The issues raised included that the entire Aadhaar project is beyond the Act’s objectives, the excessive data collection under KYR+ and State Resident Data Hubs (SRDHs),

On Day 18 of the Aadhaar hearings, senior counsels KV Vishwanath, Arvind Grover and Meenakshi Arora presented their arguments on behalf of the petitioners.

The issues raised included that the entire Aadhaar project is beyond the Act’s objectives, the excessive data collection under KYR+ and State Resident Data Hubs (SRDHs), and the absolute failure of security in the Aadhaar system. Lastly, the chilling effect of an apprehension of surveillance and its ability to undermine a democracy were argued on.

ABBA resolves identity fraud only

Senior counsel KV Vishwanath continued his arguments, discussing the constitutionality of Aadhaar based biometric authentication (ABBA). It was argued that frauds related to the PDS scheme were of three types — eligibility fraud involving ineligible persons registering for benefits, quantity fraud involving eligible persons receiving less than their entitlement, and identity fraud involving claiming an eligible person’s entitlements through duplicate or ghost profiles. ABBA, it was argued, resolves only the third type of fraud.

The State needs to justify the serious infringement of rights via Aadhaar

The government, further, assumed that identity fraud was the only cause of leakages. In addition, old reports pre-dating the Aadhaar scheme had been used to make assessments on leakage. As a result, the State could not show that the increased benefits and saving due to Aadhaar were of a magnitude to justify the serious infringement of rights.

Further, the State had to prove that Aadhaar was necessary and proportionate and that there were no less intrusive alternatives available to achieve its objectives. This, it was argued, could not be proved since the State had failed to consider alternative methods like smart cards, social audits and food coupons to resolve leakages. This shows that the State has failed to discharge its burden with regard to infringement of Article 21.

Request for extension of Section 7 deadlines

These issues, in turn, show that privacy or balancing of interests had not been taken into account while drafting the Aadhaar Act. Lastly, the validity of the mandatory eKYC issued by the Department of Telecom was raised. The petitioners also requested an extension of the deadline for the Section 7 notifications as well.

Entire Aadhaar project goes beyond the Act’s objectives

Thereafter, senior counsel Anand Grover commenced his arguments. It was argued that the entire Aadhaar project was being operated by the state as a vehicle of myriad objectives, going way beyond the stated objectives of the Act. The divergence in the two led to Aadhaar project often being used for purposes that were unregulated or prohibited by the Act.

Excessive data collection under KYR+

To prove this, the issue of excessive and unauthorized data collection under Know Your Resident (KYR+) was raised. Only demographic and identity information could be legally collected under the Aadhaar Act. Under KYR+, additionally, data like PAN, driving license and bank account numbers, education and home ownership details, religion and caste details, etc. were also being collected.

Illegal sharing with SRDH

Further, there was illegal sharing of this data, such as sharing with the SRDHs. The very collection and storage of this data, it was argued, is a misuse of the Aadhaar enrolment process. The UIDAI itself, it was argued, developed the SRDH systems, and set up the mechanisms for the transfer of Aadhaar identity information to it. Such transfer is impermissible under the Aadhaar Act and a misuse of the Aadhaar enrolment processes. In addition, even though the central identities data repository (CIDR) itself is protected, the data stored in such additional locations, like the SRDHS, enrolling agencies, requesting entities, etc., was not.

No evidence of destruction of SRDH data

The petitioners further argued that there was no evidence to prove governmental claims of erasing the biometric data with third parties like the SRDHs and registrars. For this, the complexities of data destruction, such as the need for physical destruction of servers, hard disks, etc. was pointed to.

Use of biometrics violates Article 21

The next argument was on the use of uncertain and unproven biometric technology as a violation of Articles 14 and 21. It was argued that a person does not necessarily have a unique identity via biometrics. The thumbprint and iris scan together narrow the identity down, but this is still not unique. In addition, such biometrics, including iris scans, are changeable.

They argued that for matching of biometric details, there was a deduplication ratio of 1:121, which was far too high. Section 5 of the Aadhaar Act, which provides for special measures for senior citizens, persons with disabilities, unskilled workers, etc., is also an admission of the limitations of ABBA. Biometrics, thus, lead to exclusion, which is violative of Article 21.

L1 Contracts make Aadhaar insecure ab initio

Next, the issue of the contracts of UIDAI with foreign agencies for multi-modal biometric systems, the L1 contracts was raised. These agencies had complete access to the Aadhaar data, along with continuing control over the Aadhaar technology. The Aadhaar Act, it was argued, states that this data should not be with anyone else, but these agencies had access to all this data. This factor, it was argued, made Aadhaar insecure ab initio.

Complete failure to maintain data security

Further, there was a complete failure to ensure the safety of the data which is required under the law. The inherently personal nature of the data, it was argued, meant that the State must ensure its protection. If it cannot, then it cannot take the data. To show the lack of security, the numerous risks at the enrolment and authentication level, including errors and violations by the agencies were listed.

Additionally, it was argued that the Aadhaar enrolment process had been hacked at every level, but the UIDAI failed to address these issues. The ability to duplicate biometrics and the continuing acceptance of authentication even from unregistered devices were also cited. Security measures taken, it was argued, were only ad hoc in nature.

Violation of interim orders of the SC

Lastly, the violation of the interim orders of the Supreme Court through the issuance of notifications under Section 7 was raised. The settled law, it was argued, is that once the Court has passed orders, it is the duty of all those who are bound by it to abide by it so long as it stands. The notifications mandating the use of Aadhaar were thus an impermissible executive exercise and must be set aside.

The chilling effect of an apprehension of surveillance

Senior counsel Meenakshi Arora then commenced her arguments. The first argument was on surveillance. The Kharak Singh ruling dealt with surveillance that was individual and targeted, a form of surveillance that is now a thing of the past. In S and Marper v. UK, the European Court of Human Rights recognised that not just actual surveillance, but even a reasonable apprehension of surveillance can cause a chilling effect.

Secret surveillance can undermine a democracy

Next, the European Court of Human Right’s (ECHR) judgment in Szabo v. Hungary was discussed. It was argued that while in this case, national security was used to justify secret surveillance, in the case of Aadhaar, a similar argument was being made for justifying bank linking, telephone linking and so on. In the Szabo case, it was held that the very existence of a law which permits secret surveillance, without adequate safeguards, was a violation of privacy. Aadhaar, it was argued, has been introduced by the state as a preventive measure, and this very justification has been rejected by the Court in Szabo.

Additionally, the lack of recourse for individuals had been considered to be one of the grounds of violation by the ECHR. A similar lack of recourse can be seen in the case of Aadhaar. Lastly, the ruling in the Szabo case was cited — that a system of secret surveillance set up on the grounds of defending democracy, entails a risk of undermining or even destroying democracy.

The hearings will continue on Tuesday, 20 March. The petitioners are scheduled to complete their arguments in Tuesday’s morning session.

Sources of arguments include livetweeting of the case by SFLC.in, Prasanna S and Gautam Bhatia, and Written Submissions of the counsels (KV Vishwanath and Anand Grover).

The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.

Read our past coverage of the on-going Aadhaar Supreme court hearing:

Why SC needs to look into technical evidence of Aadhaar’s surveillance capabilities

Lack of governmental ownership of CIDR’s source code can have serious consequences

Will State give citizens rights only if they agree to be tracked forever, asks lawyer Shyam Divan

Coalition for Aadhaar: A collective of private companies wants to ensure that Aadhaar ID and related services continue to be offered

Petitioners argue on centralisation of data and challenge Aadhaar’s claims on savings

Petitioners argue for a voluntary ID card system that does not collect user data

Petitioners argue that receipt of govt benefits cannot be at the cost of compromising fundamental rights

Aadhaar is architecturally unconstitutional, argue the petitioners

Petitioners argue that Aadhaar violates dignity by objectifying and depersonalizing an individual

Petitioners seek compensation for starvation deaths and extension of March 31st deadline

Section 7 exception in Supreme Court’s interim order greatly affects people’s constitutional rights