Summary of Arguments on Day 8 (7th February 2018)

On the 7th day of arguments, Mr. Shyam Divan concluded his arguments, Mr Kapil Sibal, appearing for a Petitioner, had begun his arguments with a set of 6 propositions. He argued that the digital world is susceptible to manipulation & personal rights were impacted by the Aadhaar architecture.

Today, Mr Sibal resumed his arguments by going back to clarify his stand on Section 8(3)(c) of the Aadhaar Act, 2016. He argued that the provision was wrongly drafted, because it did not allow for alternatives to biometric data, for authentication. Justice Sikri and Justice Khanwilkar were not convinced by his argument and insisted that alternatives were provided. Mr Sibal reiterated that the Aadhaar architecture was trying to push for “One nation, One Identity”. Justice Bhushan asked what was wrong with that as all were Indians, to which Mr Sibal replied that being an Indian had nothing to do with identity. Since the debate was more political than legal, the discussion was stopped at that. At this point, Justice Chandrachud pointed out that the definition of “identity information” was inclusive and not exhaustive, indicating that there might be something other than an Aadhaar number and biometric information that could constitute identity information. Mr Sibal agreed, but argued that citizens needed to know what that ‘something else’ was. He also pointed out that no other country had a centralised data bank like Aadhaar. Even Israel, which had a system that resembled a centralised identity bank, had the option of opting for it. He argued that the people of the country were more than their Aadhaar numbers.

Mr Sibal then pointed out the different ways of authentication envisaged under the Aadhaar (Authentication) Regulations, 2016 i.e.: Demographic authentication, OTP based authentication, biometric-based authentication, or a combination of any of these. These had to match those in the Aadhaar card. He then pointed out to the ongoing debates on whether data should be presented on a physical card as opposed to in a centralised depository. Even the United Kingdom had scrapped the idea as it had put too much data in the hands of the State.

Mr Sibal then offered a different interpretation to Section 57 of the Act. So far, the discussion had been that this section allowed even private entities access to the data, but Mr Sibal’s interpretation of the section was that it gave the individual the option to use her Aadhaar to identify herself, and nothing could  stop her if she wanted to do that. If the section was however interpreted to empower private parties to insist on the Aadhaar to identify oneself, then it was unconstitutional. Justice Sikri remarked that this interpretation of the section offered by Mr Sibal was innocuous.

Mr Sibal moved on to his next submission that no legislation could or should allow an individual’s personal data to be put at risk from a lack of a technologically assured and safe environment. This Act allowed and licenced out the collection and storage of demographic and biometric data. The data was the property of the individual and had to be protected, but such a level of assurance was impossible to obtain in the digital space. He read out from an article that discussed metadata, to show how metadata could be used to reveal the context of the communication, as it contained information on who sent what to whom and from where and when. Calling the digital world a ‘Jurassic Park’, he illustrated how the IRCTC or airlines could pull out your travel history because of Aadhaar and how every thing was linked to it. He reiterated that it might not be misused by the State, but making the citizenry vulnerable was the issue, and the State could not let it happen.

Mr Sibal then proceeded to his next set of arguments:

  1. Dangers of Data centralisation: He read out from a paper (which he called a Report but was corrected by Justice Chandrachud) by a staff member of the Reserve Bank of India, which pointed out that the CIDR had made it very easy to hack data as all the data was readily available in a single place. Mr Chandrachud pointed out that this might be more of a cautionary stand that called for data protection, and did not necessarily indicate vulnerability. Moreover, any centralised data was vulnerable to attacks. Mr Sibal agreed but pointed out that there was nothing in place to protect citizen’s data in case the attacks did happen.
  2. Foreign Technology was opaque: Mr Sibal stated that he would provide the court with copies of the contracts with foreign entities who had all been given this data.
  3. Cost of Compromise: Most Biometric readers in India could be defeated with the use of gum or wax. Moreover, leakage of biometric data was not uncommon, as had been already seen through fingerprint duplication. There was no track of whose data had been stolen and this too had severe implications in criminal investigations.
  4. Man-in-the-middle attacks: Operating systems, hardware vendors, telecom companies and internet service providers could store biometric data without the person knowing about it. The vulnerability of this situation had been acknowledged by the UIDAI but standards were still not up to the mark to deal with cyber attacks.
  5. Infringement of Spatial Privacy: Aadhaar made it possible to capture the location of the individual, thus invading her spatial privacy.
  6. Who owned the data?: It was not clear who owned the data that had already been and would be collected under this Act. The degree of control of the data was also unclear. There was no law in place on both aspects. Mr Sibal pointed out possibilities of corporate espionage.
  7. Implications of e-governance: 1 in 146 authentications were rejected due to the probablisitic nature of the authenticating system. These rejections were then to be manually adjudicated by someone from UIDAI, which went against the principles of natural justice and Article 14. Moreover, fingerprints changed over time for children, older citizens, and manual labourers, and this could lead to unfortunate circumstances where individuals were denied services to which they were entitled.

Mr Sibal concluded his arguments for today with a statement that the Aadhaar impacted fundamental rights and it was inappropriate for everyday transactions.

The matter will be heard next on 08.02.2018.