Ahmedabad: The split Aadhaar verdict (4:1, in favour of it) on 26 September gives us an opportunity to look afresh at the Aadhaar project. As I have written in a forthcoming book on Aadhaar, the primary purpose of the programme was never really to improve inclusion and welfare administration as projected. Welfare was just the sugar coating to facilitate an essentially commercial project. These commercial activities required a digital ID infrastructure such as Aadhaar, which was built using public money.

The dressing up was necessary to speed up enrolment and stall the possibility of the civil liberty concerns preventing the project from taking off. It is pertinent to explore this line of argument because the majority opinion was not convinced, but the dissenting judge accepted several strains of these arguments in Court.

One hint that this was never about welfare comes from the fact that there were hardly any social policy makers involved in the design of the Aadhaar ecosystem. The Unique Identification Authority of India (UIDAI) was dominated by technologists who have now left government and are setting up businesses that will tap the Aadhaar ecosystem. These commercial interests as well as the conflict of interest issues with the project are only just beginning to be documented. For instance, Krishn Kaushik wrote in The Indian Express that those who build the Aadhaar infrastructure as ‘volunteers’ are now using the Aadhaar platform to build businesses.

Another clear indication of this came during the final hearings on Aadhaar in early 2018. Some businesses that are built on the Aadhaar platform intervened in the Supreme Court arguing that “access to the Aadhaar ecosystem…is critical" and declaring Aadhaar illegal will cause them “grave and irreparable harm".

Section 7 and Section 57

It is therefore interesting that it is sections 7 and 57 have been in focus since the judgment came out. Section 7 (among others) is the clause that allows the government to link our Aadhaar number into various government databases. The lack of a clear framework allows the state to collate databases at the back end and create a 360-degree profile of individuals. I explain below how this creates the danger of mass surveillance by the government.

Section 57, on the other hand, is the clause that allows private entities to demand Aadhaar. Businesses such as mobile companies, mobile wallets, aggregators of various types (food, taxis, etc.) can sell anonymized (or deanonymized) metadata to the growing data broking industry. This is mined for targeted advertising and for screening purposes (e.g., for health or car insurance, loans, etc.). Bruce Schneier, a cryptographer, refers to this as ‘corporate surveillance’.

Viewed in this manner, Aadhaar can be described as a project that enables mass government- and corporate- surveillance.

The main challenge to the Aadhaar project in the Supreme Court was that it violates the Right to Privacy, a fundamental right under the Constitution of India. In 2015, the Government of India even challenged whether indeed the right to privacy was a fundamental right. Sadly for them, the nine-judge bench that heard the right to privacy matter delivered a landmark judgment upholding the right to privacy as a fundamental right.

The majority opinion in the Aadhaar verdict delivered on 26 September 2018 upholds the constitutional validity of the Aadhaar project. Even this majority opinion—written by Justice Sikri, and signed by Justice Misra and Justice Khanwilkar— strikes down section 57 as unconstitutional. It has been declared unconstitutional because it fails the test of proportionality. This means that the privacy invasion by private entities inherent in this section is seen to be excessive.

Justice Sikri’s opinion keeps the door open for a law to be framed where the purpose of identification is clearly laid out, but also asks for that law to be subject to judicial scrutiny. Another reason for striking down section 57 is that it provided an opening for the majority judges to uphold the Aadhaar Bill as a Money Bill.

Striking down section 57 provides protection temporarily (at least) from corporate surveillance. This is a big blow (for now) to entities such as India Stack, whose products use Aadhaar at the core of their business. After the judgment, unsurprisingly, the CEO of Aadhaar Bridge launched by Khosla Labs, was disappointed and said that they are looking for the data protection law to restore their access to the central ID repository for the purpose of ID verification.

On the other hand, as far as section 7 is concerned, the section that is an enabler of mass government surveillance, there is very little relief. It has been largely upheld by the majority opinion. The main relief under section 7 is for children and students (for school admissions, they are also given an opt-out facility upon attaining adult age, national eligibility tests such as NEET, are also exempt). But that’s it.

Despite all the evidence on exclusion, hardship and denial from welfare programmes resulting from the compulsory integration of Aadhaar in these programmes, the majority opinion decided to accept at face value the claims and assurances made by the government. These were that Aadhaar was a tool of inclusion, that it had helped combat corruption— and that therefore, in this case, it satisfied the proportionality test. Similarly, the profiling concerns with respect to section 7 did not convince the majority judges. This is the most disappointing aspect of the Aadhaar verdict.

Big Brother meets Big Data

The Aadhaar project is a privacy hazard from several angles—data security, bodily integrity due to the use of biometrics, personal integrity and personal data mining. While any centralized database creates a data security vulnerability, a unique number (“key") such as Aadhaar linking all the data silos, magnifies those vulnerabilities. Of course, this is precisely what creates massive commercial possibilities from personal data mining—information on nature and frequency of travel, who we meet or talk to, what we eat or buy and so on, has great value for targeted advertising and other decision-making algorithms that are being used in more and more spheres. Centralized and inter-linked databases also enable tracking, profiling, leading to self-censorship, which endangers our freedom. The mining of personal data, thus, clashes in a fundamental way with civil liberties, a clash that lies at the heart of the Aadhaar debate.

What sets Aadhaar apart from other examples where the state demands our data (say, the Registration Act or the Social Security Number) is that our biometric and demographic data are being stored in a centralized database and a unique number is associated with our biometric and other information. Further, this unique number was being seeded (added as a new data field) with every possible—public and private—database in the country.

Why is that a problem? Today, information about my life is stored in different data silos—train travel, air travel, bank account, mobile phone, employment history, health and so on. The only person who can easily construct a full picture of my life from these disjointed data silos, is me. This is because only I have the access to these disconnected data silos.

If the Aadhaar number is ‘seeded’ into every database, it integrates these data silos. Aadhaar becomes the bridge across the hitherto disconnected data silos with information about my life. I lose control over who can reconstruct a profile of my life. People in government (who I have not authorized) will be able to ‘profile’ me, by pulling in information from various databases using that single identifier. Just the possibility of such profiling is likely to lead to self-censorship and, as many have documented, is likely to stifle dissent.

When this concern is raised, the government has attempted to obfuscate the issue. For instance, the CEO of UIDAI, Ajay Bhushan Pandey tried to assure people that “no one can build Aadhaar users’ profile". However, he misinterprets profiling. What he is actually talking about is ‘identity fraud’, rather than profiling in the civil liberties sense mentioned above. Similarly, in an interview to Vir Sanghvi, Nandan Nilekani choses to interpret surveillance in the limited sense of ‘physical tracking’ through GPS, etc.

However, the civil liberties interpretation of surveillance is wider as it incorporates keeping an eye on all the activities of a person (shopping, recreation, travel, communications, etc).

In a nutshell, the concern is with the creation of a centralized database, where we don’t have control of our own data and an ecosystem, where a single identifier (i.e., the Aadhaar number) links databases. It becomes an infrastructure for profiling and surveillance. This is the most significant aspect of privacy in the Aadhaar debate. As senior advocate Shyam Divan warned the Supreme Court, the Aadhaar project is an electronic leash to keep people under control.

Among the supporters of Aadhaar, are entrepreneurs and technocrats who want to use technology to “do good". They view this is a great opportunity for data mining and machine learning. The idea is that when an Aadhaar ecosystem is in place (i.e., you can see people’s lives in different spheres), you can learn useful things: some suggest that it may “enable macro level analysis from high frequency micro level data, econometric analysis, epidemiological studies, automatic discovery of latent topics and finding both predictive and causal relationships across multiple domains of the economy" (Banerjee 2017), whereas others believe it will allow data mining for improvement in credit rating infrastructure. This is what Nilekani means when he says “India will be data rich before being economically rich".

The emerging data economy poses new and serious challenges to privacy. There is reason to be concerned about the creation of businesses built on personal data, which will monetize information about people’s personal life ahead of creating adequate digital and legal literacy and safeguards around these issues. This should concern the poor and middle class alike. Loans, insurance and other credit instruments can be tricky business.

As far as poor or barely literate people are concerned, the danger arises from being defrauded by fly-by-night operations that disguise themselves as good savings or investment options. For the middle class, the algorithms that decide your credit score, eligibility for loans, or the premium you pay, can be highly customized by combining very granular data that is available with such data mining techniques. It is worth remembering that fintech companies that use them are in it primarily for profit, not for public service.

Justice Chandrachud

Contrary to the majority judges, who have accepted the government’s assertions as facts as also the government’s assurances where they had concerns (e.g., exclusion), Justice Chandrachud has rejected several such assertions, stating that the government failed to establish these as facts. He rejects the claims of minimal data collection and storage and draws on Professor Manindra Agrawal’s report on differential privacy highlighting the potential to profile individuals.

In his opinion, the Aadhaar Act fails on several counts: it fails “to protect the individual right to informational privacy", fails “in its legislative design to establish and enforce an autonomous regulatory mechanism", fails to “demonstrate that a less intrusive measure will other than biometric authentication will not subserve its purposes", it fails to “justify its actions and to demonstrate why facilitating the targeted delivery of subsidies...automatically entails a sacrifice of the right to privacy when both these rights are protected by the Constitution" and fails “to consider that there were much less rights-invasive measures that could have furthered its goals".

The way forward—not just against section 7, but against the Aadhaar project itself—lies in Justice Chandrachud’s opinion.

(Reetika Khera teaches economics at the Indian Institute of Management Ahmedabad)