Privacy continues to remain a contested subject matter. I don’t mean contests over the bounds of privacy (particularly in the digital milieu), but a contest that is rather specific to IP: does privacy really count as a species of IP? IP lawyers (and I count myself as part of this blessed breed) are a covetous lot: seeking to constantly expand our kitty of IP kinds. In fact, so influential is our lot in India that unlike the rest of the world, where the right to publicity (or personality rights) developed from the right of privacy, we had more jurisprudence around the right of publicity (Daler’s dolls, Rajnikant’s mannerisms and what not!), before we even began to take the right to privacy seriously.
But for those that continue to worry about the tenuous link between privacy and IP, remember this is the land of Yoga…we’re meant to stretch! Therefore, please permit me the luxury of presenting a privacy perspective to you on this IP blog. A perspective around Aadhaar: that behemoth of a project that resulted in “privacy” finally taking centre stage in India. And the Supreme Court ruling in no uncertain terms that there is a fundamental right to privacy under Article 21 of the Constitution of India. A ruling that was triggered in no small part by the then Attorney General’s assertion that the government effectively owns our body!
The Aadhaar Act itself came under a separate constitutionality challenge, with the second longest set of hearings ever in Supreme Court history (the first prize going to the landmark Keshavananda Bharathi case that laid down the Basic Structure doctrine). A decision is expected anytime now.
In the meantime, as part of our P-PIL Project at IDIA, I filed a writ petition before the Delhi High Court taking the Aadhaar “Authority” (UIDAI) to task for various privacy breaches and claiming compensation. Not under the Aadhaar Act, which is a bit self serving, but under various common law (tort) theories. Given the poverty of tort jurpsrdence in india (I’ve always wondered why…after all, our judges love crafting their own norms, and tort law provides one of the best avenues for judicial creativity), I hope our judges will bite. Or at the very least appoint a neutral committee to investigate the various Aadhaar breaches. Particularly so, since the Aadhaar authority (UIDAI) has not come clean, but is not more interested in media spins, constantly claming that there has been no breach. And that the Aadhar database is safe and secure behind a 5 foot thick wall.
For those interested, Livelaw, Medianama and Bar & Bench covered this writ petition here, here and here. These articles also link to the petition as filed (where in order to break the monotony of legal lingo, I begin with a poem: an “Ode to Aadhaar”).
I’ve also summarised some of the issues in a piece for the Wire which I reproduce below. Grateful for comments, critiques and suggestions.
Twisting the Truth Around Aadhaar in the Land of Luddites
Joseph Goebbels, the famed guru of Nazi propaganda, is supposed to have once said: “If you repeat a lie often enough, it becomes the truth.”
Goebbels appears to have found a devoted disciple in the UIDAI (Unique Identification Authority of India) and its head honcho, Ajay Bhushan Pandey, who’ve been relentlessly arguing that Aadhaar is one of the most secure systems ever. And that there’ve been no data breaches till date.
Nothing could be further from the truth. Even since its inception, the Aadhaar ecosystem has been characterised by some of the most egregious breaches ever. An undercover investigation by The Tribune demonstrated how Aadhaar details of more than a billion Indians could be accessed for a paltry sum of Rs 500! All thanks to the carelessly cultured regime of Aadhaar enrollment agencies (comprising village-level operators and the like) who were offered wanton access to the database by the “authority”.
A later breach involving an entrepreneurial engineer, Abhinav Srivastava, demonstrated how unauthorised private parties (such as Srivastava) could conduct Aadhaar authentications on their own. All thanks to the sheer callousness of government agencies such as National Informatics Centre (NIC) in opening up their applications (in this case, “e-hospitals”) to surreptitious spoofing. Till date, there has been no known action taken against NIC.
More recently, two cybersecurity experts, Srinivas Kodali and Karan Saini found that a government website effectively permitted unauthorised third parties to access Aadhaar style authentication services. There are countless other horror stories doing the rounds.
And yet, the authority and its creative chairman continually claim that there has been no “breach”. They even go to the extent of branding those that complain against Aadhaar as tech “luddites”.
So consistent has been their stand that that they repeated the same claim in the Supreme Court… on oath! Funnily enough, they even contended that a five-feet thick wall would ensure the perpetual security of Aadhaar data. One wonders who the Luddites really are.
The claims of UIDAI are nothing more than a deliberate attempt to obfuscate and mislead. Worryingly, they also demonstrate an irksome ignorance of basic privacy tenets; not to mention the express provisions of the Aadhaar Act, under whose benevolent umbrella, the chairman and others at UIDAI draw their authority.
Section 28 of the Aadhaar Act makes clear that the UIDAI has to ensure the security and confidentiality of all “identity information” held by it, either directly or through its various partners/affiliates. In fact, so strict is the obligation that the authority has to even protect against the “accidental destruction or loss” of data.
Importantly, protectable data under the Act has been defined to include not only “biometric” data, but also an individual’s Aadhaar number and demographic information (address, telephone number etc).
The Tribune breach more than amply demonstrated that all of the above was compromised: for a paltry Rs 500, one could enter any Aadhaar number and get access to the corresponding demographic information and even biometric data (defined under the Act to include a “photograph”).
I have recounted all of this meticulously in a writ petition filed before the Delhi court, where I’ve sought to make the government accountable for these various breaches; and claimed damages from them for violating my right to privacy.
A right that has now been affirmed by a nine-judge bench of the Supreme Court of India in the Puttuswamy case to merit the highest level of protection under the law of our land; namely as a “fundamental” constitutional right.
Unfortunately however, the Aadhaar Act engenders a classic conflict of interest-type situation, in that it relies on the “authority” to take action against itself! As John Perry Barlow, the founding father of internet freedom, famously said: “Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.”
Fortunately, however, not all is lost. The Information Technology (IT) Act as well as common law doctrines enable the common man to directly sue the authority and its various affiliates and hold them accountable for privacy lapses. Unfortunately, while the remedy under section 43 of the IT Act for a privacy breach is constitutionally suspect, in that it permits a government-appointed person to unilaterally adjudicate upon what is essentially a legal dispute, the various common law doctrines to protect privacy (deriving from an area of law called tort law) are more robust.
I have highlighted all of this in the writ petition mentioned earlier and requested the court to appoint an expert committee that would investigate these various breaches and the level of compliance with reasonable security/privacy policies by the Aadhaar authority. Given the obfuscatory claims around the breaches, such a neutral investigative report would go a long way in helping us understand the true extent of the breaches and the damage(s) caused to privacy interests.
Interestingly, in The Indian Express piece referred to earlier, the pugilistic Pandey attempts to draw a disingenuous distinction between “secrecy” and “privacy”; claiming that Aadhaar numbers are not “secret” and, therefore, need not be protected.
He is wrong on the law, and wrong on the underlying concept. While privacy and secrecy are no doubt inter-related, the right to privacy does not depend on something being an absolute “secret”. Rather, privacy is about the level of control that one has over information pertaining to oneself. I decide how much information I want to give out and to whom. Merely because I dole out my Aadhaar number to a couple of service providers does not mean that other service providers are entitled to access this number without my permission.
The same with my telephone number, email ID and so on. Privacy ultimately is about self-determination and my ability to control my public persona. Even otherwise, the terms of the Aadhaar Act and the IT Act make amply clear that one’s Aadhaar number operates as a “password” and is to be protected as such.
It bears noting that the “Aadhaar” project was never designed with privacy in mind. Much like a number of other programmes in India, it began with one set of objectives, namely to eliminate identity fraud whilst providing for government benefits. This quickly morphed into another set of objectives once its potential for private gain was realised. Indeed, at the heart of the Aadhaar debate today is not just government control over data subjects. But the ability of private corporations to exploit our data (the new “oil”) for their own commercial gain.
Section 57 of the Aadhaar Act enables such private enterprises to ride on the backbone of Aadhaar authentication architecture. Little wonder then that an entire ecosystem of private enterprises have developed around Aadhaar. One such enterprise is iSPIRT, that has the blessings of Nandan Nilekani, the technocratic mastermind behind Aadhaar.
In a now deleted tweet, a colleague of Nilekani’s recounted a dinner conversation where he allegedly quipped that the best way to roll out new projects in India is to “Make it too big to reverse”.
The Aadhaar enterprise is no doubt a “big” one today. But bigger things have been reversed by our courts in the past.
Indeed, the “bigness” of an enterprise should be no consideration for courts that adjudicate on critical issues of civil liberties. Liberties that foster our autonomy and help us blossom to our fullest potential. For in the end, these are what define us as humans and distinguish us from machines, artificially intelligent or otherwise.”