INDIA IN TRANSITION. Aadhaar push heightens privacy concerns

The Supreme Court’s recent verdict ( Justice Puttaswamy v Union of India ) affirming the right to privacy has been followed by a frenetic state effort to link multiple identification numbers and welfare programmes with the nation’s controversial biometric programme, Aadhaar. This attempt to present a fait accompli of sorts when the constitutional challenge to Aadhaar comes up for hearing is not a new development; the linking between Aadhaar and Permanent Account Numbers used for taxation purposes is a case in point.

Yet, the SC verdict has put both linking and enrolment efforts on overdrive. Even private actors have stepped on the accelerator; not a day goes by without messages from banks and telecom companies asking customers to link Aadhaar with bank accounts and cell numbers, respectively. But amidst all the bustle, what are Aadhaar’s realistic chances of survival post-Puttaswamy?

One might begin to answer this by exploring the exceptions to the right to privacy that the verdict recognises. There are enough exceptions in Justice Chandrachud’s verdict to facilitate data mining and open data platforms for good governance. Importantly, however, such applications hinge on data anonymisation — keeping out personalised details that help identify specific individuals forming part of the big data set — for their constitutional acceptability.

While benefits of Big Data may be immense in offering policy guidance and informing policy choices, the presence of legal safeguards on the privacy of individuals will be critical in assessing their validity. On this point, the Government will turn to the Aadhaar Act 2016 for its support.

The statute does indeed contain provisions to combat fears of excessive surveillance, including Section 28 of this Act which places responsibility on the UIDAI to ensure the security of identity information and authentication records of individuals. Despite such provisions, however, the fear of a digital panopticon is real for the simple reason that desirous individuals need not necessarily approach the UIDAI to form a complete picture of the various services availed by a citizen.

The authentication records also exist in government offices, ration shops and other service centres from where welfare benefits are disbursed to citizens. In fact, the data leakages ailing Aadhaar have all occurred thus far from similar end-points where personnel in charge of our data have little training and less interest in keeping such authentication records confidential.

The data leakages, in fact, are telling not only because they challenge the mantra that the programme is technologically safe, and not only because they simply represent a state programme that contains flaws and operates below expectations in practice, but because the nature and upshot of the leakages calls into question the safeguards on which the legitimacy of the programme rests.

Further the UIDAI’s role poses serious institutional and rule of law concerns. On the one hand, it is the custodian of the Central Identities Data Repository. On the other, it is also the data regulator. As the custodian of data, it decides the level of access to Aadhaar data needed for purposes of authentication and the authentication agencies contracted to do so. It receives service fees for permitting private bodies to conduct such authentication, thereby aligning its incentives in the direction of widespread access to Aadhaar data for authentication purposes.

But as a regulator, it is tasked with deciding on how to deal with data breaches. Thus, we have a body that has minimal incentive to report or act upon data breaches because a vulnerable database architecture does not bode well for either its financial or power incentives as a data custodian. Any breach is, plainly put, a challenge to its authority.

These design flaws may well jeopardise the Aadhaar project. To overcome them, the State could potentially rely on another important exception contained in the Chandrachud verdict, preventing the diversion of scarce public resources to undeserving impostors. This has, in some ways, been the central justification for relying on biometric data for identification and authentication purposes, and without which none of the privacy worries may have arisen in the first place.

This is so because biometrics cannot be altered unlike passwords. Also, recent technological advances have made them easily replicable from photographs and even mirror reflections. Ominous as it sounds, we all are walking repositories of highly vulnerable and immutable passwords which hold the key to our national identities and state-subsidised benefits. So, whether such deeply private information can be relied on to prevent scarce public resources from dissipation will depend, in the final analysis, on the checks that are put in place.

Some of these checks are found in Justice Chandrachud’s opinion itself, while other judges have also weighed in on how we might best balance the right to privacy with permissible exceptions. A first requisite is the existence of a law governing the deprivation of privacy interests. This is important because a great many enrolments were carried out between 2011-16, prior to the enactment of the Aadhaar Act. If the SC bench hearing the Aadhaar challenge were to take this seriously, coupled with the impermissibility of a waiver of fundamental rights as per an earlier pronouncement of the Court in Basheshar Nath v Commr . Of Income Tax , millions of Aadhaar enrolments may be annulled.

The other important check arises from how far the State could go even when there is a law in place that furthers a legitimate state interest. In Justice Chandrachud’s view, the means adopted by the legislature must be “proportional to the object and needs sought to be fulfilled by the law.” Justice Chelameswar acknowledges the possibility of certain privacy claims that deserve the strictest scrutiny.

Statutory inroads upon such claims can be made only when there is a “compelling State interest” and a “narrow tailoring” of the law to achieve the objective. Considering the use of biometrics as part of Aadhaar, and the complete absence of any volition on the citizen’s part in deciding whether, and towards which schemes, she must part with such information, there is a strong case for this stricter standard to be applied when evaluating its legality.

This brings us to a final matter, namely the role of consent-based architecture in protecting the private authentication solutions built on the citizen database. Justice Chandrachud places emphasis on the role of consent in the shaping of privacy but identifies other principles, including transparency, regarding data transfer and use, and non-discrimination, as critical for a robust data protection regime.

The consent principle also misses the forest for the trees, as it places the onus on individuals acting within the bounded rationality of their lives to decide on issues of larger systemic risk. Hopefully, the SC shall rely on Justice Chandrachud’s diktat to refrain from utilising citizen data for extraneous purposes outside the realm of legitimate state interest, and place an embargo on the private authentication agenda.

Khosla is a Junior Fellow at the Harvard Society of Fellows. Padmanabhan is a Fellow at Carnegie India. This article is by special arrangement with the Center for the Advanced Study of India, University of Pennsylvania

COMMENT NOW