Cyber Diplomacy: Towards A New Cybersecurity Strategy

By Elizabeth Dominic

Cyber space has become a focal point of international relations. With most global powers having realized that cyber security is integral to their national security, cyber issues have found their place in foreign policy, resulting in the emergence of cyber diplomacy.

Cyber diplomacy is the use of traditional diplomatic tools including negotiations, formation of alliances, treaties, and agreements to resolve issues that arise in cyber space. The United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) is one of the most high-profile cyber diplomacy exercises at the global level. The UN GGE was formed subsequent to the adoption of digital security as a UN agenda, to examine threats emanating from cyberspace and to develop appropriate cooperative measures to address them. Several multilateral organizations such as NATO, ASEAN, BRICS, to name a few, are also increasingly serving as platforms for cyber diplomacy. The post will briefly explore the role of cyber diplomacy in enabling cybersecurity by analyzing the relevance of a few major cyber diplomacy efforts in developing a sustainable and stable cyberspace.

The Role of Cyber Diplomacy

Society’s increasing reliance on the internet and digital technologies is accompanied by security challenges in the form of various malicious activities including hacking, espionage, cyber attacks, and cyber war. These challenges arise from a domain that lacks a formal, institutionalized regime to regulate and oversee the conduct of the actors. Unless there is a global consensus on regulating cyberspace, the potential to wreak havoc remains unbridled. Considering the transnational nature of cyberspace, a secure cyber environment can be established only through global engagement, dialogue, and cooperation, making cyber diplomacy the only possible means to achieve this goal. Diplomatic efforts to stabilize cyberspace have primarily focused on three areas: establishment of cyber norms, confidence building measures (CBMs), and capacity building.

Norms in Cyberspace

The increasing exploitation of cyberspace by states for political and military objectives mandates the need for norms that would lay down what states can and cannot do online. Cyber norms are voluntary guidelines adopted by the states that would promote stability in cyberspace. Establishing these norms would help in developing a shared understanding among states on how to work together in matters of mutual concern. Also, continued observation of these norms created through practice or formal agreements will help them gain legitimacy amongst other states gradually resulting in their evolution into international law. The norm suggesting that cyber enabled theft of intellectual property for commercial gain is unacceptable developed as a result of a US-China bilateral agreement, and is an example of a successful norm that has gradually gained recognition amongst other states and the G20.

Norms are non-binding guidelines for the conduct of relevant actors, with an element of good faith commitment and limited consequences in the event of non-compliance. Treaties, on the other hand, are binding agreements that are readily enforceable. Although norms seem weaker than treaties, they can have a powerful impact. When nuclear weapons were developed, they were simply considered a more powerful form of traditional weapons until norms against their use developed, making their use unthinkable in ordinary circumstances. Creating norms could, over time, help in establishing benchmarks for acceptable behavior in the cyber domain.

Challenges to Norm Creation

Developing cybersecurity norms is extremely challenging due to the unique nature of cyberspace, diverse interests of the parties, and the broad scope of issues involved. The use of contrasting terms – cyber security and information security – by the US and its allies and the Sino-Russian bloc respectively indicates the difference in what is perceived as a threat by the groups. While the former focuses on the protection of data and hardware from unauthorized access, the latter focuses on the content of the information, which goes against the idea of Open Internet advocated by the former. Unless these radically incompatible perceptions on the very concept of security in cyberspace are reconciled, the process of norm creation is likely to be stalled.

Confidence Building Measures in Cyberspace

While norms help in establishing acceptable behavior in cyberspace, the difficulty in forming cyber norms calls for an alternative means to defuse distrust and misunderstandings among states. CBMs have emerged as the solution. CBMs are measures adopted at regional and global levels that enhance transparency and facilitate exchange of information, which would help states to assess each other’s activities and understand their intentions and thereby reduce the risk of a cyber war. For instance, the practice of transparency enables states to distinguish between defensive and offensive cyber investments by enhancing situational awareness and building common understanding.

Furthermore, CBMs are instrumental in ensuring effective compliance with norms. The norm according to which states should not knowingly allow their territories to be used for unlawful acts using information and communication technologies (ICTs) requires states to employ all their instruments to ensure this. However, proving such knowledge is difficult. In such instances, information exchange and cooperation during investigations help in determining compliance. Such CBMs also aid states in implementing the norm by enhancing capacity. In the absence of CBMs, cyber norms will merely provide an illusion of stability.

Capacity Building in Cyberspace

Not all states stand on an equal footing in terms of their cyber capacities, especially new entrants to the cyber domain. However, it is necessary to ensure that all states have at least the baseline capacity that would enable them to participate in the development and implementation of norms and CBMs and to protect their critical information infrastructure. The UN GGE 2015 also recognized the link between compliance with norms and CBMs and capacity building. Cyber diplomacy can help in enhancing the human, institutional, technological and legal capacities of states through formal and informal agreements.

The Way Forward

Development of cyber norms has proven to be difficult. With the breakdown of the UN GGE, the only venue that brought together the Sino-Russian and the Western blocs for norm discussion, prospects for the formation of norms in the near future appear to be slim.

CBMs seem to be the most promising avenue to establish stability in the cyber domain since they do not require the states to agree on a shared set of principles, but instead focus on fostering cooperation despite the differences as states have a shared interest to establish stability. Bilateral engagements amongst states would be the ideal platform to deepen cooperation and establish CBMs. A few of the more successful bilateral agreements between the opposing global powers have resulted in the development of effective CBMs such as real time communication and assistance to compensate for limited trust.

With effective implementation of CBMs, there is hope for gradual development of norms, by establishing trust and eliminating misunderstandings, and thereby a safe and secure cyberspace.

Elizabeth Dominic is a Programme Officer at the Centre for Communication Governance at National Law University Delhi

SC Constitution Bench on Aadhaar- Final Hearing (Day XXXVI)

In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and linking services to this programme were yet to be adjudicated upon.

An interim order was passed in December of 2017; a summary of the arguments can be found here and here.

The final hearing commenced on January 17, 2017. Summaries of the arguments advanced in the previous hearings can be found here.

The AG resumed his submissions on the issue of money bill. He reiterated that Ar.110(1)(g) is a stand alone provision and therefore there can be a bill which deals only with it and not deal with Ar.110(a)-(f). Referring to s.57, he submitted that independent laws can be passed under the section as long as it is relatable to Ar.110(a)-(g).

The CJI interjected that s.57 is an enabling provision that allows the state legislature to introduce Aadhaar either as a money bill or not for various services and that its nature would be examined only if it is challenged in a court of law.

Justice Chandrachud mentioned that when Aadhaar platform is used by the states through law or by private parties through contract, it must conform with the data protection provision.

The AG responded that Aadhaar architecture is created by central law and therefore unless it authorizes the use, the states can’t use it. He further submitted that the government of India has created this massive structure to provide subsidies and other services but requires it to be self-sustaining and therefore has opened it to the private parties.

Justice Chandrachud interjected that s.7 retains the nexus to the consolidated fund of India (CFI) but s.57 snaps it. He pointed out that a private party could join the Aadhaar infrastructure through contract for purposes that have no nexus to the CFI. He said that based on this, the petitioners are arguing that s.57 does not qualify as money bill.

The AG responded that one has to look at the Act in totality and not examine if each provision would qualify as money bill. He conceded that s.7 is the nexus to the money bill but submitted that s.57 is part of the Parliament’s efforts to open the Aadhaar platform to other entities.

Next, he discussed the issue of telecom linking to Aadhaar. He argued that the linking eliminates all possibilities of forgery and fraud. He pointed out that the linking will remain optional only till the final disposal of the matter.

The AG then submitted that surveillance is prohibited under the Act and therefore the Act cannot be struck down merely because there is a possibility for it. He raised objection to the usage of the terms “concentration camp”, “electronic leash”, and “totalitarian state” by the petitioners.

Senior counsel Shyam Divan commenced the rejoinder on behalf of the petitioners. He submitted that it is the first time that a technology of this kind is deployed in a democracy. He stated that Supreme Court is the absolute vanguard of traversing human rights into technology. He argued that surveillance state is not permissible under Constitution and objected to the respondent’s argument that Aadhaar infrastructure does not result in surveillance.

He next referred to an affidavit filed by the Union on March 9, 2018.

He submitted that there are three elements of surveillance- identity of person, date and time, and location. He pointed out that the Act itself requires identity, date, and time at the time of authentication. Referring to the affidavit and presentation of the CEO and supporting documents, he argued that the response of the government’s experts to the petitioner’s experts states that biometric database is accessible to third party vendors. He submitted that the breach of the verification log would leak location of places where an individual performed his authentication in the past five years. He submitted that this compromises the security of privacy. He further pointed out that as per the presentation report, it is possible to track the current location of the individual even in the absence of a breach. He submitted that the UIDAI knows the location but for a third party to access the location, he would have to breach the verification log.

He therefore submitted that as per the experts of both parties, all three elements of surveillance are satisfied by the Aadhaar architecture.

Justice Chandrachud interjected that in a digital world one cannot ever have a guarantee of absolute security and therefore as long as the database is kept secure, an adequate level of privacy is maintained. Mr. Divan responded that this is not just a privacy issue but also a limited government issue. He argued that the coercive power of government cannot extend to the creation of an infrastructure that is capable of tracking people across five years in real time.

Next, referring to the CEO’s submission that all devices will have a unique ID to enable traceability and detection of fraud, he submitted that this would enable the individual to be traced using the device.

Mr. Divan then raised objection to the AG’s submission that UIDAI is distinct and autonomous and that the union government is different from it and therefore the latter would not be provided with access to the data. He argued that no instrumentality of state should establish such a mass surveillance regime. He submitted that the Supreme Court should not permit something so deeply flawed to function in the country.

He argued that if our constitution repudiates surveillance state, we cannot have a legislation which allows it. He submitted that the Supreme Court should not usher in a machinery that can trace back the locations, as it is constitutionally impermissible. He further submitted that if the court arrives at the conclusion that there is indeed surveillance, then balancing of rights is impossible.

Next, he referred to the answers submitted to the UIDAI in response to the questions asked by the petitioners subsequent to the CEO’s presentation. He pointed out that in the answers the UIDAI has mentioned that it does not take responsibility for correct or incorrect identification but only provides a matching system which is a self certification system. He argued that the UIDAI does not verify the authenticity of the documents submitted and with the linking of the bank accounts to the Aadhaar, now even the bank authorities do not check the authenticity of the documents. He submitted that UIDAI has no responsibility for identity.

The hearing will continue on May 9, 2018.

SC Constitution Bench on Aadhaar- Final Hearing (Day XXXIV)

Counsel Gopal Sankaranarayanan, appearing for the intervener Centre for Civil Society, resumed his arguments. He began with a discussion on the right to identity and submitted that it is an absolute intrinsic part of Ar.21. Justice Chandrachud interjected that one has an umbrella identity of a citizen and in addition has multiple identities associated with race, religion, caste, which are not taken away by Aadhaar. He further mentioned Aadhaar only identifies the individual who is seeking the benefits under s.7 of the Act and therefore the constitutional identity is not effaced.

Mr. Sankaranarayanan responded that Aadhaar is a number that helps in establishing the identity of a person who avails the benefits and subsidies under s.7 of the Act.

He further submitted that he supports Aadhaar because of the safeguards and pillars which the Act has in place and pointed out that s.139AA of the Income Tax Act does not have those.

Next, referring to the statement of objects and reasons of the Act, he submitted that identification of targeted beneficiaries is the key purpose and therefore Aadhaar is voluntary and could be used as a proof of identity by persons who are beneficiaries of subsidies. He further stated that even if someone does not have an Aadhaar the state has an obligation to identify the person as he has a fundamental right to identity under Ar.21 and cited it as the reason for the way in which s.7 is drafted.

Justice Chandrachud pointed out that the concern raised is that the state has restricted the means of identification solely to Aadhaar. Mr. Sankaranarayanan responded that according to Ar.266(3), utilization of any amount from the consolidated fund has to be in accordance with the law, the Aadhaar Act in this case, and that it would not only be a violation of the scheme of law but the Constitution itself if any amount goes from the consolidated fund to a person who is not entitled to receive it. He further submitted that the government has an onus to secure the fund and that the Act helps in ensuring that the obligation is discharged and therefore the action of the government is subserving a fundamental right. But he argued the government’s submission that s.7 is in furtherance of fundamental rights is flawed, since identification of beneficiaries would not have been required as everyone would have been entitled to it if it was a fundamental right. He therefore submitted that it is in furtherance of Directive Principles.

Justice Chandrachud mentioned that when the state is enforcing a Part IV value, it indicates reasonableness and thereby a restraint on judicial review. However, he stated that as per s.7, Aadhaar is not completely voluntary since it is required for a person who wants to avail a benefit. Mr. Sankaranarayanan responded that it is voluntary since it is not mandatory for 1.3 billion of the country but only for a specific section of the population.

Next, Mr. Sankaranarayanan raised concerns with Aadhaar becoming the universal proof of identification (PoI) replacing all other 18 PoIs. He submitted Aadhaar is only as foolproof as any of the other PoIs.

He then submitted that making Aadhaar mandatory for purposes other than what is provided in s.7 is arbitrary and that the section has the balance of limited purpose whereas s.139AA of the Income Tax Act does not. He further mentioned that the reasonableness and proportionality criteria would be satisfied only if Aadhaar remains voluntary for purposes other than s.7.

Addressing the issue of proportionality, he submitted the least restrictive test should not be applied as proportionality deals only with balancing of rights. He also stated that entrusting data with CIDR is safer than using embedded cards as one can misplace his card. He further stated that the legal safeguards and limitations provided under the Act are balancing factors for proportionality.

Mr. Sankaranarayanan then argued that UIDAI should plug the holes in the Aadhaar architecture before rushing with it especially since at present Aadhaar is unable to keep up with the technology. He also raised concerns with the level of security assured by the state and submitted that even 2048 bit asymmetric key is not the best. Next, he submitted the authentication history of the CEO of UIDAI and pointed out that his biometrics is locked indicating his distrust in the safety of his biometrics offered by CIDR.

Mr. Sankaranarayanan then submitted that there are various problems with the Act. Firstly, he argued the requirement under s.8(4) to share identity information is a violation of privacy with no counterbalancing state interest. He stated that address is also as important as biometrics and therefore authentication should be restricted to Yes or No. Secondly, he submitted that s.29(2) conflicts with s.12 of the Right to Information Act. Thirdly, he argued that s.139AA of the IT Act targets individual income tax PAN holders and not corporates even though it is always dummy companies and not individuals that are involved in the scams. He also submitted that Aadhaar has been made mandatory for income tax purposes without informed consent and in spite of it not being related to the consolidated fund of India. He therefore submitted that it fails the proportionality test. He argued that if the purpose was to curb black money and money laundering, it is not achieved by linking PAN with Aadhaar number. He concluded by submitting that petitioners have a valid ground for expressing lack of trust in the Aadhaar architecture.

Next, senior counsel Neeraj Kishan Kaul commenced his arguments on behalf of Authentication User Agencies and e-KYC User Agencies (AUAs and KUAs). He submitted that if Aadhaar is a reliable and speedy tool for identification and authentication, it should not be held invalid. He argued that Aadhaar authentication in the banks has empowered the poor, women, and migrants and that the use of Aadhaar has helped in reducing predatory financing.

Mr. Kaul submitted that private players are also governed by the Act and have the choice to use Aadhaar if required under s.57 as it is an enabling provision. Justice Chandrachud responded that the need for verification should not be decided by the private players. Mr. Kaul responded that as long as there is consensus between the private entity and the consumer on using Aadhaar, it should not be disallowed. He argued that the AUAs and KUAs are not performing any verification outside the Act. He asked, if the statute enables a private entity to use Aadhaar, a powerful tool for verification of identity, why it should not be allowed to employ it.

He further submitted that Aadhaar is extremely different from Cambridge Analytica as it is based on matching algorithms unlike learning algorithms used by Google and Facebook and also has a statutory control. He argued a statute cannot be struck down merely because there is a scope for misuse.

Mr. Kaul further argued that the nature of request that goes from AUA is to please match the information provided and if it is e-KYC the requesting entity will receive the basic demographic information and photograph. Based on this, he submitted that the CIDR does not obtain any data on location but only receives that an AUA has made a request, thereby eliminating the scope of surveillance. He further submitted that the information collected via e-KYC is collectible dehors Aadhaar and therefore the actual issue is of unauthorized sharing which is possible even outside Aadhaar and therefore it is no reason to strike down s.57. He concluded by mentioning that with the use of virtual ID, no AUAs/KUAs will be able to store the Aadhaar numbers.

Next, counsel Zoheb Hossain commenced his brief submission on behalf of UIDAI and State of Maharashtra. He began by raising an objection to Mr. Sankaranarayanan’s argument that s.7 is only in furtherance of Directive Principles. Referring to Amartya Sen and Martha Nussbaum, he argued that now there is a greater consensus that social and economic rights are enforceable and pointed out that the Supreme Court has also held that they are justiciable rights. He further submitted that the right to food, shelter, clothing are embedded in Ar.21 and that the state has a positive obligation to provide it to its citizens. He therefore submitted that here the issue is of balancing the right to privacy with other socio economic rights of the people provided by Ar.21 and not merely of furtherance of Part IV requirements. He argued that Aadhaar is an architecture that helps in progressively achieving positive duties of the state under Ar.21.

The hearing will continue on May 2, 2018.

SC Constitution Bench on Aadhaar- Final Hearing (Day XXXI)

Senior Counsel Rakesh Dwivedi resumed his arguments on behalf of UIDAI and the state of Gujarat.

He discussed the nexus between s.7 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act) and welfare of the society. Justice Chandrachud mentioned that as per the submissions, the absence of a robust method for identification of beneficiaries results in leakage of services, which are appropriated by the undeserving. He asked if Aadhaar would help in eliminating this issue, to which Mr. Dwivedi answered in the affirmative.

Justice Chandrachud stated that the caveat pointed out by the petitioners is that there should be no exclusion on the grounds of not having an Aadhaar. Mr. Dwivedi responded that adequate measures are taken to ensure that no exclusion takes place on that ground. He further stated that Aadhaar brings the card holder face to face with the service provider since he has to go to him and give his biometrics. Justice Chandrachud responded that it is not the best model of governance and ideally the state must go to the individual. Mr. Dwivedi responded that such a model would depend on the capacity of the government.

Next, Mr. Dwivedi discussed countries having economic and social rights and right to welfare as part of their respective constitutions and also pointed out that welfare rights are a part of the Universal Declaration of Human Rights (UDHR). He reiterated that basic welfare requirements must be taken care of.

Mr. Dwivedi then referred to the Statement of Objects of the Protection of Human Rights Act, 1993 and pointed out that India is a signatory to it and many other international covenants as well. He further referred to various judgments of the Supreme Court on economic and social welfare, which culminated in the framing of the Aadhaar Act.

Addressing the issue of balancing of rights, he referred to CJI’s judgment in Subramanian Swamy v. UoI, and pointed out how the right to freedom of speech was balanced against the right to reputation. He also referred to X v. Hospital Z, G. Sundarrajan v. UoI, Asha Ranjan v. State of Bihar, and Noise Pollution In Re v. UoI.

Mr. Dwivedi submitted that s.7 of the Act addresses the human rights of many people in the country and therefore the court should act as a sentinel and ensure that the right to privacy is balanced against all the other rights guaranteed under Ar. 21 that are covered by the Act. He reiterated that privacy is a small price that is to be paid for ensuring life and other rights under Ar.21. He further submitted that larger public interest is the determining factor when there is a conflict between rights. Justice Chandrachud however responded that it cannot be accepted as a ground for suppression of civil rights and Mr. Dwivedi responded that Aadhaar does not result in it.

The CJI asked if the argument was that whatever was done under the Act was to enhance the Ar.21 right of many, that being the legitimate state interest, accompanied by minimal intrusion, and Mr. Dwivedi responded in the affirmative.

Next, Mr. Dwivedi addressed the issue of reasonable expectation of privacy. He began with a discussion of the four kinds of information collected as part of the Aadhaar programme: a) demographics, b) optional demographics, c) biometrics, and d) core biometrics. He reiterated that this information is encrypted and stored in the CIDR and the authentication is performed either through YES or NO mode or E-KYC mode.

He submitted that the reasonable expectation of privacy would vary from one kind of information to another and that nobody can have it with respect to their demographic information and photo as it is publicly available.

The CJI mentioned that in case of every right, everyone has a reasonable expectation of exercising it. He further stated that in some instances the rights cannot be exercised in absoluteness and therefore whenever freedom is claimed it should be reasonable and that it applies to privacy as well.

Justice Sikri mentioned that the fact that the CIDR has all this information creates a fear of the data being utilized in a manner and for purposes unauthorized by the individual. Mr. Dwivedi responded that the UIDAI could only take note of general apprehensions and not subjective fears.

The hearing will continue on April 24, 2018.

SC Constitution Bench on Aadhaar- Final Hearing (Day XXVI)

Advocate K. K. Venugopal resumed the arguments for the state. He submitted that s.59 of the Act provides for retrospective application. He referred to cases wherein actions were validated by a subsequent Act.

The AG then discussed the third version of the Aadhaar enrollment notification and highlighted that it is free and voluntary and provides for informed consent. Justice Chandrachud asked if the notifications that came out in 2009 and 2015, referred to in s.59 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act), covers the entire universe of Aadhaar. He further pointed out that these notifications did not have any reference to biometrics and that it was only inserted in the third notification. He stated the argument is regarding the actions that took place before the issuance of the third notification.

Senior Counsel Rakesh Dwivedi responded that the first two forms were hardly used as the government authorized only 1 crore enrollments prior to the issuance of the third form.

The AG, next, mentioned that in 2014 when the CBI approached the Bombay High Court to obtain biometrics from the Central Identities Data Repository (CIDR) in connection with a rape case, the Unique Identification Authority of India (UIDAI) opposed it as it believed that it was bound to not disclose it without the individual’s consent. Interestingly, Justice Chandrachud pointed out that the Magistrate of the lower court had passed an order to provide the CBI with the biometrics of all the residents of Goa, which was appealed by the UIDAI.

Next, referring to Justice Chandrachud’s judgment in Justice K. S. Puttaswamy & Anr. v. UoI & Ors., which talks about ‘reasonable expectation of privacy’, he reiterated that biometrics collected is only for the purpose of benefitting the individual and that the invasion of privacy as a result of it is minimal. He further stated that the Puttaswamy judgment restored privacy as a fundamental right but actions that took place prior to that should be neutralized. He further submitted that going by M. P. Sharma & Ors. v. Satish Chandra and Kharak Singh v. State of UP & Ors., the government acted in a bona fide manner and therefore its actions cannot be reversed but should be protected.

Justice Chandrachud said that in Puttaswamy it was stated that the observation on privacy in M. P. Singh was not required and that with respect to Kharak Singh there is a clear inconsistency.

The CJI said the argument of the state should be that s.59 of the Act should be given a wider understanding and a purposive interpretation.

Additional Solicitor General Tushar Mehta commenced his arguments on behalf of the UIDAI. He stated he would address the following issues:

  1. Challenge to s.139AA of the Income Tax Act (IT Act) from the right to privacy perspective
  2. Challenge made to the argument of how Aadhaar helps in curbing the issue of money laundering
  3. Challenge to the linking of mobile numbers and bank accounts with Aadhaar number
  4. Scope of judicial review in the area of technology

Addressing the first issue, he stated his submissions would comprise:

  1. Enforcement of the right to privacy
  2. How the tests laid down to determine legitimate invasion of privacy are dealt with in the Binoy Viswam v. UoI & Ors.
  3. How these tests are satisfied by 139AA of the IT Act

The ASG stated this court had previously dealt with the challenge to s.139AA and that all aspects except the right to privacy were addressed. He pointed out that in Puttuswamy, the right to privacy was upheld as a fundamental right, linked to Ar.21 and therefore subject to the same limitations as the article. He referred to Justice Chandrachud’s judgment that laid down the three tests used to determine permissible limitations on the right to privacy: existence of law, legitimate state interest, and proportionality. He submitted that there is an additional test of manifest arbitrariness derived from Shayara Bano.

He submitted that all the four tests were examined in the case of Binoy Viswam but in the context of Ar.19. He, next, stated that Justice Nariman, in Puttuswamy, put forth another test of larger public interest, having a lower threshold than legitimate state interest. The CJI however responded that satisfaction of legitimate state interest would be sufficient to indicate larger public interest.

Next, he referred to s.139A of the IT Act and highlighted that it has required a signature and left hand thumb impression since 1989 to obtain a PAN. Justice Sikri pointed out that the fingerprint was collected only from those people who could not sign. However, the ASG responded that the privacy of the small group of illiterate people is not of lesser importance. He further stated that the Parliament introduced s.139AA as an extension of s.139A in light of legitimate state interest and larger public interest. The bench however pointed out that the Aadhaar regime is different as previously there was no practice of collection of biometrics or authentication.

The ASG next discussed the issue of duplication of PAN and how it is misused for the purpose of money laundering, tax evasion, setting up of shell companies. He submitted the linking of Aadhaar with PAN would help in eliminating these problems by making PAN allocation more robust.

He further stated that uniqueness of PAN is important and that it can be verified with Aadhaar using biometrics and iris scans and claimed that it would be 100 percent accurate.

The ASG further stated that there is a huge gap between the number of PAN holders and the tax base. He submitted that ours is a largely tax non-compliant economy as only 1.72 lakh people in the country are showing an income above 50 lakhs.

The hearing will continue on April 11, 2018.

SC Constitution Bench on Aadhaar- Final Hearing (Day XXV)

In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and linking services to this programme were yet to be adjudicated upon.

An interim order was passed in December of 2017, a summary of the arguments can be found here and here.

The final hearing commenced on January 17, 2017. Summaries of the arguments advanced in the previous hearings can be found here.

Attorney General K. K. Venugopal resumed his arguments for the state. He continued to refer to judgments that upheld the collection of biometric information. He discussed the decision of the US Court of Appeals, which dealt with DNA and forensic identification of prisoners. The CJI pointed out that the case only dealt with a narrow group of offenders and therefore might not be applicable to the context of Aadhaar. The AG responded that the reasoning of the court is relevant as it upheld the legislation on the grounds that it cannot be struck down on the basis of mere possibility of misuse in the future and that if the provision is later amended it will be dealt with in the future.

Justice Chandrachud responded the issue here is not that of misuse but of the use of law as s.2(g) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act) can expand the scope of ‘biometric information’. He further mentioned such power vested in an administrative authority might not meet the proportionality requirement. The AG responded it is an issue of excessive delegation and that he would address it.

He next referred to a Fordham Law Journal article on automated finger imaging and the right to privacy explaining how the former does not result in a violation of the latter. Referring to the article, he stated finger imaging is 99.9 percent accurate.

He submitted biometrics is a tool for very accurate conclusion as it prevents fraud and other violations such as tax evasion, money laundering. However Justice Sikri replied fraud is not because of multiple identities. The AG responded if there is Aadhaar, there would be no question of multiple identities. Justice Chandrachud pointed out Aadhaar would not prevent a person from setting up multiple layers of commercial entities controlled by the same individual and therefore would not contribute towards preventing bank frauds.

Justice Chandrachud further stated that even if Aadhaar satisfies the legitimacy of interests, the crux of the issue deals with proportionality. He asked how far could the state cast the net. He pointed out that under s.7 of the Act, the state can rely on legitimate state interest i.e. ensuring that the benefits go to the deserving people but the issue is with respect to those areas which are unrelated to the areas stipulated under s.7.

The AG responded that the government has to compare against 1.2 billion names to avoid duplication and identify the right person. He asked how far the casting of the net to areas other than the ones mentioned in s.7 of the Act results in a violation of the right to privacy.

Justice Sikri stated the requirement to tabulate each and every activity involving money, irrespective of whether it’s linked to s.7, through authentication might not satisfy the requirement of proportionality. He cited the example of linking mobile number with Aadhaar and said one can say it’s related to money laundering but considering everyone to be a possible violator is violation of proportionality.

The AG responded that terrorists communicate to each other secretly through cell phones and pointed out the example of internet shut down in Kashmir. However Justice Chandrachud responded that the political wisdom of the action is not questioned but he pointed out that terrorists do not apply for mobile number and therefore it is not necessary to ask everyone to disclose their Aadhaar number to obtain a mobile number.

The AG responded the question is to what extent is the right to privacy invaded. He reiterated it is as minimal as possible and further submitted that as far as demographics are concerned, all of it is available in the public domain and therefore there is no invasion of privacy other than the bare minimal amount. He also stated that this helps in serving large public interest.

The AG then asked if a claim of right to privacy can be raised for the purpose of denying rights covered under s.7 of the Act and pointed out that earlier there were a large number of fake cards. Justice Chandrachud stated s.7 is not based on an ‘Us v. Them’ argument. He pointed out Ar.21 has two elements: a) economic and b) privacy.

The AG responded both the rights are traceable to the same article and therefore the issue is how to reconcile between them. He referred to a case wherein the court upheld the right to information over the right to privacy. However Justice Sikri pointed out that in the case the court only had to deal with balancing of two rights of the same person.

The AG responded that only the bare minimal amount of information required to satisfy the identity of the individual is collected. He further stated that where Aadhaar is required for ensuring that the vast majority of population have the basic right to life such as shelter, food, there is full justification for the encroachment on the right to privacy, provided it is minimal.

Justice Chandrachud suggested the better argument for the state would be to acknowledge that there is an invasion but that it is proportional to the need. He also said in order to decide if the invasion is minimal or not other factors such as informed consent, purpose for which biometrics is obtained, safeguards that are in place to ensure that it is not leaked out for other purposes should be considered. Justice Bhushan interjected that minimal invasion is purely subjective. The AG responded the bench should look at the information collected from an objective perspective keeping in mind the larger interest of the country.

Justice Chandrachud said proportionality laid down in Justice K. S. Puttuswamy And Anr. V. UoI was in broad terms and therefore it is to be determined how to use it in the case of Aadhaar. He asked if it would mean utilization of data only for the purpose for which it was collected. The AG responded not one extra element of information is collected from the individual than is required for the purpose and further submitted that s.29(1)(a), s.29(1)(b) of the Act stipulate purpose limitation.

Next, Justice Chandrachud mentioned there was no safeguard before the Act came into being and that s.59 of the Act does not provide for retrospective application. Senior Counsel Rakesh Dwivedi submitted that a concept study was performed in rural areas before Aadhaar was decided upon and that Information Technology Act in 2009 empowered the use of Aadhaar for e-commerce.

The hearing will continue on April 10, 2018.

SC Constitution Bench on Aadhaar- Final Hearing (Day XXIV)

Attorney General K. K. Venugopal resumed his arguments for the state. He stated that the policy decisions of the government cannot be the subject matter of any judicial review and that the three organs of the state should mutually respect each other. He further stated that judicial review of every administrative decision will hinder development and that the duty of the court is to expound the language of the act and not decide the fairness of a particular policy.

Justice Sikri pointed out that the petitioners are challenging the state’s submission that Aadhaar results in only minimal invasion of privacy and therefore their challenge is based on the principle of proportionality. Mr. Venugopal replied that Aadhaar has a legitimate state interest. However, Justice Sikri stated that the bench is not concerned with the policy decision but with the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act) and the Regulations.

Justice Sikri further asked if Mr. Venugopal is arguing that the Aadhaar system is almost impeccable and that the court should not comment on what is correct and what is not since the government has already performed extensive research with the help of experts. Mr. Venugopal replied in the affirmative and stated that the entire challenge is based on whether Aadhaar is safe and secure and that this has already been proved by them.

Next, he discussed the sixteen digit virtual ID. Justice Chandrachud asked if every Aadhaar holder gets one. Mr. Venugopal replied that it is up to the individual to generate one for himself through the UIDAI website. Justice Chandrachud asked if the entire population has the knowledge on how to do it, to which Mr. Venugopal replied that it is only an additional measure. Justice Chandrachud suggested that there should be a provision that would enable everyone to have a virtual ID. However, Mr. Venugopal stated that if everyone is provided with one unique virtual ID just like an Aadhaar number, then it would be permanent, and pointed out that now it is an ID that can be regenerated each time.

Justice Chandrachud asked to confirm whether the idea behind the virtual ID is to mask the Aadhaar number, so that one who is conscious about their privacy will have the option of providing a virtual ID in place of the Aadhaar number and prevent the latter from being in the public domain. The AG answered in the affirmative.

Next, Justice Chandrachud stated that the fact that a legislation has adopted a legislative policy might indicate legitimate state interest but the mere fact that it is a policy decision is not sufficient to satisfy the proportionality test. Mr. Venugopal responded that the Aadhaar satisfies the test of proportionality since all possible alternatives were considered before it was adopted and reiterated that the court should not become an approval authority.

Next, Justice Chandrachud raised concerns with the power granted to the registration authority to determine what constitutes biological attributes and how they are to be collected. He said that because of the open-ended nature of biological attributes, in the future, the registration authority can even include DNA under it. He asked if power of this nature would satisfy the test of proportionality. Mr. Venugopal replied that as per s.55 of the Act Parliament would have the overseeing authority. However, Justice Chandrachud pointed out that the regulations do not need the approval of the Parliament before they are implemented and that as per s.55 the regulation would be cancelled only if the Parliament disapproves it. Therefore the regulation takes effect as soon as it is passed and its effect is not deferred till it is approved by the Parliament. He said this is an issue of excessive delegation. Mr. Venugopal replied that he would address this issue later.

Mr. Venugopal then referred to cases in which the collection of biometric information was decided to be reasonable and submitted that state may have vital interest in the collection of biometric information. Justice Chandrachud pointed out that in the cases referred, the biometrics were collected for a specific purpose such as in the interest of safety, ensuring protection against crime and stated that universal application of fingerprints irrespective of purpose is a violation of the proportionality principle. Mr. Venugopal replied that purposes enumerated under s.7 of the Act as well as other purposes such as prevention of money laundering, terrorism, black money are specific and legitimate state interests.

He then submitted that fingerprints are increasingly being used for non-criminal purposes and that this is not an unwarranted invasion of privacy.

Next, he submitted that fingerprints cannot be used for surveillance and that it only serves as a means for identification. He further stated that neither the current government nor the previous governments have used it for surveillance in the last seven years.

Next, he compared Aadhaar to SSN. Justice Chandrachud pointed out that SSN is equivalent to PAN card and not Aadhaar as it does not collect biometrics but contains only the name and SSN number. Senior Counsel Shyam Divan pointed out that SSN does not have authentication unlike Aadhaar. However Mr. Venugopal submitted that SSN collects more information than Aadhaar.

The hearing will continue on April 5, 2018.

SC Constitution Bench on Aadhaar- Final Hearing (Day XXIII)

Attorney General K. K. Venugopal submitted the responses by the CEO of Unique Identification Authority of India (UIDAI) to the questions submitted by the petitioners.

Mr. Venugopal read out the questions and answers.

In the first question, the petitioners requested the figures of authentication failures both at the national and state levels along with a breakup of iris and fingerprints. Mr. Pandey responded that he cannot provide the figures at the state level as the UIDAI does not know where the authentication request comes from. However, he provided the figures at the national level but specified that a failure does not automatically indicate exclusion or denial of services as the requesting entities are required under law to provide exception handling mechanisms.

The next question dealt with the enrollment and authentication processes of a person who is claiming biometric exception and has not provided a mobile number or is currently using a different number. Mr. Pandey responded that in case of persons who are unable to provide biometrics their iris authentication can be used for updating information including mobile number. He pointed out that this was the reason for incorporating a multimodal enrolment and authentication process in Aadhaar. He mentioned that authentication through mobile number is used as one of the methods in those exceptional scenarios where both iris and fingerprint authentication are impossible and further stated that if mobile number authentication is also not possible, the requesting entities are required to provide their own exception and backup mechanism to ensure delivery of services to Aadhaar holders. He also mentioned that the digitally signed QR code has been implemented to verify the Aadhaar card in an offline manner.

S.5 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act) and Reg.6 of the Aadhaar (Enrollment And Update) Regulations 2016, and Reg.14(i) of the Aadhaar (Authentication) Regulations 2016, were cited as the provisions addressing this issue.

Next question addressed the issue of requirement of parental consent with respect to the enrollment of children between the age of 5 and 15. Mr. Pandey responded that school officials, if permitted, can act as introducer and enroll the students, provided there is parental consent.

In the following question, the petitioners asked if it would be possible for the child to revoke his consent once he attains the age of 18 years. Mr. Pandey responded that it is not permissible under the Aadhaar Act, but that they have the option of permanently locking their biometrics and unlocking it only when required for biometric authentication.

The next question addressed the issue of enrolment done by blacklisted enrolment operators. Mr. Pandey answered that all enrollments that are contrary to the UIDAI process are rejected and the residents are requested to re-enroll.

In the next question, the petitioners asked for the figures of biometric de-duplication rejections that have taken place till date. They also queried regarding the status of the data packets containing stored information upon rejection of enrollments either on grounds of duplications or other technical reasons. Mr. Pandey responded that the total number of biometric de-duplication rejections till March 21, 2018 is 6.91 crore. He specifically stated that the figure pertains only to applications identified as having matching biometrics to an existing Aadhaar holder. He further stated that it is highly improbable that all biometrics (ten fingers and two irises) match unless the same person has applied again. He mentioned that the figure does not indicate that there is an equivalent number of people who have been denied Aadhaar and pointed out that none of the de-duplication rejects have filed complaints regarding denial of Aadhaar number. He said this indicates that genuine residents have re-enrolled themselves and the rest are the ones who are trying to overreach the Aadhaar system through fraudulent means. He also stated that all the data packets are archived in the Central Identities Data Repository (CIDR) irrespective of whether they were accepted or rejected.

Next question addressed the term “any other appropriate response” under s. 8(4) of the Act. Mr. Pandey responded that it includes e-KYC and limited e-KYC data.

In the subsequent question, the petitioners asked if any UIDAI official verifies the correctness of the documents submitted during enrolment. Mr. Pandey responded that the Registrar is entrusted with the duty of verification of documents and mentioned that the Registrar/enrollment agency have to appoint personnel for the same.

Next question dealt with the probabilistic nature of the biometrics. Mr. Pandey stated that biometric authentication is always performed as 1:1 biometric match against his/her Aadhaar number and therefore it is not probabilistic. He also mentioned the exception processes that are implemented to ensure that no Aadhaar holder is denied service due to failure of authentication. He mentioned that these exception processes can be used in case of senior citizens whose biometrics have changed.

The next question addressed the issue of blacklisting of enrollment operators. Mr. Pandey pointed out that they can be blacklisted on the following grounds: a) illegally charging for Aadhaar enrollment, b) poor demographic data quality, c) invalid biometric exceptions, and d) other process malpractice.

In the following question, the petitioners enquired if the point of service (POS) biometric readers are capable of storing biometric information. Mr. Pandey stated that UIDAI has mandated the use of Registered Device (RD) for all authentication requests and that it encrypts the information and therefore rules out the possibility of use of the stored biometric information. He further stated that Reg.17(1)(a) of Aadhaar (Authentication) Regulations, 2016 makes it unlawful for requesting entities to store biometrics captured during authentication.

In the next question, the petitioners asked if authentication user/service agencies record the date, time, and purpose of authentication, the device ID and the client IP. Mr. Pandey responded that the UIDAI does not request these entities to collect any of this information. However, he mentioned that authentication user agencies such as banks may store such additional information under their respective laws to secure their systems. He further mentioned that Reg.18 of Aadhaar (Authentication) Regulations, 2016 stipulates the information that is to be collected by the requesting entities and that only such information will be audited by the UIDAI even if the requesting entity collects additional information.

In the final question, the petitioners asked if the UIDAI can trace the specific device and location from which authentication takes place. Mr. Pandey responded that the UIDAI does not get information regarding the IP address or GPS location and that it only knows the device through which the authentication has happened. He specifically mentioned that the UIDAI does not know the location at which the authentication device is deployed.

Next, Mr. Venugopal stated that Aadhaar is an evolving technology and that all other alternatives including the use of smart cards were investigated previously. He further stated that if there are defects in the Act it could be rectified. He reiterated that Aadhaar project has received wide scale appreciation including from the UN and the World Bank. He stressed that it is a unique identity that can be used for all purposes.

He further stated that Aadhaar is a policy decision by the government and therefore courts cannot interfere in it.

Next, referring to Justice K. S. Puttuswamy & Anr. v. UoI and Ors, Mr. Venugopal submitted that Aadhaar satisfies all the conditions laid down in the case for legitimate invasion of privacy. He submitted that there is a legislation, legitimate state interest and a reasonable nexus between the means used and the objects sought to be achieved. He further submitted that if a law is valid and constitutional but its implementation is unlawful, the law couldn’t be struck down as unconstitutional merely on that ground. He stated that tremendous effort has been made to ensure that invasion of privacy by the Aadhaar project is as minimal as possible and that the law could not have been structured in a better manner to have a lesser impact on privacy.

Next, he referred to Justice Chandrachud’s judgment in Puttuswamy discussing Srikrishna Committee’s report on data privacy. He stated that whatever more has to be done to ensure data protection would be addressed by the Committee and pointed out that Mr. Pandey is also on the committee.

Next, he submitted that according to Justice Chalmeshwar’s and Justice Bobde’s opinions in Puttuswamy judgment privacy is not an absolute right and can be invaded by laws that satisfy the just, fair, and reasonable standard. He cited the Right to Information Act as an example for a reasonable restriction on the right to privacy in light of public interest.

Mr. Venugopal then applied the privacy judgment to Aadhaar. He reiterated that as per the judgment, privacy is not an absolute right and referred to the three conditions laid down in Justice Chandrachud’s judgment that would legitimize the invasion of privacy. He submitted that Aadhaar satisfies all the three conditions: existence of law, legitimate state interest, and proportionality.

He stated that the Aadhaar Act is a just, fair and reasonable law as it only results in minimal invasion of privacy. He further stated that it is passed in pursuance of a larger public interest including prevention of dissipation of social welfare benefits, black money, money laundering, income tax fraud, and terrorism. He submitted that the judiciary cannot question the value judgment of the legislature and that all of the aforementioned are legitimate state interests. He also argued that the right to live a life with dignity trumps the right to privacy and pointed out that subsidies under s.7 of the Act are integral to live a dignified life.

Mr. Venugopal reiterated that before the Act came into existence, Aadhaar enrollment was voluntary and therefore there is no question of violation of rights. He further argued that before the Puttuswamy judgment, neither the government nor the people knew about the right to privacy. However, Justice Chandrachud and Justice Bhushan objected to this. Mr. Venugopal argued that before the judgment, the government could not have assumed that right to privacy is a fundamental right. Justice Chandrachud pointed out that the Puttuswamy judgment declared all the judgments prior to it that upheld the right to privacy as correct. Mr. Venugopal, however, argued that those judgments were per incuriam as there were larger benches that held to the contrary. The CJI did not agree with this argument.

The hearing will continue on April 4, 2018.

SC Constitution Bench on Aadhaar- Final Hearing (Day XXII)

Mr. Ajay Bhushan Pandey, the CEO of the Unique Identification Authority of India (UIDAI), resumed his presentation. He began with a discussion on the enrollment operators. Justice Chandrachud asked if it is possible for the enrollment agencies to make copies of the data before it is encrypted. Mr. Pandey responded that they do not have access to biometrics as it is collected by UIDAI software. Justice Chandrachud asked if any of the operators have been blacklisted on the grounds of data breach, to which Mr. Pandey responded that it would be possible only if the enrollment operator is qualified enough to tamper with the enrolment software and further pointed out that in the event it happens, it is punishable. He further stated that private enrolment agencies are being phased out and that only banks and post offices will be allowed to perform it.

He also highlighted that the central authentication server is not connected to the internet to ensure security of the data.

Justice Bhushan asked if UIDAI is capable of aggregating the data. Mr. Bhushan responded that s.32(3) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act) prohibits them from knowing the purpose of authentication.

Next, Justice Chandrachud asked if authentication agencies could be private and if they could store the authentication data and share it. Mr. Bhushan responded that such acts are prohibited under s.29(3) and 38(g) of the Act and Reg.17(1)(d) of the Aadhaar (Authentication) Regulations, 2016. Justice Chandrachud rightly pointed out that the private authentication agencies have a record of the authentication requests even if the UIDAI does not and that it can be misused to profile individuals.

Justice Khanwilkar asked Mr. Bhushan to not discuss the operational aspects in great detail but to clear the apprehensions regarding the Aadhaar software. Mr. Bhushan however responded the software is secure and that there has not been a single data breach till date and requested the court to not believe the media reports. He further stated that the breaches that have occurred are not of UIDAI’s database. Justice Chandrachud interjected that there is no enforceable protection that is available against other databases even if Central Identities Data Repository (CIDR) is completely secure. He also pointed out that unless the high level of security maintained at the CIDR is implemented at the authentication agencies as well, it would be problematic.

Next, Mr. Pandey accessed his authentication history from the UIDAI website and pointed out that information such as location and purpose is not available. He also stated that the provision to access the authentication history allows a person to figure out if his Aadhaar number has been misused.

Next, he successfully demonstrated the withdrawal of Rs.100 from an IDBI bank account using biometrics and said that it is similar to a walking ATM. He mentioned that most people find it difficult to use debit cards and pin numbers and therefore Aadhaar makes it simpler thereby enabling people to be financially included.

He continued to further explain how secure the whole process of authentication is. He stated that the UIDAI no longer collects the Geocode and IP address of authentication. He also stated that a standard practice has been established to display only the last four digits of the Aadhaar number wherever necessary. He further stated that the Aadhaar architecture ensures privacy and reiterated that the biometrics is not shared except for the purpose of national security and pointed out that no such request has been received from the government so far.

Next, he discussed the authentication metadata elements and said that UIDAI does not collect metadata elements that would enable profiling of individuals. He reiterated that location and purpose of authentication is not collected.

Next, Mr. Pandey screened a short film on security measures available at the data centres.

Then, he discussed the privacy safeguards built into the Aadhaar infrastructure like virtual ID, UID token, purpose and use limitation, online access to authentication history, and biometrics lock. He stated that further safeguards could be adopted if there are concerns regarding the privacy and security of Aadhaar data. Justice Sikri interjected and pointed out that illiterate people cannot be expected to use virtual ID. Mr. Pandey responded that it is just a safeguard in addition to the Act.

Next, Justice Sikri asked if authentication agencies and requesting entities store the authentication logs. Mr. Pandey responded that they store the details except the biometrics. He further mentioned that these agencies are audited either by the UIDAI itself or by an agency appointed by them to ensure smooth functioning of the whole system.

Mr. Pandey, next, stated that experts have advised the use of multimodal biometric authentication, such as a combination of iris scan and fingerprints, for identification and authentication as they are of the opinion that fingerprints might not work in all instances. The bench responded that such arguments should be made by the Attorney General and not by the CEO of the UIDAI.

Next, Mr. Pandey submitted that the use of virtual ID and UID tokens helps in ensuring that the databases are not combined. He distinguished between agencies that require the real Aadhaar number, such as the income tax department, and those that do not, such as telecom.

The bench asked Mr. Pandey to submit a note explaining the architecture of virtual ID and UID tokens and how they help in preventing de-duplication. Mr. Pandey agreed to the same and further explained that the UID token is a 72-character alphanumeric string generated for system usage and pointed out that different authentication agencies will have different UID tokens, thereby making it impossible to identify the Aadhaar number through reverse engineering.

Mr. Pandey distinguished between Aadhaar card and smart card. He said that uniqueness might not be possible in case of smart cards as one person could have multiple smart cards with different identities and same biometrics. In furtherance of this submission, he stated that a central database of biometrics is therefore important to ensure uniqueness. He also stated that identity theft does not occur even if the Aadhaar card is lost whereas it is possible in case of smart cards. Next, he submitted that surveillance is not possible with CIDR as silos of information are not combined whereas it can be performed in case of smart cards by merging databases.

Referring to the smart card system used in Singapore, Mr. Pandey stated that storing a lot of information on the smart card is not a great idea. He further pointed out that changing the encryption on a smart card from time to time is not feasible and stated that offline smart cards cannot substitute online authentication.

Next, the CJI asked if there is any scope for misuse of data by the enrollment agency or requesting entity. Mr. Pandey responded that the data is encrypted and sent to the CIDR and during the time gap between entering the fingerprint and encryption of the same, the data is captured in the UIDAI’s software and therefore there is no scope for misuse.

Mr. Pandey concluded his presentation by showing a graph depicting the success rate of Aadhaar authentications from 2013-2018 and reiterated that from July 1, 2018 facial recognition will be used along with biometrics to ensure better authentication.

The petitioners submitted a list of questions based on the presentation, which the state will have to answer during the next hearing.

The petitioners also requested the bench to extend the deadline for s.7 benefits in light of the fact that fourteen crore forty eight lakh authentication failures have taken place. The state responded that authentication failures do not amount to denial of services. The CJI refused to grant an extension.

The hearing will continue on April 3, 2018.

SC Constitution Bench on Aadhaar- Final Hearing (Day XXI)

In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and linking services to this programme were yet to be adjudicated upon.

An interim order was passed in December of 2017; a summary of the arguments can be found here and here.

The final hearing commenced on January 17, 2017. Summaries of the arguments advanced in the previous hearings can be found here.

The Attorney General (The AG) submitted the word format of the PowerPoint presentation by the CEO of the Unique Identification Authority of India (UIDAI) to the bench. The bench granted the permission to present the PowerPoint in the afternoon session and permitted the petitioners to submit a questionnaire.

The AG resumed his submissions for the state. He began by referring to the World Bank’s Identification for Development Report (ID4D Report). Referring to the report, he highlighted the importance of unique identity in eradication of poverty and in the attainment of sustainable development goals.

Justice Chandrachud queried about the Aadhaar authentication and enrollment fees to which the AG responded that it is free.

The AG concluded the report by stating that the goal is to achieve compliance with the sustainable development goal of legal identity for all by 2030. He pointed out that India has taken a lead in ensuring compliance with the goal by obtaining 1.2 billion enrollments in the Aadhaar programme.

Next, he submitted to the court a list of dates indicating the history of the Aadhaar programme. He reiterated that it is a well thought out project and not a casual venture and pointed out that various government committees have been working on it since 2006. Justice Sikri said that the dates have no relevance while addressing the issue of constitutionality of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act).

Mr. Ajay Bhushan Pandey, the CEO of the UIDAI, commenced his presentation with a broad outline of what would be covered: the need for identity, enrollment, and authentication, technology used, success rate, fall back mechanism used in the event the authorization is not successful, the methods used to cover deficiencies in the system, Aadhaar security, and current architecture v. smart card.

Mr. Pandey discussed the lack of nationally accepted IDs in the pre-Aadhaar era. He pointed out that getting a ration card was difficult as it required ID proofs and stated that most people did not know how to obtain their first ID. He highlighted that voter IDs and ration cards are region specific. He stated that the scheme of Aadhaar is to address this very issue of lack of a national ID as it is a robust lifetime online verifiable national ID.

Next, he discussed in detail the concept of the Aadhaar number. He explained that it is a randomly generated 12-digit number, which once issued is never reissued. He also pointed out that it is not linked to citizenship and that every resident is entitled to have an Aadhaar number. He also said that UIDAI collects only very minimal data and contrasted it with the US SSN application.

He further stated that a very wide list of proof of identity and address is allowed to get an Aadhaar and that it is not as stringent as opening a bank account.

Next, he discussed the exceptions that are available to people who are unable to provide biometrics due to injury, deformities, or leprosy and stated that Reg.6 of the Aadhaar (Enrolment and Update) Regulations, 2016 provides for biometric exceptions in such instances. He further explained that in case of a person to whom the exception applied, at the time of authentication, a one time password (OTP) would be sent to his registered mobile number, which would be entered in the place of biometric authentication. He further added that from July 1st the UIDAI is considering including facial recognition along with fingerprint, iris scan, and OTP. He said that this is from a security point of view and also because the persons to whom the exceptions have applied do not have the required biometrics. He said the requesting entity would have the choice to decide what authentication mechanism they would like to avail.

He also said that enrolment and updating can happen anywhere in the country as it is a portable entitlement and not region specific unlike other IDs. Addressing the issue of data sharing, he stated that data is not shared in the absence of consent unless there is an order by a district judge or if it is required for national security purpose.

Next, he explained how the enrollment agencies are selected. He said that they can be either public or private and that they are empanelled based on certain criteria: primarily, the persons in the agency themselves should have an Aadhaar, they should have technical training, and should pass the certified operators exam.

Justice Sikri asked if the agencies can save the data collected by them. Mr. Pandey responded that the moment the agencies press the save button the data gets encrypted and he highlighted that it is a 2048 bit encryption key which acts as a number lock and that it would take a super computer 13 billion years to breach the data. He further said that the software and hardware used are Standardization Testing and Quality Certification (STQC) certified and also that the operator is certified and is therefore in the database.

Justice Sikri asked why the UIDAI de-registered many agencies and why 49,000 enrollers were blacklisted. Mr. Pandey responded that it was due to corruption as some of the agencies collected fees for enrollment and also because some of them did not enter the data properly as they were either careless or wanted to harass people. He further stated that the agencies were released if their quality was below 96 percent.

Mr. Pandey also pointed out that the UIDAI works in coordination with the hospitals and collects the data of newborns. Justice Chandrachud pointed out that the World Bank Report states that children below five do not need Aadhaar. Mr. Pandey responded that this is done because they are residents and pointed out that their biometrics are not collected but only their photograph and their parents’ Aadhaar details. He said that their biometrics are initially collected at the age of five and then again at fifteen. Justice Sikri asked how they collect the biometrics of children, to which Mr. Pandey responded that they coordinate with the anganwadis and schools where enrollment camps are set up.

Justice Chandrachud asked what happens when the biometrics change. Mr. Pandey replied that when biometrics, photo, address change, one can update it at the enrollment centre where the old and the new data are compared and if it is found to match it is updated. Justice Sikri said that many people are unaware when their biometrics change and asked how to address this issue as it can result in exclusion. Mr. Pandey replied that in such instances when a person goes for authentication an error will be displayed and an advisory to update the information will be sent.

Justice Chandrachud asked if the UIDAI is only informed of authentication failures and not of denial of services. Mr. Pandey replied that ministries are constantly advised to not solely rely on Aadhaar authentication as it might lead to exclusion and pointed out that a circular was issued on Mar.21, 2018 stating the same.

Justice Khanwilkar raised concerns about the software being designed outside India thereby making it prone to tampering. Mr. Pandey replied that only the biometric matching software is licensed from the world’s best companies. He analogized it with banks using SAP and Oracle and said it does not mean that banks give their data to them.

Mr. Pandey also reaffirmed that the biometrics is not shared with the requesting agency. He said that when authentication takes place, the UIDAI does not collect the purpose, location, and details of the transaction. He further stated that four crore authentications take place every day but the UIDAI is unaware of the purpose of authentication as the information remains in silos and merging of silos is prohibited.

The hearing will continue on Mar.27, 2018.