DR.

RAM MANOHAR LOHIYA NATIONAL

LAW UNIVERSITY

FINAL DRAFT ; CYBER LAW

A Question of Identity:
What Should Aadhar Be Like?

UNDER THE SUPERVISION OF: SUBMITTED BY:

Dr. Amandeep Singh Nishank Vashistha
Associate Professor (Law) B.A. LL.B. (Hons.)
DR. RMLNLU, LUCKNOW SECTION ‘B’ NO. 93

1
ACKNOWLEDGEMENT

I would hereby extend a bouquet of thanks to my cyber law teacher, Dr. Amandeep Singh
Lecturer in who encouraged me to make a project on such a comprehensive topic. This
was really a tedious job but speaking truth, this truly enlightened my mind and provided
me with great knowledge about the subject.

I would also like to extend my gratitude towards my friends and seniors who supported
me through thick and thin. They are always ready for any kind of help I needed in the
hardest times.
I also wish to acknowledge that this project couldn’t be completed without the help of my
university Library Dr. Madhu Limaye Library and through university’s internet.

Thanking all.

2
 TABLE OF CONTENTS

A QUESTION OF IDENTITY:........................................................................................3

WHAT SHOULD AADHAR BE LIKE?.........................................................................3

ABSTRACT:.......................................................................................................................3

INTRODUCTION.............................................................................................................4

ANALYSIS.........................................................................................................................5

RIGHT TO PRIVACY.......................................................................................................5

CONSEQUENTIAL ORDERS.........................................................................................6

DATA PROTECTION PRINCIPLES..............................................................................7

LESSONS SO FAR............................................................................................................7

Conclusion.........................................................................................................................13

3
 A QUESTION OF IDENTITY:

WHAT SHOULD AADHAR BE LIKE?

ABSTRACT: A national identity scheme has long-term and large-scale implications to

the welfare of the people, efficiency of governance and law enforcement, individuals’
fundamental right to privacy and national security. Motivated by several issues surfaced
by the implementation of Aadhaar, and several privacy and security concerns that have
been pointed out, I develop a (non-exhaustive) list of technical guidelines for national
identity schemes. I observe that the current Aadhaar design significantly deviates from
these guidelines, strongly suggesting that to address the root causes of the issues that
have manifested so far, many parts of the system require major redesign. I also put forth
several policy guidelines, which I believe are crucial to the success of a national identity
scheme in India.

Digital technology is a powerful tool, and India, like any other modern nation, can ill
afford to keep away from exploiting the promises it offers. Yet, one needs to wield this
technology with caution, like a scalpel rather than a sledge hammer, especially when it is
applied at a national scale and affects millions of the poorest and most vulnerable. One
should also bear in mind that any cyber infrastructure that is being developed today will
become targets for cyber warfare in the future. Developing a secure and privacy
preserving national ID scheme presents an unprecedented challenge for which no amount
of expertise will be excessive. In this whitepaper I offer an analysis of some fundamental
principles that such a system should aim for, based in no insignificant way on lessons
drawn from the current Aadhaar experiment and the lively debate that it has resulted in.

4
 INTRODUCTION

At the end of September, the Supreme Court of India, in Justice Puttaswamy (Retd.) and
Anr. v Union of India and Ors.,1 upheld the overall validity of the Aadhaar (Targeted
Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the
"Aadhaar Act").
The Aadhaar Act was held to be constitutional to the extent it allowed for Aadhaar
number-based authentication for establishing the identity of an individual for receipt of a
subsidy, benefit or service given by the Central or State Government funded from the
Consolidated Fund of India.
However, the Supreme Court disallowed the use of individual Aadhaar numbers by any
private entities for establishing the identity of the individual concerned for any purpose
pursuant to a contract, on the basis that it was contrary to the fundamental right to
privacy. The Supreme Court also ruled on a number of laws, circulars and directions,
which required the mandatory linking of Aadhaar for receiving relevant services.
This alert analyses the tests adopted by the Supreme Court, specifically in relation to the
right to privacy of an individual, in arriving at the conclusions mentioned above. Further,
it briefly discusses the orders passed regarding existing requirements for the mandatory
linking of Aadhaar numbers. Finally, the alert analyses the data protection principles
recognized by the Supreme Court in this judgement, in light of the Personal Data
Protection Bill, 2018 (the "Bill").

ANALYSIS

RIGHT TO PRIVACY
The Aadhaar Act entitles resident individuals to obtain an Aadhaar number by submitting
certain biometric information and demographic information as part of the enrolment
process. Subsequently, each time the identity of the individual is required to be verified
by the Government or private entities, the Aadhaar number and biometric information, in
some cases, was requested as part of the individual identification process, for

5
authentication. As part of the authentication process, certain transaction details are
recorded at a central database, arguably creating the framework for a surveillance state.
The Supreme Court was primarily required to assess if the provisions of the Aadhaar Act
Ire contrary to the right to privacy, which has been established as a fundamental right by
the Supreme Court in 2017. In this regard, it is relevant to note that a number of services
provided by both private entities and Government, was contingent on an individual
linking their Aadhaar number for authentication, which indirectly made it mandatory for
most individuals to obtain an Aadhaar number. Therefore, the question was not so much
whether this was an infringement on the right to privacy, but whether it was a reasonable
exception to it.
The Supreme Court held that the right to privacy cannot be impinged without a just, fair
and reasonable law. This required existence of a law, which serves a legitimate state aim
and is proportionate to the objective sought to be achieved. The Supreme Court further
clarified that the proportionality test includes the following four aspects
a. Legitimate goal - The measure restricting the right must have a legitimate goal.
b. Rational connection - It must be a suitable means of furthering the goal.
c. Necessity - There must not be any less but equally effective alternative.
d. Balancing. - The measure must not have a disproportionate impact on the right
holder.
The Supreme Court struck or read down certain portions of the Aadhaar Act, which did
not fulfill the above proportionality test. However, aside from these provisions, the
Supreme Court held that the Aadhaar Act, on the whole, as a law, serves a legitimate state
aim and is proportionate, thereby being a reasonable exception to the right to privacy.
Section 7 of the Aadhaar Act, making the Aadhaar number mandatory for receiving
subsidies, benefits and services from the Government (for which expenditure was drawn
from Consolidated Fund of India) was therefore held to be valid.
However, the most relevant provision which was read down by the Court was Section 57
of the Aadhaar Act. This provision allowed Government entities, body corporates and
individuals to use the Aadhaar number for establishing the identity of an individual for
any purpose, pursuant to any law or contract.

6
Firstly, the Supreme Court held that the phrase 'any purpose' is not proportionate, too
wide and susceptible to misuse. The Supreme Court laid down that the purpose has to be
'backed by law'.
Secondly, the possibility of collecting and using Aadhaar numbers for authentication
pursuant to a contract was disallowed since this may result in individuals being forced to
give their consent in the form of a contract for an unjustified purpose. The Supreme Court
laid down that the contract has to be 'backed by law'.
Thirdly, private entities are not permitted to use Aadhaar numbers for the purpose of
authentication, on the basis of a contract with the concerned individual, since it would
enable commercial exploitation of an individual's biometric and demographic information
by private entities. This effectively prevents companies from using Aadhaar based e-KYC
authentication of an individual's identity, which was primarily the way in which many
companies complied with the relevant know your customer (KYC) requirements.

CONSEQUENTIAL ORDERS
The Supreme Court was also tasked with deciding the validity of certain directions from
different departments of the Government (brought in through laws or otherwise), which
mandated the linking of Aadhaar numbers to benefit from certain services. This was
specifically analyzed in the context of the linking of Aadhaar numbers to Permanent
Account Numbers (PAN) (relevant for income tax filings), bank accounts and mobile
phone numbers. The Supreme Court noted the following.
1. The requirement to mandatorily link Aadhaar numbers to PAN was held to be
valid, since it was based on a law, serving a legitimate state interest and
was proportionate.
2. The requirement to mandatorily link Aadhaar numbers to bank account numbers
was held not to be valid since it did not meet the proportionality test.
3. The requirement to mandatorily link Aadhaar numbers to mobile numbers was
held not to be valid since it did not serve a legitimate state aim and
was disproportionate in its encroachment on individual liberties.

7
DATA PROTECTION PRINCIPLES
The Supreme Court categorically recognized certain data protection principles such as
data minimization (restricting collection of data to data necessary for stated objects or
purpose), purpose limitation (limiting the scope of purpose and using the data only for
such purpose), data retention (retaining the data only for a limited period necessary for
the purpose) and data security as relevant factors in determining whether the provisions
of particular legislation, including the Aadhaar Act, was in conformance with an
individual's right to privacy.
While the Supreme Court discussed various data privacy principles from the United
States and European Union jurisdictions, it did not specify which of those principles
should be adopted in the Indian context. The Supreme Court also recognized and
discussed a number of provisions from the Bill, again without much clarity on which of
those principles should be imported into judicial reasoning.

LESSONS SO FAR
The scale and speed at which Aadhaar enrolments have been implemented, reaching out
to over a billion Indians, is quite impressive. Yet, the current Aadhaar design has attracted
much criticism on various fronts. I briefly examine how it fares with respect to the
expectations above.
With respect to ensuring social inclusion, Aadhaar’s potential is arguably on par with that
of the other identity schemes existing in India. While Aadhaar has enrolled a large
fraction of the population, almost all of these individuals already possessed other identity
documents. On this1 front, the exact nature of the identity scheme is perhaps not as
critical as just reaching out to the people with basic services and establishing a steady
communication channel between the populace and the responsible authorities. But
unfortunately, the way Aadhaar has been deployed on ground, perhaps with a singular
focus on fraud prevention, appears to have led to much social exclusion. This relates to
the next expectation in our list above: While in principle, providing everyone with a
uniform identity document could streamline administrative processes, the move to use

1
As of October 2016, with over 105 crore residents already enrolled, less than 0.1% did not have alternate
identity and residence proofs.

8
Aadhaar-based authentication in the Targeted Public Distribution System (TPDS) and
pension schemes has led to several alarming reports of denied services.

With respect to preventing identity fraud too, the current system has revealed several
cracks. It has been seen to place too much trust on third-party service providers (e.g.,
mobile phone operators and payment banks) and numerous enrolment agencies,
providing them, as Ill as others, with new opportunities to commit identity fraud. Several
mobile applications and online services built on top of the Aadhaar ecosystem have been
revealed to have serious security vulnerabilities.

One2 particularly concerning set of applications involve the use of Aadhaar authentication
as part of authorization. This was illustrated by a case of diversion of Direct Benefit
Transfers to payment bank accounts opened without the knowledge of the users. As
another example, a protocol for3 “e-registration” of property rental agreements in
Maharashtra leaves open the possibility of agreeing on one document with a party while
actually registering a different one, without the party realizing the switch. In fact, given
the ubiquitous use of biometrics in the Aadhaar ecosystem, it is also possible to obtain the
requisite fingerprints in the pretext of carrying out an entirely different transaction.
Another set of vulnerabilities arise from the manner in which Aadhaar has been linked to
various services, leading to a major risk of phishing attacks.

I note that some of the above vulnerabilities can be traced to the confusion among the
multiple roles Aadhaar plays. The current Aadhaar ecosystem is being used for unique
identification (by UIDAI as Ill as by third party service providers), for authentication
(i.e., matching an individual with their ID), for “KYC” (i.e., obtaining and verifying
information associated with an ID), for authorization (i.e., creating a proof that a
transaction was approved by an individual), as a convenient repository for multiple
certificates/documents (called DigiLocker), etc. Further, Aadhaar is used to uniformly
authenticate individuals with a variety of big and small service providers, who may not
all need the same level of authentication of their customers.
2
"Insecure App Making." Karana, September 2017
3
E.g., see "The Airtel-Aadhaar fix." Frontline. January 2018.

9
Finally, Aadhaar has received a lot of criticism on the privacy front. Aadhaar ID, by
design is a perfect instance of personally identifiable information and, when part of
leaked data, it compromises the privacy of the affected individuals in an unprecedented
manner. Unfortunately, it is virtually impossible to guarantee that data leaks will not
occur from any of the various governmental and private services that use Aadhaar IDs,
irrespective of how secure the central database itself is. Another major privacy concern
arises from the hundreds of Authentication User4 Agencies (AUAs) that funnel
authentication requests from several service providers to UIDAI: these loosely regulated
entities can track individual users across multiple service providers who use their
services.

Use of Biometrics: Lessons from Around the World General purpose, centralized
national identity databases, with personal information like photographs or other
biometrics, have been considered in several countries over the years. One of the earliest
proposals for such a database was the Australia Card initiative (proposed in 1986), but it
was never enacted. In the United Kingdom, such a scheme was implemented, but then 5
withdrawn. A similar debate arose recently in Israel, over a national identity scheme
which6 originally mandated collecting biometrics of citizens. Among other protests,
several Israeli cybersecurity and cryptography experts raised security and privacy
concerns. The eventual law7 enacted last year made providing fingerprints optional, while
mandating photographs. Countries8 like Estonia and Belgium have advanced national
identity schemes that do not collect biometrics9.

4
One such leak in April 2017 exposed over a million pensioners’ details (including Aadhaar ID and details
of their pensions). Over 200 such instances involving governmental agencies had been recorded by July
2017
5
"Just Another Piece of Plastic for your Wallet: The 'Australia Card' Scheme." Roger Clarke. June 1987.
6
"Success Story: Dismantling UK’s Biometric ID Database." The Electronic Frontier Federation
7
Three letters (in Hebrew) were written to the Members of the Knesset over a 6 year period, with the last
one gathering signatures from 74 prominent scientists. This report summarizes the contents of the letter in
English.
8
"Israel Adopts Biometric Database Despite Security Concerns." Bloomberg BNA. March 2017.
9
Identification for Development (ID4D) Integration Approach - Study. World Bank (2015)

10
In Portugal’s Citizen Card system biometrics are stored only on each individual’s card,
and biometric matching is carried out “on-card.” Many countries, including most
European Union countries, use electronic-passports that contain fingerprint information
of the passport holder, but do not store this information in a central database (nor use this
information outside of border-control purposes). In these cases, proposals for storing
biometrics in centralized databases10 have always been avoided or have led to strong
resistance.

On the other hand, several other countries in the developing world have nation-level
biometric identity systems being built, many of them with support from The World
Bank’s “ID4D” initiative11.Pakistan and South Africa have built national biometric
databases with scores of millions of fingerprints. Reports indicate that China is building
an extensive multi-modal biometric database of its residents. Also, many governments,
including in the European Union and the United States 12, maintain biometric databases of
non-citizens who enter their territories.

I note that when biometrics are used, sometimes it is used for deduplication (ensuring that
one individual is not given multiple identities) and sometimes for authentication (as a
means to check that the individual presenting an ID is the same as the individual to whom
it was issued). The former use often involves capturing significantly more biometrics than
the latter (e.g., all 10 fingerprints instead of just two). In much of the developed world,
citizens’ biometrics, if at all used, are used for narrowly defined purposes of
authentication in highly controlled settings (e.g., border crossings). It has been observed
that the use of biometrics for social transfers is correlated with a poor democratic record.

The best estimates of biometric matching failures in Indian conditions is provided by the
current Aadhaar system itself. Estimates for the rate of biometric authentication failures
in the field (when users who had already successfully enrolled in the Aadhaar system try
to authenticate themselves using biometrics to third-party service providers) are
10
"Biometric passport." Wikipedia
11
ID4D Annual Report (2017) (pg. 21) lists its engagement with 32 countries. 23 "Pakistan's experience
with identity management." BBC News, June 2012.
12
"China: Voice Biometric Collection Threatens Privacy." Human Rights Watch. October 2017

11
significantly higher than that during the registration process. I note that if there are crores
of authentication requests per day, even an accuracy rate of 99.95% leaves lakhs of
people affected every month.

TECHNICAL DESIGN GUIDELINES

I list a few “principles” that I believe a robust Aadhaar system should adhere to. I do not
yet offer a solution ourselves, but rather collect guidelines against which the current and
future designs can be evaluated. These desiderata are motivated by the lessons above (as
Ill as basic security and privacy considerations). But I caution the readers that this should
only be taken as a preliminary list. Indeed, I am guided by the point of view that a
complex system such as Aadhaar, with multiple human and socioeconomic factors
affecting and affected by it, should be designed with inputs from many experts, over
several iterations of design, (shadow) deployment and analysis, and I do not intend to
contradict that view here. Below, for the sake of familiarity, I shall write UIDAI to denote
the authority in charge of implementing the identity scheme. (But as mentioned above,
there could be several such authorities who interact with each other.)
 Separation of well-specified functions: If the Aadhaar ecosystem is used for
different functions (like identification, authentication and authorization), each
function should be formally Ill-specified, including its goals and operating
assumptions. Users should have fine-grained control over (and knowledge of) the
functions invoked at any point.

 Minimal dependence on biometrics: If biometrics are used, it should only be used

by UIDAI for “deduplication.” Third-party service providers should not require
users to provide biometrics to devices at their premises (and instead rely on other
more reliable and resettable mechanisms like OTP, Chip and PIN, etc. for
authentication).

 Minimal need for interaction with remote servers: Centralized servers present
several problems: they are prime targets for cyber attacks, network connectivity
failure is bound to occur at a non-negligible rate, and the intermediaries betIen

12
 service providers and such servers create privacy, security and regulatory
concerns. Hence, most of the functionality should be reliably available to users
and service providers without the need to contact a remote server in real-time.

 Minimal collection/storage of information: To reduce the value of UIDAI servers

as a target for cybercrime, the amount of personal data collected or stored should
be minimized. As much as possible, each user’s data will be stored by that user
(e.g., on a smart card) and should not be present in a server. When data is stored
remotely (e.g., for the purposes of deduplication), cryptographic methods should
be used to protect it.

 A strong adversary model and graceful degradation: It must be assumed that

several users and several service providers who use the Aadhaar services
(including government agencies) are “adversarial” (due to malicious intent,
human errors or software glitches).

 Their devices or smart cards could be compromised and they could arbitrarily
collude with each other, and this should not affect anyone else’s security. UIDAI’s
own service centres should be considered vulnerable, and their compromise
should have only limited and revocable impact on the overall system. Equipment
manufacturers and software providers should also be considered as untrusted, and
protected against (e.g. using designs which combine multiple components from
multiple providers, in a fault tolerant manner).

 Responsible tracking: It should be infeasible to track any individual’s Aadhaar

transactions just based on the information collected by UIDAI, or that collected
by a set of service providers. Yet, technically, there can be provisions (protected
by a strong legal framework to prevent abuse) for tracking individuals when there
is due cause, with the active participation of multiple stakeholders and watchdogs.

13
  Be the mechanism of choice for the privacy conscious: I seek to turn Aadhaar
into a platform that will provide strong privacy guarantees, better than what is on
offer without Aadhaar. In particular, by using Aadhaar, individuals can avoid
providing personal information (authenticated or otherwise) to service providers
beyond what is absolutely needed for providing the service.

CONCLUSION
Digitized national identity schemes offer many benefits, if designed safely and securely.
The current Aadhaar implementation effort, despite several problematic design choices,
has set us on a path towards such a scheme. But it is important to bear in mind that
Aadhaar is not a panacea to all the ills of the society. While it may help in fighting large
scale identity fraud and related crimes, it may not by itself offer a solution against
exploitation of the poor and vulnerable. Indeed, though preventing pilferage in the
Targeted Public Distribution System (TPDS) and government subsidies has been seen as
a driving application for Aadhaar, there is much evidence that such a technological
solution does not prevent corruption, but only changes the form in which corruption
manifests. Instead, Aadhaar should be seen as providing an auditing mechanism that can
empower individuals and communities against exploitation. This point of view has an
important implication to the design choices I make: An auditing mechanism should not
disrupt the primary functionality of the services it protects. Hence it becomes incumbent
upon the designers of the system to make it as non-intrusive as possible. One may ask if it
is too late to reengineer a system that has over a billion people already enrolled.
Thankfully, the answer is no.

A new system, as I envisage, can leverage much of the investment that has already gone
into the current system. But much thought, consultation, additional expenses (e.g., for
issuing smart cards) and a few more years will be needed to design and deploy a robust
system that can withstand the myriad challenges faced in screating a modern identity
scheme for the largest democracy in the world.

14