The hearing for Day 4 started with Senior Advocate Shyam Divan taking the court through Section 59 of the Aadhaar Act-the savings clause validating all the actions of the Central Government prior to the Act. He argued that this section only applied to the actions of the Central Government and did not cover any action of the private entities or the enrollment agencies.
Justice Sikri intervened saying that even during the pre-enactment era, UIDAI appointed the enrolment agencies and Registrar. Mr. Divan replied in negative stating that there was no privity of contract between UIDAI and enrolment agencies prior to the Act. He further stated that the Registrar did not qualify as the Central Government, hence the protection under Section 59 cannot be extended to the private entities. In response to another query by Justice Sikri, he stated that the Central Government’s actions in entering into an Memorandum of Understanding (MoU) with the UIDAI may be protected by virtue of the Central Government notification, but not the actions of the Registrars. He said that the enrolment agencies were not even covered under the MoU and thus, section 59 protection did not extend to the enrolments prior to the Act. He argued that even if Section 59 gave retrospective validity to the actions, it cannot cure the violation of fundamental rights as the violation is complete.
Justice Chandrachud queried whether Aadhaar was used by private players as a platform before the Act came into force. He said that if it did, such an action would not be validated under Section 59. Mr. Divan promised to look it up and assist the court. Justice Chandrachud further pointed out that the privacy judgment required that there should be a basis in law and Section 59 attempted to bring that basis through a legal fiction. He asked that in such a scenario, how would the data breaches prior to the Act be dealt with. Mr. Divan replied that informed consent is critical and that there could not be a retrospective validation of consent being always present. He finally said that Section 59 created a fiction and thus, even if it were to be upheld, it should be narrowly read.
Mr. Divan then handed over a copy of the main heads of challenge to the Aadhaar Act. A list of the heads is as below:
Surveillance: The project creates the architecture for pervasive surveillance.
Violation of the Fundamental Right to Privacy: The project continues to violate the Right to Privacy during both the pre-Act and post-Act periods by requiring them to part with demographic and biometric information to private enrolling agencies. Further, the citizen’s right to informational privacy is violated as the citizen is compelled to report her actions to the State. An individual has the right to control the dissemination of personal information in a digital society.
Limited Government: The Constitution is not about the power of the State, but about the limits on the power of the State. If Aadhaar is upheld, the State will completely dominate the citizen and alter the relationship between citizen and State. The State can cause civil death of an individual by disabling Aadhaar. Further, the citizen will always be under the gaze of the State, causing a chilling effect on the citizen. It would result in a pervasive State where instead of the State being transparent to the citizen, citizens would be rendered transparent to the State.
Aadhaar Act illegally passed as a Money Bill: The Act was not a money bill as per Article 110 of the Constitution. It had transcended its scope and not followed the constitutional procedure mandated for passage of a law.
Procedure followed violates Articles 14 and 21: The procedures adopted both pre and post the Act were arbitrary and in violation of Articles 14 and 21. There was no informed consent at the time of enrollment and no opt-out option. The enrollment process is conducted by private entities without any governmental supervision. The data collected and stored in the CIDR lacked integrity as it was not verified by any government official.
Unreliability of Biometrics and Exclusion: The project is based on an unreliable and untested technology. The authentication is based on probabilistic system where entitlements are reduced from certainty to a chance delivery where the biometrics match.
Illegal Object: The objective of creating a single pervasive identification over time is itself illegal.
Democracy, Identity and Choice: An individual in a democratic society has a choice to establish her identity through the mode of her choice in her interactions with the State and otherwise. Mandating the identification by only one particular method is excessive and disproportionate.
Mr. Divan then handed over a tabulated statement with his submissions on the constitutionality of the provisions of Aadhaar. He submitted that “Authentication record” included the time of authentication and the requesting entity which enabled real-time surveillance. He stated that a centralised database indicated authoritarianism.
On being asked by Justice Chandrachud who maintained the CIDR and whether the source code was with the UIDAI, Mr. Divan replied that details of CIDR were not in public domain. He further stated that the source code was not with UIDAI. He said that it was proprietary technology and was owned neither by the Government of India nor by UIDAI.
Referring to the enrollment regulations, Mr. Divan showed the Court the level of control and power UIDAI had with respect to the cancellation of Aadhaar numbers of the individuals. Responding to Justice Sikri’s question as to why should Aadhaar not be cancelled in case it had been obtained fraudulently, Mr. Divan said that the provision confers huge powers on UIDAI.
Mr. Divan then handed over a notification containing type of personal information that could be collected under the Census Act, 1948. Referring to the Section 15 of the Census Act, he stated that there was a statutory framework in place to protect the information collected. Then moving on to a pre-constitutional statute- the Identification of Prisoners Act, 1920, he pointed out the level of protection Section 7 of the said Act provided to information. Moving on to the Registration Act, 1908, he pointed out Section 32A on compulsory affixation of photograph and fingerprints. He stated that such collection was for a legitimate narrow purpose and only for a particular registry and was not given in a centralised database. He then referred to the Bombay Habitual Offenders Act, 1959, reading out various provisions that talked about registration of habitual offenders and taking their finger and palm prints. He highlighted that there was a provision for de-registration as well. Thus, he said that any such action has to have a statutory backing.
Mr. Divan then began his arguments on the primary head of challenge- Surveillance. He explained that the CIDR retained a record of every authentication, thus empowering the State to collect records over the course of an individual’s lifetime. He further stated that it not only destroyed the privacy of the individual, but the data aggregated enabled the State to create a profile of an individual, a community or a segment of society. He reiterated that the Constitution did not permit a surveillance State.
He then explained how each and every electronic device, linked with internet, has a unique identification. In addition to the generic unique identity, when a device is linked to CIDR, and information exchange takes place, Aadhaar system generates a specific ID for each device. He stated that due to this system, physical location of every device or broad nature of transaction could be tracked by UIDAI in real time.
Mr. Divan then read out the affidavits of technical experts in the field to demonstrate that the programme enabled Surveillance. Reading out the affidavit of Mr. Samir Kelekar, he said that the project facilitated real time and non real time tracking of Aadhaar holders. Reading about biometrics as a form of password, he read out that they cannot be changed and hence, once lost or stolen, they are gone forever. Next, reading out the affidavit of Mr. J D’Souza, he submitted that the biometrics were unreliable and that Mr. D’Souza had further demonstrated to UIDAI as to how easily could the fingerprints be replicated. He pointed out that it was very easy to track the individuals through the fingerprint reader devices and stated that even the irises were easy to replicate. He further stated that the fingerprints could be captured from the device even before it was encrypted. He said that since these devices were not indigenously manufactured, with source code unknown to UIDAI, there could have been a backdoor feature for data mining without the knowledge of UIDAI. He said that it posed serious national security concerns.
Justice Chandrachud questioned to what extent could the Court look into the technical evidence. He further asked if we were comfortable with the private entities like Google maps tapping the same information but not the government.
Mr. Divan responded by saying that the affidavits clearly show that there is a complete mapping taking place in real-time. Further, he questioned if we could even have an architecture which tracked people in real time. He stated that such an action would make it a police state which is against the Constitution. He further stated that Google was not a State machinery and although powerful, it had its limitation.
Justice Chandrachud pointed out that what we need is a balance of privacy with other equally important issues like terrorism, money laundering. At this juncture, Mr. Kapil Sibal intervened to say that problem lied in giving so much information to the State. He remarked that the ‘big brother’ should not have all the information as it will only make it bigger. Agreeing with Mr. Sibal, Mr. Divan stated that the primary issue here was whether the State could be given such an extensive power to surveil under the Constitution.
Mr. Divan then read out the dissenting opinion of Justice Subba Rao in Kharak Singh v. State of U.P. which was upheld in the nine Judge Bench privacy judgment. He, then referred to the observation of Justice Lahoti in District Collector v. Canara Bank discussing about surveillance and how it was not a ‘police raj’. He concluded by reading out the the ECHR judgment in the case of Sakharov v. Russia which related to the secret interception of mobile phones in Russia.
The hearing will continue on Tuesday, 30th January, 2018.