On day 29 of the final Aadhaar hearing, Senior Advocate, Rakesh Dwivedi resumed his submissions and stated that it is better to tighten the nuts and bolts of Aadhaar than demolishing it completely. He cited Section 8 of the Aadhaar act and argued that individuals’ information is strictly confined to the purpose of authentication and the interplay of sections 8 and 29 mean that core biometrics i.e fingerprints and iris scans are not shared with any third party. He further stated that data shared under section 29 is non biometric data. J. Chandrachud at this point interjected and pointed out that Section 8(3) combined with Section 29(3) means that the requesting entity will know the purpose of the authentication even if UIDAI doesn't, which Mr. Dwivedi vehemently denied. Mr. Dwivedi emphasized that if the bench is unsure whether requesting agencies collect information that they are not supposed to, then they should read down sections 8(3) and 29(3) to make sure that requesting entities (REs) do not know the purpose of the authentication or collect any information.
During a brief discussion on the General Data Protection Legislation (GDPR), Mr. Dwivedi contended that the GDPR provides no curative measures and that the Aadhaar Act provides adequate data protection to citizens. He argued that no data protection law can provide hundred percent protection and the applicable test should be to check if the said law provided “just, fair and reasonable” protection. Mr. Dwivedi then went on to state that aggregation, analysis or transfer of data is not allowed under the Aadhaar Act.
Thereafter, Mr. Dwivedi mentioned that the State can only tackle real apprehensions related to Aadhaar and not the kind of fear mongering that is being perpetrated by a few individuals. To this, J. Chandrachud stated that the real apprehension is that elections are swayed using data analytics in first world countries like the United States and the problems related to technology are symptomatic of the world we live in. In reply, Mr. Dwivedi mentioned that Aadhaar cannot be compared to the Cambridge Analytica data leak scandal. He reiterated that UIDAI does not have learning algorithms as the Aadhaar Act does not authorize it. He highlighted that UIDAI uses simple matching algorithms for the purpose of authentication. He also went on to assert that a powerful Indian media will check any misuse of Aadhaar. He urged the bench to examine the design of the Aadhaar Act and emphasized that the State wants to gain the trust of citizens. Section 28 of the Act also provides protection of information, he stated. He further mentioned that the data collected will be in the control of UIDAI and will be kept secure in the CIDR. Section 57 does not allow just anyone to become a requesting entity. It's a limited exercise and UIDAI will not approve anyone to become an RE unless it is satisfied that the particular entity needs to use the facility of authentication, stated Mr. Dwivedi.
J. Chandrachud questioned why private parties need to be involved in the Aadhaar infrastructure, to which Mr. Dwivedi responded by saying that the divide between public and private sector is narrowing and that the private sector is not exempt from Constitutional norms.
Next, Mr. Dwivedi said that he wants to respond to the submission made by petitioners that the State is numbering human being like Hitler did in Nazi Germany. Mr. Dwivedi emphasized on the importance of numbers and cited George Ifrah’s book “From one to zero: A universal history of numbers” and “God made integers” by Stephen Hawking. He also highlighted that the origin of numbers began in India at the time of Brahmagupta. To this, J. Sikri interjected and said, “Nobody is denying there should be no numbers. But why assign it to individuals?” In reply, Mr. Dwivedi expressed that numbers are beautiful and fascinating and human beings are not numbered just because a number is assigned to them. He gave the example of numbers being present in proximity cards used in courts, airline tickets (PNR), credit cards, among other things.
Furthermore, J. Chandrachud asked why Section 3 of the Aadhaar Act become mandatory since it is an entitlement under the Act. Mr. Dwivedi said that Section 3 is voluntary and Aadhaar was made mandatory for other purposes by way of amendment of other Acts. He stated that the bench can examine these other Acts separately.
J. Chandrachud then remarked that Aadhaar can be made mandatory under a law or through a contract under Section 57 of the Act. Mr. Dwivedi replied that the object of Section 57 is not to expand but to limit the use of Aadhaar. He commented that any paanwalla or chaiwalla cannot become an RE under the Act and that the UIDAI will examine if an entity needs to use the facility of authentication. J, Chandrachud enquired how is “need for authentication” determined to which Mr, Dwivedi answered that there has to be a prior contract and then UIDAI has to be approached for request. Not convinced with that line of argument, J, Sikri remarked that there is no guideline as to what will be considered a “need” for authentication and what will not be. Further, J. Khanwilkar questioned the fact that the prior contract comes before permission to become an RE is taken from UIDAI. He also commented that Section A of the Act that outlined who all can become REs is very wide.
On the security of Aadhaar, Mr. Dwivedi highlighted that the rules of Information Technology Act, 2000 and the punitive measures provided therein are also applicable to Aadhaar data under Section 30 of the Aadhaar Act. While reading some of the provisions of the IT Act, Mr. Dwivedi remarked that anyone who attempts to gain unauthorized access to CIDR will be imprisoned for ten years. He then went on to mention Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 and Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 and the provisions therein. He also highlighted that the CIDR came under critical information Infrastructure.
Therafter, Mr. Dwivedi mentioned the following attributes of biometrics: they are not genetic data; they are not intrusive; they can be used as a mode of identification even without the use of digital technology; instantaneous digital authentication. He commented that other biometrics can be added to the Aadhaar ecosystem only if it enhances accuracy. Mr. Dwivedi next went on to state that Aadhaar is not just an exercise to provide benefits and weed out fakes but also to bring the service providers face to face with the beneficiaries. That's the revolutionary aspect of Aadhaar, he emphasized. He reiterated that none of the other identification cards are universally held in the country. These cards are only for initial identity and address proof. In the case of Aadhaar, no individual would give their wrong name or address since biometrics are involved. He commented that Aaadhaar is not the panacea for all evils but the problems that were occurring on account of fake identity documents will be solved.
The last argument of the day that Mr. Dwivedi tackled was that Aadhaar technology is probabilistic and not deterministic. He argued that probability governs us everywhere and that nothing is certain. He was of the view that just because it is probabilistic, it cannot be discarded. J. Chandrachud responded by highlighting that If the probability leads to deprivation of fundamental rights, then there should be safeguards in place to ensure that this deprivation doesn't happen. There should be an administrative machinery in place to ensure no genuine beneficiary is deprived, he stated. Mr. Dwivedi agreed and mentioned that the State believes in inclusion of all citizens and therefore Section 7 itself provided a fallback mechanism if authentication failure happened.
The bench will resume tomorrow (April 18, 2018).