Foreign Company Has Source Code of Aadhaar Project; It Has Access To Citizens' Information : Certain Worrying Findings By Justice Chandrachud

The impact of Facebook-Camridge Analytica incident also reverberated in the judgment as Justice Chandrachud acknowledged that profiling of individual preferences could also be used to influence the decision making of the electorate in choosing candidates for electoral offices.Though the majority of Supreme Court Constitution Bench has upheld the validity of Aadhaar project, certain findings in the dissenting judgment of Justice D Y Chandrachud regarding it are worrying, calling for larger public debate on its efficacy and security. Biometric database in the CIDR is accessible to third-party vendors It has been found in his judgment that neither the Central Government nor the Unique Identification Authority of India(UIDAI) have the source code for the de-duplication technology which is at the heart of the programme. The source code belongs to a foreign corporation. UIDAI is merely a licensee. Biometric database in the Central Identities Data Repository(CIDR) is accessible to third-party vendors providing biometric search and de-duplication algorithms. Prior to the enactment of Aadhaar Act in 2016, the UIDAI contracted with L-1 Identity Solutions (an American entity which provided the source code for biometric storage) to provide to it any personal information related to any resident of India. The citizens enrolled in the program without being aware of that and handed over their biometrics to the UIDAI without informed consent.Under the Contract, L-1 Identity Solutions retains the ownership of the biometric software.It has also been provided that L-1 Identity Solutions can be given access to the database of UIDAI and the personal information of any individual."It has been provided in the Contract that L-1 Identity Solutions would indemnify UIDAI against any loss caused to it. However, the leakage of sensitive personal information of 1.2 billion citizens, cannot be remedied by a mere contractual indemnity. The loss of data is irretrievable. In a digital society, an individual has the right to protect herself by maintaining control over personal information. The protection of data of 1.2 billion citizens is a question of national security and cannot be indemnified by a Contract", Justice Chandrachud said.He also took note of the fact that UIDAI had entered into Memorandum of Understanding (MoU) various entities for carrying out the process of enrolment. MOUs signed between UIDAI and Registrars were not contracts within the purview of Article 299 of the Constitution, and therefore, do not cover the acts done by the private entities engaged by the Registrars for enrolment. "Since there is no privity of contract between UIDAI and the Enrolling agencies, the activities of the private parties engaged in the process of enrolment before the enactment of the Aadhaar Act have no statutory or legal backing", said the judgment.Aadhaar Seeding Leads To Individual Profiling It was held that when Aadhaar is seeded into every database, it becomes a bridge across discreet data silos, which allows anyone with access to this information to re-construct a profile of an individual's life. This is contrary to the right to privacy and poses severe threats due to potential surveillance. Illustratively, it was stated :For instance, when an individual from a particular caste engaged in manual scavenging is rescued and in order to take benefit of rehabilitation schemes, she/he has to link the Aadhaar number with the scheme, the effect is that a profile as that of a person engaged in manual scavenging is created in the scheme database. The stigma of being a manual scavenger gets permanently fixed to her/his identity. Linking Aadhaar with different databases carries the potential of being profiled into a system, which could be used for commercial purposes. It also carries the capability of influencing the behavioural patterns of individuals, by affecting their privacy and liberty. Profiling individuals could be used to create co-relations between human lives, which are generally unconnected."If the traces of Aadhaar number are left in every facet of human life, it will lead to a loss of privacy", he said.The impact of Facebook-Camridge Analytica incident also reverberated in the judgment as Justice Chandrachud acknowledged that profiling of individual preferences "could also be used to influence the decision making of the electorate in choosing candidates for electoral offices".He added that privacy protection does not demand that data should not be collected, stored, or used, but that there should be provable guarantees that the data cannot be used for any purpose other than those that have been approved. Therefore, Aadhaar project without the backing of a solid data protection law, raised several concerns.In this regard, it may be noted that majority judgment has struck down the portion of Section 57 of the Aadhaar Act which enables body corporate and individual to seek Aadhar authentication. The majority judgment also struck down...

Foreign Company Has Source Code of Aadhaar Project; It Has Access To Citizens' Information : Certain Worrying Findings By Justice Chandrachud

Manu Sebastian

Tags