March 18 , 2013, Kamayani Bali Mahabal, Mumbai
The Bombay High Court today directed the Unique Identification Authority of India and Central government to decide within three months on a representation questioning the lack of safeguards in the Aadhaar card and UID . The Court was hearing a Public Interest Litigation filed by Vickram Krishna, Kamayani Bali Mahabal, Yogesh Pawar, Dr Nagarjuna G, and Prof. R. Ramkumar ( TISS).
The Standing Committee has found the project to be “full of uncertainty in technology as the complex scheme is built upon untested, unreliable technology and several assumptions”. This is a serious concern given that the project is about fixing identity through the use of technology, especially biometrics. As early as December 2009, the Biometrics Standards Committee set up by the UIDAI had reported adversely on the error rate. Since then, neither the Proof of Concept studies nor any assessment studies done by the UIDAI have been able to affirm the possibility of maintaining accuracy as the database expands to accommodate 1.2 billion people. The estimated failure of biometrics is expected to be as high as 15 per cent.
Advocate for the peititoners, Mihir Desai, told the court, that there were severe concerns on the issue of safety systems, privacy and security of the People. A data base of this scale of 1.2 billion people’s finger prints and iris scans has never been created. Thus the entire proposition for a population base such as India is completely untested and unproven. The ID system inUK ID Cards’ non-duplication was entirely scrapped. It is estimated that approximately five per cent of any population has unreadable fingerprints, either due to scars or aging or illegible prints. In the Indian environment, experience has shown that the failure to enrol is as high as 15 per cent due to the prevalence of a huge population dependent on manual labour.
One of the biggest illegalities being committed under the Aaadhaar scheme is by making it mandatory through coercive conditions. UID has always, repeatedly stated that Aadhaar is a voluntary scheme. Thus, enrolment for Aadhaar is a voluntary act. The NIAI draft Bill, which seeks to legitimatize the functioning of the first Respondent, is so worded to establish that Aadhaar is optional and not compulsory. However, in its premature implementation, in practice the scheme is gradually being made non-voluntary and mandatory. This is made worse by adoption of coercive pre-conditions by different government departments.
The Hon’ble Supreme Court of India has repeatedly upheld the right to privacy within the right to life in Article 21, and any restriction must be justified through a rational and reasonable statutory procedure. UIDAI, as it presently stands is prima facie unconstitutional for contravening the right to privacy without providing any safeguards, procedures and guidelines
Adv Mihir Desai argued that The UID was promoted as a `voluntary’ `entitlement’. Now, people are being threatened that they cannot access any services or institutions unless they are enrolled for a UID. The petition submitted stated that the enrollment for Aadhaar is working on an extremely fast pace that it has become impossible to avoid attempts at enrolment. The Petitioners submit that such mandatory, non-voluntary and coercive enrolment for Aadhaar is an affront to their to personal integrity, right to make decisions about themselves and the right to dignity all enshrined and developed as indivisible elements of the Right to Life under Article 21 of the Constitution.
Download PIL ORDER
Read thE full petition below
IN THE HIGH COURT OF JUDICATURE AT BOMBAY
ORDINARY ORIGINAL CIVIL JURISDICTION
PUBLIC INTEREST LITIGATION NO. OF 2011
In the matter of the public interest of protecting the rights of privacy, autonomy, dignity and free and full enjoyment of life of the citizens of India, guaranteed under Articles 19 and 21 of the Indian Constitution;
In the matter of non-voluntary and premature implementation of “Aadhaar” in strict breach of Article 21 of the Indian Constitution
In the matter of excessive delegation of essential function without any guidelines, rules or police framework in Notification Dated 29th January 2009 creating the UIDAI
In the matter of potential breaches of the right to privacy of citizens of India, through the
means of data collection, storage and sharing by the UIDAI, without any legitimate and rational nexus of improving the public welfare system
In the matter of standing committee of the Parliament Report report dated 13th December 2010 rejecting the proposed National Identification Authority of India Bill, 2010
- Vickram Krishna, Kamayani Bali Mahabal, Yogesh Pawar, Dr Nagarjuna G, and Prof. R. Ramkumar, …Petitioners
- UNIQUE IDENTIFICATION AUTHORITY OF INDIA,
Government of India,
3rd Floor, Tower II,
Jeevan Bharati Building,
New Delhi 110001
- Mr. A. B. Pandey.
Deputy Director General, UIDAI,
Mumbai Regional Office,
5th & 7th Floor, MTNL Building,
BD Somani Marg, Cuffe Parade,
Mumbai 400 005
2. The Chairperson, Planning Commission of India,
Yojana Bhavan, Sansad Marg,
- National Informatics Centre
Department of Information Technology,
Ministry of Communications and Information Technology,
A-Block, CGO Complex,
Lodhi Road, New Delhi – 110 003 India
- Union of India
Through the Ministry of Finance
- Union of India
Through the Ministry of Home Affairs
New Delhi. … RESPONDENTS
THE HON’BLE CHIEF JUSTICE
AND THE OTHER HONOURABLE PUISNE
JUDGES OF THIS HON’BLE COURT
THE HUMBLE PETITION
OF THE PETITIONER ABOVENAMED
MOST RESPECTFULLY SHOWETH:
PUBLIC INTEREST LITIGATION PETITION
- Particulars of the cause/ order against which the Petition is made: The Petitioners are filing this public interest litigation to challenge the Notification dated 29th January 2009that created the Unique Identity Authority of India (U.I.D.A.I.), an agency established under the aegis of the Planning Commission to issue Unique Identity Numbers (UID) to every Indian citizen.
- The Petitioner submits that UIDAI was created through an executive fiat to enable the process of issuing UID cards across India, without any rules, procedures, or guidelines. Its further extension, universalisation and implementation across the nation remains must contingent upon both an initial success together alongwith legislative passage of the proposed National Identification Authority of India Bill, 2010 (hereinafter referred to as the NIDAI Bill). The Petitioners submit that in further developments by a report dated 13th December 2011, the Standing Committee of the Parliament has rejected the present draft of the NIDAI as not meeting the required constitutional standards.
- However, in complete disregard to both, UID numbers without any safeguards against the tremendous breach of privacy entrenched in the scheme as it presently stands are being issued across the country without any legislative framework. Aside from this an ostensively optional and a premature scheme is being converted into a mandatory requirement with the aid of different government agencies and state governments.
- PARTICULARS OF THE PETITIONERS
- Petitioner No. 1 is an engineer and manager by training. He is engaged with an ongoing project to understand issues around awareness of personal privacy rights across Asia. In the course of earlier globally recognised projects to develop specialised software for the profoundly disabled and communication solutions for poverty-stricken rural and urban dwellers, he has together with colleagues observed empirically that privacy concerns are palpable across different strata of society. The Petitioner submits that the present move to tag every Indian resident with unique numbers, a massive project of unknown scope and questionable possibility of success, is made increasingly dangerous as it may lead to access to personal information by third parties.
- Petitioner No. 2 is a human rights activist with background in clinical psychology, journalism and law. She is an expert on gender, health and human rights and part ofvarious networks and campaigns related to these issues. She has been active in ‘Say No to UID” campaign which has disseminated much needed information about the UID in various forums including colleges, slums and NGOs in order to generate a much wider public discussion on the subject.
- Petitioner No. 3 is a social work graduate from Tata Institute of Social Sciences. He has been a counsellor for two years and then crossed over into Journalism. For the past 15 years he has been a journalist with The Indian Express, rediff.com, NDTV and DNA. His forte has been reporting on issues of development and public interest.Since the launch of UID the Petitioner has been reporting on the issue through both news reports and columns against it and the regime it unleashes.
- Petitioner No. 4 is a social activist. She is a double post-graduate in English Literature and Sociology. She has also has a diploma in journalism. As a social worker the Petitioner has worked on issues of civic governance and ensuring that targets on sanitation, and access to basis services are met. Through her journalism work the Petitioner has also successfully exposed some of the misuse and pitfalls of the UID scheme.
- Respondent No. 1 is the impugned UIDAI authority which functions under an executive authority, through the impugned executive notification dated 28th January 2009. Respondent No. 2 is the regional UIDAI authority for the Mumbai Region, responsible for registering and enrollment for the UID scheme through the help of government agencies and private parties. Respondent No. 3 is the Planning Commission of India which has played a crucial role in conceiving the UID scheme and its current planning and implementation.
- Respondents Nos. 4– 6 are different agencies and ministries that have independently expressed concerns about duplication, lack of safeguards, excessive expenditure with the present UID scheme before the Standing Committee of the Parliament. Quoting from the report of the Standing Committee:
“The Committee regret to observe that despite the presence of serious difference of opinion within the Government on the UID scheme as illustrated below, the scheme continues to be implemented in an
- The Ministry of Finance (Department of Expenditure) have expressed concern that lack of coordination is leading to duplication of efforts and expenditure among at least six agencies collecting information (NPR, MGNREGS, BPL census, UIDAI, RSBY and Bank Smart Cards);
- The Ministry of Home Affairs are stated to have raised serious security concern over the efficacy of introducer system, involvement of private agencies in a large scale in the scheme which may become a threat to national security; uncertainties in the UIDAI‟s revenue model;
- The National Informatics Centre (NIC) have pointed out that the issues relating to privacy and security of UID data could be better handled by storing in a Government data centre;
- The Ministry of Planning have expressed reservation over the merits and functioning of the UIDAI; and the necessity of collection of iris image;
- Involvement of several nodal appraising agencies which may work at cross-purpose; and
- Several Government agencies are collecting biometric(s) information in the name of different schemes.”
All the Respondents are amenable to the Writ Jurisdiction of this Hon’ble Court.
- DECLARATION AND UNDERTAKING OF PETITIONERS
- That the present Petition is being filed in public interest. Petitioners No.1, 2 and 3 do not have any personal interest in the matter. Petitioners No. 4 to 7 have personal interest which is disclosed in para 9 above.
- That the entire litigation costs, including the Advocates fees and other charges are being borne by the Petitioners.
- That a thorough search has been conducted in the matter raised through the Petition and all the material concerning the same has been annexed to this Petition.
- That to the best of the Petitioners knowledge and research the issue raised was not dealt with or decided and a similar or identical petition was not filed earlier by the Petitioners.
- That the Petitioners have understood that in the course of hearing of this Petition the Court may require any security to be furnished towards costs or any other charges and the Petitioners shall have to comply with such requirements.
- In the absence of parliamentary approval, and in the light of the scathing review of the performance of the UIDAI by the Parliamentary Standing Committee on Finance, citizens are left with no alternative but to approach the Hon’ble Court to place an embargo on Aaadhaar, until it undergoes full Parliamentary scrutiny to evaluate its effectiveness and Constitutionality.
- The Petitioners submit that through this PIL they represent a much wider discontent with the UID scheme that has been expressed in numerous foras. A recent letter by prominent writers, lawyers, historians, and judges has argued strongly for constitutional safe guards in UID. To reproduce the content of the letter below:
“A project that proposes to give every resident a “unique identity number” is a matter of great concern for those working on issues of food security, NREGA, migration, technology, decentralisation, constitutionalism, civil liberties and human rights. The process of setting up the Unique Identification Authority of India (UIDAI) has resulted in very little, if any, discussion about this project and its effects and fallout. It is intended to collect demographic data about all residents in the country.
Before it goes any further, we consider it imperative that the following be done:
(i) Do a feasibility study: There are claims made in relation to the project, about what it can do for the PDS and NREGA, for instance, which does not reflect any understanding of the situation on the ground. The project documents do not say what other effects the project may have, including its potential to be intrusive and violative of privacy, who may handle the data.
(ii) Do a cost-benefit analysis: It is reported that the UIDAI estimates the project will cost Rs. 45,000 Crores to the exchequer in the next four years. This does not seem to include the costs that will be incurred by the registrars, enrollers, the internal systems costs that the PDs system will have to budget if it is to be able to use the UID, the estimated cost to the end user and to the number holder.
(iii) In a system such as this, a mere statement that the UIDAI will deal with the security of the data is obviously insufficient. How does the UIDAI propose to deal with data theft?
(iv) The involvement of firms such as Ernst & Young and Accenture PLC raises further questions about who will have access to the data, and what that means to the people of India. The questions have been raised which have not been addressed so far, including those about:
- Privacy: It is only now that the Department of Personnel and Training is said to be working on a draft of a privacy law, but nothing is out for discussion,
- Surveillance: This technology, and the existence of the UID number, and its working, could result in increasing the potential for surveillance,
- Tracking, and
- Convergence, by which those with access to state power, as well as companies, could collate information about each individual with the help of the UID number. National IDs have been abandoned in the US, Australia and the UK. The reasons have predominantly been costs and privacy.
If it is too expensive for the US with a population of 308 million, and the UK with 61 million people, and Australia with 21 million people, it is being asked why India thinks it can prioritise its spending in this direction. In the UK the home secretary explained that they were abandoning the
project because it would otherwise be “intrusive bullying” by the State, and that the government intended to be the “servant” of the people, and not their“master”. Is there a lesson in it for us?
This is a project that could change the status of the people in this country, with effects on our security and constitutional rights. So a consideration of all aspects of the project should be undertaken with this in mind.
We, therefore, ask that the project be halted; a feasibility study be done covering all aspects of this issue; experts be tasked with studying its constitutionality; the law on privacy be urgently worked on (this will affect matters way beyond the UID project); a cost-benefit analysis be done; a public, informed debate be conducted before any such major change be brought in.
Justice V R Krishna Iyer,
K G Kannabiran,
S R Sankaran,
Justice A P Shah,
Till date there is no response from the Respondents to numerous such representations. Copy of the aforesaid letter is annexed hereto and marked as Exhibit A.
- The rejection of the UID Scheme as represented through the NIDAI Bill by the Standing Committee of the Parliament, calls for an immediate cessation of the executive scheme of UID.
- Aadhaar/UID scheme needs to be quashed for breach of Articles 14, 15, 19 and 21 of the Indian Constitution.
- The Aaadhaar numbers scheme as it stands is unconstitutional as it vests in the State immense power to monitor the activities of Indian residents and violate their fundamental right to privacy.
- There is no rational nexus between the collation and convergence of personal data of every citizen and the stated objective of UID, which is primarily to improve the distribution of welfare services.
- Given that biometrics cannot succeed in creating a unique identification, the objective of non-duplication cannot rationally be achieved by invasive means of collecting personal information, which is a grave beach of the right to privacy. Any subsequent tampering of the biometric information contained in the proposed database of personal information will result in unprecedented damage to the right to life and liberty of the affected person or persons.
- The technology adopted by UIDAI for the capture of biometric information ie digital fingerprint recording, is known to be insufficiently accurate to function as an identifier. An additional biometric identifier, iris scanning, has been found to be too expensive to be universally deployed. Thus the use of biometric identification to uniquely authenticate and verify the identities persons residing in India, upwards of 130 crore persons at the time of filing this petition, is unsuitable, leaving UIDAI’s proposed solution to the problem of issuing persons in India unique identity numbers infructuous and necessitating cessation of this risky, invasive and expensive project.
- Collection of data by outsourcing enrolment for Aadhaar has huge implications on privacy
- Convergence and collation of personal information in a digital form and unrestricted access to such information by the National Intelligence Grid, without any legislated and constitutional safe guards is a grave breach of the right to privacy enshrined in Article 21 of the Constitution.
- Should the Courts not intervene to put an embargo on Aadhaar, until it undergoes parliamentary scrutiny to evaluate its effectiveness and constitutionality?
- The non-mandatory nature of implementation of Aadhaar, through excessive delegation of powers to sub-registrars under the scheme has both gone beyond the voluntary nature of the scheme, and created greater potential for leakage and misuse of sensitive personal information; without any legislative safeguards.
- FACTS IN BRIEF CONSTITUTING THE CASE.
- The Unique Identity Project (the “UID”), a brainchild of the Planning Commission, was announced with the ambitious agenda of collecting and documenting biometric and other information of the entire Indian population. To this end, the Planning Commission also set up an independent authority, through an executive order of the Central Government, with the mandate of implementing the UID. UID aims at becoming the primary basis for efficient delivery of welfare schemes by converting itself into a statutory corporate body which would go by the name of the National Identification Authority (the “Authority”).
- Unique Identity Number is in addition to other identities and is issued to all the citizens from time to time like PAN Card, Passport, Ration Card, Driving License, BPL Cards, NREGA Card and similar cards issued by both State and Central Government. However, unlike these identities issued by the government to various citizens of India, the UID number is issued to every resident in India. It is stated that the said identity number is an option that a resident can choose to take as it would be easy to authenticate a person’s identity anywhere and thus is portable. The identity will be stored in a central database with individuals biometric and demographic data linked to a randomly generated unique number. The identity would be authenticated by querying the database. Thus, it may be seen that even a person possessing the UID or AAADHAAR card cannot authenticate his or her identity, but only those in charge of the UID database have the means and authority to authenticat the person’s identity. The 12 digit number would be assigned as UID to every resident would be integrated with biometric and demographic data of the person. Demographic data here means the details of the person that is his name, name of the father (only in case of a child below the age of five years), age, residential address, telephone number, email address, details of bank accounts.Biometric data is collection of digitized images of all the fingerprints and scanning of irises and image of the face. A copy of the application form is annexed hereto and marked as Exhibit B. Copy of the UID Strategy Overview dated April 2010 issued by Respondent No. 1 is annexed hereto and marked as Exhibit C. Copy of a detailedalternative note that critically explains the functioning of the UID titled “UID for Dummies” authored by Simi Chacko and Pratiksha Khanduri dated 12th September 2011, is attached hereto and marked as Exhibit C-1.
- The Petitioners submit that the twin proposals to create both a National Population Register by an amendment to the Citizenship Rules and UID, were brought into the purview of an empowered group of Ministers (EGoM) constituted on 4th December 2006. The recommendations of the EGoM for kickstarting the UID project are annexed hereto and marked as Exhibit D.
- Initially the UIDAI may be notified as an executive authority and investing it with statutory authority could be taken up for consideration later at an appropriate time.
- UIDAI may limit its activities to creation of the initial database from the electoral roll/EPIC data. UIDAI may however additionally issue instructions to agencies that undertake creation of databases to ensure standardization of data elements.
- UIDAI will take its own decision as to how to build the database.
- UIDAI would be anchored in the Planning Commission for five years after which a view would be taken as to where the UIDAI would be located within Government.
- Constitution of the UIDAI with a core team of 10 personnel at the central level and directed the Planning Commission to separately place a detailed proposal with the complete structure, rest of staff and organizational structure of UIDAI before the Cabinet Secretary for his consideration prior to seeking approval under normal procedure through the DoE/CCEA.
- Approval to the constitution of the State UIDAI Authorities simultaneously with the Central UIDAI with a core team of 3 personnel.
- December 2009 was given as the target date for UIDAI to be made available for usage by an initial set of authorized users.
- Prior to seeking approval for the complete organizational structure and full component of staff through DoE and CCEA as per existing procedure, the Cabinet Secretary should convene a meeting to finalize the detailed organizational structure, staff and other requirements.
Copy of the recommendations dated 04 November 2008 is annexed hereto and marked as Exhibit E.
- In pursuance of the recommendations of the Committee of Secretaries and the Empowered group of Ministers’ the Unique Identification Authority of India was constituted and notified by the Planning Commission on 28 January 2009 as an attached office under the aegis of Planning Commission with an initial core team of 115 officials. The role and responsibilities of the UIDAI was laid down in this notification. The UIDAI was given the responsibility to lay down plan and policies to implement UIDAI scheme and own and operate the UIDAI database and be responsible for its updation and maintenance on an ongoing basis. Copy of the Notification dated 28th January 2009 is annexed hereto and marked as Exhibit F. The said impugned Notification outlined the following tasks to be carried out under the UID banner:
- Generate and assign UID to residents
- Define mechanisms and processes for interlinking UID with partner databases on a continuous basis
- Frame policies and administrative procedures related to updation mechanism and maintenance of UID database on an ongoing basis
- Co-ordinate/liaise with implementation partners and user agencies as also define conflict resolution mechanisms
- Define usage and applicability of UID for delivery of various services
- Operate and manage all stages of UID lifecycle
- Adopt phased approach for implementation of UID specially with reference to approved timelines
- Take necessary steps to ensure collation of NPR with UID (as per approved strategy)
- Ensure ways for leveraging field level institutions appropriately such as PRIs in establishing linkages across partner agencies as well as its validation while cross linking with other designated agencies
- Evolve strategy for awareness and communication of UID and its usage
- Identify new partner/user agencies
- The Petitioner submits that subsequent to the notification the Government appointed Shri. Nandan M. Nilekani as Chairman of the Unique Identification Authority of India, in the rank and status of a Cabinet Minister for an initial tenure of five years. Mr. Nilekani has joined the UIDAI as its Chairman on 23 July 2009. Copy of the notification appointing Nandan M. Nilekani as chairman is annexed hereto and marked as Exhibit G.
- The Petitioner submits that although set up through an executive fiat, the UIDAI was always intended to be brought under the purview of a legislative scheme. In the meanwhile, an advisory council presided by the Prime Minister’s was set up on 30 July 2009. The Council is to advise the UIDAI on Programme, methodology and implementation to ensure co-ordination between Ministries/Departments, stakeholders and partners. Further, the activities of the UIDAI were to be supervised and monitored by a Cabinet Committee headed by the Honourable Prime Minister and consists of the Minister of Finance, Minister of Agriculture, Minister of Consumer Affairs, Food and Public Distribution, Minister of Home Affairs, Minister of External Affairs, Minister of Law and Justice, Minister of Communications and Information Technology, Minister of Labour and Employment, Minister of Human Resource Development, Minister of Rural Development and Panchayati Raj, Minister of Housing and Urban Poverty Alleviation and Minister of Tourism. The Deputy Chairman Planning Commission and Chairman UIDAI are special invitees.
- Thus it is clear that in its present form UIDAI is an executive body with no legislative authority intended at this juncture to create the systems for the long term universal implementation of UIDs pursuant to the enactment of a legislative scheme and an appropriate regulatory authority. The Petitioners submit that before the legislative scheme is enacted, the Parliament as a sovereign body, will scrutinize the “suspect” claims made by UID and the effectiveness, feasibility and constitutionality of its objectives. The Petitioners submit that the constitutionality of the UID as an executive scheme without any legislative backing is further suspect pursuant to the rejection of the NIDAI Draft Bill by the Standing Committee of the Parliament, for falling short of meeting minimum constitutional standards.
- The Petitioners submit that the eventual aim of the aaadhaar numbers scheme is to streamline the delivery of services to Indian residents and avoid corruption and misuse of public funds and subsidies. UIDAI claims that the UID will achieve the two following objectives:
- Revolution in public service delivery. By providing a clear proof of identity, Aaadhaar will empower poor and underprivileged residents in accessing services such as the formal banking system and give them the opportunity to easily avail various other services provided by the Government and the private sector. The centralised technology infrastructure of the UIDAI will enable ‘anytime, anywhere, anyhow’ authentication. Existing identity databases in India are fraught with problems of fraud and duplicate or ghost beneficiaries. To prevent these problems from seeping into the Aaadhaar database, the UIDAI plans to enrol residents into its database with proper verification of their demographic and biometric information. This will ensure that the data collected is clean from the beginning of the program. However, much of the poor and under-privileged population lack identity documents and Aaadhaar may be the first form of identification they will have access to.
- Overhaul internal security and assist the investigating agencies.
- To achieve its objective as stated above, UID has set out to undertake its main task that is of Data Collection, without the legislative passage of the NID Bill. The Petitioner submits that the creation of a national identity card or number requires the following activities:
- DATA COLLECTION: Information relating to the individual necessary for identification is collected and stored in a register under the supervision of a governmental authority. This may include different categories of sensitive, personal information about individuals from their health records, to bank transactions, to the number of times they may use public transport every week.
- DATA PROCESSING: The Authority either discloses or verifies the information in the register upon any requests regarding any individual permitted under any law; and
- DATA PROTECTION: The government is duty bound to protect such information.
- DATA DESTRUCTION: The government is duty bound to destroy such sensitive, personal information as is not absolutely needed for the functioning of a scheme of authentication of identity cards or numbers, and has been collected for that purpose, and should not be retained or used for any other purpose without the full informed consent of each and every enrollee.
- The main function of the Authority is to collect relevant personal details together with unique biometric information from the population and use this information as the basis for issuing unique identification numbers to the population. The unique numbers, which are referred to as aaadhaar numbers, are to be used as the basis of authentication of the identity of Indian residents seeking to avail certain services, either from the State or private parties. While authenticating the identity of a user, the proposed Authority only confirms or denies the authenticity of the number and its holder, i.e., by way of a simple ‘Yes’ or ‘No’ answer. The UIDAI has stated that the proposed authority does not propose to disclose, to a third party, any of the personal details it may have collected in order to issue the aaadhaar number. However, the Authority in a central database willstore details of all authentication requests received for a particular aaadhaar number. On analyzing these authentication requests it is possible to track the location and utilization of services by the holder of an aaadhaar number. This can create immense potential for misuse of information, leaking of personal information in the wrong hands. Apart from this, UID, in an open premise has committed itself to sharing all information collected by it with the National Intelligence Grid. Copy of a detailed scientific study by Paul Ohm titled “Broken Promises of Privacy: Responding to the surprising failure of Anonymisation” that illustrates how central identity databases facilitate the reverse audit trail of personal information is attached hereto and marked as Exhibit H.
- The UIDAI has conducted a so-called ‘proof of concept’ study that determined the expected rate of failure of biometric measurement as an identification method. The report is attached hereto and marked Exhibit I. An analysis of the reported figures reveals that the conclusions drawn in this report are insufficiently precise, and in fact, the incidence of so-called ‘false positives’ (persons incorrectly identified by the measuring system) will be impossibly high. A copy of this analysis by David Moss, a British engineer responsible for similar studies that showed the impossibility of the now-cancelled (at a loss of substantially over stg 800 million, approximating Rs 6,500 crores) UK ID cards system is attached as Exhibit J.
- The draft NIDAI Bill lays out a regulatory framework identifying the powers and responsibilities of the proposed Authority along with criminal sanctions for unauthorized disclosure of information collected by the Authority. However, the same are highly inadequate and fail to meet the minimum standards of safeguards necessary. In a legal atmosphere with no legislated right to privacy, the enforcement of weak criminal sanctions against any breach of privacy becomes difficult. Copy of the UIDAI Bill is annexed hereto and marked as Exhibit K. Copy of an article titled “A Unique Identity Bill” by Prof. Usha Ramanthan, a prominent advocate on the right to privacy in India, is annexed hereto and marked as Exhibit L.
- The Petitioners submit that the UIDAI draft as it was tabled in the Parliament has been rejected by the Standing Committee by its report dated 13th December 2011, by the making the following observations:
- Lack of clarity
- Overlap between UID and NPR
- No statutory power to address key issues of defaulters and penalties
- Aadhaar will not completely eradicate the need to provide other documents for identification
- Estimated failure of biometrics is expected to be as high as 15% due to a large chunk of population being dependent on manual labour.
- It is also not clear that the UID scheme would continue beyond the coverage of 200 million of the total population, the mandate given to the UIDAI.
- Considering the huge database size and possibility of misuse of information has not been carefully considered.
Copy of the detailed report of the Standing Committee dated 13th December 2011 is annexed hereto and marked as Exhibit M.
- RIGHT TO PRIVACY
- The Petitioner submits that the proposal of data collection, storage and sharing as laid out above makes heavy inroads into the right to privacy and its constitutionality must be tested against the breach of the right of privacy itself enshrined under Article 21 and also for rationality and non-arbitrariness by examining the objective behind UID. The Petitioner submits that UIDAI attempts to undertake the task of collecting personal information for the entire Indian population, which constitutes a total of 1.2 billion people. The privacy implications of the same are numerous and as follows:
- Date Collection:
- Sub Registrar: UIDAI in order to expedite the collection of information has entered into MoUs with several agencies, be it Banks, Insurance Agents, other Government Departments to enrolls citizens for the UID card. Even though UIDAI , only allows for collection of non-sensitive personal information, through the decentralization and delegation of data collection, the Sub-Registrar has been provided with the freedom to ask for additional information. Thus, for example, every Aadhaar form has the option of linking your bank account with the Aadhaar number. The Petitioners submit that in many reported cases, the Banks acting as Sub-registrars, automatically link the bank accounts with the Aadhaar while registering new entrants. Some of the excessive information sought from sub-registrars includes:
- Resident’s name, his/her father’s name, his/her spouse’s name, names of his/her children, his/her age, residential address, his/her income, whether he/she owns any car? Whether he/she owns any scooter? Whether he/she owns any other vehicle? His/her telephone and cell phone numbers both office and residence, his/her deposits, insurance policies, investments, the companies in which he/she has interest and other details;
- Similar details regarding spouse and children, linked with the Aadhaar number are collected. All these details are not collected under the Aadhaar form. However, all these particulars are mandated through the concept of ‘Know Your Customer’ from the banks by a RBI directive. When all these details of each resident is integrated, the state would be virtually accessing and intruding into the life each and every resident of India, through Dr. Usha Ramanathan’s argument on convergence of different silos of information.
- Excessive Delegation: By appointing several sub-registrars and empowering them with data collection and registration, sensitive personal information about citizens instead of going directly to the UIDAI data base also becomes available in a parallel format with the Sub-Registrar, who is not bound by any rules, regulations or legislative framework to protect. Copy of recent news report of theft and sale of enrolment data from private agencies in Punjab is annexed hereto and marked as Exhibit N.
- Data Storage in One Central Database: It further contemplates storage of that entire information in one central data base. The Respondents also claim that it will be safe.It is submitted that biometric and demographic information of 1.3+ billion residents of India mean 6 petabytes (6,000 terabytes or 6,000,000 gigabytes). It will be the world’slargest database. The technological challenges are enormous and involve system performance, reliability, speed and resolution of accuracy and errors. But a more serious issue is regarding the security. The information can be hacked. The Petitioners respectfully submit that hacking of data is not a theoretical fear, but a practical reality. The implications of this cannot be settled just through a Proof of Concept.
- Data Protection
- Audit Trail: According to UIDAI, when you enter into a transaction where you had to produce your ID card, the design of the system was such that a record would be kept of every such verification. It provides a detailed record of every transaction done, which can be of interest to either people browsing the database or to security services or whoever. UIDAI, argues that the record here is limited to verification and thus even if traced back to the source of service accessed, it remains harmless. However, the record here wouldn’t be just the verification of identity; there would be a little more data associated with the transaction. In a recent published interview, a scholar working on the conflict between privacy and National ID cards, cites the following apposite example:
“For example, you went to Health Clinic Number 45. They used your card and your fingerprint there for verification. They did this at 12:37 hours. There is a series of metadata associated with that visit that would be there in the audit trail. And, of course, it wouldn’t take very long to realise that, actually, Health Clinic Number 45 is a sexual health clinic. If the audit trail also shows that you were there on a number of occasions, it might be reasonable to infer certain kinds of things that you perhaps do not want to disclose. Some things are not necessary to be disclosed, but which are being recorded and stored in an accessible way to various people because of the way the system is designed.” A copy of the Edgar Whitley interview printed in Frontline is annexed hereto and marked as Exhibit O.
- Disclosure of Information: The potential of audit trail misuse is an important reality. In the present form UIDAI has no mechanisms for preventing the sharing of any information, or safeguards/penalities for leaks and misuse of verification records. The NID Bill, however contemplates misuse and hence provides the following framework:
- Cl. 33” Nothing contained in the sub-section (3) of section 30 shall apply in respect of – (a) any disclosure of information (including identity information or details of authentication) made pursuant to an order of a competent court; or (b) any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer not below the rank of Joint Secretary or equivalent in the Central Government after obtaining approval of the Minister in charge.
Clause 33, is highly inadequate, as firstly it excludes information sought for nsecurity reasons from judicial scrutiny. This in itself is a recipe for grave misuse of private information. On the other hand court orders are not subject to the rule of audi alteram partem.
- Destruction of Data: The UIDAI has described its operational method for authentication of enrollees as requiring the person to present the number and biometric information (initially, fingerprints, up to ten; however it has been asserted from time to time that only two fingerprints will be necessary for authentication; in the absence of any trials of the system, such fine details are not known at present. The need for iris scans has also been expressed, however, the budget for recording iris scans has not been approved, nor have the present numbers of the population, said to be over 10 cr, had iris scans taken at the time of enrolling with UIDAI). The information will be matched with the information in UIDAI’s central database and a simple yes/no reply will be generated. No personal details of any kind can be sought from the database through this system. It is obvious that other personal details are only taken for the purpose of verifying the accuracy of the basic information ie matching the fingerprints with the person. It is not needed for the further functioning of the system, as claimed by UIDAI. It is therefore essential that the additional data collected be destroyed in order to protect citizens from any illegal access to the UIDAI database and subsequent misuse of that breach of privacy in any way whatsoever. UIDAI has not made any provisions at all for data destruction, although it is well known in technological circles that destruction of digital data is an expensive and tedious task.
- It is important to note that the Right to Privacy especially in the context of wrongful access to personal information about individuals and controlling excessive interference from the State into private lives of individuals, is well recognized in Indian law. It has been held that the Right to Privacy is an integral part of the Right to Life under Article 21.
- In Kharak Singh v. State of Uttar Pradesh1, a person with a criminal record, had challenged the constitutionality of certain police regulations which permitted surveillance of his house as also ‘domiciliary visits’ to his house at any time. In this case the petitioner had attempted to put forth the argument that the regulations in question violated his right to privacy which could be read into the fundamental right to life and liberty in Article 21 of the Constitution. The majority judgment of the Court however rejected this argument that Article 21 of the Constitution provided for a fundamental right to privacy. The minority judgment by Justice Subba Rao and Justice Shah however favoured a broader interpretation of the term ‘personal liberty’ in Article 21. In pertinent part, Justice Rao held that “It is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.”
- The debate over ‘privacy as a fundamental right’ cropped up once again in the case of Gobind v. State of Madhya Pradesh. The petitioner in this case had challenged certain police regulations on the grounds that the same had invaded the petitioner’s fundamental right to privacy. In this judgment a full bench of the Supreme Court was more willing to link the ‘right to privacy’ to the fundamental rights enshrined in Part III of the Constitution. The Court has held that the Right to Privacy clearly means one has a right to be left alone within one’s home.
“Rights and freedoms of citizens are set forth in the Constitution in order’ to guarantee that the individual, his personality and those things stamped with his personality shall be free from official interference except where a reasonable basis for intrusion exists. ‘Liberty against government” a phrase coined by Professor Corwin expresses this idea forcefully. In this sense, many of the fundamental rights of citizens can be described as contributing to the right to privacy.”
- The aforesaid quote is pertinent in understanding the kind of unfettered intrusion access UIDAI and the NID Bill allow into the State and many other private agencies into the personal lives of citizens of India, without any legislative procedures, safeguards and remedy. Thereafter, the right to privacy has been recognized in a number of judgments of this Court and of the High Courts in a number of cases including PUCL v. Union of India (1997) 1 SCC 301, Sharda v. Dharampal (2003) 4 SCC 493, R. Rajgopal v. State of Tamil Nadu (1994) 6 SCC 632, Phoolan Devi v. Shekhar Kapur (57 (1995) DLT 154), Khushwant Singh v. Maneka Gandhi AIR 2002 Del 58.
- And more appositely, in the case of District Registrar and Collector, Hyderabad v. Canara Bank (2005) 1 SCC 632, section 73 of the Andhra Pradesh Stamp Act was challenged. The impugned section required any public officer or any other person having in his custody records, registers, books, documents, the inspection of which may result in discovery of fraud or omission of duty, to allow any person authorized in writing by the collector to enter any premises to conduct an inspection of the same which may also be impounded by the person so authorized after due acknowledgement of the same.
- This provision was struck down by the High Court of Andhra Pradesh on the grounds that it was arbitrary and unreasonable and the same was upheld by the Supreme Court. In arriving at its conclusions the Court held that legislative intrusions into a person’s privacy “must be tested on the touchstone of reasonableness as guaranteed by the Constitution and for that purpose the Court can go into the proportionality of the intrusion vis-à-vis the purpose sought to be achieved.” In a later portion of the judgment the Court while harshly criticizing the lack of any procedural safeguards or mechanism in the impugned provision went on to cite its own precedent in the case of “Air Indiav. Nergesh Meerza & Ors., (1981) 4 SCC 335, where “it was held that a discretionary power may not necessarily be a discriminatory power but where a statute confers a power on an authority to decide matters of moment without laying down any guidelines or principles or norms, the power has to be struck down as being violative of Article 14.”
- Rational Nexus between UID and the Policy Objective\
- The Petitioners submit that the UIDAI has made statements in public that through a study titled, ‘PROOF OF CONCEPT’ they have developed a full proof method and with minimal error margin. The Petitioners submit that the purpose of any feasibilithy study must be to conclusively established that the objectives sought to be achieved will be accomplished through the exercise, especially when a vast amount of public money is at stake.
- Thus, in the case of the UID project, where the objectives, according to the statements of the Respondents, are to ensure welfare benefits reach the intended beneficiaries, it would be necessary for the PoC exercise to show how beneficiaries would receive these benefits. This means, that the study would involve, not merely the collection of fingerprint data, but the use of the data to authenticate the BPL beneficiaries who come to collect PDS rations from designated shops and their receiving the goods over a reasonable period of time through the process envisaged in the project. Thus in a nutshell a feasibility study should not be a theoretical, imaginative exercise like the POC, but something that is tested in practice over a period of time.
- The Petitioner submits that the primary purpose of UIDAI is said to be to improve the welfare system in the country by eradicating identity theft through duplication of identity. Thus non-duplication has been championed as both the solution for fixing the old Public Distribution System, and UID as the “unique” method of achieving it.
- The Petitioners submit the foremost assumption in the aforesaid is that due to lack of identity the poor do not receive government welfare benefits. Secondly, the Respondents assume that fake and duplicate identities are the causes for leakage (that is siphoning) of welfare funds. Both these are unproven assumptions. They are not based on any study or investigation. Several studies have increasingly shown that the PDS system is actually improving, and that by introducing an untested new Aadhaar, universally and across the board in a rushed manner, may actually end up excluding a lot of intended beneficiaries. Copies of detailed reports, analysis and studies conducted on the efficacy of UIDAI to address welfare distribution issues conducted and written by Prof. Reetika Khera are annexed hereto and marked collectively as Exhibit P.
- UIDAI argues that through the combination of name, photograph, fingerprinting and iris scans they can create an irrefutable identity that is linked to the person itself, and does not require any external proof – like ration cards or passports for identification. The person herself is the identifier through fingerprinting and iris scans.
- However, there are many problems with this proposition. Firstly, a data base of this scale of 1.2 billion people’s finger prints and iris scans has never been created. Thus the entire proposition for a population base such as India is completely untested and unproven. Quoting an analogy that criticizes the similar UK ID Cards’ non-duplication strategy which was entirely scrapped:
There were far better performance results on a 1:1 match. So, this is Edgar’s fingerprint on the database, here is Edgar, we do 1:1 match; this is more likely to work. But that was not how the U.K. was planning to use it. The U.K. was trying to use biometrics to also prevent duplicate identities. The idea was that even if I try to enrol twice, and even if I had created a fake biographic identity (say, a John Smith with a different address), when my fingerprint came in for a second time, the system should come along and say: “We know this fingerprint, and this belongs to Edgar Whitley” and not say, John Smith. Here, you have to match every single biometric with every single previous biometric.”
- Thus biometrics requires not just matching a fingerprint with its true origin, but also with others to avoid non-duplication. Apart from this exercise, the very reliability of finger prints in India is not 100 percent. An assessment report filed by 4G Solutions, contracted by UIDAI to supply biometric devices, notes:
“It is estimated that approximately five per cent of any population has unreadable fingerprints, either due to scars or aging or illegible prints. In the Indian environment, experience has shown that the failure to enrol is as high as 15 per cent due to the prevalence of a huge population dependent on manual labour.”
Copy of the 4G Solutions Report is annexed hereto and marked as Exhibit Q.
- The report of the UIDAI’s “Biometrics Standards Committee” actually accepts these concerns as real. Its report, notes that “fingerprint quality, the most important variable for determining de-duplication accuracy, has not been studied in depth in the Indian context.” Thus, the very premise of UIDAI is not something that has scientific backing.This consideration has formed an important basis behind the decision of the Standing Committee rejecting the UIDIA bill and scheme as it presently stands. Copy of the Biometrics Standards Committee report commissioned by the UIDAI is annexed hereto and marked as Exhibit R.
- Mandatory and Coercive
- The Petitioners submit that one of the biggest illegalities being committed under the Aadhaar scheme is by making it mandatory through coercive conditions. UID has always, repeatedly stated that Aadhaar is a voluntary scheme. Thus, enrolment for Aadhaar is a voluntary act. The NIAI draft Bill, which seeks to legitimatize the functioning of the first Respondent, is so worded to establish that Aadhaar is optional and not compulsory. However, in its premature implementation, in practice the scheme is gradually being made non-voluntary and mandatory. This is made worse by adoption of coercive pre-conditions by different government departments.
- A recent gazette notification dated 26 Sep 2011, of the Petroleum Ministry has made Aadhaar a mandatory condition for LPG users. Copy of the news report announcing the change in policy is annexed hereto and marked as Exhibit R.
- Government of Maharashtra through its GR dated April 2011, plans to make Aadhaar a compulsory requirement for government employees for accessing their salary benefits. Copy of the aforesaid circular is annexed hereto and marked as Exhibit S.
- The Petitioners submit that the enrollment for Aadhaar is working on an extremely fast pace that it has become impossible to avoid attempts at enrolment. The Petitioners submit that such mandatory, non-voluntary and coercive enrolment for Aadhaar is an affront to their to personal integrity, right to make decisions about themselves and the right to dignity all enshrined and developed as indivisible elements of the Right to Life under Article 21 of the Constitution.
- The Petitioners submit that by insisting on a mandatory requirement and making access to every service contingent upon Aadhaar, the Respondents are creating a class of excluded non-Aadhaar holders who will be left out of welfare schemes, because they have consciously chosen to not enroll in an untested, premature and at present completely unreliable scheme.
- The Petitioners submit that Aadhaar must be enacted not only under the supervision and protection of a strict national privacy law, but even in its implementation it must only be brought in through a phased manner, and not the sudden immediate implementation as at present.
- The UIDAI-Aadhaar scheme as it presently stands as a mere executive fiat, is illegal, arbitrary and unconstitutional by granting wide, unrestricted powers to an unaccountable independent body knows as UIDAI, and also to private agencies; leading to huge breaches on the right to privacy and dignity of Indian citizens;
- The co-extensive executive power exercised to implement UIDAI cannot be untrammeled and function towards restricting fundamental rights without any due procedure, guidelines and safety mechanism, which can only be ensured through a statutory framework;
- The Hon’ble Supreme Court has repeatedly held that executive power cannot be used to restrict fundamental rights;
- The mandatory enforcement UIDAI-Aadhaar scheme contravenes Article 21 by restricting the right to decision making, personal integrity, choice and dignity;
- The impugned notification dated 4th November 2008 is illegal, arbitrary and bad in law for setting out an extensive task of launching UID way beyond the executive competence, without any guidelines, rules and procedure;
- The aforesaid impugned notification is illegal, arbitrary and unconstitutional and in breach and contravention of Article 14 for assigning the most essential function of data collection via enrollment for Aadhaar to private agencies;
- The aforesaid notification is further illegal as it delegates excessive powers with the UIDAI without any guidelines or procedure, leading to further unrestricted delegation of powers to private parties creating great potential for data leakages, and breaches of sensitive private data leading to Indian Citizens;
- Cross-referencing service usage of a particular individual through a single numeric bio-metric identity has huge implications for building State inroads into every private activity and service accessed by that individual, this is further complicated by the possibility of private actors also accessing similar information. This convergence of silos of information will completely abolish the veneer of privacy that protects the daily lives of individuals.
- The Hon’ble Supreme Court of India has repeatedly upheld the right to privacy within the right to life in Article 21, and any restriction must be justified through a rational and reasonable statutory procedure. UIDAI, as it presently stands is prima facie unconstitutional for contravening the right to privacy without providing any safeguards, procedures and guidelines
- The UIDAI is further frought and arbitrary for failing to provide a rational nexus between means adopted of obtaining sensitive personal information in a central database through private, or public-private partnerships for verification purposes in a central database and the ultimate objective of improving public welfare; wherein the whole premise is based on non-duplication of identity through biometrics, which still remains unproven.
- The aforesaid impugned scheme is further in breach of right to dignity and personal autonomy enshrined under Article 21, by making the Aadhaar mandatory, thereby forcing people to submit themselves to an unreliable, untested, premature scheme which has no statutory standing and compromises their personal lives.
- For a Writ of Certiorari or any writ, order, direction in the nature of certiorari or any other appropriate writ, order of direction quashing the notification dated 29th January 2008 annexed at Exhibit F;
- For a writ of Prohibition or a writ, order or direction in the nature of prohibition or any other appropriate write, order of direction restraining the Respondents from taking any further steps of any nature whatsoever in relation to UID;
- Till the final hearing and pendency of this Public Interest Litigation, this Hon’ble Court may be pleased to stay the operation of the impugned dated 29th January 2008 annexed at Exhibit F;
- Till the final hearing and pendency of this Public Interest Litigation, this Hon’ble Court may be pleased to restrain the Respondents from taking any further steps of any nature whatsoever in relation to UID;
- For ad interim relief in terms of prayers C and D;
- For any other orders that this Hon’ble Court may deem fit;
1 AIR 1963 SC 1295 at para 18