Ed. Note.: This 101, by Vishal Rakhecha, is a part of the NALSAR Tech Law Forum Editorial Test 2016.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 or simply the Aadhaar Act passed in the Lok Sabha to facilitate the transfer of benefits and services to the individuals. This is done by giving them Unique Identification Numbers. At first glance Aadhaar seems like a brilliant scheme to ensure that the tax payer’s money does not end in the wrong hands. But the provisions in the Act raise some serious concerns about the way it can be used by the state to encroach upon the right to privacy of individuals. Apart from this the centrally maintained system to save the data in the Central Identities Data Repository makes it vulnerable to cyber-attacks. The huge uproar against the government is also because of the way Aadhaar was passed, as a money bill, despite the fact that it does not qualify for the same.
According to the ‘law’[1] having an Aadhaar card is not mandatory. But, almost all government schemes today require it from availing a subsidy on LPG to applying for a passport. This continuing trend of using Aadhaar cards as a proof of identity has been spilling into the private sector, since the government allows private entities to use Aadhaar as an identity proof, from getting a mobile number to wanting to sign up on matrimonial sites, it becomes impossible to conduct your day to day activities freely without having an Aadhaar card.
Despite the fact that the government is practically forcing the citizens to get an Aadhaar card, they place their trust on the regime to have some amount of reasonable standard in securing their data. To begin with the entire concept of using bio-metric scans being used is not fool-proof and there have been cases where the fingerprints of the registrar have been registered combined with the fact that unlike passwords and pass codes, bio-metrics cannot be re-issued.
The data collected is not sufficiently protected[2], say for example the fact that the Aadhaar numbers are not cryptographically encrypted and are available in a manner readable by humans. This gives scope for people to easily identify the individuals and the chances of identity theft also increase due to this. The passwords and PIN are stored in the form of hashes but the biometric data is stored in the original form. All the information about the keys and hashes in the UIDAI makes internal trust a very important basis for the protection of the data. This is clearly troubling as the people inside the system can access the data anytime they want and also makes it very easy for someone once inside to tamper with the records. There is no set procedure to carry out data inspection making the process extremely arbitrary.
The fact that Aadhaar is not able to protect the privacy of the data giver is aggravated by the way the data is maintained. The centralised system makes it even more susceptible to attacks[3] as these systems have been shown to have inherent flaws when it comes to protecting privacy. The Aadhar in particular is again more harmful as there are no justifications or reasons as to why there is a need for the centralised database. The fact that the data is localised makes it the ideal target for hackers and foreign governments. Apart from the fact that this system is more vulnerable, it is also much costlier than say a smartcard (which is followed in the UK) or an offline biometric reader. These systems are more advantageous as they are cheaper, do not require real-time access and are safer compared to the centralised system.[4]
Now coming to the Act itself which has several problems, while it is true that Act makes it mandatory to use the information only in the way specified when taking the ‘consent’ of the data giver. Firstly, we need to understand that most people who apply for the scheme are people who have little or no knowledge about the information and have no idea about the consequences of doing so could be. Even if we ignore this fact, the Act provides for section 33(1) which allows for the disclosure for the information pursuant to the order of a district judge or above and section 33(2) which allows any officer of the rank of Joint secretary and above the right to order the disclosure of the information from the the original source in the interest of national security without the consent of the person.
It is extremely important to understand that an Act that was made to ensure that the money transferred from the Consolidated Fund of India to the person who deserves the money gives the government so much power to actually be able to conduct surveillance on the people is clearly problematic. This is because one, there is a blatant absence of self-imposed checks on the executive power in the mode of ensuring that the government in the way as to what constitutes a situation of national security. Two, under what circumstances the judges can authorise the revelation of the data has not been specified. This gives immense power to these bodies to swoop down and let the government use the data in whatever manner they deem fit.
Though the Act has several benefits but the very hasty manner in which it was passed and the fact that there is a lack of self-restriction on the way the state can use the information. It is understandable that there are certain circumstances which necessitate the government to monitor individuals but unless it is done in a manner which gives the state immense power in terms of the ability to clamp down on dissent whenever it wants to. This is the very reason that there is such a massive amount of criticism of the Aadhaar Act. There is still scope for amendments to be made to the law if the legislature wants to maintain the trust with the civil society.
[1] http://supremecourtofindia.nic.in/FileServer/2015-10-16_1444976434.pdf, Justice K.S.Puttuswamy (Retd) & anr v. Union of India & ors
[2] Japreet Grewal, Vanya Rakesh, Sumandro Chattapadhyay, and Elonnai Hickock, http://cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges, Report on Understanding Aadhaar and its New Challenges, The Centre for Internet Studies
[3] https://www.eff.org/issues/national-ids, Electronic Frontier Foundation
[4] Kritika Bharadwaj, http://thewire.in/63223/the-mission-creep-behind-the-uidais-centralisation-ideology/, The Mission Creep, Behind the Aadhaar Project, The Wire