Mainstream, VOL LIV No 13, New Delhi, March 19, 2016
How Aadhaar Neglects Personal Privacy and National Security
Sunday 20 March 2016, by
The Aadhaar Bill, 2016
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 (“Aadhaar Bill”, for short) was passed in the Lok Sabha on March 11, 2016, as a money bill, a strategem clearly meant to prevent delay in the Rajya Sabha, where the BJP does not command a majority.
Leaving aside the questionable strategem, the Aadhaar Bill leaves much to be desired, especially considering its troubled “history” ever since the beginning of the Aadhaar scheme. In particular, according to this writer, two of the major issues involved are personal privacy and national security.
At present there is no law on privacy, but in Rajagopal versus State of Tamil Nadu (1994), the Supreme Court opined that privacy is inherent in an individual’s right to personal liberty. Also, Section 8(1)(j) of the RTI Act 2005, protects the private individual against unwarranted invasion of his/her privacy, proof enough that privacy is a right even if it is not a fundamental right. On whether privacy is a fundamental right, the Government of India succeeded in convincing a three-judge Supreme Court Bench hearing a bunch of petitions challenging Aadhaar on multifarious grounds, that privacy is important enough an issue to warrant consideration by a Constitution Bench.
There is little doubt that mass surveillance for suspicion-less, untargeted snooping into people’s private spaces to identify a possible threat to security, is questionable. The privacy issue was brought to international attention in 2013, with the USA admitting that its National Security Agency had been clandestinely collecting billions of pieces of information worldwide including personal data and e-mails from computer networks and telephones. India was one of the USA’s many surveillance targets.
Today, the technical capability of shadowy intelligence agencies for mass surveillance to collect, sort and process enormous quantities of data or meta-data has multiplied enormously. Hacking into databases for data is not very difficult for a person with the necessary motivation, skills and time, and it is quipped that systems are hack-proof only until the first hack. Cyber security concerns in the face of clandestine, untargetted surveillance are not only about national security but also citizens’ right to privacy.
Target for Intelligence Agencies
Whether or not it succeeds in its declared primary aim of targeted welfare services for the poor, Aadhaar enables surveillance and tracking. Aadhaar promoters claim that access to its data base will not be permitted to any agency, and will be secure from intelligence agencies that spy on citizens. This claim is questionable since, according to its website, UIDAI contracted to receive technical support for biometric capture devices, from L-1 Identity Solutions, Inc. (now MorphoTrust USA), a US-based intelligence and surveillance corporation. According to the corporation’s website, its top executives are acknowledged experts in the US intelligence community. Other companies awarded contracts for key aspects of the Aadhaar project, are Accenture Services Pvt Ltd (implementation of Biometric Solution for UIDAI) which works with US Homeland Security, and Ernst & Young [setting up of Central Identities Data Repository (CIDR) and Selection of Managed Service Provider (MSP)].
It is difficult to have confidence in the security of sensitive national information when the technical provider which creates, holds or manages the database is a business corporation with strong connections to foreign intelligence organisations. Furthermore US corporations are mandated by US law to reveal to the US Government, information obtained during their legitimate operations, when called upon to do so. The extent to which India’s cyber security has been already invaded by surveillance is not even known, and when the security of the Aadhaar system is not water-tight, compromise of the Aadhaar system’s security will tantamount to compromise of national security.
When the cyber systems of high-security organisations like the USA’s NASA or India’s DRDO have been repeatedly hacked, UIDAI’s self-certification of its database security rings hollow. As far as institutional cyber security in India is concerned, barring one database protected by an indigenously developed network security system, official databases in India, including Aadhaar’s Central ID Repository (CIDR), are protected by purchased commercial network security and cryptographic products. There is little need to emphasise the vulnera-bility of the Aadhaar database to access by unauthorised persons/agencies for data destruction, corruption or simply copying by surveillance or hacking. The effect on individual privacy is unquestionably adverse.
Intelligence agencies operate by conducting general surveillance on citizens in public places and linking this with personal information available in various databases maintained by banks, income tax offices, ration cards, electoral rolls, airline and railway ticketing, internet and telecom service providers, etc. Since the Aadhaar number is “seeded” in these various data bases, Aadhaar itself will inevitably be at the core of a system to enable profiling and tracking of any and every private individual. Therefore Aadh-aar is a prize target for intelligence agencies to hack or surveil to acquire data to invade individual privacy and compromise national security.
There have been a host of objections— especially including those of privacy and security—to the Aadhaar scheme itself since its inception, with several petitions still pending before the Supreme Court. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, does nothing to address those objections including especially those articulated unambiguously and vigorously by the Parliamentary Standing Committee on Finance, headed by Yashwant Sinha, in December 2011.
In particular, the Aadhaar Bill fails to address the serious systemic issues of national security and individual privacy and indeed, the word “privacy” is absent from its text. However, concerning the security and confidentiality of information, the value of individual privacy is indirectly acknowledged in Section 33(2), by specifying that an individual’s Aadhaar number, and biometric and demographic information may be revealed in the interest of national security, only by a specially authorised officer not below the rank of Joint Secretary of the Government of India. Yet here again, the interpretation of the term “national interest” remains at the sole discretion of a bureaucrat.
Further, the Aadhaar Bill omits to explicitly state whether enrolling into the Aadhaar scheme is “mandatory” or “not mandatory”. This can be interpreted as a deliberate omission to justify the ongoing coercive enrolment into the Aadhaar scheme. The effect of the final order of the Supreme Court on this omission remains to be seen.
The several issues pleaded in the outstanding petitions before the Supreme Court and the outcome of the privacy issue placed before a Constitutional Bench will surely have a bearing on the details of the Aadhaar Bill if not on its structure. Thus, ramming the Aadhaar Bill through the Lok Sabha without waiting for the Supreme Court to give its orders may result in unnecessary litigation, besides exposing lack of respect for transparent democratic procedures.
Notwithstanding, genuine national interest may dictate that laws on data/digital privacy protection and cyber security be urgently enacted and linked with the Aadhaar Bill, before it becomes operational in the public sphere.
Major General S.G. Vombatkere, VSM, retired in 1996 as the Additional DG, Discipline and Vigilance in Army HQ AG’s Branch. The President of India awarded him the Visishta Seva Medal in 1993 for distinguished service rendered in the high-altitude region of Ladakh. He holds a Ph.D degree in Structural Dynamics from IIT, Madras. With over 470 published papers in national and international journals and seminars, his area of interest remains strategic and development-related issues.