Vombatkere, S.G., “Privacy and National Security – Aadhaar Bill”;
Deccan Herald, Bengaluru, March 16, 2016, p.10.
Deccan Herald, Bengaluru, March 16, 2016, p.10.
Maj Gen S G Vombatkere (rtd) , March 16, 2016, DHNS
AADHAAR BILL
At present, there is no law on privacy, but in Rajagopal Vs State of Tamil Nadu (1994), the Supreme Court opined that privacy is inherent in an individual’s right to personal liberty. Also, Section 8(1)(j) of the RTI Act 2005, protects the private individual against unwarranted invasion of his/her privacy, proof enough that privacy is a right even if it is not a fundamental right.
On whether privacy is a fundamental right, the Government of India succeeded in convincing a 3-judge Supreme Court bench hearing a bunch of petitions challenging Aadhaar on multifarious grounds, that privacy is important enough an issue to warrant consideration by a Constitution bench.
There is little doubt that mass surveillance for suspicionless, untargeted snooping into people’s private spaces to identify a possible threat to security, is questionable. The privacy issue was brought to international attention in 2013, with the USA admitting that its National Security Agency had been clandestinely collecting billions of pieces of information worldwide including personal data and emails from computer networks and telephones. India was one of USA's many surveillance targets.
Today, the technical capability of shadowy agencies for mass surveillance to collect, sort and process enormous quantities of data or meta-data has multiplied enormously. Hacking into databases for data is not very difficult for a person with the necessary motivation, skills and time, and it is quipped that systems are hack-proof only until the first hack. Cyber security concerns in the face of clandestine, untargeted surveillance are not only about national security but also citizens’ right to privacy.
The Aadhaar system: Whether or not it succeeds in its declared primary aim of targeted welfare services for the poor, Aadhaar enables surveillance and tracking. Aadhaar promoters claim that access to its data base will not be permitted to any agency, and will be secure from intelligence agencies that spy on citizens.
This claim is questionable since, according to its website, the Unique Identification Authority of India (UIDAI) is contracted to receive technical support for biometric capture devices from L-1 Identity Solutions, Inc (now MorphoTrust USA), a US-based intelligence and surveillance corporation. According to the corporation's website, its top executives are acknowledged experts in the US intelligence community.
Other companies awarded contracts for key aspects of the Aadhaar project are Accenture Services Pvt Ltd (implementing biometric solution for UIDAI) which works with the US Homeland Security, and Ernst & Young (setting up of Central Identities Data Repository (CIDR) and Selection of Managed Service Provider (MSP)).
It is difficult to have confidence in the security of sensitive national information when the technical provider which creates, holds or manages the database is a business corporation with strong connections to foreign intelligence organisations. Furthermore, the US corporations are mandated by the US law to reveal to the US government, information obtained during their legitimate operations, when called upon to do so.
The extent to which India’s cyber security has already been invaded by surveillance is not even known, and when the security of the Aadhaar system is not water-tight, compromise of the Aadhaar system’s security will tantamount to compromise of national security.
When the cyber systems of high-security organisations like USA’s NASA or India’s DRDO have been repeatedly hacked, UIDAI’s self-certification of its database security rings hollow. As far as institutional cyber security in India is concerned, barring one database protected by an indigenously developed network security system, official databases in India, including Aadhaar’s Central ID Repository (CIDR), are protected by purchased commercial network security and cryptographic products.
Database vulnerability
There is little need to emphasise the vulnerability of the Aadhaar database to access by unauthorised persons/ agencies for data destruction, corruption or simply copying by surveillance or hacking. The effect on individual privacy is unquestionably adverse.
Intelligence agencies operate by conducting general surveillance on citizens in public places and linking this with personal information available in various databases maintained by banks, income tax offices, ration cards, electoral rolls, airline and railway ticketing, internet and telecom service providers etc.
Since the Aadhaar number is “seeded” in these various data bases, Aadhaar itself will inevitably be at the core of a system to enable profiling and tracking of any and every private individual. Therefore, Aadhaar is a prize target for intelligence agencies to hack or surveil to acquire data to invade individual privacy and compromise national security.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, has two aspects: the Opposition objects to its being tabled as a “money bill” to avoid its being placed before the Rajya Sabha, and that there have been a host of objections – especially including those of privacy and security – to the Aadhaar scheme since its inception, with several petitions still pending before the Supreme Court.
The Aadhaar Bill fails to address the serious systemic issues of national security and individual privacy and indeed, the word “privacy” is absent from its text. However, concerning the security and confidentiality of information, the value of individual privacy is indirectly acknowledged in Section 33(2), by specifying that an individual’s Aadhaar number, and biometric and demographic information may be revealed in the interest of national security, only by a specially authorised officer not below the rank of Joint Secretary of the Government of India.
Genuine national interest may dictate that laws on data/ digital privacy protection and cyber security be urgently enacted and linked with the Aadhaar Bill, before it becomes law.
(The writer, who retired as Additional DG, Discipline & Vigilance in Army Headquarters, holds a PhD degree in Structural Dynamics from IIT, Madras)
On whether privacy is a fundamental right, the Government of India succeeded in convincing a 3-judge Supreme Court bench hearing a bunch of petitions challenging Aadhaar on multifarious grounds, that privacy is important enough an issue to warrant consideration by a Constitution bench.
There is little doubt that mass surveillance for suspicionless, untargeted snooping into people’s private spaces to identify a possible threat to security, is questionable. The privacy issue was brought to international attention in 2013, with the USA admitting that its National Security Agency had been clandestinely collecting billions of pieces of information worldwide including personal data and emails from computer networks and telephones. India was one of USA's many surveillance targets.
Today, the technical capability of shadowy agencies for mass surveillance to collect, sort and process enormous quantities of data or meta-data has multiplied enormously. Hacking into databases for data is not very difficult for a person with the necessary motivation, skills and time, and it is quipped that systems are hack-proof only until the first hack. Cyber security concerns in the face of clandestine, untargeted surveillance are not only about national security but also citizens’ right to privacy.
The Aadhaar system: Whether or not it succeeds in its declared primary aim of targeted welfare services for the poor, Aadhaar enables surveillance and tracking. Aadhaar promoters claim that access to its data base will not be permitted to any agency, and will be secure from intelligence agencies that spy on citizens.
This claim is questionable since, according to its website, the Unique Identification Authority of India (UIDAI) is contracted to receive technical support for biometric capture devices from L-1 Identity Solutions, Inc (now MorphoTrust USA), a US-based intelligence and surveillance corporation. According to the corporation's website, its top executives are acknowledged experts in the US intelligence community.
Other companies awarded contracts for key aspects of the Aadhaar project are Accenture Services Pvt Ltd (implementing biometric solution for UIDAI) which works with the US Homeland Security, and Ernst & Young (setting up of Central Identities Data Repository (CIDR) and Selection of Managed Service Provider (MSP)).
It is difficult to have confidence in the security of sensitive national information when the technical provider which creates, holds or manages the database is a business corporation with strong connections to foreign intelligence organisations. Furthermore, the US corporations are mandated by the US law to reveal to the US government, information obtained during their legitimate operations, when called upon to do so.
The extent to which India’s cyber security has already been invaded by surveillance is not even known, and when the security of the Aadhaar system is not water-tight, compromise of the Aadhaar system’s security will tantamount to compromise of national security.
When the cyber systems of high-security organisations like USA’s NASA or India’s DRDO have been repeatedly hacked, UIDAI’s self-certification of its database security rings hollow. As far as institutional cyber security in India is concerned, barring one database protected by an indigenously developed network security system, official databases in India, including Aadhaar’s Central ID Repository (CIDR), are protected by purchased commercial network security and cryptographic products.
Database vulnerability
There is little need to emphasise the vulnerability of the Aadhaar database to access by unauthorised persons/ agencies for data destruction, corruption or simply copying by surveillance or hacking. The effect on individual privacy is unquestionably adverse.
Intelligence agencies operate by conducting general surveillance on citizens in public places and linking this with personal information available in various databases maintained by banks, income tax offices, ration cards, electoral rolls, airline and railway ticketing, internet and telecom service providers etc.
Since the Aadhaar number is “seeded” in these various data bases, Aadhaar itself will inevitably be at the core of a system to enable profiling and tracking of any and every private individual. Therefore, Aadhaar is a prize target for intelligence agencies to hack or surveil to acquire data to invade individual privacy and compromise national security.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, has two aspects: the Opposition objects to its being tabled as a “money bill” to avoid its being placed before the Rajya Sabha, and that there have been a host of objections – especially including those of privacy and security – to the Aadhaar scheme since its inception, with several petitions still pending before the Supreme Court.
The Aadhaar Bill fails to address the serious systemic issues of national security and individual privacy and indeed, the word “privacy” is absent from its text. However, concerning the security and confidentiality of information, the value of individual privacy is indirectly acknowledged in Section 33(2), by specifying that an individual’s Aadhaar number, and biometric and demographic information may be revealed in the interest of national security, only by a specially authorised officer not below the rank of Joint Secretary of the Government of India.
Genuine national interest may dictate that laws on data/ digital privacy protection and cyber security be urgently enacted and linked with the Aadhaar Bill, before it becomes law.
(The writer, who retired as Additional DG, Discipline & Vigilance in Army Headquarters, holds a PhD degree in Structural Dynamics from IIT, Madras)
