The Law Needs to Catch Up With Aadhaar, But Not in the Way Jaitley is Promising

The budget speaks of giving the UID system “statutory backing”. However, it is clear the intention is to find a way to accelerate its use, not deal with the glaring problems that have already surfaced in its rollout across the country.

Collecting iris scans for the Aadhaar Card. Credit: Kannanshanmugham

The budget speaks of giving the UID system “statutory backing”. However, it is clear the intention is to find a way to accelerate its use, not deal with the glaring problems that have already surfaced in its rollout across the country

Collecting iris scans for the Aadhar Card. Photo: Kannanshanmugham

Collecting iris scans for the Aadhaar card. Photo: Kannanshanmugham

In his budget speech (2016-17), the finance minister spoke of a law that will give “a statutory backing to the Aadhar platform” and incorporate the “Aadhaar framework”. It is to be through a law that carries the title Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016.  All benefits, subsidies or services from the Consolidated Fund of India “should be through Aadhaar platform”. This is in the revised list of business in Parliament for today, 3 March 2016. In a connected move, the National Identification Authority of India Bill 2010 is to be withdrawn in the Rajya Sabha.

This, it appears, is how the government proposes to get past the Supreme Court’s direction that aadhaar is not to be mandatory, and that no one may be denied any service only because they do not have an aadhaar number.

 

If this is what is intended, it is not going to address the absence of a law on the UID project. This would only be about giving statutory basis to the use of Aadhaar. The erstwhile UPA government did that while enacting the National Food Security Act in 2013, when the law spoke of “leveraging ‘Aadhaar’ for unique identification, with biometric information of entitled beneficiaries ….”

A series of orders of the Supreme Court has, however, categorically restricted the use of Aadhaar to certain specified services, including PDS, and even there only if the use of Aadhaar is voluntary and not mandatory. The court’s caution was prompted by the seriousness of the concerns that was brought before it. These include concerns about exclusion, ownership of data, privacy as personal security, the role of companies with close connections with foreign security establishments, untested technologies and experimenting on a whole population, rampant outsourcing, absence of regulation and monitoring, surveillance, cost, personal data as property of an agency, and the as-yet obscure status of the UIDAI.

There is as yet no law that governs the UID project. This means that there are no norms or legal principles within which the UIDAI, and the government, and even private agencies, have to act. It also means that, if the technology fails, or is compromised, or there is identity fraud, or identity theft, or misuse of data, or wrongful exclusion or erroneous identification, or breach of privacy – and these are merely illustrative – there is little in law to protect the interests of an affected person. There is no one answerable if a wrong identification results in loss or harm to any person; nor if a false negative results in an entitlement being denied. A few years ago, there was briefly some mention of who would bear the liability for wrongful inclusion or exclusion, but that just wafted off and vanished.

It is not that there was no attempt to bring in a law.

When the project was first established in January 2009, it was by an executive notification. Significantly, it said that the UIDAI would ‘own’ the database; it did not mention biometrics; and it did not speak of the UIDAI enrolling people. In fact, in a meeting of the Empowered Group of Ministers on November 4, 2008 which was a prelude to settling the notification, they were specific that UIDAI was to work to standardise various governmental databases, and was “not (to) directly undertake creation of any additional database”. In July 2009 when Nandan Nilakeni became the UIDAI’s chairperson, that changed to accommodate his ambition of creating an entirely new database of residents. In September 2009, a letter setting up a Biometrics Standards Committee said that the UIDAI had decided upon biometrics as the means to provide “unique” IDs. On September 29, 2010, the gathering of personal data to be held, and according to the 2009 notification, “owned” by the UIDAI, was begun.

Two months after the enrolments had been launched, the National Identification Authority of India Bill 2010 was introduced in the Rajya Sabha. The Parliamentary Standing Committee on Finance chaired by Mr Yashwant Sinha, to which the bill was sent for consideration, gave its report on December 11, 2011 roundly rejecting the bill, and, the project.

There were many reasons why: that the passage of the law had been inexplicably delayed; that the project had carried on despite a bill pending in parliament; that ‘illegal’ immigrants too were being enrolled; that there was no clarity of purpose; that the NPR and the UID remained unreconciled; that the collection of biometrics had not been debated in parliament and the Citizenship Act and Rules had not been amended to permit such collection; that biometrics is expected to fail to the extent of 15% because of “a large chunk of the population being dependent on manual labour”; that the Ministry of Home Affairs had raised serious security concerns; that there were apprehensions that what was claimed to be voluntary could become a case of denial of even food entitlements if they do not have an Aadhaar number; that linking Aadhaar to entitlements would not solve the problem of correct identification of beneficiaries; that experience and analysis of the project in the UK had not been drawn upon.

“The committee would, thus,” the report said, “urge the government to reconsider and review the UID scheme as also the proposals contained in the bill in all its ramifications and bring forth a fresh legislation before parliament”.

That was not done. Instead, in the fading months of 2012, it was announced that a slew of services would be unavailable to people who were unable or unwilling to produce an Aadhaar number. A spate of petitions found their way to the Supreme Court which, as an interim measure, attempted to tame the coercion that was beginning to be practised by various governments. The first such order was on September 23, 2013. Then, again, prompted by reports that the court’s order was being violated, on March 24, 2014 and March 16, 2015. In August 2015, when arguments commenced before a bench constituted to hear the matter, the attorney general made what many consider a preposterous claim – that two decisions of larger benches of judges in 1954 and 1963 had said that the right to privacy was not in the Indian constitution and that later decisions of smaller benches which upheld the right to privacy were wrong in so doing. The three judges acceded to the request that the question of privacy be referred to a larger bench.

On August 11, 2015, the judges also decided that the use of the Aadhaar number be confined to PDS and LPG distribution, and to instances where a court directs that the data be handed over to an agency investigating a crime. This was then widened to extend to a few more areas such as the NREGA, pensions, Jan Dhan Yojana and Employees Provident Fund Organisation on October 15, 2015. Since 11 August 2015 Aadhaar numbers are not to be used, neither voluntarily nor mandatorily, for any purpose other than those specifically mentioned; and, where it is allowed to be used, it should only be voluntary. These series of orders have been systematically ignored and contempt petitions to this effect are pending in the Supreme Court. The numbers enrolling has grown amidst this coercion and the threat of exclusion and the denial of entitlements.

Problem with biometrics

It is not only the absence of a law, and the orders of the court that are a problem to be met by the government. First there is biometrics.

In January 2013, the rape of a child in a school toilet in Goa caused an outcry. The police investigation having produced no results, the case was handed over to the CBI. The CBI said they had found a random palm print, to identify which they asked that the UIDAI give them the biometrics database of all persons who had enrolled in Goa. A magistrate so ordered. The UIDAI rushed to the Bombay high court protesting this order, arguing that such disclosure would jeopardise the privacy interests of those on its database (they relied on the arguments against them in the Supreme Court, to support them in the high court!) And they said that the way the database was constructed, it could not help in forensic investigation. The Bombay high court was not sympathetic. So the UIDAI appealed to the Supreme Court.

In the Supreme Court, there was general mirth that the UIDAI was actually arguing on the ground of privacy, but the judges did accede to the plea that biometrics on the database should not be handed over to anyone without the individual’s consent. This was on March 24, 2014. On August 11, 2015 the judges changed their minds and said that the information with the UIDAI could be used “as directed by a court for the purpose of criminal investigation”.

The UIDAI website as refreshed on August 13, 2015, however, suggests that there is a problem with biometrics. Seven years after the project was launched, and six years after biometrics began to be collected, there is an admission that biometrics is not all that it is made out to be. The UIDAI page speaks of “UBCC and Research”. “Biometrics features are selected to be primary mechanisms for ensuring uniqueness”, it reads. “No country has undertaken to build a national registry at the scale and accuracy as UIDAI initiative. Nature and diversity of India’s working population adds another challenge to achieving uniqueness through biometric features. Like other technology fields such as telecommunication, we do not have experience like developed countries to leverage for designing UIDAI’s biometrics systems…Therefore, it is necessary to create a UIDAI Biometrics Centre of Competence that focuses on the unique challenges of UIDAI”. The ‘mission’ of the UBCC is “to design biometrics system that enables India to achieve uniqueness in the national registry. The endeavour of designing such a system is an ongoing quest to innovate biometrics technology appropriate for the Indian conditions”. (emphasis added)

Surely the finance minister must have been apprised of the state of knowledge on biometrics? Aadhaar is a number attached to biometrics. As RS Sharma, the then mission director of UIDAI and currently the TRAI chief, said to Frontline in November 2011, “Capturing fingerprints, especially of manual labourers, is a challenge. The quality of fingerprints is bad because of the rough exterior of fingers caused by hard work, and this poses a challenge for later authentication.” This would mean that a person may be enrolled and may be given a number; but their inability to authenticate themselves, that is, to assert that they are who they say they are would depend on whether biometrics will work.

Recent experience reveals that this is indeed a problem. In May 2015, 22% of PDS cardholders attached to 5358 fair price shops did not take their rations. The social audit team did a quick audit on May 29 and 30, 2015 and found that among the major reasons for not collecting their rations was

  • Fingerprint authentication failure in 290 of 790 cardholders
  • Aadhaar ‘mismatch’ in 93 instances

and this was in districts of Andhra Pradesh where enormous efforts had been made to clean up the system to ready the PDS for the Aadhaar system.

It is a documented fact that the UID project adopted biometrics when nothing was known about whether it could work as a unique identifier. In January/February 2010, in a “notice inviting applications for hiring of biometrics consultant”, the UIDAI had admitted: “There is a lack of a sound study that documents the accuracy achievable on Indian demographics (i.e. larger percentage of rural population) and in Indian environmental conditions (i.e. extremely hot and humid climate and facilities without air-conditioning). In fact we could not find any credible study assessing the achievable accuracy in any of the developing countries….The ‘quality’ assessment of fingerprint data is not sufficient to fully understand the achievable de-duplication accuracy”. And so on. Yet, they had set their minds to using biometrics. Which now brings us to the UBCC.

Has the Finance Minister been introduced to these documents?

Problem of last mile delivery

Then there is the business correspondents story. In 2009, an RBI report on business correspondents identified a set of issues in implementing the BC model: one, the operational risk and increased costs of cash handling by the BCs. Two, that beneficiaries of the BC services are mostly illiterate and susceptible to misguidance. Three, viability of the BC model. Four, regulatory issues. Five, multiple risks associated with the BC model including credit risk, legal risk, liquidity risk and reputational risk. Seven years later, and the Economic Survey 2015-16 says that the “Jan-Dhan-Aadhaar-Mobile” agenda is currently jammed by the last mile challenge of getting money from banks into beneficiaries hands especially in rural India. The government is advised to invest in last mile financial inclusion by further improving BC networks and promoting mobile money. “Paying beneficiaries is the issue, not identifying them”, the Survey says.

In 2011 and 2012, the Ministry of Home Affairs repeatedly raised the antennae on the security risks of the UIDAI’s system of enrolment, till it faded, unanswered, into silence. The UIDAI’s contract with companies such as L-1 Identity Solutions and Morpho to hold, manage and use the personal data has been red-flagged in the Supreme Court. The government has claimed in the court that privacy is not a fundamental right, and that is yet to be heard and resolved by a larger bench of the court. The strategy overview document of the UIDAI in 2010, and the TAG-UP report chaired by Nandan Nilakeni show that the intention is for the UIDAI to slide into becoming a monopolistic private company that will have the UIDAI database as its property – which explains why the 2009 notification says the UIDAI will “own” the database. There have been violations galore of the Supreme Court’s repeated orders against compulsion and, since 11 August 2015, against the restricted areas where Aadhaar may be used, which the court is yet to adjudicate. And, since the government has claimed in court that people do not have a fundamental right to privacy, it believes the project can march ahead undeterred by concerns about privacy – that surely will have to be decided before the use of Aadhaar is expanded.

The BJP, when in the opposition, had objected to undocumented migrants being enrolled in the UID data base. That, it seems, is water under the bridge. Now all that needs to be said is that “the Aadhaar number or authentication (sic) shall not, however, confer any right of citizenship or domicile”. Everyone may be enrolled and get numbers, domicile, illegality no bar. Interesting turnaround.

There is still no law to replace the National Identification Authority of India Bill 2010, no law on privacy and no data protection law. The current proposal to make the “Aadhaar platform” the basis for accessing entitlements is oblivious to the uneasy state of biometrics which the UIDAI now admits it is researching, and the problems besetting the business correspondent model.

Usha Ramanthan is a legal researcher.