Aadhar and Right To Privacy
With the aim of issuing a unique identification number to every individual and giving them access to
schemes and benefits such as the gas subsidy and the Mahatma Gandhi National Rural Employment
Guarantee Act (MGNREGA), the Government of India initiated the Aadhar process. However, it has
run into privacy concerns raised by different strata of society. The people, the courts and the
Government have taken different perspectives on leakage of privacy and on IT laws, in trying
to conclude whether there is an infringement of privacy as raised by some dignitaries. It has
been found that the population who are being asked to link their personal documents, identity
and information to their Aadhar Card are wary about the possible loss of privacy. From the
legal perspective, successive judges in their judgments have dealt with different
aspects of privacy with regard to Aadhar and its linking. These judgments would serve as a
stepping stone for the evolution of the idea of protecting the privacy of the people of this nation state,
within the framework of a secured and socially justified environment attained because of the Aadhar
Link Program. However, the Government has on many occasions argued that fundamental-right
status does not make privacy an absolute right, and that it is hence superseded by other major concerns
of the nation state, viz. national security of its people, frauds and fake registrations.
Introduction
Aadhar, which in Indo-Aryan language means foundation or base, is a 12-digit unique
identification number provided to all Indians based on their biometric and demographic data.
As the world's largest democracy advances its expedition towards becoming a third major
economy to reckon with, it still struggles in its quest for identity, not for itself, but for its huge
population, which comprises one fifth of the world's population and boasts of becoming the most
populous nation by 2024. India at this moment is the fourth fastest growing economy of the
world, and the Indian administration has taken bold moves in recent years towards cleansing
the festering sores like black money, corruption and terrorism through demonetization followed
by complete revamp of its indirect tax regime and introduction of comprehensive goods and
services tax. This coupled with large scale investments promised by the administration and
floating of schemes, encouraging entrepreneurship, steep fall in interest rates, all indicate a very
promising future for the nation which is ready to take a giant leap towards its much aspired
position of becoming a developed country. India has a vast coastline of about 4671 miles
surrounded by the Indian Ocean in the south, and it shares its land boundaries with developing
countries like China, Pakistan, Nepal, Bhutan, Myanmar and Bangladesh. The land borders
measure up to 9445 miles. These boundaries are guarded by 1.4
million active personnel and 1.3 million paramilitary, which makes it the largest military force
in the world. These lengthy borders are characterized by harsh weather and geographical
conditions, making it very difficult to monitor the movement of people across the border. India
shares porous borders with its neighbors and, owing to its comparatively better living
conditions and conducive environment, has been subject to large-scale illegal inward immigration
on many occasions. Hence arises the need for a system to differentiate its
citizens from immigrants. This and many other similar issues gave rise to the concept of
Aadhar card.
The concept of the Aadhar card came into existence in 2004 with the amendment of the Citizenship Act
by the then ruling Indian National Congress-led UPA government to make way for the National
Population Register (NPR), a database record of all the residents of India maintained by the
Registrar General and Census Commissioner of India. With the administrative approval for the
project "Unique ID for Below Poverty Line (BPL) families" in 2006 by the Ministry of
Communication and Information Technology, the first work regarding issuing Unique IDs to
BPL residents of India actually started in Year 2008 saw the amalgamation of National
Population Register (NPR) under the Citizenship Act, 1955 with the UID project—to conceive
Aadhaar. This process underwent several later developments: the constitution
of the Unique Identification Authority of India (UIDAI), with Nandan Nilekani (Infosys
co-founder) appointed as its first chairman, in 2009; the Supreme Court's decision on violation of the
individual's privacy in the case of Aadhar, whereby it lost legislative backing, in 2012; the Supreme
Court's judgment in 2014 barring the transfer of biometric information with an Aadhar number to any other
agency without the individual's consent in writing; the apex court's decision in 2015 making it
mandatory for the public distribution system (PDS) and subsidies on cooking gas and kerosene, and
not mandatory for availing of benefits from government programmes; statutory backing and the
passing of the Aadhar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services)
Bill, 2016 as a Money Bill, rejecting the Rajya Sabha's recommendations, in 2016; and, in 2017, the
government making Aadhar mandatory for 3 dozen schemes, including the midday meal scheme and
universal education, against the Supreme Court's saying that it cannot be made mandatory for welfare
schemes.
Some countries around the world have used concepts similar to Aadhar in their respective
territories: America has its Security Number, which its residents use for getting a job,
availing of Government benefits and for taxation purposes; China has issued National Residents
Identity Cards to identify the status of citizens since 1986; and the governments of all European
Union member states issue national identity cards to their citizens as identity and travel
documents. Thus, a number of countries have unique identity systems, but most of them are facing
security and privacy issues, and all have seen pros and cons in their journey.
The world's largest biometric ID system, Aadhaar, had enrolled over 1.171 billion
members as of 15 Aug 2017. According to public data portal records, over 99% of Indians aged
18 and above had been enrolled in Aadhaar so far.
Aadhaar is a national identity project, but the subtle difference between identity verification and
authentication is itself not well understood, and this leads to confusions in policy making and
deployment. Below, we attempt to first demarcate the two concepts. According to standard
notions of digital authentication, a security principal (a user or a computer), while requesting
access to a service, must provide two independent pieces of information - identity and
authentication. Whereas identity provides an answer to the question “who are you?”,
authentication is a challenge-response process that provides a “proof of the claim of identity”,
typically using an authentication credential. Common examples of identity are User ID (Login
ID), cryptographic public keys, email ids, ATM or smart cards; some common authentication
credentials are passwords (including OTPs), PINs and cryptographic private keys. Identity may
be considered public information but an authentication credential must necessarily be private - a
secret that is known only to the user. Moreover, authentication must be a conscious process that
requires active participation by a user, but not necessarily so for identity verification. As example
use cases, a bank may want an identity verification while opening an account, at which stage no
secret like a password is usually necessary, but a user needs to authenticate with a PIN for
transactions like ATM withdrawals. No publicly known information should be used as an
authentication credential.
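The distinction drawn above, as an added example that is not part of the original article or of the Aadhaar system: identity verification only matches claimed attributes against an enrolled record, while authentication is a challenge-response that requires a private credential. The user ID, attributes and credential are constructed, and HMAC over a random nonce is an assumed choice of challenge-response scheme.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment record. The identity attributes are treated as public;
# the credential is a secret shared only by the user and the verifier.
ENROLLED = {
    "user-1001": {"name": "A. Kumar", "year_of_birth": 1980,
                  "credential": b"constructed-secret-for-user-1001"},
}
_pending = {}  # user_id -> outstanding one-time challenge


def verify_identity(user_id, name, year_of_birth):
    """Identity verification: do the claimed attributes match the record?
    No secret and no user action is involved, so this says nothing about
    who is presenting the claim."""
    rec = ENROLLED.get(user_id)
    return rec is not None and (rec["name"], rec["year_of_birth"]) == (name, year_of_birth)


def issue_challenge(user_id):
    """Verifier side: a fresh random nonce, valid for one attempt only."""
    nonce = secrets.token_bytes(16)
    _pending[user_id] = nonce
    return nonce


def respond(credential, nonce):
    """User side: prove possession of the credential without transmitting it."""
    return hmac.new(credential, nonce, hashlib.sha256).digest()


def authenticate(user_id, response):
    """Verifier side: check the response against the outstanding challenge.
    The challenge is consumed whether or not the check succeeds."""
    nonce = _pending.pop(user_id, None)
    rec = ENROLLED.get(user_id)
    if nonce is None or rec is None:
        return False
    expected = hmac.new(rec["credential"], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo():
    uid = "user-1001"
    results = {}
    # Anyone who knows the public attributes passes identity verification.
    results["identity_verified"] = verify_identity(uid, "A. Kumar", 1980)
    # The genuine user answers the challenge with the private credential.
    nonce = issue_challenge(uid)
    genuine = respond(ENROLLED[uid]["credential"], nonce)
    results["genuine_user"] = authenticate(uid, genuine)
    # Publicly known information used in place of the credential is rejected.
    nonce = issue_challenge(uid)
    results["public_data_as_credential"] = authenticate(
        uid, respond(b"user-1001|A. Kumar|1980", nonce))
    # An old response replayed against a new challenge is rejected.
    issue_challenge(uid)
    results["replayed_response"] = authenticate(uid, genuine)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```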
Literature Review
Aadhar biometric identification has been made mandatory for various schemes, including all
post office deposits, Public Provident Funds (PPFs), National Savings Certificate schemes and
Kisan Vikas Patra. The Government is studying the viability of making the Aadhar card
mandatory for filing Income Tax returns as well as for applying for a PAN Card. RBI, the
banking regulator in India, clarified that the linking of Aadhar with bank accounts is mandatory.
There will be intrusion of privacy but we have to look at the merits and demerits. The state
government should scrutinize the matter thoroughly in view of the Supreme Court's directives to
state governments with regard to privacy. In the case of ration cards, the Central government gave
a clear-cut mandate to all the states not to make it compulsory for people to link their Aadhar
card with their ration card, after an incident in the State of Jharkhand where an 11-year-old girl
died when she didn't receive food grains from the ration card authority. "Section 7 specifies that till
Aadhar number is prescribed, the benefits should be given through alternate means of
identification," Ajay Bhushan Pandey (CEO, UIDAI) said.
The Election Commission of India is considering linking Aadhar card numbers to Voter IDs.
Linking Aadhar with the Voter ID card will remove duplicity in the voter list. Correct demographic
information about an individual, such as gender, is collected via the Aadhar system and should match
the proper person as and when required. It is also meant to ensure that transactions based on the
Aadhar system are non-duplicative in nature and can be tracked from anywhere in India, through
online or other electronic means.
Journal of International Pharmaceutical Research, ISSN: 1674-0440 137
Aadhar users can validate their identity by receiving and then using Personal Identification
Number or PIN on their mobile phones on biometric reader. The central database of Aadhar can
be used by numerous individuals and entities, including employers, bank authorities and law
representatives, in real or near real time. The authenticity of this centralized database system has
been questioned on many occasions, especially due to the security risk that it poses and also data
infringement, policy paralysis and deliberate leakages from unauthorized sources. Many past cases
have shown that the Aadhar system faces a security leakage problem which invades an
individual's privacy. In early 2017, a large number of similar articles were published about how
easily Excel files containing demographic data could be retrieved through a simple Google
search. One breach resulted from a programming error that disclosed banking data details on public
platforms. The details of a lot of enrollees have been posted online by a handful of Indian
government websites. Two accused were held in Indore for making fake Aadhar cards: busting a racket
involved in preparing forged Aadhar cards, the crime branch of police arrested two persons and
recovered a large quantity of dummy cards and the equipment used to print them.
Regarding policy risks, India's Aadhar system has manifested notable weaknesses regarding policy
paralysis, including in policies regarding basic data protection and privacy practices. The
government of India has carried out a slew of activities to enact data protection and privacy
legislation for the Aadhar system.
There have been reports of leniency in handling the UID project's demographic and biometric
information of users, which puts the liberty of Indian residents in jeopardy. Applying for Aadhar card
enrollment is voluntary, but enrollment is mandatory for obtaining the benefits and services of
government schemes. There is also a concern among authorities that personal information of a person
might be misused by its possessor. While many issues have been surfacing around Aadhar, the right
to privacy is one such issue, and it is becoming prevalent nowadays as some
people are becoming reluctant to link their ID cards with Aadhar, citing privacy reasons. Right to
privacy has many perspectives. There are legal, political as well as people's perspectives.
However, whether breach of privacy is inevitable, and whether there may exist technological and
legal provisions which can make Aadhaar safe are important questions that have not been
adequately addressed. We note that some crucial lacunae in the identification and authentication
processes of Aadhaar have been pointed out in (Centre for Internet & Society, 2016), which also
makes several important suggestions including implementation of recommendations of Shah
(The Planning Commission: Government of India, 2011) and Sinha (Lok Sabha Secretariat: New
Delhi, 2012) committees. Despite these, thorough analyses of the possible ways in which privacy
can be breached, and possible countermeasures both from technological and legal perspectives,
remain missing.
Legal perspective
Neither a law nor any privacy provision for data was in place when the UIDAI project started its
enrollments for Aadhar in 2010. The first bill with regard to privacy protection was the National
Identification Authority of India Bill 2010, but it was rejected by the parliamentary Standing
Committee (43). The second bill to address the data privacy issue, the Privacy
Bill, 2011, was put forth in 2012 and also did not get passed in parliament. As per legal expert
Usha Ramanathan, the main reason behind the rejection of these bills was disorganization. Due to
the lack of a privacy protection law, many illegal immigrants were also enrolled. Headed by Justice
A.P. Shah, a group of judges formally considered and evaluated applicable international privacy
standards for India. A report containing nine principles related to privacy protection was finally
submitted in 2012. These nine principles were inspired by the Organization for Economic
Cooperation and Development's (OECD) Fair Information Practices (FIPs). This 91-page report
was the first concrete step towards privacy protection in the case of Aadhar data. Justice A.P. Shah
stated: "These principles, have been included from best practices internationally, and adapted
suitably to an Indian context, will be able to regulate the baseline level of privacy protection to
all individual data subjects." Finally, a new bill came into existence in 2014 which incorporated
recommendations from the group of experts. However, the 2014 bill has grown weak. Chief Justice
H.L. Dattu directed that the "enrollment for Aadhar card was voluntary in nature and obligation of it
cannot be done on an individual." The bench further stated that the voluntary nature of Aadhar
would continue to be in place until a larger Supreme Court bench of judges decided whether the
biometric authentication scheme violated the privacy of Indians. The Supreme Court in its
judgment has overruled verdicts given in the M.P. Sharma case in 1958 and the Kharak Singh
case in 1961, both of which said that the right to privacy is not protected under the Indian
constitution. On 27 March 2017, the Apex Court mandated that the Aadhaar card cannot be made
compulsory for availing of benefits under welfare schemes, though the government can check the
feasibility of making it mandatory for other purposes (such as income tax filings, bank accounts etc.).
The Supreme Court is studying the validity of Aadhar on the privacy issue. As of April 2017, a
constitution Bench of the apex court is taking into consideration the legal validity of Aadhar on
right to privacy grounds. A nine-judge bench of the Supreme Court has given the verdict that
citizens of India enjoy a fundamental right to privacy, that it is intrinsic to life and liberty and
thus comes under Article 21 of the Indian constitution. Regarding the privacy issue, the Supreme
Court directed the concerned government authorities not to share personal information of Aadhar
card holders with any private or unauthorized sources. Legal expert Usha Ramanathan
commented that rather than focusing on the use or benefits of Aadhar in future, the government is
giving emphasis to the number of enrollments. As private agencies or an undesirable person or
group might get hold of Aadhar's data, it will be difficult to keep the privacy of an
individual intact. Some judges have different opinions on how privacy should be defined.
According to Justice Chelameswar, the definition of privacy comprises three aspects: "repose,
sanctuary and intimate decision". Repose means essentially that an individual is free from
unwanted stimuli, sanctuary is protection against invasive observation, and intimate
decision is giving preference to personal life choices. This judgment will be helpful in future in
making the Aadhar system more secure. Justice Sanjay Kishan Kaul in his judgment stated
that the security environment throughout the world makes the safety of all to be balanced against
the right to privacy. The Supreme Court Judges Justice Chelameswar and Justice Nariman stated
that the right to privacy will have an impact on other domains such as Section 377 on a
case-by-case basis. The laws that attempt to restrict privacy must be fair and affordable but also serve
some compelling state interest.
Though the Court mandated the voluntariness of Aadhar Card enrollment in March 2016,
the government proposed the Aadhar Act. The Aadhar (Targeted Delivery of Financial and Other
Subsidies, Benefits and Services) Act, 2016 was passed in the Lok Sabha on 11 March 2016. On
26 March 2016, this Act was notified in the Gazette of India. The Aadhar Act has many lacunae,
including no privacy provisions and no data security measures as comprised in the Privacy Bill of
2014. On the contrary, IT minister Ravi Shankar Prasad said in a statement on Twitter that the
government is in favor of a fundamental right to privacy. Prasad also pointed out that the
Supreme Court has not admitted privacy to be an absolute right and that it would rather be
balanced by certain reasonable restrictions. However, Rohatgi and Venugopal's perspective was
that privacy as a concept was too vague to be called a fundamental right, and they concretely opposed
it in court. Another argument was that privacy was an elitist concept and impoverished Indians do not
fall within it. Finance Minister Arun Jaitley, as a government representative in the Rajya Sabha,
supported the right to privacy as a fundamental right of an individual, but the Government did not
take a similar stand before the Supreme Court. A UIDAI Report of 2010 opined that people are
frightened of coming under the government's scrutiny unnecessarily with the UID, so they are losing
trust and confidence in the Government. In addition to this, there are also cases of disagreement
within the government machinery. The Registrar General of India is not in favor of the data collection
procedure through private organizations, which could lead to data leakages and eventually hamper
privacy in some cases. Also, the Ministry of Home Affairs declared that it would not accept the data
unless and until proper processes are followed. The Chief Information Security Officer of the Ministry
of Home Affairs, Dr. Rudra Murthy, has given assurance about the Aadhar card system's data and safety.
He also pointed out that it is very difficult to hack the Aadhar card data. This project has been
opposed by some civil liberty groups, like Citizens Forum for Civil Liberties and Indian Social
Action Forum (INSAF), citing "I am opposed
to the UID project on grounds of civil liberties. Let us not be naive. This is not a social policy
initiative - it is a national security project." The Government has been criticized for forcing people
to link Aadhar cards with their mobile connections, on grounds of privacy invasion. So it is
considering the option of allowing other identity proofs to complete the verification process.
The apex court has directed it to have a credible authentication mechanism.
IT Perspective
Data Protection refers to the set of privacy laws, policies and procedures that aim to minimise
intrusion into one's privacy caused by the collection, storage and dissemination of personal data.
Personal data generally refers to the information or data which relate to a person who can be
identified from that information or data whether collected by any Government or any private
organization or an agency. The (Indian) Information Technology Act, 2000 deals with the issues
relating to payment of compensation (Civil) and punishment (Criminal) in case of wrongful
disclosure and misuse of personal data and violation of contractual terms in respect of personal
data.
However, under section 69 of the IT Act, any person authorised by the Government, or any of its
officers specially authorised by the Government, if satisfied that it is necessary or expedient so to
do in the interest of sovereignty or integrity of India, defence of India, security of the State,
friendly relations with foreign States or public order or for preventing incitement to the
commission of any cognizable offence relating to above or for investigation of any offence, for
reasons to be recorded in writing, by order, can direct any agency of the Government to
intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any
information generated, transmitted, received or stored in any computer resource. The scope of
section 69 of the IT Act includes both interception and monitoring along with decryption for the
purpose of investigation of cyber-crimes.
Possible ways of breach of privacy - The various ways in which the privacy of an individual
can be compromised in a setting such as in Aadhaar.
2. Identification without consent using Aadhaar data: There may be unauthorised use of
biometrics to illegally identify people. Such violations may include identifying people by
inappropriate matching of fingerprint or iris scans or facial photographs stored in the Aadhaar
database, or using the demographic data to identify people without their consent and beyond
legal provisions.
3. Illegal tracking of individuals: Individuals may be tracked or put under surveillance without
proper authorisation or legal sanction using the authentication and identification records and
trails in the Aadhaar database, or in one or more AUA's databases. Such records will typically
also contain information on the precise location, time and context of the authentication or
identification, and the services availed.
We wish to emphasize that insider attacks are the most
dangerous threats in this context. For instance, the second and third attacks above are much more
likely if the attacker can collude with an insider with access to various components of the
Aadhaar system.
Privacy protection: To determine the extent to which security and privacy are achieved, we
must first define the desired expectations in this context.
2. Unapproved profiling, tracking and surveillance of individuals should not be possible. There
should be sufficiently strong measures to prevent such breaches in privacy, with user-verifiable
proof of the same.
3. The technical implementation of privacy and security must be provably correct with respect to
the legal framework. The legal framework, in turn, needs to be suitably enhanced with special
provisions to protect the privacy of individuals and society in an advanced information
technology setting.
Section 72A of the IT Act imposes a penalty on any person (including an intermediary) who
has obtained personal information while providing services under a lawful contract and
with the intent to cause, or knowing it is likely to cause wrongful gain or wrongful loss [56].
Such unauthorized disclosure to a third person is punishable with imprisonment up to three years
or with fine up to Rs five lakh, or both.
Conclusions
The above discussion on the right of privacy and dignity with respect to UID clearly shows that
the right to privacy and dignity guaranteed under the Constitution, and would cause serious
implications upon the freedom and choices of the Indian citizen. The UID could also lead to a
situation of increased state surveillance, causing an invasion of the right to privacy, and in turn
affecting the dignity of individuals. Furthermore, the developmental claims by the UID of
security and administrative efficiency cannot be a valid justification for infringement on the right
of life under the Article 21 and the right to freedom of expression and movement as provided in
the Article 19 of the Constitution. Information, they say, is power. Allowing governments to
exercise this power over us without thought for the rule of law constitutes the ultimate
submission possible in a democratic nation-state.
While the Indian judiciary in its judgments during 2011-17 became more protective of the
privacy of the population with regard to the Aadhar card, no judgment scrapped the
Aadhar scheme outright. Broadly, they mentioned that Aadhar could not be made compulsory for
the provision of basic services. Nevertheless, many consecutive judges have had differing opinions
on this issue, and the Supreme Court's opinion kept changing with the judges. The 2017 apex
court judgment restrained the Government from making Aadhar compulsory for welfare schemes,
although it empowered the Government to make it mandatory for financial services and tax
payments. The right to privacy was accorded the status of a fundamental right in 2017, but here again,
no observation was made about the Aadhar Link Program (ALP) infringing this right. Successive
judges in their judgments have dealt with different aspects of privacy with regard to Aadhar and its
linking. These judgments would serve as a stepping stone for the evolution of the idea of protecting
the privacy of the people of this nation state, within the framework of a secured and socially
justified environment attained because of ALP.
We have examined the Aadhaar project from the points of view of privacy and security and have
pointed out some technical weaknesses and possible remedies.
1. The Aadhaar number, which is a single global identifier that is supposed to work across
application domains, makes individuals vulnerable to privacy breaches. A design
alteration can however make it safe.
2. The slightly different concepts of authentication and identity verification need to be
well demarcated, and careful use case analysis is required to determine precisely what is
required for each application. The legal framework must also make note of these.
3. In an Aadhaar like setup, the biggest threat to privacy comes from potential insider leaks.
The Aadhaar technology architecture does not seem to have been explicitly designed to
have strong protections against such insider leaks. We believe that effective protection
against insider leaks necessarily requires a third party auditor under independent
administrative control. With such a provision in place there are several tools from
computer science that can provide reasonable guarantees for security and privacy
protection.
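Item 1 does not say which design alteration it has in mind. As an added illustration (not from the original article and not a description of the Aadhaar system), the sketch below assumes one option, identifiers derived per application domain with a keyed hash, and compares how many records in two separately held databases share a join key under each design. The issuer key, domain names and ID values are constructed.

```python
import hashlib
import hmac

# Constructed values for the illustration only.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"
RESIDENTS = ["0000-0000-0001", "0000-0000-0002", "0000-0000-0003"]


def domain_identifier(global_id, domain, issuer_key):
    """Derive an identifier that is valid in one application domain only.
    Without issuer_key, it cannot be mapped back to the global identifier
    or to the same person's identifier in another domain."""
    message = f"{domain}|{global_id}".encode()
    return hmac.new(issuer_key, message, hashlib.sha256).hexdigest()[:20]


def build_databases(scoped):
    """Two independently held record stores, keyed either by the global
    identifier (scoped=False) or by domain-scoped identifiers (scoped=True)."""
    bank, clinic = {}, {}
    for gid in RESIDENTS:
        bank_id = domain_identifier(gid, "bank", ISSUER_KEY) if scoped else gid
        clinic_id = domain_identifier(gid, "clinic", ISSUER_KEY) if scoped else gid
        bank[bank_id] = {"account": "acct-" + gid[-4:]}
        clinic[clinic_id] = {"visits": 2}
    return bank, clinic


def link_records(db_a, db_b):
    """Identifiers present in both stores: the join key available to anyone
    who holds both, such as an insider or the recipient of two leaks."""
    return sorted(set(db_a) & set(db_b))


def linkable_count(scoped):
    bank, clinic = build_databases(scoped)
    return len(link_records(bank, clinic))


def issuer_can_resolve(global_id, domain):
    """The key holder can still recompute a domain identifier for a lawful
    lookup, which is why that key needs independent oversight (item 3)."""
    bank, clinic = build_databases(scoped=True)
    store = bank if domain == "bank" else clinic
    return domain_identifier(global_id, domain, ISSUER_KEY) in store


if __name__ == "__main__":
    print("linkable with global identifier:", linkable_count(scoped=False))
    print("linkable with domain identifiers:", linkable_count(scoped=True))
    print("issuer can resolve:", issuer_can_resolve(RESIDENTS[0], "bank"))
```

The protection holds only while the derivation key stays out of the hands of the parties holding the domain databases, which ties this design to the insider-leak concern in item 3.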