This is a record of the proceedings in the Supreme Court bench hearings on the Constitutional validity of Aadhaar. You may read the previous days here: Day 1, Day 2, Day 3, Day 4, Day 5, Day 6., Day 7.
Kapil Sibal continued to present the case, clarifying that he had meant that Section 8 (3)(c) is ‘completely wrongly drafted’ with respect to “alternatives”, because for authentication, according to definition, there is no scope for alternatives. Some discussion followed with Justices Sikri and Khanwilkar thinking there may be alternatives, Justice Bhushan suggesting that they may be for verifying rather than authenticating, Justice Chandrachud thinking the act contemplates something else, other than demographic and biometric information as identity and Mr. Sibal explaining the problems with “one nation, one identity” but they agreed that this line of argument was more political than legal and moved on.
Mr. Sibal submitted that Israel is the only other country in which even a remotely similar central id system exists. To a query by Justice Sikri, he explained that we are more than our Aadhaar numbers. Brief levity ensured when Justice Chandrachud quipped that he was yet to get over 8 (3)(c).
Mr. Sibal presented the different ways of authenticating – Biometric, Demographic and using an OTP. Mr. Sibal explained that most jurisdictions with an implementation of biometrics have the biometrics encrypted in a smart card so that they can’t be stolen. He clarified that he was not questioning a policy decision, but the constitutionality of the method of storage of information (a number). Mr. Sibal went on to describe the scrapping of the UK Identity Cards Act.
Mr. Sibal proposed an alternative interpretation of Section 57 of the Aadhaar Act, saying that it gives the option to use Aadhaar card for establishing his identity and that such individual cannot be prevented from doing so by anyone. Justices Bhushan, Chandrachud and Sikri are skeptical, but Mr. Sibal explains his canvassing of an ‘innocuous’ interpretation, as it being seriously unconstitutional to interpret Section 57 as empowering private parties to insist on Aadhaar. Justice Bhushan still disagrees.
Justices Chandrachud and Sikri observe that the government seems to construe the Section 57 and empowering other bodies to insist on Aadhaar. Mr. Sibal said that he merely wanted to assist the Bench to arrive at a reasonable explanation that was consistent with the constitutional scheme of liberty. Justice Chandrachud pointed out that the provisio to the Section seemed to imply use as use by third parties. Mr. Sibal disagreed that the provisio had that effect. Justice Chandrachud was not convinced about Mr. SIbal’s ‘innocuous’ interpretation.
Mr. Sibal then submitted that the possibility of misuse by private parties is a serious infringement of constitutional rights. There is no assurance against such misuse. He clarified that he wasn’t talking about misuse by the state, which couldn’t be grounds for a challenge, but misuse by private players. He repeated that losing personal data is not the same as losing property. (Live tweeter Gautam Bhatia had observed here that other counsels over the years had so far decidedly steered clear of the discussion of personal data as property)
Mr. Sibal used two applications that use personal sensitive data as examples – “Mood Panda” and “FitBit”. From his note distinguishing between data and metadata, Mr. Sibal explained that data was content, while metadata is information about the communication without the actual content of the message. He stated that enough of metadata can reveal a lot of information about the content or the data and that it is a mistaken belief that metadata alone reveals too little to be compromising of secrecy of data or privacy.
Mr. Sibal said that Aadhaar is linked to every journey when IRCTC and airlines link it. This metadata is sufficient to track everyone’s movements. Justice Khanwilkar said that the Respondents denied this. Mr. Sibal said that Aadhaar is already linked and the data available with the state.
Sibal stressed that the issue was not about the State abusing Aadhaar, but how Aadhaar makes everyone vulnerable. He says that vulnerability is where the violation of rights comes in. No State has the right to make any citizen feel vulnerable.
Sibal asked why anyone should know where he was flying to. Justice Sikri said that most of us our frequent flyers and our flight information is stored by the airlines anyway.
Mr. Sibal made the distinction that it was only with the specific airline. He says that it was because of the perils of storage of information that the UK destroyed its national biometric identity program.
Justice Sikri jokingly referred to an incident when Justice Chandrachud had gone for a Chinese dinner with his wife and when he couldn’t recall the name of a dish he had had there earlier, the waiter returned with a bill from 5 years before! Justice Chandrachud laughted as well, and remarked that he had honestly found it scary. (Some light hearted comments followed with Mr. Sibal claiming to envy Justice Chandrachud, because he hadn’t been to a Chinese dinner as a couple in a long time.)
Mr. Sibal moved on to a technical note on Aadhaar that listed and explained specific features:
- Centralisation. Single point of failure – RBI staff journal report: UIDAI claims it is secure because it is federated. Mr. Sibal cited an RBI report that identified the CIDR as “a single point of attack” and a “single point of failure.” Advocate General said the staff paper has been disowned. Mr. Sibal quipped that it was bound to be.
Justice Chandrachud agrees that theoretically, every centralised database can be hacked. He said that it is only an acknowledgement that you need to take care and is not an admission of vulnerability. Mr. Sibal agreed and said that there are no sageguards.
- Opaqueness of foreign technologies – L-1 and Morpho:. Mr Sibal said that he would give contract copies claiming that all of them were given all data. He distinguished this with card technologies and how they are superior and described the vulnerability and replicability of biometrics. He said that unlike smart cards, most biometric readers in India can be defeated by a child using fevicol and wax.
- Leakage of biometric data completely compromises the system: He stated that it was already compromised and evidence was before this Court. With smart cards, there is no centralised database that can be compromised. Any leakage of biometric data is permanent.
- Leakage of biometrics affects criminal trials:If there is no knowledge of when the biometric data is stolen, it will be difficult to trust future transactions. Mr Sibal briefly described the impact of leakage of biometric data on criminal trials and investigation.
- Aadhaar system is vulnerable to Man In the Middle Attacks: Justice Sikri said that these days phones have fingerprints and iris authentication. Mr. Sibal says that is only stored on the phone. Justice Sikri smiled and said “we understand that distinction.”
- Operating System Vendor: Justice Sikri remarked that all phones are vulnerable for this. Mr. Sibal agreed.
- Hardware Vendor: all ‘these Chinese’ vendors …
- Telecom companies: Airtel payments Bank ‘scam’
- ISPs – USB connector cables used by enrollers etc: He said that UIDAI itself has acknowledged these issues by releasing L0 and L1 security standards, but many machines still don’t meet that standard.
- AUAs – ASAs: The fact that these MITM attacks are possible is acknowledged by UIDAI.
- Parallel databases and black market: SRDH data being available in the open and not secure.
- Aadhaar compromises spatial privacy: Possible to capture location.
Mr. Sibal asserted that there is absolutely no safeguard against anything. He claimed that Aadhaar is also vulnerable to corporate espionage attempts – businesses wanting to know what competitor executives are upto. He said that such was the nature of the digital world.
Mr. Sibal brought up the perils of face recognition and how China had used face recognition ot profile Uighurs.
He said that there was an important question of who owns the biometric data, and that there is nothing in the law that defines this.
Mr. Sibal reiterated the enrolment rejections ratio and described how the margin of error increases with the increase in the size of the database. The larger the database, the more the rejections. At 1 billion, it’s 1 in 146 rejections. He described how manual adjudication on those rejections happens without following principles of natural justice calling it another source of lack of integrity – “so basically, the UIDAI will decide who are the ghosts and who aren’t.”
Another source of lack of integrity he described was the possibility and proof of recent replay attacks. He said it was absolutely not possible to prevent these. UIDAI claims that replay attacks will be dealt with like you deal with forged credit cards. Mr. Sibal asked “but where will you find the evidence from.”
Mr. Sibal argued that Aadhaar impacts federalism.
He stated that Aadhaar denied equal treatment under the law and unequally affects aged people and other vulnerable sections whose biometrics change fast. Aadhaar violates the right to equal treatment. It disproportionately impacts people who are aged, people engaged in manual labour, disabled people, and so on. He said that this is a specific issue with biometrics, as opposed to smart cards. He called it a completely irrational choice of technology.
Mr. Sibal asked how Aadhaar was going to work in hinterlands of West Bengal and Odisha and said that the CJI would know better (Chief Justice Deepak Misra’s home state is Odisha).
Mr. Sibal asked again how a European concept is thrust upon Indian people. He said that what might be appropriate for fighting crime and terror is inappropriate for the daily interactions between citizen and State.
The Bench rose for lunch. No Constitution Bench in the second half. To continue on 8th morning.
Summary of hearing based on tweets by Gautam Bhatia and Prasanna S