Governance and Policy

Aadhaar advisory: the continuing saga of UIDAI’s breach of privacy rights

Gursimran Kaur Bakshi

The recent advisories by the UIDAI's regional office, and then by its parent ministry, are cause for concern. UIDAI, which has been functioning without a chairman since 2019, is responsible for managing one of the biggest databases in the world. The CAG report has already revealed that it has failed to maintain the uniqueness of the Aadhaar: the database holds unpaired and mismatched biometric data, and UIDAI lacks a data archiving policy. The absence of any mechanism to ensure its accountability is a further worry.

—–

ON May 27, the regional office of the UIDAI in Bengaluru issued a press release advising people against sharing photocopies of their Aadhaar cards with other organisations, as the copies could be "misused". A few days later, the advisory was withdrawn with immediate effect. These developments came months after the Comptroller and Auditor General (CAG) report titled 'Functioning of UIDAI' revealed the failure of the UIDAI to maintain the uniqueness of the Aadhaar.

The initial advisory warned people against using public computers to download e-copies of the Aadhaar card. If e-copies are downloaded on such a machine, the advisory directed, they should be permanently deleted from that system.

Further, it stated that only organisations holding a "user licence" may ask for the Aadhaar card for verification of identity. "Unlicensed private entities like hotels or film halls are not permitted to collect or keep copies of Aadhaar cards. It is an offence under the Aadhaar Act 2016", the advisory stated. The later advisory, issued by UIDAI's parent ministry, the Ministry of Electronics and Information Technology (MeitY), merely asked people to exercise "normal prudence" while sharing copies of Aadhaar.

Authentication or verification

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (as amended in 2019) permits several kinds of Aadhaar-based verification. Some clarity is needed about what each of them involves.

The Act uses two terms: verification and authentication. The distinction between the two is blurred in the Act itself. Authentication refers to the process in which data, comprising the Aadhaar number together with demographic or biometric information, is submitted to the Central Identities Data Repository (CIDR) for matching, as per Section 2(c) of the Act read with the Aadhaar (Authentication and Offline Verification) Regulations, 2021 (the Regulations). Authentication can also be routed through an 'Authentication Service Agency', but that agency must be a licensed entity.

The Regulations further specify several modes of authentication and verification. These include Yes/No and e-KYC authentication, QR code verification, Aadhaar Paperless Offline e-KYC verification, e-Aadhaar verification and offline paper-based verification. The current advisories concern only two of these: the manner in which e-Aadhaar is downloaded, and offline verification through a photocopy of the Aadhaar card.

Currently, there are no guidelines on how e-copies of Aadhaar cards are to be downloaded, although the Regulations require the UIDAI to frame them. Our main concern, however, should be offline verification, because the information given in the initial advisory on that point is misleading, and here is why.

Offline verification cannot take place without regulations 

Offline verification must be done through an offline verification-seeking entity (OVSE), as defined in Section 2(pb), inserted by the 2019 amendment, read with the Regulations. As per Section 2(pa) of the Act read with Regulation 2(1)(ma), offline verification is the process of verifying the identity of an Aadhaar number holder without authentication, through such offline modes as may be specified by regulations.

One of the factors that distinguishes authentication from offline verification is that the former may only be performed through a licensed entity. Offline verification, on the contrary, can be done by 'any entity' desirous of undertaking it. This means that the first advisory, which framed the matter in terms of a 'licensed entity', was wrong and misleading.

Further, an offline verification can only take place after the entity informs the Aadhaar card holder of the nature of the information that will be shared with it, the use to which it will be put, and the alternative means of establishing identity. Once this information is provided, the OVSE shall obtain the consent of the Aadhaar card holder (Regulations 5 and 6), and it must inform the holder whether the verification succeeded (Regulation 10).

Most importantly, any data the entity stores after the verification is completed must be in masked form, as per Regulation 2(1)(mc). A masked Aadhaar displays only the last four digits of the 12-digit Aadhaar number; the remaining digits are replaced with placeholder characters, such as 'XXXX-XXXX'.

The Aadhaar card holder can revoke the consent given to an OVSE, and upon such revocation the entity shall delete the data and give an acknowledgement of the deletion, as per Regulation 16A. This is what is known as the right to be forgotten, an indispensable facet of the right to privacy as recognised by the Supreme Court in Puttaswamy (2017).

In practice, these Regulations are not followed: there is no account of how many 'desirous entities' engage in offline verification, and such entities are hardly aware that the Regulations exist. The advisory may prima facie appear to comply with the Act and the Regulations, but it is deeply flawed. In any event, these entities can hardly be held responsible when the UIDAI has itself failed to discharge its obligation.

The CAG report reveals it all 

But why were these advisories issued so suddenly? According to the Indian Express, the initial advisory was issued after two Chennai-based drug smugglers used morphed Aadhaar cards to smuggle contraband from the International Courier Terminal in Bengaluru to Australia. The advisories certainly did not deter the criminals, as duplication of Aadhaar cards by criminals continues.

This is not the first time such ad hoc directions have been issued. On November 11, 2016, the UIDAI tweeted from its official Twitter account against sharing the Aadhaar, other identity documents, or their photocopies.

However many times the UIDAI issues an ad hoc advisory or offers assurances about the safeguards in the Aadhaar identity authentication ecosystem, neither holds up, especially now that the CAG report has revealed that the CIDR contains duplicated, mismatched and faulty biometric data. There was a time when Nandan Nilekani, the first chairman of UIDAI, claimed that Aadhaar had to be made mandatory to remove duplication of Permanent Account Numbers and so reduce tax evasion. It is now clear that this is not the case, and never will be.

What the experts say  

According to Dr. Gopal Krishna, who appeared as a witness before the Parliamentary Standing Committee on Finance that examined The National Identification Authority of India Bill, 2010, these advisories imply that the sensitive personal data of only the 10 crore Indian residents who have not enrolled for an Aadhaar number is secure, because UIDAI failed to caution enrolees about exercising general prudence from the very outset.

Dr. Krishna, who has also raised pertinent privacy-related concerns over the CAG report with The Leaflet, remarks that these press releases may have been issued "per approved strategy" as mentioned in the Union government's notification of January 28, 2009, for the UID and the Ministry of Home Affairs' National Population Register ('NPR'). "It is most likely an exercise to cover UIDAI's acts of omission and commission revealed in CAG's audit report ahead of the deliberation before the Public Accounts Committee and hearing in the Supreme Court in near future", Dr. Krishna adds.

Dr. Usha Ramanathan, also a witness before the Parliamentary Standing Committee, commented on the functioning of UIDAI in an email to this writer: "The UIDAI has been using denial to carry on with its pretence that there is nothing wrong with its project. They did that when coriander got enrolled and got itself a UID number. They did that when the Parliamentary Standing Committee found the project, and the law, so full of holes that they asked for it to be halted and returned to the drawing board. When researchers found the number leaking all over the internet, they threatened to sue the researchers."

Dr. Ramanathan, who has consistently questioned the mechanism by which the UIDAI functions and has raised concerns over the linking of the electoral database with the Aadhaar database, further added: "When Rachna Khaira reported in the Tribune about the ease with which information on the UIDAI database could be accessed and altered, the next thing we knew the editor had quit and Rachna Khaira had FIRs against her; the police closed the case after three years, in 2021. In 2020, the Indian Express reported about the use of the UID number and biometrics to syphon off minority scholarship money. The scam spread across multiple states – Bihar, Assam, Uttarakhand, Jharkhand, and Punjab High Courts have got into it, the Jharkhand CM promised a vigilance probe, and the CBI was brought into it. There is little left of the project that is trustable after the CAG report."

She further said: "The UIDAI carries on like that never happened. They are now talking of putting Business Correspondents and postmen to the task of enrolling and updating their database, which means adding to the number of people to whom all manner of information is going to be given, with no means of securing it. Let's face it, the UIDAI fought against the right to privacy. And its chief told the Supreme Court that there were 15 ft walls that made the database secure. This latest episode is a slip up somewhere, where the Bangalore office seems to have spoken out of turn. With the retraction, denial has returned, that's all."

The Leaflet has from time to time covered right to privacy issues in detail and continues to examine key questions such as the following: What are the legitimate privacy concerns over the CERT-In directions? How does the Criminal Procedure (Identification) Bill, 2022 violate various constitutional mandates? What does the CAG's audit report tell us about the functioning of the UIDAI?

Below are some of the highlights of The Leaflet's coverage of privacy rights.

The Leaflet's most recent coverage of the privacy issue: 

In the Puttaswamy (2017) judgment, the right to privacy was held to be an indispensable facet of personal liberty. Even though the right to privacy has to be balanced against legitimate state interests, any restriction on it must satisfy the threshold tests of legality, necessity and proportionality. Several non-governmental organisations have expressed serious concern at the decision of state authorities to fit Safai Karamcharis with Global Positioning System (GPS)-enabled tracking devices, as a violation not only of their right to privacy but also of their human dignity and autonomy.

Rise of a surveillance state  

The Pegasus controversy is another instance in which journalists and activists known for their dissent came under surveillance, compromising their right to privacy. The highlights below concern recent attempts by the government to widen the scope of its interference in the private sphere of individuals.

  • New CERT-In directions raise grave concerns for data privacy: While some directions seem like the need of the hour (such as mandatorily reporting data breaches) and definitively aim at ensuring cyber security, others (such as collecting and storing personal data by VPN providers) fall short of this aim.
  • MeitY's direction to VPN companies to share user data or face jail invites concern over privacy: The Ministry of Electronics & Information Technology (MeitY) on April 28 issued directions to Virtual Private Network (VPN) providers to collect user data, including IP addresses, retain it for a period of five years and share it with the government on request. Along with VPN providers, the notification posted by the Ministry's Computer Emergency Response Team (CERT-In) also ordered data centres, crypto-exchanges and other intermediaries to collect and turn over user data in order to "coordinate response activities as well as emergency measures with respect to cyber security incidents", and to report cyber incidents within six hours of their occurrence.
  • The rise and rise of facial recognition technology: Without any legal safeguards in place, the widespread deployment of this technology by the Indian State makes it a tool for gaining collective control over society.

How the legislature is failing to protect privacy rights  

Recent laws and guidelines made by the legislature and the executive raise legitimate privacy concerns because they seek to restrict privacy rights without satisfying the criteria laid down in the Puttaswamy judgment. The Joint Parliamentary Committee raised serious concerns over the Personal Data Protection Bill, 2019, now renamed the Data Protection Bill, 2021, but that Bill is yet to see the light of day.

Role of the judiciary in protecting privacy rights

While the Supreme Court has given us hope by constituting a committee to probe the Pegasus allegations, the high courts have consistently come forward to protect the privacy rights of persons despite the Union government's repeated attempts to jeopardise them.

  • Delhi HC strikes down Government's directive asking Judges to seek political clearance for private visits abroad: A division bench of the Delhi High Court on April 1 struck down an Office Memorandum (OM) by the Union Government to the extent it required judges of Constitutional Courts, that is, the Supreme Court and the High Courts, to seek political clearance for private visits to foreign countries. On July 13 last year, the Union Ministry of External Affairs (MEA) issued an OM requiring the judges of the Supreme Court and the High Courts to seek political clearance before travelling abroad.