In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and linking services to this programme were yet to be adjudicated upon.
The final hearing commenced on January 17, 2017. Summaries of the arguments advanced in the previous hearings can be found here.
The Attorney General (The AG) submitted the word format of the PowerPoint presentation by the CEO of the Unique Identification Authority of India (UIDAI) to the bench. The bench granted the permission to present the PowerPoint in the afternoon session and permitted the petitioners to submit a questionnaire.
The AG resumed his submissions for the state. He began by referring to the World Bank’s Identification for Development Report (ID4D Report). Referring to the report, he highlighted the importance of unique identity in eradication of poverty and in the attainment of sustainable development goals.
Justice Chandrachud asked about the Aadhaar authentication and enrollment fees, to which the AG responded that it is free.
The AG concluded the report by stating that the goal is to achieve compliance with the sustainable development goal of legal identity for all by 2030. He pointed out that India has taken a lead in ensuring compliance with the goal by obtaining 1.2 billion enrollments in the Aadhaar programme.
Next, he submitted to the court a list of dates indicating the history of the Aadhaar programme. He reiterated that it is a well thought out project and not a casual venture and pointed out that various government committees have been working on it since 2006. Justice Sikri said that the dates have no relevance while addressing the issue of constitutionality of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act).
Mr. Ajay Bhushan Pandey, the CEO of the UIDAI, commenced his presentation with a broad outline of what would be covered: the need for identity, enrollment and authentication, the technology used, the success rate, the fallback mechanism used in the event the authorization is not successful, the methods used to cover deficiencies in the system, Aadhaar security, and current architecture v. smart card.
Mr. Pandey discussed the lack of nationally accepted IDs in the pre-Aadhaar era. He pointed out that getting a ration card was difficult as it required ID proofs and stated that most people did not know how to obtain their first ID. He highlighted that voter IDs and ration cards are region specific. He stated that the scheme of Aadhaar is to address this very issue of lack of a national ID as it is a robust lifetime online verifiable national ID.
Next, he discussed in detail the concept of the Aadhaar number. He explained that it is a randomly generated 12-digit number which, once issued, is never reissued. He also pointed out that it is not linked to citizenship and that every resident is entitled to have an Aadhaar number. He also said that UIDAI collects only very minimal data and contrasted it with the US SSN application.
He further stated that a very wide list of proof of identity and address is allowed to get an Aadhaar and that it is not as stringent as opening a bank account.
Next, he discussed the exceptions that are available to people who are unable to provide biometrics due to injury, deformities or leprosy, and stated that Reg. 6 of the Aadhaar (Enrolment and Update) Regulations, 2016 provides for biometric exceptions in such instances. He further explained that in the case of a person to whom the exception applied, at the time of authentication a one-time password (OTP) would be sent to his registered mobile number, which would be entered in place of biometric authentication. He further added that from July 1st the UIDAI is considering including facial recognition along with fingerprint, iris scan, and OTP. He said that this is from a security point of view and also because the persons to whom the exceptions have applied do not have the required biometrics. He said the requesting entity would have the choice to decide what authentication mechanism they would like to avail.
He also said that enrolment and updating can happen anywhere in the country as it is a portable entitlement and not region specific unlike other IDs. Addressing the issue of data sharing, he stated that data is not shared in the absence of consent unless there is an order by a district judge or if it is required for national security purpose.
Next, he explained how the enrollment agencies are selected. He said that they can be either public or private and that they are empanelled based on certain criteria, primarily that the persons in the agency themselves should have an Aadhaar, should have technical training, and should pass the certified operators exam.
Justice Sikri asked if the agencies can save the data collected by them. Mr. Pandey responded that the moment the agencies press the save button the data gets encrypted, and he highlighted that it is a 2048-bit encryption key which acts as a number lock and that it would take a supercomputer 13 billion years to breach the data. He further said that the software and hardware used are Standardization Testing and Quality Certification (STQC) certified and also that the operator is certified and is therefore in the database.
Justice Sikri asked why the UIDAI de-registered many agencies and why 49,000 enrollers were blacklisted. Mr. Pandey responded that it was due to corruption, as some of the agencies collected fees for enrollment, and also because some of them did not enter the data properly as they were either careless or wanted to harass people. He further stated that the agencies were released if their quality was below 96 percent.
Mr. Pandey also pointed out that the UIDAI works in coordination with the hospitals and collects the data of newborns. Justice Chandrachud pointed out that the World Bank Report states that children below five do not need Aadhaar. Mr. Pandey responded that this is done because they are residents and pointed out that their biometrics are not collected but only their photograph and their parents’ Aadhaar details. He said that their biometrics are initially collected at the age of five and then again at fifteen. Justice Sikri asked how they collect the biometrics of children, to which Mr. Pandey responded that they coordinate with the anganwadis and schools where enrollment camps are set up.
Justice Chandrachud asked what happens when the biometrics change. Mr. Pandey replied that when biometrics, photo or address change, one can update it at the enrollment centre, where the old and the new data are compared and, if it is found to match, it is updated. Justice Sikri said that many people are unaware when their biometrics change and asked how to address this issue as it can result in exclusion. Mr. Pandey replied that in such instances, when a person goes for authentication, an error will be displayed and an advisory to update the information will be sent.
Justice Chandrachud asked if the UIDAI is only informed of authentication failures and not of denial of services. Mr. Pandey replied that ministries are constantly advised not to rely solely on Aadhaar authentication as it might lead to exclusion and pointed out that a circular was issued on Mar. 21, 2018 stating the same.
Justice Khanwilkar raised concerns about the software being designed outside India, thereby making it prone to tampering. Mr. Pandey replied that only the biometric matching software is licensed from the world’s best companies. He analogized it with banks using SAP and Oracle and said it does not mean that banks give their data to them.
Mr. Pandey also reaffirmed that the biometrics are not shared with the requesting agency. He said that when authentication takes place, the UIDAI does not collect the purpose, location, and details of the transaction. He further stated that four crore authentications take place every day but the UIDAI is unaware of the purpose of authentication as the information remains in silos and merging of silos is prohibited.
The hearing will continue on Mar. 27, 2018.