

Building a Responsible Cyber Society…Since 1998

Currently GDPR and Aadhaar are both hot subjects for discussion amongst professionals whether they are Privacy activists, Information Security professionals or Lawyers.

GDPR is at one end of the spectrum often looked upon by Privacy activists as the ultimate in Privacy Protection legislation. Aadhaar on the other hand is at the other end of the spectrum often looked upon as the greatest villain in Privacy breach in India.

The Supreme Court of India continues to hear the petition of Privacy Activists who are more concerned about the political damage they can create on the Government by attacking Aadhaar than any public good.

There appear to be some foreign technical persons calling themselves “Ethical Hackers” who are camping in India to hack into Aadhaar data and prove that Aadhaar is the epitome of Privacy invasion in India. It is not clear where the motivation of these persons comes from and whether they are motivated by their commitment to the Privacy of the Indian Citizen or committed to the political advantages that can accrue to Black Money owners in India if the present intentions of the Government to link Aadhaar to Mobile and Bank accounts are frustrated through intervention from the Supreme Court.

We the Indians are aware that even Supreme Court is having its own agenda and many times takes decisions which are “TRP oriented”. The Privacy judgement, the Scrapping of Section 66A are examples of decisions where the Court has shown its inclination to come to conclusions based on the public perception that can be created about the “Progressive Views of the Judiciary”.

In this context it is essential for us to examine how GDPR tries to address the issues of Privacy in the context of Public interest, National Security and Journalistic freedom.

Chapter IX of GDPR refers to “Provisions Related to Specific Data Processing Situations” and sets out the rules regarding processing of personal data in the context of Right to Freedom of Expression and other issues including “Processing of National Identification Number”.

Article 85 of GDPR leaves it to member states to reconcile by law the right to protection of personal data pursuant to GDPR with the right to freedom of expression and information, including processing for journalistic purposes and for academic, artistic and literary purposes.

Article 86 refers to personal data in official documents held by a public authority or a private body for the purpose of carrying out an activity in the public interest which may be disclosed under a Right to Information kind of law.

As one can appreciate, the canvas to define exclusion under Article 85 and 86 is fairly wide and if we take this as a guide for the Indian context where we are waiting for our own Data Protection law, there is enough scope to consider that our existing laws including the Right to Information Act can be considered as an automatic exclusion to GDPR.

Article 87 is interesting since it directly relates to a situation similar to Aadhaar. It states as under:

Article 87: Processing of the national identification number

Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.

This article provides complete rights to member states to overrule GDPR when it comes to processing of national Identification Number or any other identifier of general application. Obviously, “Appropriate safeguards” are prescribed.

This article provides guidance to Indian Companies, who are often overreacting to the GDPR by imposing non-existent restrictions on themselves, on the extent to which local regulations may override GDPR while the result can still be considered as “GDPR Compliance”.

If the member states of EU themselves have the freedom to enact laws that may override EU, it is obvious that in an independent sovereign country like India, where in most cases the GDPR application is through the contracts between the Data Controller in EU and a Data Processor in India, the local laws such as Information Technology Act 2000/8 will have paramount priority over and above GDPR.

I therefore caution Indian Companies that in their eagerness to be GDPR compliant, they should not ignore the need to be ITA 2008 compliant.

We need to build GDPR Compliance within the parameters of ITA 2008 compliance. Fortunately, ITA 2008 is eminently designed for such requirement since Section 43A and definition of “Reasonable Security Practice” accommodates such contracts as defining the security requirements for compliance. The only difference would be that the remedy may have to be sought under ITA 2000/8 read along with international treaties and laws applicable to international contracts. GDPR cannot be super imposed in derogation of these other remedial options.

The second aspect we need to take note from Article 87 is that even the rigorous GDPR regulation on Privacy provides for an exception of National Identification Number in the EU member countries. Hence the Indian Data Protection Act can also exempt the processing of Aadhaar data from the restrictions.

The Supreme Court should therefore take cognizance of this fact and not make the mistake that they committed in scrapping of Section 66A of ITA 2008 while ruling on Aadhaar.

Linking of Aadhaar to Bank accounts and to Mobile is a requirement of public interest to prevent Black Money, Benami transactions as well as Terrorism and Crimes and the right of the Government to use the National Identification Number such as Aadhaar for such purposes cannot be curtailed by the Court without taking on the blame that the decision is meant to please the silent majority of anti nationals who advocate that Aadhaar has to be scrapped.

The above support for Aadhaar is however not in derogation of the requirement that there have to be adequate safeguards to secure the Aadhaar usage in a manner that it cannot be misused to commit crimes. It is in this context that the “Virtual Aadhaar” becomes most important as a security measure so that at least in the future “Stored Biometric Attacks” through the Aadhaar user agencies do not occur.

My support for Aadhaar above also does not mean that Aadhaar authorities are taking all steps that are necessary for securing the infrastructure of Aadhaar and that they are not arrogant and not dismissive of the risks.

It is however considered that Aadhaar linking to Financial information and identity of individuals to several activities is essential to build a Safe India and no legal hurdle should be placed to prevent this honest effort of the Government. The security concerns are however real but can be addressed if UIDAI makes full efforts in this regard.

The first thing UIDAI needs to check is the progress of the Virtual Aadhaar implementation. The system should be in trial operation by 1st of April and in mandatory operation by 1st of July.

While some data security organizations in India are busy conducting surveys on our GDPR preparedness, UIDAI itself or other data security organizations should focus also on conducting a survey on our preparedness for implementation of Virtual Aadhaar as an identity to replace Aadhaar identity by Banks and Mobile operators.


Aadhaar has been the center of Privacy debate for quite some time in India and has even attracted international attention. Amidst the criticisms that Aadhaar system is not properly secured and therefore it may lead to loss of privacy of the citizens, Supreme Court took up a petition on whether Aadhaar infringes Indian Constitution and should be discontinued. Initially, the Aadhaar baiters scored a victory as Supreme Court under the previous CJI hurriedly constituted a 9 member bench and passed a judgement stating “Aadhaar is a Fundamental Right”. It appeared as if the judgement was a tool given to the smaller bench which was hearing the Aadhaar constitutionality issue to scrap Aadhaar.

However things have changed in the last few weeks. First the new CJI shuffled the bench and case allocation rules so that politician advocates who wanted to get the Aadhaar case heard by a bench of their choice were frustrated in their design.

The case is now being heard in a more neutral bench than what the politicians intended.

At the same time, UIDAI came up with its own master stroke introducing the “Virtual Aadhaar ID” (VAID) proposition, which has changed the scenario of security in such a manner that one of the key arguments against Aadhaar, that it leads to breach of privacy, has been put to rest.

Naavi had been suggesting for a long time that the principle of “Regulated Anonymity” should be applied to secure Aadhaar and actually hoped that this would be a good commercial business proposition to be used by an enterprising private business entity. Now Aadhaar by introducing the system of VAID has come up with its own version of “Pseudonymization” which would perhaps take the Privacy protection up by several notches.

The VAID system is expected to be in operation by March 2018 on trial basis and mandatorily by June 2018 unless some extension is given. Once the system comes into use, all KYC agencies will have to be prepared to use the VAID, which may be a 12 digit randomly generated number which is mapped to the real Aadhaar ID of an individual, for all their KYC enquiries.

In other words, the KYC authority will not receive the real Aadhaar ID for its KYC purpose but receive only a randomly generated, changeable VAID number. This may perhaps be forced by UIDAI by mandating that the AUA/KUAs shall stop using the real Aadhaar ID for any KYC queries.

As for the users, they will have the option of generating a VAID against their real Aadhaar ID and ascribe it a date of expiry or designate a specific one time purpose. Such number would meet the requirement of SIM card verification or even Bank account verification.

How Virtual ID secures the system

The exact architecture that UIDAI may use for the purpose is not known and need not be made public. However, it may consider the following features.

(P.S: This diagram is only an illustrative representation of a suggested architecture. This is not what UIDAI may implement)

The first change could be that access to CIDR will be only through an internal system and access by AUA/KUA would be stopped at an intermediary server.

Public will access a Virtual ID generator (S-1) service as and when they want. They will provide the real Aadhaar ID to this server and obtain a Virtual ID. This ID will be randomly generated and will have an expiry tag and stored in another system. S-1 will then deposit the information to S-2 where a map of Real Aadhaar ID and Virtual Aadhaar ID is maintained and updated with a history of VAIDs associated with a given Real Aadhaar ID.

When a user requires a service, he will provide only his VAID to the AUA/KUA, who will send their request to another exclusive server of UIDAI where the request will be processed (S-3). This server will push a request to S-2, which will re-identify the VAID and forward the KYC request to CIDR (Central Identities Data Repository). CIDR will push the required information back to S-3 for onward transmission to the AUA/KUA.

In this structure, S-2, which holds the map of the real Aadhaar ID with the Virtual Aadhaar ID, will be accessed only by internal servers, one accessible to Aadhaar users and the other accessible to the AUA/KUAs.

S-1 will only generate VAID and does not store any data after the process is over. CIDR is accessible only from S-2. S-2 will not hold any data other than the mapping of the real ID and Virtual ID. S-3 will allow passing through of Virtual ID and the KYC information but will never access the real ID.

S-1 and S-3 will be only transaction servers and need not store any data except in transit. Firewalls will manage the access to different servers and ensure that Aadhaar demographic or Biometric data is not accessed by any outsiders except through queries passed through S-2.
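The S-1 / S-2 / S-3 separation suggested above can be sketched as a small simulation. This is an added example, not UIDAI's design and not code from the original post; the class names, the expiry and one-time handling, the sample record and the choice to route the CIDR reply back through S-2 are all assumptions made for illustration.

```python
import secrets
import time

REAL_ID = "999900001111"  # constructed sample value, not a real Aadhaar number


class FakeClock:
    """Controllable clock so that expiry can be shown deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class CIDR:
    """Central Identities Data Repository: KYC records keyed by real Aadhaar ID."""
    def __init__(self, records):
        self._records = dict(records)

    def kyc(self, aadhaar_id):
        return dict(self._records[aadhaar_id])


class MappingStoreS2:
    """S-2: holds only the VAID <-> real ID map and is the sole path to CIDR."""
    def __init__(self, cidr, clock=time.time):
        self._cidr = cidr
        self._clock = clock
        self._active = {}   # vaid -> (aadhaar_id, expires_at, one_time)
        self.history = {}   # aadhaar_id -> every VAID issued for it

    def register(self, aadhaar_id, vaid, ttl_seconds, one_time):
        if vaid in self._active:
            return False    # collision: the caller draws a fresh number
        self._active[vaid] = (aadhaar_id, self._clock() + ttl_seconds, one_time)
        self.history.setdefault(aadhaar_id, []).append(vaid)
        return True

    def kyc_for(self, vaid):
        entry = self._active.get(vaid)
        if entry is None:
            return None
        aadhaar_id, expires_at, one_time = entry
        if self._clock() >= expires_at:
            del self._active[vaid]      # expired VAIDs stop resolving
            return None
        if one_time:
            del self._active[vaid]      # single-purpose VAID is consumed
        return self._cidr.kyc(aadhaar_id)   # the real ID never leaves S-2


class VaidGeneratorS1:
    """S-1: public-facing generator; keeps no state of its own."""
    def __init__(self, s2):
        self._s2 = s2

    def generate(self, aadhaar_id, ttl_seconds, one_time=False):
        while True:
            vaid = f"{secrets.randbelow(10**12):012d}"   # random 12-digit number
            if self._s2.register(aadhaar_id, vaid, ttl_seconds, one_time):
                return vaid


class KycGatewayS3:
    """S-3: AUA/KUA-facing transaction server; sees VAIDs and KYC data only."""
    def __init__(self, s2):
        self._s2 = s2

    def handle(self, aua_id, vaid):
        if not (len(vaid) == 12 and vaid.isdigit()):
            return {"status": "rejected", "aua": aua_id}
        record = self._s2.kyc_for(vaid)
        if record is None:
            return {"status": "rejected", "aua": aua_id}
        return {"status": "ok", "aua": aua_id, "vaid": vaid, "kyc": record}


def demo():
    clock = FakeClock()
    cidr = CIDR({REAL_ID: {"name": "Asha Example", "dob": "1990-01-01"}})
    s2 = MappingStoreS2(cidr, clock)
    s1, s3 = VaidGeneratorS1(s2), KycGatewayS3(s2)
    vaid = s1.generate(REAL_ID, ttl_seconds=60)
    first = s3.handle("bank-aua", vaid)["status"]
    clock.now += 61                      # VAID has now expired
    second = s3.handle("bank-aua", vaid)["status"]
    return first, second


if __name__ == "__main__":
    print(demo())
```
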

How Biometric Security Can be fortified

Presently, Aadhaar has a record of 10 finger prints and iris scan for biometric identity purpose. To this, multiple face parameters may get added with the new addition of the Face recognition feature. Face recognition is intended to be used as an alternative biometric in cases where finger print recognition fails so that false rejections can be reduced.

Additionally, we can consider that one or more Face parameters would be an add on to the many biometric identification parameters (10 finger prints+Iris scan). Totally therefore there may be around 11 plus biometric parameters which can be used for authentication.

Considering the possibility that as of now some biometric data might have been compromised, or biometric devices may be manipulated for a store and replay attack, UIDAI may consider a “Double/Multiple biometric authentication” on an “Adaptive Authentication Principle”.

Under this system, biometric of one finger is first obtained. When this is successful, the server may randomly choose another biometric feature to be provided with or without mobile OTP as well. With such a system there would be simultaneously three parameters that are verified for authentication and the second authentication would be a random variable and provide a defense against most of the normal attacks.

Assuming that UIDAI has other security features already installed for preventing the store and replay attack, the addition of a random additional biometric parameter based authentication will fortify the current system and make an enormous improvement in the system.
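The two-step check described above can be modelled as follows, to show why a randomly chosen second biometric defeats a replayed capture of a single finger. This is an added example, not part of the original post or of any UIDAI system; the modality names, the exact-match template comparison (real biometric matching is fuzzy) and all function names are assumptions, and the optional mobile OTP is left out.

```python
import hashlib
import hmac
import random
import secrets
from fractions import Fraction

# The 11 enrolled parameters mentioned in the text: 10 finger prints + iris.
MODALITIES = [f"finger_{i}" for i in range(1, 11)] + ["iris"]


def template(sample: bytes) -> str:
    """Stand-in for a biometric template (assumption: exact-match digest)."""
    return hashlib.sha256(sample).hexdigest()


class AdaptiveAuthenticator:
    def __init__(self, enrolled, rng=None):
        self._enrolled = dict(enrolled)              # modality -> template
        self._rng = rng or secrets.SystemRandom()    # unpredictable by default
        self._pending = {}                           # challenge id -> modality

    def _match(self, modality, sample):
        expected = self._enrolled.get(modality)
        return expected is not None and hmac.compare_digest(
            template(sample), expected)

    def begin(self, modality, sample):
        """Step 1: verify the first biometric, then pick a random second one."""
        if not self._match(modality, sample):
            return None
        second = self._rng.choice([m for m in self._enrolled if m != modality])
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = second
        return challenge_id, second

    def complete(self, challenge_id, modality, sample):
        """Step 2: the challenge is single-use and bound to one modality."""
        expected = self._pending.pop(challenge_id, None)
        return (expected is not None and modality == expected
                and self._match(modality, sample))


def authenticate(auth, available, first):
    """Run both steps for a party that can present only `available` samples."""
    if first not in available:
        return False
    started = auth.begin(first, available[first])
    if started is None:
        return False
    challenge_id, second = started
    if second not in available:
        return False        # a stored capture of one finger stops here
    return auth.complete(challenge_id, second, available[second])


def replay_pass_rate(held_count, total=len(MODALITIES)):
    """Exact chance that the random second challenge falls inside a set of
    `held_count` stored captures, one of which was used for step 1."""
    if held_count < 1:
        return Fraction(0)
    return Fraction(held_count - 1, total - 1)


if __name__ == "__main__":
    samples = {m: f"constructed-{m}".encode() for m in MODALITIES}
    auth = AdaptiveAuthenticator({m: template(s) for m, s in samples.items()})
    print("live user:", authenticate(auth, samples, "finger_1"))
    stored = {"finger_1": samples["finger_1"]}
    print("one stored capture:", authenticate(auth, stored, "finger_1"))
    print("pass rate with 3 stored captures:", replay_pass_rate(3))
```
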

Since it is possible to get the biometric device ID and its location as a transaction input, the adaptive authentication can be configured with the known behavioural pattern of the user as is done in credit card transactions.

One issue that needs to be tackled in the suggested system is the latency of the transaction and connectivity. But this is a challenge that can be handled and should be handled in the interest of security.

(P.S: I presume that the current team of UIDAI consists of more accomplished information security experts than the author and hence what is discussed above may be steps which are already in place. They are however discussed here to inform  public  that security of aadhaar is feasible.)



In the on-going petition in Supreme Court, Aadhaar faces a tough battle against multiple opponents.

The background under which the Aadhaar case has come up for hearing itself suggests that there are some undercurrents of opposition to Aadhaar even within the judiciary. The recent attack by a few Judges on the CJI citing “Threat to Democracy” also looked like having its roots in the Aadhaar controversy.

The main reason why Aadhaar is being opposed by a section of the society, is that the way it is being implemented by the Modi Government is choking the people who want to hold black money in benami bank accounts and properties and this is considered an existential threat for them. Such Black money holders are there in all walks of life.

Black Money out of Tax Evasion

There are professionals like doctors and others who have made money from their hard work but have, for reasons of their own, not accounted for it for taxation purposes and have therefore accumulated benami wealth. Many businessmen also accumulate black money from their hard work because they have not paid taxes properly. They all have a logic that the taxation system is badly structured and is a disincentive for honest hard work. Politicians applying most of the tax collections for bribing the voters for the next election makes it worse, since citizens have no respect for tax and tax avoidance is considered not as bad as other crimes.

If tax compliance is to be ensured Government must lower the incidence of direct income tax or better abolish it all together though the communists will cry on the obsolete principle of “Taxing the Rich”.  Consumption Tax is the best form of taxation and Income Tax at least on individuals can be done away with.

Black Money out of Corruption

On the other hand there are another kind of Black money wealth owners who have accumulated their wealth out of corruption. This includes  corrupt individuals in different walks of life including bureaucrats and Politicians. Compared to the black money owners who have earned honestly but accumulated black money through tax evasion, the corrupt set of people actually generate black money and they should be treated with an iron hand.

Unfortunately our tax system does not distinguish between these two categories of black money holders.

Now, the proposal to link Aadhaar with the Bank accounts and other properties hurt both these categories of black money owners equally and both of them are now up against the Aadhaar.

Current Aadhaar Debate

The current debate in the Supreme Court is on the grounds that Aadhaar violates the Indian Constitution and creates a “Police State”.

The Anti Aadhaar lobby is on a fishing expedition to  find reasons to hold Aadhaar as “Anti Constitutional”. One route they are trying is to say that “Aadhaar violates Privacy” which the Supreme Court has recently held as a “Fundamental Right”. In fact the Puttaswamy judgement is the foundation under which the present Aadhaar trial is being conducted and there is a view that the Puttaswamy judgement was preparatory to scrapping of Aadhaar by the current bench. One explanation for the revolt of the 4 judges is that the CJI frustrated the conspiracy to scrap Aadhaar by changing the bench composition. This allegation cannot be dismissed easily since political parties, Anti Government Advocates and Modi haters were prominently associated with the revolting judges.

Aadhaar Security Critics

While this group of Anti Aadhaar advocates is motivated only by a desire to prevent Aadhaar being used to fight Black money, there is another set of Aadhaar critics who have been unhappy with the security aspects of Aadhaar. This lobby has been criticising Aadhaar because the lack of security could lead to security risks for the users, including loss of money in Banking transactions and loss of identity if biometric is compromised. It is this lobby which opposed the UIDAI contracts being given out to foreign agencies, UIDAI using a foreign Digital Certifying Agency to secure its server etc. Part of this Security lobby also is concerned with the black money fight, both for or against it.

Some of the security arguments that have been held out by professionals like the undersigned to criticize Aadhaar have now been used by the Pro Black Money lobby to justify their arguments demanding scrapping of Aadhaar.

Just like the undersigned, there are many security professionals who are against Black Money but have been critical of Aadhaar from the security perspective. Some of them have been peeved by the arrogance of the UIDAI authorities in not listening to the security warnings and sometimes even initiating legal action against ethical reporters of security vulnerabilities. While UIDAI has been soft on agencies like Airtel who have misused the system and also on those who were caught storing bio-metrics and reusing them, it went hard against other non malicious technology specialists who ignorantly violated law out of their “Technology Intoxication”. As a result today there are many security professionals who are in favour of the Government in its black money initiative but are angry against UIDAI authorities and are silently enjoying its predicament.

It is only a few of these people which includes the undersigned who have decided to keep our security differences aside for the time being and join hands for the cause of removing black money and corruption with the efficient use of Aadhaar.

Creating a Bridge of Trust

Unfortunately, UIDAI has no channel of communication with such supporters of Aadhaar. Had UIDAI introduced a “Bug Bounty” program as we had suggested some time back, a lot of security professionals who are critics today would have been friendly and come up with many useful suggestions. Today there is complete lack of trust between security professionals and UIDAI and they are not ready to share their security thoughts with UIDAI. Some of them are afraid that if they admit that they have found vulnerabilities, UIDAI may hoist cases against them and some of them are themselves as egoistic if not more than UIDAI and would not volunteer their suggestions.

The need of the hour for UIDAI is therefore to construct a bridge of trust between itself and the security specialists so that there is a flow of positive security ideas from the good intentioned critics to UIDAI.

Recently Justice B N Srikrishna conducted a series of public consultation programs through out India to gather public opinion on the proposed Data Protection Act. During these discussions he had to face lot of brickbats only because of Aadhaar. There were many citizens and security professionals who were commenting on the Data Protection law citing  Aadhaar related issues. It was heartening to note how Justice Srikrishna was humble and patient in listening to all critics and trying to take the essence of the suggestions made out during the interactions. He was not only able to extract valuable suggestions but also create a bridge of trust with the public that he is doing his best to come up with reasonable suggestions for the drafting of the complicated data protection law which people expect to protect “Privacy” which no body is willing to define.

UIDAI must take a leaf out of Justice Srikrishna and learn some PR lessons of how to bridge a friendly relationship with the community.

In this direction I suggest that Aadhaar authorities need to hold open house discussions in different cities of India on a regular basis and listen to the criticisms and suggestions from the community of academicians and security professionals. At the same time, they should open up a channel of communication with the public to hear out their grievances and suggest amicable resolution. This public interaction could be through the web and include a Bug Bounty program as well so that whistle blowers who have valid suggestions.

In the recent days, I have found many respectable security professionals express a view in private discussions that “Let the Government suffer, they will learn a lesson” and recommending that no vulnerability should be reported and Government will learn the lesson when hackers exploit them.

I feel that this indicates a dangerous turn of events when honest persons turn away from their duties to the nation to report vulnerabilities to the Government.

Today’s news reports that a hackers’ group in Kerala has generated a valuable counter terrorism cyber operation in which they have identified a number of “Sleeping Terrorist Cells” promoting terrorism in India. It is also reported that when these hackers (ethical hackers) tried to draw the attention of the security agencies, they did not get the response that they anticipated.

This is a very sad state of affairs where honest citizens who want to help the Government are left to feel that they are unwanted by the authorities.

This feeling is not new and most of us have experienced it in the past. Some journalists often complain about the Lutyen’s lobby operating in Delhi and often acting against the interests of the country. There is a similar lobby of Security experts in Delhi who are close to the decision makers in the current Government also, who ensure that Government is not provided the right kind of advice on security matters.

Mr Modi needs to ensure that this “Lutyen’s Lobby of Cyber Security” is recognized and disbanded and in its place encourage development of a voluntary group of  “All India Cyber Security Advisory committee” whose suggestions reach the right ears in the Government. I suppose the Government would be intelligent to distinguish “Vested Interests” from “national Interests” and ensure that the right flow of valid Cyber security suggestions reach the Government.

This “All India Cyber Security Advisory Committee” which can operate as a virtual committee should be part of the Cyber Security Infrastructure of the Government. One off shoot of this suggestion that can be tried in this direction is for UIDAI to invite suggestions from the public on how to secure Aadhaar both through a virtual committee as well as through open houses.

Time is now ripe since UIDAI is now considering revamping the system with the introduction of

a) Virtual Aadhaar ID

b) Use of face recognition

as additional parameters of use. Both have important security implications and any system which is introduced now should be made as robust as possible. We consider that presently most of the Aadhaar data base has already been compromised and there is no way the compromise can be rectified. However, if something can be salvaged, it is necessary that we use the two new parameters of Virtual ID and Face recognition in such a manner that at least in future compromises do not happen.

I am sure that UIDAI would not like to discuss the security issues in the public and it is not recommended also. But there is no problem in inviting suggestions from the public and use as much of it as possible so that the system would be secure.

It is for this reason that the “Bridge of Trust” has to be built between UIDAI and the information security community.

Will UIDAI authorities come down from their pedestal, take a cue from Justice Srikrishna and start talking to their critics?


In the case of Justice Loya’s death due to heart attack, many senior advocates like Mr Dushyant Dave and Indira Jaisingh as well as politicians like Mr Rahul Gandhi are complaining that an enquiry needs to be ordered under the supervision of the Supreme Court. Common Citizens perceive that there is a political conspiracy in this complaint so that they can then hold their gun at the head of Mr Amit Shah and say that he is a suspect and therefore should not be MP etc.

Similarly the Aadhaar case is another case before the Supreme Court where there appears to be a conspiracy to some how derail the intention of the Government to use Aadhaar identity to prevent Black Money Transactions and benami Property holdings. It is very clear to common citizens that the intense opposition to Aadhaar linking to financial information is because it will make it difficult for Black Money holders to keep Benami Bank accounts and Properties.

To sustain their argument, people are complaining that “Aadhaar infringes the fundamental right of Privacy”, “Aadhaar creates a Surveillance State” etc.

There is no doubt that the Privacy Judgement under the Puttaswamy judgement was expected to help the Anti Aadhaar lobby and hence there was a fight within the Judiciary to fix the bench. Now that the CJI has not allowed it to happen, the politicians are trying to impeach the CJI himself.

All these developments confirm my doubt that there is a serious conspiracy behind this “Aadhaar is un-constitutional” petition led by the Black Money supporters and this is a fight between the honest citizen of India and the Benami property holders. The Privacy arguments are only a cover for ensuring that the Benami property and Black Money owners can enjoy their ill gotten wealth as they were used to in the pre-Modi days.

There was a strange argument presented today as indicated in an affidavit now in the public domain.

According to the affidavit,

1. “the project poses a constitutionally impermissible danger to citizens’ basic civil liberties including their privacy”.

2. “this project is highly imprudent, as it throws open the clear possibility of compromising basic privacy by facilitating real-time and non-real-time surveillance of UID holders by the UID authority and other actors that may gain access to the authentication records held with the said authority or authentication data traffic as the case may be.”

3. it is quite easy to know the location and type of transaction every time such authentication takes place using a scanner for fingerprints or iris and the records of these in the UID / “Aadhaar” database.

4. it is not dissimilar to knowing the place from where a person made a call using his / her mobile phone. Just as the mobile phone connects to a tower from where the phone signals are sent to other towers and the servers of the mobile phone companies, biometric scanners also have SIMs and IP Addresses to locate the place from the transaction took place and its nature. Any administrator of the UIDAI server or any employee or other person with access to transaction data, with a little help from the servers (Authentication User Agents and Authentication Server Agents, as they are called in UIDAI literature), through which authentication request is sent to the UIDAI, will be able to track the transaction and the person carrying out the same.

5. that UIDAI recommends that each point of service device i.e. the device from which an authentication request emanates, register itself with the UIDAI and acquire for itself a unique device id, which shall then be passed to the UIDAI along with the request for every authentication transaction. I state herein that the said method of uniquely identifying every device and being able to map every authentication transaction to be emanating from a unique registered device, further makes the task of tracking down the exact location and place from which an authentication request emanates easier.

6. a centralized database has the problem that once hacked all data can be lost. Specifically, consider if the Army personnel use this as an authentication mechanism before getting their salaries. The location from which they authenticate can be found as it will be done via a scanner which has an IP address / is on a mobile internet. From the tower to which the scanner connects via its SIM card, its location can be found. This data will be available in the logs of the Aadhaar system. Any compromise of the Aadhaar system means that the hackers can know the exact location of each army personnel of the country at the time when they take their salary. This can be a big risk to national security, and this is just one example as to why it is, in my opinion, imprudent to use such a system.

I am sorry to say that the above arguments are contrived and cannot be considered as valid arguments to oppose Aadhaar.

My doubts arise from the following.

  1. “Privacy” is a loosely used fig leaf to cover the need for “Secrecy” by the anti-Aadhaar lobby. Just as we say “Your freedom to extend arms ends at the tip of the nose of the neighbor”, the “Right to Privacy” of one person ends with the “Right to Security” of the other person. Though the Supreme Court says that Right to Privacy is a “Fundamental Right”, it can only be a right with a lower priority to “Right to Security”.

If Security is not available to a nation, it cannot sustain democracy and protect the Right to Privacy where it is required. Aadhaar is only an identity that holds certain information of the citizens so that the State can know who its citizens are and whether they pose any threat to the security of the nation. (which includes prevention of looting of public money with duplicate employment records or ration card records). National security is therefore paramount and even the “Right of Privacy” has to voluntarily yield to the “Right to Security”.

It is therefore wrong to call Aadhaar as posing a “Constitutionally impermissible danger” to citizens. As a citizen of India I abhor those who hide their identity and hold benami properties, black money, Bitcoins etc. The Supreme Court has to uphold my “Right to Know exercised through the Government” as much as the “Right to remain secret” which others want the Court to protect.

It would be a challenge for the Supreme Court to demonstrate if it is with the honest citizens of India or it sides with the dishonest citizens of India under some technicalities of protecting the Right to Privacy.

2. The charge that “Other actors” may gain access to the authentication records or data traffic to facilitate “Surveillance” is a speculation. In fact this is true of any activity of a Citizen. If somebody is reading this article on the web, it is possible for the ISP to track the activity along with the location from which the person is accessing the web. What, then, is special about Aadhaar that it should be blamed, except to mislead the Court, because the petitioner may think the Judge does not know technology and that any claim, even if false, can be pressed?

3. If the records of the fingerprint scanners can be accessed, tracing the location of the transaction is no rocket science.

4. As the petitioner himself agrees, this is not dissimilar to the Tower data of a mobile call which if properly analyzed, can trace a person within say 3-5 meters. This does not require Aadhaar at all.

Google Earth can have a high resolution image which can identify a person moving around on the street from far above the sky. A person with a Google Glass can scan the credentials of a passer-by instantly. An RFID scanner can scan your credit card even when it is inside your pocket.

While all these are acceptable to the Anti Aadhaar lobby, Aadhaar alone seems to be unacceptable because it is the Modi Government which can take the data if it wants.

This is a purely political opposition to the current Government and not based on any logical consideration. If one is concerned about privacy, we need to stop using mobile and live in a cocoon.

Why do such persons want any benefits of being a Citizen? Let them not have a Bank account. Let them not have ration cards. Let them live as a hermit lives.

It is dishonest of these persons to ask for all the privileges of being a citizen of India, including being protected from a terrorist attack or a Cyber crime attack, while they themselves remain out of the gaze of any law enforcement authority.

The Supreme Court should recognize the inherent dishonesty of this anti-Aadhaar lobby and call the bluff.

5. The registration of the Access devices involved in Aadhaar authentication is a critical security requirement and I do not know how security specialists can oppose this feature. In fact, I am of the opinion that these devices should be made in India by an authority like BEL, which manufactures EVMs, and made as tamper-proof hardware that will self-destruct if any attempt to tamper with them is made. Registration per se is not something that can be objected to.

The petitioner repeatedly qualifies that the security can be compromised with “little help” from insiders. Yes, every system can be compromised if an insider provides the “little help”. What we need is to design the security systems with the knowledge of this possibility.

6. The reference to the army personnel being at risk because he draws his salary with Aadhaar authentication is funny. Will the enemy target a specific soldier who is in the administrative office drawing salary? If he has to be tracked, is it not better to intercept the radio messages or personal mobiles than looking for Aadhaar data?

Overall the petition and the affidavit to my mind appear a weak attempt to mislead the Supreme Court. If we follow the questions made by the judges during the proceedings, it appears that they are more aware than what the petitioners think about the ulterior motive of Aadhaar baiters and would not fall for their tricks.

The above argument does not mean that we are not advocating better security for Aadhaar. Yes, better security is required. There have to be checks and balances for preventing misuse. But the security specialists are not helping the Government to fortify the security and at the same time UIDAI is not able to win over a large part of security professionals so that they provide positive suggestions.

There could be many reasons why security professionals are not on the side of UIDAI and we have highlighted it several times in this site. But now it is like war time.

All well-intentioned citizens need to fight the anti-Aadhaar lobby which is trying to get Aadhaar rendered impotent. We can forget the arrogance of UIDAI and defeat the nefarious designs of the Black Market community of India. We can then continue to argue with UIDAI about how the security can be improved.



An interesting debate is happening in the Supreme Court on whether “Aadhaar is Constitutional” and whether it should be scrapped. We are informed that the Anti Aadhaar advocates have started putting through their view points to convince the Court that Aadhaar is a violation of “Privacy” and it creates a “Surveillance State” and hence it should be scrapped.

I do not see the same commitment of these advocates when it comes to issues like banning Crypto Coins but on Aadhaar they feel that a great injustice is being done to the Indian citizens.

The essence of the anti Aadhaar arguments can be two fold.

First objection to Aadhaar could be that it is being linked to many activities and becoming a universal ID and therefore it will enable creation of a “Surveillance State”.

The second objection to Aadhaar is that the UIDAI has failed to secure the system and hence the system poses a Cyber Crime risk.

The two aspects may have some common link since “Lack of Security” leads to “Leakage of Information relevant for Privacy”.

But the objection so far presented is not because of the security risks but mostly on the ground that it enables the Modi Government to exercise a tight control on information flow particularly related to the financial activities of an individual. So far Black money owners had a field day in having “Benami” holdings of assets and the proposal to link Bank accounts and PAN to Aadhaar as a first step and now to link immovable properties to Aadhaar has really sent shivers down the spine of all the Benamis in India. The opposition to Aadhaar today is vocal because this population of Benamis of India is huge and encompasses politicians, bureaucrats and businessmen.

It is precisely for this reason, I support Aadhaar at present though I have serious reservations on the security aspects of Aadhaar. I believe that security aspects can be addressed if UIDAI is humble enough to admit the security challenges and seek help from appropriate experts, which UIDAI is at present avoiding.

The opposition to Aadhaar from the angle of the recent Supreme Court judgement in which Privacy is held as a “Fundamental Right” is not sustainable if properly countered. Mr Shyam Divan, who presented the initial arguments, seems to have heavily relied upon this angle and quoted extensively from the Justice Puttaswamy judgement to impress the bench.

We must remember that the Justice Puttaswamy judgement was a one page judgement and just held Privacy as a fundamental Right. It also contained hundreds of pages of reminiscences which did not form part of the order and hence has little value in defining how Aadhaar hurts the Privacy Right of an Indian citizen.

The essence of the Puttaswamy judgment was that “Privacy” cannot be defined and therefore there cannot be a direction on protecting Privacy. However, “Information Privacy” is one aspect of Privacy which can be protected and the Government should work on this.

“Information Privacy Protection” is nothing different from “Data Protection” related to “Personally identifiable information” and more particularly some of the “personally identifiable information” which can be classified as “Sensitive”.

The Aadhaar system collects and stores “Individually identifiable Personal Information” and it also collects “Biometrics”, which is sensitive personal information. Aadhaar however does not collect and retain information which is “Health related”, “Finance Related” or information related to sexual orientation, racial view points etc. Even before Aadhaar, Banks have been collecting personal information and generating sensitive personal information. Similarly, health care operators have been collecting sensitive health information and storing it. The Privacy concerns can therefore be expressed even if the Aadhaar link to such information is not there.

The only reason why Aadhaar is being discussed is that instead of blaming the Bank account number Privacy for data leakage in Banks and some other IDs for other data leakages, we have a new whipping boy called Aadhaar which is now a common factor for all data breach possibilities.

There is no doubt that convergence of risks does occur when multiple types of data are linked to one central identity parameter like Aadhaar. But it is important to note that leakages occur not because there is a link between the sensitive data and a common number but because the data managers fail to de-identify the data or secure the access to data while in their custody. If the access to data in Banks or Hospitals can be secured and the data properly de-identified (or pseudonymized), then even if data is leaked, it will be “Information not identifiable with a living individual” and therefore becomes “Non Sensitive and Non Personal”.

If therefore the security of Aadhaar usage at the intermediary usage points is fortified, then Aadhaar per se does not pose a threat to the Privacy of individuals. It is for this reason that the recent measures introduced/suggested by UIDAI to use “Virtual Aadhaar IDs” and to “Fortify the finger prints with a face identity parameter” assume importance. If these measures are properly implemented, one can argue that the “Privacy Risk arising from the Aadhaar data base” becomes minimal.

The real risk areas are the network links through which the authorized Aadhaar users (AUA/KUA agents) access the CIDR and the use of Aadhaar in the AEPS (Aadhaar enabled payment systems), besides the stored data at the user end. Currently, ITA 2000/8 considers these intermediaries as liable for any loss to the citizens arising out of their lack of due diligence or lack of reasonable security practice. This will continue and needs to be made more robust in implementation so that any member of public who loses his data due to the negligence of the Aadhaar intermediaries would be adequately compensated.

The grievance redressal mechanism under ITA 2000/8 will be improved upon when the new data protection act becomes effective and this has to be taken into account by the Supreme Court now.

Blaming the Aadhaar system for the negligence of Aadhaar User agencies which leak out the Aadhaar numbers of different persons is not fair.

We can blame UIDAI for not having an adequate monitoring mechanism to make these intermediaries implement strong security measures and to push them towards better implementation of security, along with deterrence which should be effective. We can also question them for not suspending defaulters for a long time and imposing heavy fines (all of which will now be possible through the new Data protection Act).

But we cannot jump to the conclusion that Aadhaar must be scrapped because of the risks of data leakage.

Some time back the honourable Supreme Court made a huge mistake in scrapping Section 66A of ITA instead of reading down the section and removing the deemed conflict with the “Freedom of Expression”. They should not repeat the same mistake now and end up scrapping Aadhaar.

Scrapping of Section 66A of ITA 2000/8 gave a “License to Defame” and diluted the Act for offences such as Cyber Stalking, Spam, Cyber Extortion, Phishing etc. The Court in a bid to dish out a populist judgement ignored the beneficial aspects of Section 66A.

Similarly, the beneficial aspects of Aadhaar need to be kept in mind by the Court now before being tempted to give out another populist judgement. If Aadhaar is scrapped, there will no doubt be a huge sensation created in the country and the opposition political parties would rejoice. It would also make the judges well known. But it would also immediately assist all Benamis who want to hide their financial transactions from being monitored by the State.

What the Court needs to focus on is asking questions on what checks and balances are planned by the Government to prevent misuse of Aadhaar infrastructure. So far nobody seems to have urged the Government in this direction, nor has this been a point of debate in the Aadhaar discussions amongst NGOs and other Privacy Activists.

I therefore invite the Privacy activists to start suggesting the infrastructure required to prevent misuse of Aadhaar and, in the event of misuse, to provide proper grievance redressal to the Citizens, as also the checks and balances to punish those Government officials who may misuse the system for harassing honest citizens, rather than pursue the sole objective of getting Aadhaar scrapped.

If Supreme Court proceeds to take another Sec 66A kind of populist decision, then we will be removing an effective instrument of Governance, defeating the fight against Black money and corruption.

Supreme Court may not be responsible for Governance and hence it may not be their problem if Black Money in India grows and Benamis thrive.

But the progeny may blame the Court for missing an opportunity to drive India on a path to a good economic future and blame them that under the cover of providing Privacy Protection, they provided a Cover of secrecy for criminals to exploit.


The 4 judges who held an unprecedented press conference which many agreed has tarnished the image of Judiciary in India stated that their “Irreconcilable disagreement with the CJI” was based on the allocation of cases to different benches which was arbitrary and overlooked the “Seniority” of the judges. Since the judges have appealed to the nation to “Protect Democracy”, I as a citizen need to make out some points.

The Justice Loya death case appears to be the most disturbing case as far as the advocates such as Indira Jaisingh and Dushyant Dave are concerned and since Justice Gogoi seems to agree, we can accept that the four judges want this case to be heard before them and not under some other “Junior” judge.

It is another issue why these judges want this case only before them and do not trust the other judge. One interpretation of this is that by admitting the case, they could have embarrassed Mr Amit Shah to say that there is potentially a “Murder” charge being investigated by the Court which could consider him as a “Suspect” and when the CJI frustrated this plan, they lost their cool and held the press conference.

Additionally, it appears that the other most sensitive case now before the Supreme Court is the Aadhaar case where the “Constitutional Validity” of the system is in question. The intention of the Supreme Court was somewhat evident when, during an earlier hearing, the Government brought an argument that “Privacy is not a fundamental right”: it jumped to constitute a 9 member bench under the previous CJI Justice Kehar and quickly brought out a 547 page judgement for a single line order “Privacy is a fundamental right under article 21 of the Indian constitution”. This defeated the argument of the Government and strengthened the argument for scrapping Aadhaar. If done, the opposition can use it for embarrassing the Government much more than the GST issue.

Besides, the opposition wanted to preserve their “Benami” properties which Modi was threatening to identify by making it mandatory to link property registration with Aadhaar. I feel this was more critical than the Justice Loya’s case.

The opposition felt that if the bench hearing Aadhaar can be managed by pliable judges, they could get Aadhaar scrapped and it would be the biggest coup before 2019 elections.

Unfortunately, it appears that Justice Dipak Mishra is again frustrating them by denying an opportunity for these judges to be on the bench which can scrap Aadhaar. CJI perhaps feels that these judges may have a conflict of interest with their relationship with Mr D Raja, Mrs Indira Jaisingh, Mr Dushyant Dave etc., as regards the Aadhaar case and hence cannot be on the bench hearing any case in which there would be a strong anti-Government sentiment.

We must appreciate the vision of the CJI in this regard.

If these judges with conflict are not involved in the Aadhaar case, it would be better since the case can be decided purely on merits and not on preconceived notions of the senior judges.

Aadhaar is therefore the key to what appears to be an unprecedented move of the 4 senior judges to take on the CJI to the extent that media already started talking of his possible impeachment. They are now disappointed that the coup attempt has failed at least for the time being.

In one of the online surveys 69% respondents held them wrong and in a way “Impeached them in public perception”. This is the people’s verdict they wanted during the press conference and they should respect it.

I anticipate that out of the four at least one of them may decide to resign to uphold the principles that he wanted to demonstrate by the uprising to protect democracy. Will it be Mr Chelameshwar? Or somebody else?… we need to wait and observe.