Bangalore-based Dr Samir Keleker who is the first Indian cyber security expert to have registered a sole patent in an individual capacity to Silicon Valley, writes on the challenges and risks of going digital. Dr Keleker is among the few IT professionals who have been challenging the universal imposition of the Aadhaar card as they believe it is a threat to privacy
After 38 days of hearing in the Supreme Court, where 27 petitioners had challenged Aadhaar, and nearly four months of waiting time after that, the verdict on the constitutional challenge to Aadhaar has finally come. The petitioners — some of the top lawyers of the land representing them — had argued that not just Aadhaar violates the fundamental right to privacy, but also will lead to a surveillance state.
In a 4-1 decision, the Supreme Court ruled that Aadhaar does not violate the fundamental right to privacy. However, the use of Aadhaar has been severely restricted debarring private players from using Aadhaar for any service.
Even in areas such as duration of stored data, there have been heavy restrictions put in in the sense that data can be stored only for 6 months instead of the previously stipulated time of 5 years of archival beyond the six months.
I have had a small part to play in this case having given an affidavit to the Supreme Court against Aadhaar as a security professional detailing how Aadhaar can lead to a surveillance state. I have not enrolled for Aadhaar and hence I am particularly disappointed.
The arguments made by the petitioners were many. One of the most important ones is the use of biometrics. Picking up biometric (fingerprints) forcibly is a violation of one’s right over one’s bodies. Secondly, once biometrics are lost or stolen, one’s identity is lost forever as unlike a password it cannot be changed. (The only way to change your fingerprints is via surgery). Cloning of biometrics is also possible and is cheap and we had once shown a demo of fingerprint cloning to UIDAI authorities.
The verdict on Aadhaar is not entirely one sided. A number of provisions of the Aadhaar Act have been struck down. Especially Section 57. No private sector company can use Aadhaar for their business. But government can continue doing so provided the functions are backed by a proper law.
Among the other good aspects of the verdict, Section 33(2) of the Aadhaar Act is thrown out. This means government cannot ask for Aadhaar in the name of national security. This section had a lot of potential for misuse.
Also, schools cannot make Aadhaar compulsory for children They have to take consent of parents. Further, children have to be given the choice to opt out of Aadhaar once they become adults.
Section 2(d) of the Aadhaar act has been read down to not allow inclusion of meta data of transactions.
Section 2(b) which is the definition of a resident is redefined to exclude illegal immigrants. Aadhaar is a facility meant for residents and not for citizens.
Section 47 which mandated that individuals cannot file complaints has been struck down and now individuals can file complaints.
However, the place that hurts most is that the Section 139AA of the Income Tax has been upheld. It mandates that Aadhaar be quoted for filing returns. This means that if you are earning above the minimum tax income of `2.5 lakhs, you need to have an Aadhaar.
The point remains that there has been a lot of exclusion due to Aadhaar. People have died of starvation as they were not given ration because their fingerprints did not match. While the court noted it, it has not taken any action.
Finally, UIDAI has ridden rough shod and shown contempt of a Supreme Court ruling. Way back in 2014 or 2015, the Supreme Court had given an intermediate ruling that Aadhaar should not be made mandatory. Yet the government kept on making Aadhaar mandatory for various schemes. A lot of contempt petitions were filed, but the Supreme Court has failed to take any action against UIDAI for contempt.
What does this mean? This sets a very bad precedent. It just means that if you are a government entity, you can break laws and then retrospectively try to fix matters. This is a severe setback to the rule of law in general in my opinion.
TECHNOLOGY AND LAW
Some of the other points that stand out is the lack of consideration of technical matters by the court. In an age where technology moves fast, and a lot of issues are tech dependent, it is disappointing to see judges not look at technical matters.
For instance, one of the main arguments made by petitioners was that some of the critical software for Aadhaar is owned by foreign companies. The source code of this software is not available to UIDAI. What this means is that one does not know what the software contains. There can be what are called “back doors” which can take critical data abroad. The judge has overlooked this point.
Similarly, thousands of Aadhaar numbers as well as personal data of individuals has been leaked on the web and used to be available to anyone via a google search. This means that the identity of these people is compromised. The judge has not looked at this aspect, but has just hoped that UIDAI will address such concerns.
Unfortunately, security breaches cannot be just hoped away.
And what of the future? The fight against Aadhaar is not over. If tomorrow, the CIDR database which is the critical UIDAI database storing all information including biometrics gets breached, the whole project will go down the drain. There are many other problems with the project. It was recently found that access to the UIDAI database was sold for `500 in the market. Also, some software is available in the market that helps one create fake Aadhaar IDs. There have been Aadhaar numbers created for non human entities such as coriander etc.
The silver lining in the verdict is the dissenting opinion by Justice Chandrachud. Justice Chandrachud in a scathing opinion has called the Aadhaar project unconstitutional. Chandrachud is due to become Chief Justice in 2022 for two years.
Let us hope that there is a chance for a review of this decision if not now, then in the future. Technology moves fast and one doesn’t know what is in store tomorrow.
Meanwhile, I have to decide whether to go for Aadhaar myself or not. Aadhaar is not required if your income is below the minimum taxable level of `2.5 Lakhs and you don’t have to file tax returns. May be like Steve Jobs of Apple who used to take a nominal 1 dollar a year salary, I should take a minimal 1 rupee salary and live without Aadhaar!