Five Years Since the Aadhaar Judgment
Today 26.09.2023, marks half a decade since a Constitution bench of the Supreme Court delivered the Aadhaar judgment (KS Puttaswamy & Anr. v. Union of India & Anr. (2019) 1 SCC 1). It appears that a convenient amnesia affects our government as it creates new rules and amendments to the Aadhaar Act that ignore and forget the limitations placed on the use of Aadhaar by that judgment. A link to the judgment is here.
To recap: Five significant limitations on the use of Aadhaar that the majority judgment recognised:
Aadhaar can only be made mandatory for welfare schemes (see Pg. 389, para 320 - 322). It was specifically held that Aadhaar cannot be made mandatory for earned benefits, like pension. The majority judgment also stated “At the same time, we hope that the respondents shall not unduly expand the scope of ‘subsidies, services and benefits’ thereby widening the net of Aadhaar, where it is not permitted otherwise.” (Pg. 391).
Private companies cannot use Aadhaar. Section 57 of the Aadhaar Act which allowed the use of Aadhaar authentication by private companies (body corporates) is unconstitutional (para 219 (e), 412, 447(1)(d)).
Aadhaar cannot be made mandatory for children’s admission to school or for benefits under the Sarva Shiksha Abhiyan. Children cannot be denied benefits for lack of Aadhaar (See Pg. 393, para 325; Pg. 401, para 332).
The storage of transaction data as per Regulation 26 of the Aadhaar (Authentication) Regulations, 2016, was considered impermissible. (para 219 (b))
Authentication records are not to be kept beyond a period of six months (para 219 (a))
In blatant disregard of the limitations established by the judgment, the government continues to expand the use of Aadhaar to promote the UID at the cost of fundamental rights.
Moody’s criticizes Aadhaar
Meanwhile, a reminder - biometrics are inaccurate. It has been widely reported that the credit ratings agency, Moody’s has released a report which highlights concerns with Aadhaar stating that “The system often results in service denials, and the reliability of biometric technologies, especially for manual laborers in hot, humid climates, is questionable”. The government has rebutted the report and says that the claims made are “baseless”.
Most Trusted ID in the world
While rebutting Moody's, the Modi government has made the incredible claim that Aadhaar is the most trusted Digital ID in the world. Criminal groups, always two steps ahead of any game, have been wildly innovative and inventive finding new ways to commit fraud with this most trusted ID. A personal favourite of ours was the UP gang which used toe prints to forge Aadhaar cards, then used by several people fraudulently taking bank loans.
Decode reported this month - “The Bihar police is tired of frauds through the Aadhaar Enabled Payment System. In July this year, the Nawada police formed a special investigating team to arrest two people and recovered 512 cloned thumb impressions made of plastic like substances”. Check out the in depth story which includes interviews with police officials who explain how they believe the frauds are committed.
Earlier in the month, the Hindu reported that in Gujarat two persons were arrested allegedly for having forged two lakh identity proof documents like Aadhaar and PAN cards and sold them for ₹15 to ₹200 each. Just remember, there’s no need to panic because we have a 13ft wall which protects the Aadhaar compound.
Personal Data Protection Act, 2023
What does the Data Protection Act mean for all you Aadhaar watchers out there? Five years after promising the Supreme Court that it would introduce a privacy bill, fourteen years after the cabinet note which led to the beginning of the Unique Identification project, and just a few weeks after one of the largest data breaches India has witnessed yet, the government passed the Digital Personal Data Protection Bill, 2023, which fails to provide us with adequate data protection and creates blanket exemptions for the state and therefore the Aadhaar programme (see Section 17), answering the question that some of us had posed some years ago - Can the Aadhaar project exist along with a Data Protection Act? The answer is yes, because the Data Protection Act does not apply to it.
What does the Aadhaar Act say about sharing Aadhaar data?
Section 29 of the Aadhaar Act 2016, states that core biometric information can never be shared with anyone and can only be used for generation of Aadhaar numbers and authentication. S. 29 (2) says that “The identity information, other than core biometric information, collected or created under this Act may be shared only in accordance with the provisions of this Act and in such manner as may be specified by regulations”. S. 29 (3) states that no identity information available with a requesting entity or offline verification-seeking entity shall be—
used for any purpose, other than the purposes informed in writing to the individual at the time of submitting any information for authentication or offline verification; or
disclosed for any purpose, other than purposes informed in writing to the individual at the time of submitting any information for authentication or offline verification:
Provided that the purposes under clauses (a) and (b) shall be in clear and precise language understandable to the individual.
Exemptions under the DPDP Act do not override the Aadhaar Act. It would appear that the requirement for notice under S. 29 of the Aadhaar Act must still apply to any identity information other than “core biometric information” collected and used under the Act. As well as the Aadhaar (Sharing of Information) Regulations, 2016. Has anyone ever received any notice from the UIDAI or a Requesting Entity about the sharing of their identity information? Let us know if you have!
Violations of privacy and how the police can track you
Two interesting cases raise questions about Aadhaar and the ability of the police to track people. Both cases relate to missing persons who did not want to be found. On 01.09.2023, the Times of India reported “Bhola Yadav, a farmer of Dhobe village, would not let go of his son with whom he was reunited on Thursday after seven years. However, the son said that he never wanted to return home”. The son went missing at the age of 15 and the police traced him by tracking his Aadhaar number. The report says that “During the probe, the police team found a bank account linked with the missing youth’s Aadhaar number. They then tracked his cell phone linked with the account and managed to find him…”
Another report dated 14.09.2023 from the Times of India states that a women went missing in 2018 and her disappearance was linked to a dispute with her husband. After years of pursuit, investigators discovered she had updated her Aadhaar card. The report states that “Police successfully tracked her to Goa where she was found, leading a new life, utilising facial recognition and digital investigation techniques.”
How did the police trace these people using their Aadhaar numbers? Are police personnel able to access multiple linked databases using a single Aadhaar number? Are databases searchable for single Aadhaar numbers? What software and technology is the police using to access people’s Aadhaar linked information? Is facial recognition technology being linked with Aadhaar and used to track residents?
NREGA and Aadhaar
Friends at Libtech India have published an important study correlating the introduction of Aadhaar and deletion of workers names from the MGNREGA. Tracking deletions in the MGNREGA for over a year, they have interviewed over 600 workers between October 2022 and June 2023, and interviewed officials between December 2022 and May 2023. They covered various states, including Andhra Pradesh (AP), Gujarat, Jharkhand, Odisha, and Telangana. They write in the Economic and Political Weekly - “We argue that the complexity of Aadhaar-based interventions and the manner of their rollout has a correlation with the spate of deletions. We begin by unpacking the Aadhaar interventions and assessing their rationale and complexity. We further discuss what official MGNREGA documents say about deletions, and briefly examine deletion practices and resolution procedures on the ground. Finally, we comment on the Aadhaar mandate as a symptom of the union government’s techno-solutionist tendencies.”
Libtech India’s working paper titled '“Assessment of wage payment delays for Aadhaar-based payments and impact on delays due to payments trifurcation by caste” examines technological interventions in the MGNREGA. They write “Many of these interventions were introduced without any consultation or scientific piloting. Consequently, some have violated the clauses of the Act, adversely afecting programme implementation. We demonstrate how two such digital technological interventions in MGNREGA - segregation of wage payments by caste, and Aadhaar-Based Payment System (ABPS) - have violated MGNREGA clauses. Our analysis is based on 31.36 million transactions across 10 states from Financial Year 2021-22 crawled from the programme’s Management Information System (MIS). 63% wage payments were delayed beyond the mandated 7 days by the union government and 42% were delayed beyond 15 days. We use the percentage of transactions processed within the mandated time by the union government as the metric to assess the performance. Notwithstanding delays in wage payments, we find there is a statistically significant diference in the time taken to process payments across caste. This is also the first large-scale data-based evidence demonstrating no statistically significant difference in the time taken to process wage payments through ABPS compared with traditional account-based payments.” This study demonstrates that the Aadhaar based payments system did not make improvements in MGNREGA payments.
Reminder! Spread the word! Aadhaar Voter ID linking is not mandatory!
While Aadhaar continues to be pushed as mandatory for almost everything, remember to spread the word - it is not mandatory to link your UID with your Voter ID, as the Election Commission has so helpfully clarified to the Supreme Court.
Where are we heading?
Five years ago the Constitution Bench of the Supreme Court of India said that Aadhaar could only be made mandatory for welfare. In a separate judgment it had allowed the mandatory linking of Aadhaar and PAN cards. Friends at the Article 21 Trust have compiled a brief list of developments in the UID project since 2016. Today, the Union Government continues to try to thrust Aadhaar into every sphere and aspect of our daily lives, as it creates a data protection law that exempts itself and anyone it chooses from compliance.
The discourse around technology remains hollow. We are expected to treat the Aadhaar programme as a source of national pride while it continues to be linked to hunger deaths and fraud. This hollow nationalism is evoked in the India Stack project, of which Aadhaar forms the basis and beginning. The Internet Governance Project has published an in-depth report on the India Stack, "a set of APIs and associated platforms that operate across three critical sectors: identity, payments, and data". The report documents the use of Aadhaar in the creation of a structure of digital India through private companies that use publicly held resources. The re-branding of Aadhaar as a new “digital public infrastructure” is particularly concerning as it is deeply misleading, obfuscating the history of coercion and exclusion that the project carries. Who is this public infrastructure for? How will the data of millions of Indian residents be used? Five years after the Aadhaar judgment, the future looks full of novel challenges to dignity, privacy and liberty.
All the best to all of us still resisting, writing, thinking
This week we hope to launch a WhatsApp channel for more immediate updates and will keep all of you informed.
As we reflect on five years since the Aadhaar judgment and look to the future, we remind ourselves that our critiques and our resistance remain strong. The work of documenting and thinking about technology, concentration of power, the state and our own liberty continues.
In solidarity,