Why the Rule of Law must trump the Rule of Code

The constitutional challenge to the Aadhaar project, currently being heard before the Supreme Court, is now in its fourth month. While there are significant defects in the Aadhaar Act and in the legal legitimacy of the entire project, given that it was implemented in the absence of any law whatsoever and the enabling legislation was pushed through Parliament as a Money Bill, the crux of the case is coming down to a question of technology.

The Petitioners have submitted arguments and evidence showing how the Aadhaar project comprises highly flawed technology that does not function as claimed by the Unique Identification Authority of India (UIDAI) or as it is supposed to under the Aadhaar Act, while the Respondents (i.e. the Central government and the UIDAI) have spent weeks denying the same. The conflict is primarily factual, and revolves around the actual architecture and operation of the underlying technical system of the Aadhaar.

A conflict of facts

For instance, consider the issue of storage of personal and transactional data of Aadhaar holders by the UIDAI. Every time an Aadhaar holder authenticates her Aadhaar in order to avail of a benefit or service, such as applying for a scholarship reserved for members of a Scheduled Caste or accessing treatment from a government hospital, the UIDAI receives and maintains a record of that transaction. While the Aadhaar Act prohibits the storage of the underlying purpose of a transaction, the transaction record contains the identity of the parties, the time and location of the transaction, and other metadata. This is facilitated by several technical factors, such as every registered Aadhaar biometric device containing a GPS device and a unique identifier linked to the authenticating entity.

Thus, the UIDAI possesses a record containing highly significant and intimate information about an individual, such as caste data and medical information. Moreover, the UIDAI Strategy Document 2016 revealed that the transaction records stored by the UIDAI were aggregated into “Transaction Aggregated Records”, thereby giving them the ability to profile a person based on his transactions, or profile a region based on the collective transactions of its residents. For example, this would enable State actors to identify areas with significant concentrations of a specific caste. Recent revelations have shown how various State governments have used Aadhaar data to do exactly this.

UIDAI’s crisis of accountability

However, the UIDAI has consistently denied such actions, including the very ability to profile citizens on the basis of the data they possess. Through their counsel in court and via interviews given by their CEO, the UIDAI has stated that they do not store any information pertaining to the location of a user at the time of Aadhaar authentication, despite having the capability to do so. Further, they have denied any aggregation of transaction records, contradicting what was released in their own documentation. Not only is there a fundamental clash in the facts advanced by both sides, but the submissions of the UIDAI are supported by nothing other than statements. A deeper inquiry into the architecture and databases of the Aadhaar is absolutely necessary in order to determine if such activities are indeed being carried out.

Similarly, consider the issues pertaining to the confidentiality of Aadhaar data. The UIDAI has consistently claimed that they never share/divulge the data collected from an individual during the enrolment process, and that this data is securely stored in a database surrounded by a 13-foot high, 5-foot thick wall manned 24×7 by armed guards. Yet, undeniable evidence was presented by the petitioners before the Supreme Court that the Aadhaar data was diverted to multiple sources by the UIDAI itself at the point of enrolment, such as to various databases maintained by State Governments. These databases are known as State Resident Data Hubs (SRDH), and are not governed by the Aadhaar Act or any other law, leaving the Aadhaar data within these databases entirely unprotected. Note that such sharing, leakage and diversion of private data is prohibited under the Aadhaar Act.

Shrouded in secrecy

Upon being confronted by this evidence (which included the UIDAI’s own technical documentation and press releases), the UIDAI admitted in court that such data had been shared with various recipients in the past, but also submitted that all such data had now been “deleted”. No credible evidence has been provided till date with regard to such deletion of data. As a parallel, recall that in 2015, Cambridge Analytica had promised Facebook that all illegally accessed data had been deleted; a promise that Facebook foolishly believed, without conducting any investigation or audit.

Accordingly, this is one more instance of a claim that the UIDAI expects the Supreme Court (and Indian residents) to accept at face value, on the basis of trust. Moreover, verification of the UIDAI’s claims is extremely difficult as the UIDAI does not permit independent access to their systems; requests for technical information under the RTI Act are routinely denied on the all-encompassing grounds of secrecy and national security, and even the contracts between the UIDAI and the foreign entities that built the Aadhaar system were stripped of all technical information before being released to the public.

Thus, in order to determine the truth, the court will have to inquire deeper into underlying facts, and perhaps request an independent technical audit in order to satisfy itself that the technology of the Aadhaar is not being misused. Going by the frequent revelations of violations of the law by the Aadhaar systems, including data leakages, fraudulent enrolments, lax cyber security protocols, unauthorised access and sharing of data, there is enough evidence to show that the UIDAI is either unaware of how their systems are functioning or following a strategy of denying everything in the hope that the truth is unlikely to be discovered. Given that the truth is buried within the code, algorithms and security protocols of the Aadhaar systems, the latter strategy seems likely.

Pick law over tech to guide policy

One of the most important lessons to emerge at this point is that the technology used by the State for governance must be held to a higher standard, both in terms of transparency and accountability. It is important that the Judiciary evolves an effective process of dealing with matters involving advanced technology, especially when such systems are used in governance and directly affect the fundamental rights of citizens. Independent expert testimony would help, though it must be pointed out that both the Petitioners and the Respondents have each cited the (conflicting) opinions of noted computer science experts to buttress their respective positions.

The establishment of specialised courts to handle such matters would go a long way in ensuring that misrepresentations in court over how a technology functions do not go unnoticed. The introduction of legal processes such as a pre-enforcement review of administrative technology, while adding some red tape, might prevent serious abuses of fundamental rights that could well go unnoticed even by the affected parties. For example, by using Aadhaar systems and a smart grid network, a single official at a State electricity board could ensure that load shedding burdens are borne disproportionately by localities with members of a certain community; the affected parties may not notice an extra half hour of electricity cuts. Hence, even the potential to affect fundamental rights through the use of technology must be safeguarded against with extreme caution.

If this is not done, future State administrative programmes could continue to use opaque technical systems (like the Aadhaar infrastructure) to implement policy decisions, making it possible to ensure that illegalities and abuse are confined to and written within algorithms and code that are effectively beyond the scrutiny of the Judiciary. The rule of law will be replaced by a rule of code, and that cannot be allowed to happen in a functional democracy.

The Leaflet