By: Digvijay Chaudhary

---

“1.3 billion Indians may be poor, but we are a goldmine of commercial information”

– Justice D.Y. Chandrachud

The Aadhaar Act (hereinafter ‘the Act’) has been challenged in the Supreme Court and the decision is expected in the next few days. The act was challenged for being unconstitutional and giving rise to major unprecedented concerns; surveillance and profiling (the state has its eyes and ears over all the actions of individuals); usage of Aadhaar platform by private entities; exclusion by the act; question of Aadhaar being a money bill; act giving rise to excessive delegation and other concerns. This series will proceed in that order too. I wouldn’t be touching the constitutional aspect of the act, i.e., how it violates article 14, 19 and 21. I will, through a series of writings be elaborating on what the concerns in the act are and why they came into being. I’ll simply stick to communicate to you the concerns around the act and not the remedies or the conclusion. That I’ll leave on the readers.

Starting with surveillance and profiling, I’ll try to answer that what in the act gives rise to profiling and surveillance. Before that, we need to know what is surveillance and profiling. Surveillance means the monitoring of behaviour, activities, or other changing information for the purpose of influencing, managing, directing, or protecting people.[1] Mass surveillance will then mean surveillance of a large population, the entire country perhaps. Profiling in this is the process of assembling information about a particular individual or group in order to generate a profile – that is, a picture of their patterns and behaviour. Profiling can be an extremely powerful tool for psychological and social network analysis. A skilled analyst can discover facts about a person that they might not even be consciously aware of themselves.[2] Naturally, these two procedures go against the interpretation of article 19 and 21.

A major portion of surveillance and profiling fear is instilled by the Central Information Data Repository (hereinafter ‘CIDR’). The CIDR is a centralised database in one or more locations containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals and other information related thereto. The information contained in the CIDR is not limited to the demographic and biometric information but extends to “other information related thereto”. The fears of profiling and surveillance wouldn’t be realized if we did not know about the information that the act authorises the CIDR to maintain and what all information comes under “other information related thereto”.

First, let us understand the sections involved in profiling and surveillance. There are two sections of our concern here: Section 8 (4) and section 32 (1) of the act. It’ll be useful to lay down the provisions below:

Section 8 deals with authentication of Aadhaar number and provision 4 of this section states the following: “The Authority shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information excluding any core biometric information“.

Section 32 which speaks about access to own information and records of requests for authentication, in provision 1 states: “The Authority shall maintain authentication records in such manner and for such period as may be specified by regulations”.

The fear of surveillance and profiling is generated from here. The problem with section 8 (4) are the words, “any other appropriate response”. This provision does exclude core biometric information (fingerprint, iris scan, or such other biological attribute of an individual as may be specified by regulations) from its ambit but phrases and words like these, which raise vagueness, are common in the entire act. The only information excluded in a response by the authority to the requesting entity is the biological attributes of a person: core biometric information. This paves way for an interesting question: What data does a person voluntarily submits to the authority?

A person submits two types of information for obtaining an Aadhaar number; biometric information and demographic information. Biometric information includes photograph, fingerprint, iris scan, or such “other biological attributes” of an individual as may be specified by regulations. Demographic information includes, information relating to the name, date of birth, address and other relevant information of an individual, as may be specified by regulations for the purpose of issuing an Aadhaar number, but shall not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history. The above section is clear that demographic information is also not an exclusive provision; it does enumerate the information not to be collected but leaves room for “other relevant information”, which will be specified by regulations. This is also part of the information that a person submits voluntarily for obtaining an Aadhaar number. The “other information” now includes “other relevant information” from demographic information and “other biological attributes” from biometric information. This is the information that an individual voluntarily submits to the authority.

Moving further, the authority, by way of Section 32(1) is mandated to collect records of the time of authentication and identity of the requesting entity and the response provided by the authority thereto (authentication records). Now, the CIDR has our biometric information, demographic information and “other information” which now includes “other biological attributes” from biometric information, “other relevant information” from demographic information and authentication records. This is all the information about a person that is stored in the CIDR. This still doesn’t raise eyebrows as we do not yet understand the meaning and extent of all this information.

Allow me to expand the “other information” part first. “Other biological attributes” opens a window for DNA collection, urine samples and semen samples. Personal information included in the genetic material, such as markers that identify various genetic diseases, physical and behavioural traits, could be used for discriminatory profiling and its collection may constitute an invasion of privacy. Even a slight chance of introduction of DNA collection by government authorities gives rise to a whole new civil liberties debate. Second, “other relevant information” from demographic information also needs to be exclusive. The fact that biometric and demographic information is open-ended and thus raises concern is not a newly-founded fear. Demographics are quantifiable characteristics of a given population. The act does forbid the collection of race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history as demographic information. It is natural to raise the question that what else can fall under “other relevant information” in demographic information? Sex, age, education status, employment status, marital status, migration records, choices of an individual, home ownership, internet access, consumer behaviour, voting patterns, etc. One can easily comprehend how open-ended this provision is and what all can come under its ambit. No limits on such information may lead to demographic profiling, which is a tool utilized by marketers so that they may be as efficient as possible with advertising products or services and identifying any possible gaps in their marketing strategy.

We are still not done with the information the UIDAI may collect and the act, if not facilitating, does not stop it from gathering such information. There’s the third type of information left to explore – authentication records. Authentication records as explained earlier, are records of the time of authentication and identity of the requesting entity and the response provided by the Authority thereto. Time, identity and response; these three will be retained by the authority for a time period of 6 months and then they’ll get archived for 5 years. This means that the authentication records of an individual cannot be accessed by an individual after 6 months. What is problematic here is, for how much time will the authority keep collecting authentication records of an individual? The regulation says that the authority is mandated to retain records for 6 months.

To fully unravel the problem with “authentication records” is a bit complex, but nonetheless. Introduction and definition of a new term are required here: Metadata. Metadata has not been defined in the act but broadly, it means such data that gives information about other data. The authority is mandated to collect Metadata.

‘Metadata’ gives an insight into an individual’s behaviour, social relationships, private preferences and identity that go beyond even that conveyed by accessing the content of a private communication, thus, profiling the individual all along. Communications metadata may create a profile of an individual’s life, including medical conditions, political and religious viewpoints, associations, interactions and interests, disclosing as much detail as, or even greater detail than would be discernible from the content of communications. Today, each of these types of information when analysed collectively, reveal a person’s identity, behaviour, associations, physical or medical conditions, race, colour, sexual orientation, national origins, or viewpoints; and enable the mapping of the person’s location, movements or interactions over time.

Such as, a yes or no answer to a query might reveal the interest of a person in that thing, which would eventually help in demographic profiling. Whenever there is a query; consider (for the purpose of understanding) a bank wants your Identity information. For this, it’ll ask for your biometric information (to authorize you) and will subsequently be given the identity information it requires. Now, the time at which the bank asked for information, the identity of the requesting entity (bank) and the response provided by the authority to the bank; are all stored with the authority (Metadata). We are now aware of all the information of an individual that is stored in the CIDR. However, no surveillance and profiling will be possible if there’s no dissemination of information from the authority or the CIDR. This is where section 10 and 57 of the act come into play. Both are reproduced below:

Section 10: “The Authority may engage one or more entities to establish and maintain the Central Identities Data Repository and to perform any other functions as may be specified by regulations”.

Section 57: “Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or anybody corporate or person, pursuant to any law, for the time being in force, or any contract to this effect: Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI”.

Section 8 speaks about the Authentication of Aadhaar number and Chapter VI speaks about Protection of Information and enlists the obligation of security and confidentiality to be followed by the authority to protect the information.

The point here is that private entities have access to the data stored in CIDR. This is where dissemination occurs. Uses of such data by private entities make us realise the ever daunting fears of an authoritarian regime. This giving of number to several entities will compromise an individual when the said number is combined with other information available. This exposes an individual and would enable the State to track him/her. Further, this would allow bad actors to “build confidence in the digital world and compromise the individual.”

It will be easy if we think of it in such a way. CIDR is one repository of information; others are Income Tax, Banks, etc. Now, Aadhaar is the connecting link between all these repositories. Couple all this information with the information that CIDR has on an individual. Even a small part of this information carries the ability to compromise an individual. This is how surveillance and profiling are enabled by the act. The next section will elaborately deal with the use of Aadhaar by private entities.

[1]  David Lyon, Surveillance Studies: An Overview (Cambridge: Polity Press 2007).

[2]  Mireille Hildebrandt & Serge Gutwirth (eds), Profiling the European Citizen: Cross-Disciplinary Perspectives (Springer 2008).

---

(Digvijay is currently a student at Dr. Ram Manohar Lohiya National Law University, Lucknow.)