The government passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 as a money bill in Parliament on 11 March 2016. This Aadhaar Bill, in its present form, is apparently an upgraded model from the one the previous government was trying to hawk to the country if you choose to believe the mandarins selling its virtues; if you pay heed to the naysayers, it is a legislation which does not address the basic concerns of the citizenry like privacy and database security.
The irony of the situation is that on the day the Aadhaar Bill was passed, there were advertisements by private companies like TrustID selling background checks of domestic help, drivers etc using Aadhaar-based verification. Whether this signifies a technological leap to simplify lives is not clear but it certainly raises vital concerns about the circumstances of privacy within the Bill.
Does the Bill really address the concerns of the private citizen? Is their data really ring-fenced properly in the system?
While Aadhaar promoters claim that database access will not be provided to any agency and will be secure from foreign intelligence agencies, the fact that UIDAI is itself contracted to receive technical support from outside companies to build the database is a chink in this armour. It is a fact that among others, the biometric capture solution is contracted to a US-based company calledMorphotrust. In addition, the implementation of biometrics is contracted to Accenture Services Private Limited and the setting up of the Central Identities Data Repository (CIDR) is contracted to Ernst and Young , all of which are US corporations. This means that they can be called upon, by US law, to reveal information relevant to legitimate operations in the United States if asked to do so by the US government or its network of security agencies.
Further, the CIDR will be protected by commercial network security and cryptographic products customized for their latent use in the system. These systems are exposed to hacking or intrusion by organizations that specialize in such dark arts. The fact remains that when specialized defence departments and space organizations in India or their allied organizations, which boast of a higher cybersecurity environment than UIDAI, can be hacked, the self-certification of database security is slightly premature and remains untested.
[W]hen specialized defence departments and space organizations... can be hacked, the self-certification of database security is slightly premature and remains untested.
So, does the Bill really address the concerns of the private citizen? Is their data really ring-fenced properly in the system? And, what is the extent or scope of "national security" defined under Section 33(2) of the Bill which allows the disclosure of identity information and authentication records kept with the National Data Repository?
The Supreme Court in Rajagopal (1994) opined that privacy is inherent in an individual's right to personal liberty (even if it is not a fundamental right in itself). To comment on privacy and Aadhaar today is somewhat premature and one can only speculate at this point. The government of the present day has cried itself hoarse and has got experts from relevant fields to back it up to say all the collated data will be protected, adequate safeguards have been added and there is no cause of concern. But, how much of that is practically true? There is an inter-department data transfer involved and we all know how much any two of our departments in the government love each other. What happens in the long run? If the government changes, will the same duty of care be thrust on the incumbents? Can the database be accessed during elections for profiling in the garb of national security? There is an entire section (Section 28) which talks about information protection but will the practical implementation really be effective? In a country where citizens are arrested on the basis of a law which is non-existent because the enforcing authority has no clue of the law of the land, how much on the ground protection can really be provided?
The term "national security" has not been defined in the Bill. It is also not defined in the General Clauses Act or prominently in any other statutory legislation...
Consider this: 2015 was the worst year for federal information security failures on record in the United States. It was so bad that the Mercatus Centre said that the federal government of the United States was facing "a continuing challenge to properly secure its own systems which rendered it a poor candidate for expanded control of the nation's cyber security."
More importantly, the agencies that were entrusted with new data extraction and management responsibilities under the Cybersecurity Information Security Act (CISA) reported alarming security breaches in the years 2014-2015. The Mercatus Center has analyzed this data and has found upwards of 60,000 incidents per year for the last two years. While these incidents are in the public domain (including what sort of data was taken and how many victims there were), in many of them, it is impossible to know to a degree of detail, the complete picture, which allows countermeasures and an effective addressing of the problem for the future. While this remains a burning question related to privacy in developed nations including the United States, consider the same scenario in India, where the systems are painfully behind the Western world and information practically rests in the hands of a superintendent or a secretary in a woefully painted office.
Is the definition of national security in the hands of a bureaucrat sitting in some office in the Home Ministry?
The problem is that even in the case of the largest breaches, there is often a paucity of information about what went wrong. Sometimes, no one wants to know. Sometimes, it is a case of finger-pointing. Sometimes, there are no logs or records of how things happened because of blind spots, code breaks or simply amount of time elapsed. The practice of using a method to explore the cause-and-effect relationship underlying a particular problem is almost non-existent in developing countries like India which follow a knee-jerk process in most situations. What does not happen, given our fear of lawsuits and other phantom menaces, is learning from past mistakes and eventually every passing day, there exists a constant threat that someone somewhere will plug an USB in a port, extract data and sell it to the highest bidder.
Even when an organization starts digging into the problem, it is often hushed up because of the threat of lawsuits, loss of credibility to the ruling elite, or because of the bogey of "national security". Which then brings us to the other important issue in the Aadhaar Bill--its Section 33(2), which allows the exceptional disclosure of information under national security exigencies. This section is painfully hobbled because the term "national security" has not been defined in the Bill. It is also not defined in the General Clauses Act or prominently in any other statutory legislation in the country.
The concerns of the country have still not been addressed in the hasty passing of the legislation.
So, where does that leave us? Certain judgments of the Supreme Court define law and order and have a brief obiter about security of the State but how does it apply to disclosure of information which may comprise the privacy, safety and security of an individual? Is the definition of national security in the hands of a bureaucrat sitting in some office in the Home Ministry? We all know how that worked out in the case of the JNU students, when the Home Minister himself blew a gasket after reading a couple of fake tweets. The point is that there are absolutely no guidelines to define the most important facet of the Bill and the entire section is left open to interpretation of the government machinery. And, in case of a dispute, before judicial intervention can settle the issue, the horse would have bolted the stable, causing utter chaos.
It is true that much of the Bill may have to be administered by delegated legislation including the framing of working rules and so on, but the concerns of the country have still not been addressed in the hasty passing of the legislation. The urgent need of the hour is not the opinions and posturing of the government or its experts but practical answers to some of the questions that are floating around the supposed rosy horizon of this implementation.
Also see on HuffPost: