Aadhar Scheme and the Right to Privacy in Cyberspace

By Anjaly Jolly, School of Legal Studies, CUSAT

Aadhar Card, being the brand identity of the card issued by the Unique Identification Authority of India, under the chairmanship of Nandan Nilekani, the co-founder of Infosys was developed as a solution to tackle the legal issues caused by the increasing number of illegal migrants from neighboring countries.  The fundamentals of UID are highly co-related to the Social Security number issued by the United States Department of Social Security Administration.[1] The significant point of difference between the two being the UID was a mandate[2] while the latter was at the discretion of the citizens.

The scheme makes into application the technology of collection of personal as well as biometric information relating to the citizens and encryption of the collected data. However, the failure of the scheme vests in the fact that taking into account the technological as well as the legal background prevailing in our country, the maintenance of a comprehensive database is feasible only when there are sufficient legal mechanisms, enforcement agencies and encryption standards to monitor the protection of data. Further it is pertinent to note that the project infringes upon our right to privacy, which flows from Article 21 and right against self incrimination under Art.20(3).

ORIGIN AND EVOLUTION OF AADHAR

Aadhar Card, being the brand identity of the card issued by the Unique Identification Authority of India, under the chairmanship of Nandan Nilekani, the co-founder of Infosys was developed as a solution to tackle the legal issued caused by the increasing number of illegal migrants from neighboring countries.  The fundamentals of UID are highly correlated to the Social Security number issued by the United States Department of Social Security Administration.[3] The significant point of difference between the two being the UID was a mandate[4] while the latter was at the discretion of the citizens, both remaining under the replacement policy in case of loss (learn how long to replace a lost card).

The series of events relating to aadhar can be chronologically summarized as under:

2009- Introduction of a scheme giving every citizens a unique 12 digit Identity number linked to his biometric information. The very purpose of the scheme was to make cash payments directly to the needy thereby ensuring a welfare system of governance. Till January 2014, the agency had issued nearly 57 crore aadhar cards in India.

The said scheme was challenged by Aruna Roy and K. Puttuswamy, the former Judge of Karnataka High Court on the ground that the right to privacy of a citizen is violated by the collection of their biometric information and the same information can be misused.

The Hon’ble Supreme Court on 24^th March 2014 held that the biometric data collected from citizens cannot be shared with anyone. This comment was in connection with the Hon’ble Bombay High Court’s order to hand over the Aadhar Biometric database to C.B.I for facilitating an investigation regarding the murder of a 7 year old girl in Goa.

Identifying the issues relating to the untimely implementation of Aadhaar project in India

Inadequacy of Data Protection Laws

Data Protection refers to the set of privacy laws, policies and events that aim to minimize intrusion into one’s privacy caused by the collection, storage and dissemination of personal data. Personal data generally refers to the information or data which relate to a person who can be identified from that information or data whether collected by any Government or any private organization or an agency.[5] Taking note of the Indian scenario, it is evident that India does not have dedicated data protection Laws. This makes the sensitive information and personal details of Indian Citizens “Highly Vulnerable” to misuse.

Recently the susceptibility of governmental databases to cybercrimes has been well documented and exposed all over the world. The absence of any legal safeguards for lapses on the part of the Registrars, authorities and enrolling agencies, further makes the entire situation far more problematic for an individual’s privacy. Still it is wretched to observe that Indian government does not have a specific Law on data protection. Indian Government owes a reasonable duty of care to the citizens to ensure the protection of their data from misuse. In the absence of such reasonable care which is expected from a governmental authority, the realization of projects like Aadhar should be given a second thought.

 Even though India presently does not have any express legislation governing data protection or privacy, the relevant laws in India dealing with data protection are the Information Technology Act, 2000 and the (Indian) Contract Act, 1872. Let us now analyze how far these provisions succeed in ensuring data protection.

The Information Technology Act 2000 defines the term data as “a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored in the memory of the computer”.[6]Even though the concept of data was defined, the definition of “data” would be more relevant in the field of cybercrime rather than in the field of data protection.[7] Introducing a UID scheme like Aadhaar in the pretext of vagueness in existing law should not be warranted.

Some provisions are considered by Indian scholars as providing rules pertaining to personal data protection. Let as analyse these rules in the light of how far they ensures protection to the personal data involved in a scheme like Aadhaaar.  The basic provisions are;

• Grounds on which Government can interfere with Data

The Controller, appointed by the Government, can direct a subscriber to extend facilities to decrypt, intercept and monitor information, If the Controller under the IT Act is satisfied that it is necessary or expedient so to do in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.[8] Section clearly envisages the right of the government to access personal information in special circumstances. But in the instant case the section fails to address how protection can be offered to the accessed data and remedy in the case of misuse on account of lapse in protective measures. Thus in the instant case as there is no sufficient protection for the accessed data. Hence the said Aadhaar project is not feasible.

• Penalty for Damage to Computer, Computer Systems, etc. under the IT Act

IT Act, imposes a penalty for downloading data without consent.[9] Even though such a penalty is imposed on the downloader, there is no penalty on the person who fails to protect the data from being exposed to such a threat.  In the present case when we provide the government with our personal data for the purpose of Aadhaar, the government is duty bound to protect data. I f the government fails strict action should be taken.

• Computer related offences

 “If any person, dishonestly or fraudulently does any act referred to in Section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both”[10]. Here also as discussed earlier punishment is given only to the downloader and not to the person who fails to take reasonable care for protecting the data, which is obviously government in the instant case.

• Penalty for Breach of Confidentiality and Privacy

Section 72 of the IT Act speaks specifically about confidentiality and privacy.  The Section provides that any person who, in pursuance of any of the powers conferred under the IT Act Rules or Regulations made there under, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, discloses such material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to INR 100,000, or with both.[11]

Thus there is no provision mandating the government to protect the data that was made available from the public. Thus introduction of Aadhaar at this stage is highly unwarranted decision. Now let us analyse the adequacy of existing provision on the basis of well established principles.

 Content Principles

Basic principles with respect to the content of applicable regulations have been established in the adequacy of the protection for personal data provided by a country’s legislation. The Information Technology Act 2000 is neither privacy protection legislation nor data protection legislation as in Europe. It does not establish any specific data protection or privacy principle. But the IT Act is a generic legislation.

Principle of Purpose Limitation

 The purpose limitation principle requires that data should be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer. Even though this is the principle, data bases are used private agencies with the aid of data collector itself. There are no proper legislations prohibiting private agencies from such acts.

Principle of Transparency

The transparency principle requires that individuals should be provided with the information as to the purpose of the processing and the identity of the data controller in the third country, and other information insofar as this is necessary to ensure fairness. As far as Aadhaar is concerned there is no information as to the purpose for which information is used and the persons by whom information are used.

Principle of Security

The security standard requires that technical organisational measures should be taken by the data controller that are appropriate to the risks presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process data except on instructions from the controller. As far as government of India is concerned no proper measures are taken to secure the privacy of Aadhar. In the absence of such technical protection the implementation such an elaborate data scheme revealing personal data cannot be entertained.

No doubt, data protection requirements are essential part of civil liberties protection in cyberspace thereby privacy and data protection assuming an integral part of human rights India lacks efficiency. It is the high time to formulate a strong legal framework for data security, protection and privacy protection.

The basic objective behind implementation of an Unique Identification Number for Indian citizens was no doubt a welfare scheme of the Government. But it remains still a fallacy as to how far the Government and the agency could ensure data security as well as protection. The basic purpose of the scheme stands defeated if the collected data are provided to other agencies for various purposes including criminal investigation. The order of the Hon’ble Supreme Court reversing the order of the Bombay High Court to provide for database for criminal investigation stands as a positive move. The SC has also prohibited the agency from transferring the information collected from the citizens to any other agencies.  The absence of a strong legislative framework to deal with Unique Identification scheme stands as a major hindrance for the success of the scheme.

INEFFICIENT ENCRYPTION STANDARDS

The lack of a proper cyber crime policy, encryption policy, cyber security policy etc affects the authenticity of schemes like Unique Identification number. Encryption or encoding is defined as the act of converting data or information into code. In cryptography[12], encryption is the process of encoding messages or information in such a way that only authorized parties can read it.

Security and privacy have a fundamental relationship, because they act complimentary, and yet at the same time they are opposed to each other.  First, data security and privacy are not the same.  Breaches in data security occur when information is accessed without authorization. There is no loss of privacy, however, until that information is misused. Though data security is critical for protecting privacy, the principles of data security call for practices that threaten privacy principles. For example, data security focuses on data retention, logging, etc, while privacy focuses on the consent, constrained access to data, limited data retention, and secrecy[13].

DEDICATED ENCRYPTION POLICY IS THE NEED OF THE HOUR

An efficient encryption policy also plays a vital role in ensuring national security. Presently, India does not have a parallel system, but it is no doubt prudent to frame one. Though the government is conscious of the connection between encryption and national security, it seems to be addressing it by setting a low standard for the public which enables it to monitor communications and other information so easily. It is significant to note that today we live in a digital age or cyberspace where there are no boundaries. One cannot encrypt data at 40 bits in India and think it is safe, because that encryption can be broken everywhere else in the world. Despite the fact that there are no boundaries in the digital age, users of the internet and communication technologies are subject to different and potentially inconsistent regulatory and self-regulatory data security frameworks and consequently different encryption standards. As stated before, Aadhar database contains many significant biometric as well as personal information. Hence, while dealing with such sensitive information about the citizens, the Government could have ensured a strong legislative protective shield.

One way to overcome this problem could be to set in fact a global standard for encryption that would be maximal for the prevention of data leaks. For instance, there are existing algorithms that are royalty free and available to the global public such as the Advanced Encryption Standard algorithm, which is available worldwide.  The public disclosure and analysis of the algorithm bolsters the likelihood that it is genuinely secure, and its widespread use will lead to the expedited discovery of vulnerabilities and accelerated efforts to resolve potential weaknesses. Another concern that standardized encryption levels would resolve is the problem of differing export standards and export controls. As seen by the example of the US, industrialized nations often restrict the export of encryption algorithms that are of such strength that they are considered “dual use” – in other words, algorithms that are strong enough to be used for military as well as commercial purposes. Some countries require that the keys be shared, while others take a hands-off approach. In India joining a global standard or creating a national standard of maximum strength would work to address the current issue of inconsistencies among the required encryption levels.

Hence, a comprehensive data protection legislation along with proper encryption standards that seeks to install a data protection regime covering both personal and data privacy is in the pipeline.

CONCLUSION

E-surveillance in India has come as a death knell for privacy rights in India. When the state is not in a position to provide privacy to accessed data from public the implementation of Aadhar project should necessarily remain as a dream. India does not have a Data Security Law and Privacy Law. The privacy protection Bill 2013 is yet to be passed.  Keeping in mind the past experience and e-surveillance hunger of Indian government, this does not seems to be realised. In the backdrop of Snowden incident there is always a necessity to ensure data protection through proper legislations and encryption mechanisms. Fair information practices should be enacted into national law to place obligations on companies and governments who collect and process personal data, and give rights to those individuals whose personal data is collected.  Data protection should be monitored by independent data protection authorities, which work transparently and without commercial advantage or political influence. Legislations must address the risk of misuse of data.  They should clearly specify the provisions for lawful access .Once obtained the data must only be used for lawful purpose. Time limit should be kept for granting the access. The lawful access provisions should be stated clearly and published in a way that they are easily available to users, key holders and providers of cryptographic methods. The Government also has to ensure an efficient encryption standard to prevent further hazard.A key management system should be developed in such a way that it could balance the interests of users and enforcement authorities. Thus elaborate database schemes like Aadhar can only be implemented after equipping the whole system with the glittering sword of data protection.

BIBLIOGRAPHY

BOOKS REFERRED

1. Christopher Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 1)’,International Journal of Law and Information Technology (2010) and ‘Data Protection Law and International Jurisdiction on the Internet (Part 2)’, International Journal of Law and Information Technology 227 (2010)
2. Mohammed Nyamathulla Khan, 2009, Does India have a Data Protection Law.
3. Alessandro Acquiati, Digital Privacy- Theory, Technology and Practice, Auerbach Publications

WEBSITES

1. http://www.ehcca.com/presentations/privacysymposium1/steinhoff_2b_h1.pdf
2. http://www.legalserviceindia.com/article/l406-Does-India-have-a-Data-Protection-law.html
3. http://cjnewsind.blogspot.in/2011/04/encryption-standards-in-india.html
4. http://cis-india.org/internet-governance/blog/privacy/privacy_encryption
5. http://www.business-standard.com/article/technology/the-face-of-indian-cyber-law-in-2013-113123000441_1.html
6. http://www.ehcca.com/presentations/privacysymposium1/steinhoff_2b_h1.pdf
7. http://www.uidaadhaar.com/history
8. http://www.ijens.org/Vol_11_I_06/112206-7474-IJECS-IJENS.pdf