Indian Supreme Court rules on Aadhaar: Delayed scrutiny

This article first appeared on October 1st, 2018 in the Times of India print edition.

The Aadhaar judgment holds important lessons (and warnings) for how courts and the polity should respond to the technological vision of the state. The task before the Supreme Court was to evaluate the constitutionality of a specific choice and design of technology made by the government. Note that this choice, of a single biometric identifier for each resident linked to a centralised database, was made almost a decade ago. And decisions about this project have largely evolved within the closed quarters of the executive, including the one to roll it out, and the subsequent call to link Aadhaar to essential services. All this was done without any statutory backing, until its hurried passage as a money bill in 2016.

As one reads through the decision of the three judges that formed the majority opinion, it becomes clear that there are limits to this delayed judicial scrutiny of a technology-driven project that has already reached scale (over 99% of the population is already enrolled). While the judgment does well to impose limits on its scope, it disappoints in its reluctance to engage with its underlying technical and evidentiary claims, and the application of weak legal standards.

Take the issue framed by the majority opinion as “whether the Aadhaar project has the tendency to create a surveillance state.” The judges offer a very cursory analysis of security safeguards already in place, accepting UIDAI’s claim that the database is “sufficiently secure” and “strongly regulated”. The contrary evidence put forth by the petitioners is largely ignored, including the fact that 49,000 Aadhaar enrolment agencies have been blacklisted for fraud by UIDAI itself.

They do not engage with multiple news reports of recent security breaches, reasoning that this evidence came after the hearings concluded, but noting that these too have been “emphatically denied by the UIDAI.” They conclude that the project cannot be shelved “only (based) on apprehensions.” So while concerns of unrealised (or imperceptible) state surveillance are treated as anxieties that must be soothed, UIDAI is rewarded with the benefit of doubt to not overstep the limits it has set for itself.

On the other hand Justice Chandrachud, who dissents from the majority, pulls us out of this false fait accompli and finds the project to be wholly unconstitutional. He reframes the question in terms of power and asks how the technological architecture of Aadhaar, specifically its use of biometric data and the ability to link distinct databases, could alter the power relationship between citizen and the state. Not only does he differ in his factual analysis of the surveillance capability of Aadhaar as it appears today, he also takes seriously possible future risks to individual liberty.

The court separately considers the issue of whether the Aadhaar project violates the fundamental right to privacy. While the judges all accept that Aadhaar enabled some degree of state intrusion into the privacy of individuals, they differ on whether such intrusion could pass the test of proportionality. Asserted most recently in the case of Puttaswamy vs Union of India, this test is by no means straightforward. In an analysis that eventually rests on weak factual and legal foundations the majority judgment in the Aadhaar case only adds further ambiguity.

On facts, they find that Aadhaar collects “minimal data”, simply because information like names and photos are already routinely collected by a variety of services. This misunderstands a fundamental precept of data privacy. There is risk associated with collecting sensitive information like biometrics in the first place. However, there is potential for even greater harm when an individual’s personal data is linked with other datasets and used across contexts. Given this finding of “minimal data” use, they conclude that individuals have no “reasonable expectation of privacy” in such data, and therefore the intrusion is proportionate. It is worth noting that in the Puttaswamy judgment, Justice Nariman categorically rejected this legal standard, reasoning that our right to privacy cannot be reduced only to the subjective notion of what an individual may “reasonably expect”, and instead, that the law must in fact set out how our privacy should be protected.

The infirmities of the majority’s judgment aside, it seems there is a broader issue with courts being forced to constantly catch-up with technological choices, resigned to scrutinise them in hindsight and to lessen the blow with safeguards. With Aadhaar, this need not have been the case. The rollout of this project should have been preceded by rigorous evidence, independent evaluation of technical and security claims, and scrutiny by the public and Parliament. The ability to highlight errors in software design or in implementation depends on the degree to which systems are open to external audit. A project that has affected every resident of this country and has largely grown through coercion (and for the poor, more harshly than others), should have been open and accountable by design.

Aadhaar might be the largest example of a technology-driven decision system in India, and the first to be legally adjudicated, but both globally and in India such systems are increasingly finding their way into various spheres of government, including criminal justice, healthcare and employment. We must be prepared to ask difficult questions of both the technical claims and the political and economic motivations that drive such proposals.

This article first appeared on October 1st, 2018 in the Times of India print edition. Available here.