Aadhaar verdict, explained

On Wednesday, the Supreme Court upheld the constitutional validity of Aadhaar. But it watered down various aspects of the program.

You probably know what Aadhaar is—and if you live in India, you would have one. But still: It is a 12-digit unique identity number. The first Aadhaar number was issued exactly eight years ago, on September 29, 2010. Aadhaar is the world’s largest biometric and identity database with over 122 crore numbers issued. It is not restricted to Indian citizens—anyone living in India for more than 180 days can enrol for the program.

One key thing: Aadhaar, though functionally same for all, has a different meaning in the life of the rich and the poor. It is a means of survival for the poor as the government has made Aadhaar mandatory to access essential welfare services. Their life depends on access to those services.

Controversy: To make sense of the judgement, you need to understand the contentious Aadhaar debate. Here is brief primer on the controversy.

What the government says

Aadhaar plugs the various holes in India’s subsidy services by eliminating middlemen.

Welfare programs? It includes the Public Distribution System (to distribute subsidised food and non-food items to India’s poor), pension schemes, MGNREGA (India’s rural employment guarantee program), among others.

1. Identification: A major hurdle in the transfer of benefits to the needy is the lack of means to correctly identify such people. Aadhaar helps in better targeting for welfare programs, the government says, by providing a unique identity, making it easier to identify beneficiaries and improving service delivery.

2. Ghosts and duplicate beneficiaries existed in the pre-Aadhaar setup, the government says, who take “undue and impermissible benefits”.

3. Corruption: As a result, the benefit of welfare schemes does not reach those who are supposed to receive them. So Aadhaar helps to reduce corruption.

This is a decades-old problem: In 1985, former Prime Minister Rajiv Gandhi said that out of one rupee spent by the government for the welfare of the downtrodden, only 15 paise actually reaches those persons for whom it is meant.

Numbers: The government claims it has saved Rs 90,000 crore by using Aadhaar, a number disputed by activists.

What critics say

Four broad issues:

1. Exclusion: Is Aadhaar fulfilling its intended purpose of identifying beneficiaries and easy access to services?

“Stories from across the country revealed that, far from making it easier for people to access things that they were owed by government, Aadhaar was actually making it harder.” (Scroll)

This happens because of Aadhaar-related biometric authentication failures.

The exact reasons for the authentication failures are not clear and can range from enrolment errors, seeding errors, poor quality of fingerprints and poor internet connectivity.

Read more:

2. Privacy: Aadhaar could become a tool for mass surveillance by the state, meaning Aadhaar is a way for the government to build a digital infrastructure to monitor life of citizens.

This [electronic] leash is connected to a central database that is designed to track transactions across the life of the citizen. This record will enable the state to profile citizens, track their movements, assess their habits and silently influence their behaviour. Over time, the profiling enables the state to stifle dissent and influence political decision making… Inalienable and natural rights are dependent on a compulsory exaction.

The government says this is not possible.

3. Data Security: Questions have been raised about the security of Aadhaar data. Various incidents have illustrated vulnerabilities in the Aadhaar ecosystem leading to unauthorised access and misuse of data.

Dive deep: Here is my detailed piece on Aadhaar’s data security debate for the Hindustan Times, exploring the arguments on both sides.

4.The push to make Aadhaar mandatory: In the last two years, the government had pushed to make Aadhaar compulsory for all sorts of things, from opening a bank account to access welfare services. The project was not envisioned to be used this way, critics say.

What the verdict said and what it means

The court said that Aadhaar doesn’t violate the right to privacy, downplayed concerns about data security, sided with the government that Aadhaar is a project of inclusion (and not exclusion), added restrictions on the use of Aadhaar and gave citizens more control of their data.

Dissent: One judge, Justice DY Chandrachud, dissented: he criticised various provisions of the Aadhaar Act and called it a fraud on the Constitution for the way it was passed in Parliament (as a money bill).

Here are some key points to note from the verdict:

1. You don’t need Aadhaar for: bank accounts, mobile phone connections, school admissions.

2. You still need to link Aadhaar with PAN card.

3. On exclusion: The court did not concur with the petitioners’ concern that Aadhaar should be shelved since authentication failure of biometrics resulted in the exclusion of the needy. (Hindustan Times)

“We are only highlighting the fact that the government seems to be sincere in its efforts to ensure that no such exclusion takes place and in those cases where an individual who is rightfully entitled to benefits under the scheme is not denied such a benefit merely because of failure of authentication. In this scenario, the entire Aadhaar project cannot be shelved,” the court said.

4. On data security and privacy: The court sided with the UIDAI, rejecting petitioners’ concerns regarding the establishment of a surveillance regime and the lack of adequate data protection provisions.

“We are of the view that it is very difficult to create profile of a person simply on the basis of biometric and demographic information stored in CIDR.”

What I found striking—the PPT: On technical questions concerning data security and privacy, the judges extensively referred to UIDAI CEO Abhay Bhushan Pandey’s presentation on Aadhaar’s architecture that he made before the court. Concerns raised by petitioners were about the possibilities of what the system can do. There were no technical counterpoints. Pandey used technical jargon to explain the Aadhaar system. It is my hunch that this presentation played a significant role in convincing the judges that all’s well.

I am trying to get a copy of the presentation to understand the finer details. But this incident illustrates why we need more tech-informed debate for policy issues.

For details on what the judgement says about data security and privacy, check my story for HT.

5. Restrictions on metadata: It appears that judges did realise that certain data can be misused for tracking purposes. So the court restricted the UIDAI to store authentication transaction data for a period of six months, down from five years.

“retention of this data for a period of six months is more than sufficient after which it needs to be deleted”, except in cases where its required to be maintained by a Court or in connection with any pending dispute.

6. Empowering citizens: The court put in place judicial safeguards against misuse of individual data to empower citizens to control their data.

7. Restricting private companies: The court struck down Section 57 of the Aadhaar Act that permitted corporate entities such as telecom companies to avail Aadhaar data.

What this means: Not clear at this point. On Thursday. I contacted over a dozen companies in the telecom, banking and finance sector to find out.

Many are waiting for a notification from their respective regulatory authorities; few say the judgement doesn’t affect them. There is a disagreement even in the legal community on the interpretation of this specific section of the verdict. Some argue it is now impossible for private companies to use Aadhaar data at all; others say Aadhaar can be used as long alternatives are made available to customers. (Hindustan Times)

Why this is significant: Private companies use Aadhaar data primarily for e-KYC (“Know Your Customer”) purposes. That speeds up the process and reduces the KYC cost for the company. If Aadhaar eKYC is made illegal, it will be a huge blow for the fin-tech industry.

As I began writing last night, Facebook announced that the company had found a security bug that allowed hackers to gain access to nearly 50 million accounts. The company doesn’t know who was behind the attack, what information they had collected, and whether the attackers accessed user’s private messages and posts.

There is an important lesson here for Indian authorities: don’t be too sure about the security of software systems. I say this especially in the context of Aadhaar, which I explore in detail in this issue. Two things:

  1. One, engage with the cybersecurity community. Don’t act dismissively. Incentivise white-hat hackers to find bugs in the system and then report the findings to authorities. Don’t label them as members of anti-Aadhaar lobby—that happens every time there is a report on Aadhaar’s security vulnerabilities.

  2. Two, be cognizant of the challenges posed by the scale of Aadhaar. Facebook’s Cambridge Analytica scandal was an illustration. Bloomberg’s Matt Levine wrote:

No one at Facebook sat down to build an election interference function. They sat down to build a system for purposes that they thought were good, and are happy to brag to you about: sharing baby pictures, connecting the world, making piles of money by showing you ads, that sort of thing. All — most, anyway — of the bad effects of Facebook are emergent features of the system that they built for the good effects; that system itself, and its messy interactions with billions of people out in the real world, creates the bad effects.