IS ADHAAR A BREACH OF PRIVACY?

IS ADHAAR A BREACH OF PRIVACY?

– Vashali Saxena

Student, B.A. LL.B., Indore Institute of Law

– Anita Parmar

Asst. Prof., Indore Institute of Law

ABSTRACT

News regarding violation of privacy and leakage of information through Adhaar has been appearing frequently these days. The analysis here made in this regard is targeted on investigation of privacy and security issues of Adhaar. Project Adhaar permits identification and authentication of individual which is accessible without consent using biometric data, this had opened gates for unlawful usage of Adhaar data by central repository. Protection of breach of privacy by Adhaar requires a) a third party to play as Online Auditor; b) decentralization of biometric data; c) strong legal policies and regulations to address authentication and identification envisaged in modern digital set-up. The paper contains objective of enactment of Adhaar, conditions permitting accessibility to Adhaar data, pros and cons of project, legal provisions regarding penalties, remedial measures to be resorted to, and instances of Adhaar failure followed by suggestions.

INTRODUCTION

World’s largest national identity project titledAdhaar was launched by Indian government on January 28, 2009. The project seeks to collect and store biometric and demographic data in centralized database. Till date, 1.133 billion users have enrolled in the system. Recently, considerable deliberations have been raised by masses over privacy and security concerns with respect to project. The issue had emerged as heated debate, these days. The criticism is based on fact that it is completelyunsafe to store authentication trails, biometric and demographic data in a central repository. However, whether remedying the breach of privacy is inevitable and technological and legal provisions may be enacted in that regard are major issues to be addressed?

Adhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Bill, 2016 was passed on March 12, 2016 to ensure legal status to Adhaar – a 12-digit unique identification number, generated on collection of biometric and other personnel details of Indian residents. The Bill was enacted with an objective to ensure that the subsidy and other services rendered by government are received by person entitled. Adhaar is a mass surveillance tool designed bytechnologists to safeguard nationalSecurityand public order. It is a unique digital identification platform, authenticated for participating in digital transactions. Disclosure of Biometrics details which constrained inAdhaar is completely inappropriate for regular transactions between state and citizens. The linkage of Adhaar to all essential services rendered by Government is actually a strict control of surveillance over citizen’s privacy; as by doing so government can easily track all his activities, which is a strict violation of individual’s privacy rights.

Project Adhaar – An attempt to turn Citizens transparent to State

Adhaar has emerged as a broken technology- an intervention to nation’s development identifying people and authenticating transactions on their behalf without their consent. In this phase of democracy when Indian laws are silent on privacy violation issues, this approach of government to link Adhaar to every other service availed by citizens is an architectural disaster, from security perspective of citizens. Comptroller and Auditor General of India Mukul Rohatgi, recently had argued and claimed before a bench in Supreme Court that Indians have no constitutional right to defend their privacy rights violation.

Biometric details centralized inAdhaar are not protected at all under any of the prevailing law of country. One such incident expressing breach of privacy is linkage of Adhaar card to ATMs, when any person accesses his card all the biometrics incorporated therein are at risk of public disclosure, other than this Government being centre house ofthis biometric database, can use it to trace any individual’s financial transactions. The project is defective in legal and technical sense since its enactment; however, the government and UIDAI assured that privacy is presupposed as Fundamental Right and same would not be compromised, but the issue is unaddressed yet and majority is left disappointed. Adhaar has made citizens transparent to state but state is opaque and unaccountable to its citizens .1

Circumstances – Permitting Accessibility

Adhaar was created with noble goal of creating a functional public distribution platform and public was ensured that the biometrics and demographic data so collected is safe and accessible only for the sole purpose of authentication. However, legislation provided two exceptions allowing government to access Adhaar data easily. Exceptions includes – district judge may at his discretion authorize accessibility to Adhaar data without any disclosure being made to party affected; only Adhaar authorities can challenge the order, party affected by order is barred from making any appeal in respect of order so made 2. Another exception is that the joint secretary authorized by government may access and disclose data safeguarded under Adhaar when required “in the interest ofnational security”. These exceptions permitting access to personal data are criticized broadly as they has opened a huge window for misuse of Adhaar data.

Pros and Cons

AdhaarAct provides a unique method of identification ofindividuals in order to render services, subsidies and other benefits to residents of Nation, project emerged with objective of facilitating services to beneficiaries in paperless, digitaland convenient manner. Despite of several benefits the project has attracted severe criticism for causing disruptions to privacy due to careless deployment of biometrics 3.

Adhaar data base constituting identical details is dangerous in itself it is like a plant holding toxic material, which if breached could result in widespread disaster. Government having failed to enact provisions for prevention of privacy is responsible to all ill effects if anything goes wrong due to functioning of this database. Despite assuring numerous safety boons to individuals, the database has failed to provide provisions to compensate for damages resulting out of any service to which adhaar is linked with, whether govt. or non-government.

Whether linkage of Adhaar to PAN Cards Justified

Recently the finance minister Mr. Arun Jaitley argued in parliament about the instances of same person using multiple PAN cards for filing Income Tax-Returns. The linkage ofAdhaar to PAN card is still a proposal yet Government has traced the defect regarding multiple usages, this is the clear indication to fact that there exist multiple methods of catching these frauds even without Adhaar. This mindless and tendency of linkage is a huge failure as it had resulted in causing huge inconvenience to poor – old women are knocked or of Pension list; peoples are knocked out of PDS and Ration card list; and other respective irregularities. The technique of linkage is a huge failure as wherever applied whether in states of Jharkhand, Rajasthan, Andhra Pradesh or Telangana the tendency had left beneficiaries in vulnerable state.

Why Government is doing so?

Government wants everyone to be enrolled they wish to put same numbers on all databases whether Public or private and link them, in order to create a penopticane that can survey, profile and track what citizens are doing. Surveillance is secondary objective primarily government wishes to collect data for data mining purpose – to monetize our data, our usage patterns, what we are buying on internet, how we use our phone, where we are spending, where travelling, whether travelling by plane or train.

As well stated by UIDAI chairman Nandan Nilkeni, that data collected through data mining process is actually the generation of new Capital; as when we will go from being a poor country, we willbe at option of using this data to become a rich country. This implies that there is huge potential with data mining oppressions to government and with access to this data government may monetize any individual, without his acknowledgement.

Till date 99% above 18 yrs old citizens have been listed under Adhaar. According to UIDAI data more than 112 cr. Peoples in country, have Adhaar. All subsidies and welfare schemes of government are delivered directly throughAdhaar. Supreme Court in 2015 ruled out that UoI should widely declare that enrollment to Adhaar is not Mandatory but Voluntary. Person wishing to avail government welfare schemes and benefits may choose to be registered to Adhaar. Initially Adhaar Act prescribed use of data only for the purpose of availing PDS schemes, specifically comprising of distribution of Kerosene and LPG. Later MGNREGS, National Social Association Programme and Jana-dhana yojana were added and listed

specifically under the ambit of project Adhaar. Supreme Court through its judgment has limited the area of accessibility of database safeguarded under Adhaar.

Shift to Smart Cards

In January 2011, the centre for internet and security recommended parliamentary Finance Commission the replacement ofbiometrics incorporated inAdhaar with smart cards. Biometrics permits identification of citizens without their acknowledgment even when they don’t want to be identified. On the other hand, the smart cards for the purpose of identification require a combination of pins and citizens’ consciousness. Smart cards are easy to destroy and adoption of smart cards by UIDAI could result in destruction of centralized database of biometrics, as done by U.K. government in 2010 under Theresa May’s tenure as Home Secretary 4. This would also aid in eliminating the risk of usage of stored biometric database of citizens by foreign governments, criminals and terrorists for wrong modes.

Biometric data and crucial insensitive data should be decentralized under one organization i.e. UIDAI and KYC (Know your Customer) norms of UIDAI should be replaced by Tokens.

Incidents Reporting Adhaar – As failure

• Subsidiary and other benefits schemes of Government were targeted to benefit the intended mass. Therefore, Government while declaring the boons of Adhaar keeps claiming that Adhaar in many forms had contributed to generation ofsavings among the intended beneficiaries. However, the claims of Government have proved false; one such illustration is as follows –

• Government initiated the linkage of Adhaar to LPGs, later it claimed that this linkage had proved fruitful as it has generated a huge amount of LPG savings ranging from 14,000 – 30,000 crore. However when proper analysis was recorded it was discovered that only 8% of such savings were affected because of Adhaar and rest were due to downfall in International prices of LPG. Adhaar was packaged by UPAGovernment as something that would benefit the intended masses and other public by enabling welfare. Such packaging however, had proved to be a complete failure and all claims of government have turned false in all respects whether in respect of Public Distribution System, Mid-Day Meal Programme or distribution of LPG Subsidies.

• Another point of consideration is with respect to huge coverage ofAdhaar registration, UIDAI data reveals that about 99% of country’s population is enrolled to Adhaar and availing the benefits conferred by government under its welfare schemes. But there lies a huge defect in system and data so collected by authorities is incorrect, they have failed to consider the fact that when enrollment to Adhaar was going on about 1/5th of total or 20% of public could not get itself registered to Adhaar for failure of finger printing machine. In many states including those of Jharkhand and chhatisgarh, out of 700 targeted beneficiaries entitled to PDS only 400 are getting it, reason being – rest 300 were not registered to Adhaar due to failure of Finger printing machine. Still government is counting it to full; it’s a complete bunk-up and an attempt of Government to hide corruption.

• Another instance recently reported was that Government allowed a private bank to access Adhaar databases. As Private Banks or incorporations have no definite legal status they cannot be trusted or held liable for any of the mishaps resulting out of illegal usage of data, accessed through adhaar.

• Linkage of mid-day meal to Adhaar seems another nonsense as what government is attempting to achieve via this is still unclear.

Right to privacy

Leaving the issue ofAdhaar linkage aside, focusing on right to privacy, we comes out with the opinion that, right to privacy includes right to be left alone freely, to be not involved in any of the transaction withgovernment, not dependent on government for subsidies, not to do anything in association with the surveillance state continuously monitoring its citizens at all stages, in every step taken or transactions made, by them. Government continuously vigilant to activities of citizens at its back amounts to incompatibility and strict violation of individual’s Right to privacy.

In 1960s Supreme Court regarded, the move of Government to send corps to a known criminal’s house regularly, for the purpose of inquiring, whether the criminal is at home or not as violation of individual’s right to privacy5.

But now the scenario is different government don’t need to send corps, person once enrolled to Adhaar and having unique identity is traceable easily at all times. This in no case is the state where we proposed to live in under constitution or kind of government we elected.

Right to Privacy is condition precedent to be recognized, to enable survival of Right to Liberty and freedom of expression. Collection of biometrics is considered as one of the major means of violating privacy. Biometrics being unique is the key requirements of project Adhaar, and can be used for authentication for financial transactions or getting mobile SIM cards. This opens gate for misuse of personal data resulting in reporting of rise in fraudulent practices in society.

Adhaar Act under Section 8 provides for strict restrictions on sharing of personal data without the consent of individual. Also the response which UIDAI are authorized to provide on request being made on any authentication Request is to be given either as ‘yes’ or ‘No’.

Now, if government passes any such law permitting accessibility to personal biometrics and other identical details of individuals for any of its scheme or services, it would be deemed as constitutionally invalid. Supreme court in one of its decision restricted accessibility to Adhaar data provided byindividuals only for subsidies and other certain purposes enlisted by legislation under the Adhaar Act, provided government should disclose the fact that getting enrolled to Adhaar is voluntary and not mandate, if anyone wants to access to subsidies and other benefits and is willing to disclose his privacy he may join it on voluntary basis.

Legal provisions

In India for the purpose of data protection a body corporate is subject to section 43-A of Information TechnologyAct, 2000 section 43-Aprovides6 , any Body corporate dealing with sensitive personal data or information is obliged to implement and maintain same under reasonable security if his negligence in maintaining same results in wrongful loss or gain to he is liable to compensate and pay damages to person affected.

The Aadhaar Act under section 30 provides that the biometric information collected under Adhaar scheme shall be deemed as “sensitive personal data or information”, which shall have the same meaning as assigned to it in clause (iii) of the Explanation to section 43A of the IT Act; this implies that biometric data collected under Aadhaar scheme will receive the same level of protection as is provided to other sensitive personal data under Indian law.7

The agencies, contracting with UIDAI for accessing personal data if found misusing the data, shall be held responsible if any breach or misuse of information results in loss to an individual and it is proved beyond doubt that such misuse ofdata was affected for failure to implementation of reasonable security procedures.

The Adhaar act under chapter VII provides for penal provisions –

Under Section 36 as – person found intentionally disclosing identitydata to anyone notauthorized to access data, shall be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case ofan individual), and fine up to one lakh rupees (in case of a company). General punishment for violation of rules regarding disclosure or misuse of informationextends to 3 yrs imprisonment and fine between Rs. 10,000 to 25,000 (in case of an individual) and upto 1 lakh (in case of a company).

Conclusion

‘Adhaar – well defined as global surveillance project is poorly designed and the technical default with which project is suffering requires an immediate fixation today; law can wait for tomorrow.’8

Adhaar emerged as UPA’s best idea. The project from viewpoint of security and privacy suffers from technical weakness. The design alteration to adhaar number can make it more secure and third party auditor should be appointed to prevent insider leakage of information. We as a developing nation have emerged as a digital economy with billons of cell phones and digital transactions yet our nation lacks in antiquated laws for data protection and privacy.

Problems of ID theft, fraud and misrepresentations are real concerns. We often negligently submits our self to internet for accessing online data and services, even without adhaar; this is something where we need to be look into before blaming authorities for accessing data. Also we need to educate and aware people on issues where risks are involved by highlighting examples of ID thefts and frauds.

Our legal system also required to be regulated to address authentication related issues in modern digital set-up, we have laws on prevention of breach of piracy but the same are overlapping. Our IT laws are demanding modernization and liability has to be imposed on company handling data so that it is not stolen or shared without consent.

Modern century is mugged with huge risks, if we want a risk free environment we are at option of going back to Stone Age. This is like banning cars as driving has become risky. But this is not the smart solution, solution lies in fact of creating road safety norms to mitigate the risk of driving. In the similar manner risk of privacy violation and misuse of personal data requires a level headed approach and ample safeguards to ensure safety to data protection and privacy violation.

****