AADHAAR Cuts Into Personal Privacy and National Security
MYSORE: The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 (“Aadhaar Bill”, for short) was passed in the Lok Sabha on March 11, 2016, as a money bill, a stratagem clearly meant to prevent delay in the Rajya Sabha, where the BJP does not command a majority.
Leaving aside the questionable stratagem, the Aadhaar Bill leaves much to be desired, especially considering its troubled “history” ever since the beginning of the Aadhaar scheme. In particular, according to this writer, two of the major issues involved are personal privacy and national security.
At present there is no law on privacy, but in Rajagopal Vs. State of Tamil Nadu (1994), the Supreme Court opined that privacy is inherent in an individual's right to personal liberty. Also, Section 8(1)(j) of the RTI Act 2005 protects the private individual against unwarranted invasion of his/her privacy, proof enough that privacy is a right even if it is not a fundamental right.
On whether privacy is a fundamental right, the Government of India succeeded in convincing a 3-Judge Supreme Court bench hearing a bunch of petitions challenging Aadhaar on multifarious grounds, that privacy is important enough an issue to warrant consideration by a Constitution bench.
There is little doubt that mass surveillance for suspicion-less, untargeted snooping into people's private spaces to identify a possible threat to security, is questionable.
The privacy issue was brought to international attention in 2013, with the US admitting that its National Security Agency had been clandestinely collecting billions of pieces of information worldwide including personal data and emails from computer networks and telephones. India was one of USA's many surveillance targets.
Today, the technical capability of shadowy intelligence agencies for mass surveillance to collect, sort and process enormous quantities of data or meta-data has multiplied enormously. Hacking into databases for data is not very difficult for a person with the necessary motivation, skills and time, and it is quipped that systems are hack-proof only until the first hack.
Cyber security concerns in the face of clandestine, untargeted surveillance are not only about national security but also citizens' right to privacy.
Whether or not it succeeds in its declared primary aim of targeted welfare services for the poor, Aadhaar enables surveillance and tracking. Aadhaar promoters claim that access to its data base will not be permitted to any agency, and will be secure from intelligence agencies that spy on citizens. This claim is questionable since, according to its website, UIDAI contracted to receive technical support for biometric capture devices, from L-1 Identity Solutions, Inc. (now MorphoTrust USA), a US-based intelligence and surveillance corporation. According to the corporation's website, its top executives are acknowledged experts in the US intelligence community. Other companies awarded contracts for key aspects of the Aadhaar project, are Accenture Services Pvt Ltd (implementation of Biometric Solution for UIDAI) which works with US Homeland Security, and Ernst & Young (setting up of Central Identities Data Repository (CIDR) and Selection of Managed Service Provider (MSP)).
It is difficult to have confidence in the security of sensitive national information when the technical provider which creates, holds or manages the database is a business corporation with strong connections to foreign intelligence organizations.
Furthermore, US corporations are mandated by US law to reveal to the US government information obtained during their legitimate operations, when called upon to do so. The extent to which India's cyber security has already been invaded by surveillance is not even known, and when the security of the Aadhaar system is not water-tight, compromise of the Aadhaar system's security will be tantamount to compromise of national security.
When the cyber systems of high-security organizations like USA's NASA or India's DRDO have been repeatedly hacked, UIDAI's self-certification of its database security rings hollow. As far as institutional cyber security in India is concerned, barring one database protected by an indigenously developed network security system, official databases in India, including Aadhaar's Central ID Repository (CIDR), are protected by purchased commercial network security and cryptographic products.
There is little need to emphasise the vulnerability of the Aadhaar database to access by unauthorized persons/agencies for data destruction, corruption or simply copying by surveillance or hacking. The effect on individual privacy is unquestionably adverse.
Intelligence agencies operate by conducting general surveillance on citizens in public places and linking this with personal information available in various databases maintained by banks, income tax offices, ration cards, electoral rolls, airline and railway ticketing, internet and telecom service providers, etc. Since the Aadhaar number is “seeded” in these various data bases, Aadhaar itself will inevitably be at the core of a system to enable profiling and tracking of any and every private individual. Therefore Aadhaar is a prize target for intelligence agencies to hack or surveil to acquire data to invade individual privacy and compromise national security.
There have been a host of objections – especially including those of privacy and security – to the Aadhaar scheme itself since its inception, with several petitions still pending before the Supreme Court.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, does nothing to address those objections including especially those articulated unambiguously and vigorously by the Parliamentary Standing Committee on Finance headed by Yashwant Sinha, in December 2011.
In particular, the Aadhaar Bill fails to address the serious systemic issues of national security and individual privacy and indeed, the word “privacy” is absent from its text. However, concerning the security and confidentiality of information, the value of individual privacy is indirectly acknowledged in Section 33(2), by specifying that an individual's Aadhaar number, and biometric and demographic information may be revealed in the interest of national security, only by a specially authorized officer not below the rank of Joint Secretary of the Government of India. Yet here again, the interpretation of the term “national interest” remains at the sole discretion of a bureaucrat.
Further, the Aadhaar Bill omits to explicitly state whether enrolling into the Aadhaar scheme is “mandatory” or “not mandatory”. This can be interpreted as a deliberate omission to justify the on-going coercive enrolment into the Aadhaar scheme. The effect of the final order of the Supreme Court on this omission remains to be seen.
The several issues pleaded in the outstanding petitions before the Supreme Court and the outcome of the privacy issue placed before a Constitutional bench will surely have a bearing on the details of the Aadhaar Bill if not on its structure. Thus, ramming the Aadhaar Bill through the Lok Sabha without waiting for the Supreme Court to give its orders may result in unnecessary litigation, besides exposing lack of respect for transparent democratic procedures.
Notwithstanding, genuine national interest may dictate that laws on data/digital privacy protection and cyber security be urgently enacted and linked with the Aadhaar Bill, before it becomes operational in the public sphere.
(Major General S.G. Vombatkere, VSM, retired in 1996 as Additional DG Discipline & Vigilance in Army HQ AG's Branch. President of India awarded him Visishta Seva Medal in 1993 for distinguished service rendered in the high-altitude region of Ladakh. He holds a PhD degree in Structural Dynamics from I.I.T, Madras. With over 470 published papers in national and international journals and seminars, his area of interest remains strategic and development-related issues.)