporate can submit the parameters one by one along with the VID and at the other end, UIDAI will provide a service which says whether the parameter as presented is correct or incorrect. For releasing this verification, the UIDAI may use the mobile OTP as a second factor authentication.

In this process, UIDAI does not dump the demographic information to a body corporate nor the body corporate collect the biometric nor the Aadhaar number. UIDAI is the only authority that knows the mapping between the VID and the Aadhaar ID.

This VID is a service that is being offered by UIDAI and has been mandatory from around July 1st 2018.

It is true that not all private sector companies have migrated from the use of Aadhaar number to VID and most of the Aadhaar users are not aware of the VID. But this is a different issue to be resolved by the industry and is not an issue on which Supreme Court should bar the usage .

It was surprising that the Supreme Court in its judgement did not make a special mention of the availability of VID. It completely ignored it as if it is not relevant at all. It is true that VID is not Aadhaar and hence it was not the subject matter of the petiton. But it would have been prudent for the Supreme Court to have made a mention of the VID so that the public would have become aware that there is an alternative which the private sector companies have ignored for some time and can be used now.

The use of VID for verification of demographic information as presented by an Aadhaar user (without populating the form at the user end with a dump of data from the UIDAI) particularly without biometric should have been ideally pointed out by the Court.

Nevertheless the judgement by ignoring to refer to VID has confirmed that VID is not Aadhaar and its use is not affected by any part of this judgement.

It is however better for the Government to include the use of VID as an acceptable method of verification of personal data in the PDPA 2018 draft.

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

This is a continuation of the earlier articles on the topic

Continuing our discussion on the Judgement of the three Judges, Dipak Mishra, A K Sikri and A W Khanwilkar, responding to the first issue answered by them namely,

(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?

Incidental Issues:

(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data?
(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?

the judges have responded….

(iv) Insofar as Section 33(2) of the Act in the present form is concerned, the same is struck down.

The relevant section as it stands today and is being struck down is:

(33)(2) Nothing contained in sub-section (2) or sub-section (5) of section 28 and clause (b) of sub-section (1), sub-section (2) or sub-section (3) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government:

Provided that every direction issued under this sub-section, shall be reviewed by an Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, before it takes effect:

Provided further that any direction issued under this sub-section shall be valid for a period of three months from the date of its issue, which may be extended for a further period of three months after the review by the Oversight Committee.

The objection to this section was perhaps the Court considered that “Joint Secretary” was not the appropriate level at which this responsibility could be vested with.

The Government can therefore through the PDPA 2018 raise this level of intervention to the Secretary to meet the objections.

The Court has also pointed out in its answer that

(vi) We have also impressed upon the respondents, to bring out a robust data protection regime in the form of an enactment on the basis of Justice B.N. Srikrishna (Retd.) Committee Report with necessary modifications thereto as may be deemed appropriate.

As a result of this push, Government will have to bring up the PDPA 2018 for discussion as early as possible and get it passed. Alternatively, Government may have to resort to an ordinance to make PDPA 2018 effective immediately.

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

This is a continuation of the earlier articles on the topic

Continuing our discussion on the Judgement of the three Judges, Dipak Mishra, A K Sikri and A W Khanwilkar, responding to the first issue answered by them namely,

(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?

Incidental Issues:

(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data?
(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?

the judges have responded….

(ii) Metabase relating to transaction, as provided in Regulation 26 of the aforesaid Regulations in the present form, is held to be impermissible, which needs suitable amendment.

The section 26 of the regulations state as follows:

(1) The Authority shall store and maintain authentication transaction data, which shall contain the following information:—

(a) authentication request data received including PID block;
(b) authentication response data sent
(c) meta data related to the transaction.
(d) any authentication server side configurations as necessary Provided that the Authority shall not, in any case, store the purpose of authentication.

The judgement suggests a “Suitable Amendment”. In the earlier paragraphs, the judges have noted the fact that UIDAI does not collect the purpose of authentication nor the location of the transaction. Hence it is not clear what exactly is the concern of the judiciary regarding the meta data collection. It appears that  this reflects the unverified concerns of the petitioners.

In fact from the security perspective of prevention of frauds, it looks stupid not to collect the locational information of the authentication since this is part of any “Risk management” system.

There are instances where the POS devices are moved from one state to another and used for conducting fraudulent transactions to avoid detection. Also in case of cloned card use, one of the security measures is to understand where from the transaction is happenning. Similarly if one minute back an aahaar authentication hapenned from Bangalore and the next minute from Chennai, it is an indication that the authentication request is fraudulent.

To identify such frauds, it is necessary to collect the IP address, GPS data and not only use it at the time of authentication but also maintain it as “Evidence” for later use.

It is accepted that the data so collected should be securely stored. Placing any other restriction would be weakening the security of the transaction and actually hurt the interest of the Aadhaar user whose biometric might have been stolen.

It is therefore necessary to record that this prescription of the Court was not warranted. Since the judgment only says the section has to be amended, without exactly giving direction, at this point there is lack of clarity on this suggested amendment.

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

This is a continuation of the earlier articles on this topic

Continuing our discussion on the Judgement of the three Judges, Dipak Mishra, A K Sikri and A W Khanwilkar, responding to the first issue answered by them namely,

(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?

Incidental Issues:

(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data?
(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?

the judges have responded..

(iii) Section 33(1) of the Aadhaar Act is read down by clarifying that an individual, whose information is sought to be released, shall be afforded an opportunity of hearing.

The Section 33(1) as it stands today reads:

33. (1) Nothing contained in sub-section (2) or sub-section (5) of section 28 or sub-section (2) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made pursuant to an order of a court not inferior to that of a District Judge:
Provided that no order by the court under this sub-section shall be made without giving an opportunity of hearing to the Authority.

The sections  28(2), 28(5) and 29(2), of Aadhaar Act relate to Security and Confidentiality of Information and state as follows:

28(2)  Subject to the provisions of this Act, the Authority shall ensure confidentiality of identity information and authentication records of individuals.
28 (5) Notwithstanding anything contained in any other law for the time being in force, and save as otherwise provided in this Act, the Authority or any of its officers or other employees or any agency that maintains the Central Identities Data Repository shall not, whether during his service or thereafter, reveal any information stored in the Central Identities Data Repository or authentication record to anyone:
Provided that an Aadhaar number holder may request the Authority to provide access
to his identity information excluding his core biometric information in such manner as may be specified by regulations.

29(2) (2) The identity information, other than core biometric information, collected or created under this Act may be shared only in accordance with the provisions of this Act and in such manner as may be specified by regulations.

It is not clear if a “reading down” was required since 33(1) provides that on the orders of the Court (District Court and above), information can be disclosed. The section alredy mentions that the person whose data is sought to be released, would be given an opportunity of hearing.

The provision as it exists and as is clarified reiterates that there cannot be a collection of data say for intelligence purpose without the knowledge of the aadhaar holder. This is a matter which the law enforcement agencies need to discuss whether it adversely affects the national security.

In a practical situation, if the Law Enforcement comes across a biometric which relates to a suspicious person, and wants to identify the person, the law enforcement  agency cannot rely on the Aadhaar data base like their own NCRB data to identify the suspicious person. If therefore a terrorist is trying to escape in an Airport and the agencies have a doubt about the identity of the person, they cannot make a real time verification with the aadhaar data base. They may however detain him on suspicion and get a warrant and then check his identity. Either the law enforcement would resort to this method which is more inconvenient if the suspicion is wrong or they will let people slip through except when they have some very strong suspicion.

By such provisions, the law is being made Criminal friendly and it is not helping the honest citizen of the country who has his own stake in the national security.

The PDPA 2018 needs to have appropriate provisions to prevent such unfair restrictions to be imposed on the verification of identity of suspects with reference to the Aadhaar data. This is not amounting to “Surveillance” but is a security requirement.

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

This is in continuation of the earlier articles on this topic

The First Issue answered by the first part of the majority judgement(signed by the three judges Dipak Mishra, A.K.Sikri and A W Khanwilkar here after referred to as the first part) was

(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?
Incidental Issues:
(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data?
(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?

The answer to the above question provided by the judges took note that Aadhaar architecture does not tend to create a surveillance state. It also concluded that there were sufficient authentication security measures taken by UIDAI and adequate oversight. It recorded that use of Registered Devices prevented the risk of store and replay attack. It noted that the Authority does not get the transaction details of an authentication request or the IP address or GPS location of the authentication request.

Taking into account the above, the three judges held

After discussing the aforesaid aspect with reference to certain provisions of the Aadhaar Act, we are of the view that apprehensions of the petitioners stand assuaged with the striking down or reading down or clarification of some of the provisions, namely:

(i) Authentication records are not to be kept beyond a period of six months, as stipulated in Regulation 27(1) of the Authentication Regulations. This provision which permits records to be archived for a period of five years is held to be bad in law.
(ii) Metabase relating to transaction, as provided in Regulation 26 of the aforesaid Regulations in the present form, is held to be impermissible, which needs suitable amendment.
(iii) Section 33(1) of the Aadhaar Act is read down by clarifying that an individual, whose information is sought to be released, shall be afforded an opportunity of hearing.
(iv) Insofar as Section 33(2) of the Act in the present form is concerned, the same is struck down.
(v) That portion of Section 57 of the Aadhaar Act which enables body corporate and individual to seek authentication is held to be unconstitutional.
(vi) We have also impressed upon the respondents, to bring out a robust data protection regime in the form of an enactment on the basis of Justice B.N. Srikrishna (Retd.) Committee Report with necessary modifications thereto as may be deemed appropriate.

In expressing the above views, the Court actually descended to the level of drafting internal security guidelines for UIDAI. We cannot expect the Court to be an Information Security expert and hence some of these suggestions could have been avoided. In comparison the drafting of the Ashok Bhushan judgement was better as it avoided going into the details of how UIDAI has to manage the security.

Now coming to the exact recommendations in this Answer 1,

the first prescription is

(i) Authentication records are not to be kept beyond a period of six months, as stipulated in Regulation 27(1) of the Authentication Regulations. This provision which permits records to be archived for a period of five years is held to be bad in law.

By making this observation, the Court has limited the data retention period of the authentication record to 6 months unmindful of the actual requirement which may be dependent on the circumstances.

The Authentication guidelines indicated data retention under two regulations. First was under regulation 18 (1) about the maintenance of logs by requesting party. Second was regulation 27(1) .

This regulation under 27(1) stated:

(1) Authentication transaction data shall be retained by the Authority for a period of 6 months, and thereafter archived for a period of five years.
(2) Upon expiry of the period of five years specified in sub-regulation (1), the Authentication transaction data shall be deleted except when such authentication transaction data are required to be maintained by a court or in connection with any pending dispute.

The judgement has suggested that the 27(1) is modified to remove the words “and thereafter archived for a period of five years”.

Simultaneously 27(2) may need to be amended to say “Upon expiry of six months…”

The similar provision under regulation 18 (1) which is applicable to the user agencies is not touched by this answer.

The current judgement has not invalidated the possibility of  a law that requires the data to be retained beyond 6 months. One such law which is in existence is the “Evidence Law”. When a certain transaction data is required as  “Evidence” because a potential crime has come to the knowledge of the person holding the data, he has to preserve it until it is required. Otherwise it will be an offence under IPC (Section 204)  and ITA 20008 (Sec 65).

Even the PDPA 2018 can clarify this aspect.

If within 6 months no specific complaint arises, the data may be destroyed.

However, since it is the law of limitation which says that there is a time limit of 3 years for any civil action, the action of the Supreme Court to get the potential evidence forcefully removed after 6 months is snatching a legal right available to the citizens.

I would therefore consider it necessary for the Supreme Court to increase this data retention limit from 6 months to 3 years.

Alternatively, the PDPA 2018 must state that

” System log records and other data which are relevant for the protection of the Privacy of a person shall be retained for a period as required under the law of limitation for a minimum period of 3 years and as otherwise may be required if the data is considered as a potential “Evidence” for a cognizable offence of which the data fiduciary is aware of.”

….To Be continued

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.