Above: UIDAI has announced taking on-the-spot live pictures as a new measure for every authentication that requires Aadhaar

UIDAI rolls out an additional feature though the Supreme Court verdict on making Aadhaar mandatory for services is still awaited

~By Sujit Bhar

The Unique Identification Authority of India (UIDAI) has announced that it will be rolling out face recognition software as an additional biometric feature for Aadhaar verification, targeted initially for telecom service providers. While this is said to be an added security feature, it flies in the face of the Supreme Court’s directive that UIDAI should put on hold the rampant linking of Aadhaar to all and sundry services. The judgment on the matter was reserved earlier this month by a five-judge constitution bench after marathon hearings that went on for over four months, but it appears that UIDAI has acquired some extra-judicial muscle and has little concern about directives from the country’s apex court.

Face-recognition software would intrinsically infringe on the privacy of a private citizen and would also violate issues related to the privacy judgment. It is pertinent to note that the top court had raised privacy to the level of a fundamental right, and any move by the Centre to the contrary could be ultra vires.

Aadhaar has invited a slew of complaints and fuelled massive scandals, with the details of individuals leaked out of government websites as well. Recently, the Delhi High Court admitted a plaint which accuses the UIDAI of data leaks. Also, Edward Snowden, the world’s most famous whistleblower, has stated that the government is using Aadhaar in a manner that will turn India into a surveillance state. At a recent video interaction during the Talk Journalism conference in Jaipur, he compared the Indian government’s reaction of telling its citizens that all data was safe to Hitler’s Propaganda Minister Joseph Goebbels’ comments.

“In a free society… you don’t need to explain why you have a right (to privacy)… Today in India everyone wants your Aadhaar number. Eventually you will not be able to do anything without showing it,” Snowden said. He was echoing senior counsel Shyam Diwan who had said during the Aadhaar linkages hearings before the constitution bench of the Supreme Court headed by Chief Justice Dipak Misra, “Through this (Aadhaar), a person can be tracked and remain under electronic surveillance throughout his life.”

As far as data protection is concerned, another judgment on data privacy is also awaited, reserved as it has been by the top court. And though the Justice Srikrishna-headed Committee of Experts’ recommendations will not be included in arriving at a verdict, this vital judgment is allied to the other two judgments and is immensely important in developing a proper data protection law. The recent UIDAI order also completely disregards the probability that this court’s decision could go against it. It must be remembered that the entire exercise of the Srikrishna Committee was to help formulate an exhaustive data protection law, and this report will likely be debated in the winter session of parliament.

In fact, the committee’s recommendation that a Data Protection Authority also be set up to “protect the interests of data principals” by preventing the misuse of personal data at “data fiduciaries” (or those who process such data) would run in the face of acquiring facial recognition data with or without the consent of the data principal. At the Aadhaar authentication centres, many of which are in private hands, such data could prove potentially explosive ammunition for hackers, terrorists and the like.

Union Law Minister Ravi Shankar Prasad has said that formulating this new law (on data protection) would be a huge exercise and there needs to be several debates in parliament and several standing committees before a draft bill is agreed upon. It is thus baffling that, knowing the immensity of the task at hand, the UIDAI unilaterally decided to roll out this invasive technology.

Face recognition software has the ability to take away a person’s right to be left alone, a plinth on which the privacy judgment has been based. The judgment clearly says: “Privacy includes at its core the preservation of personal intimacies, the sanctity of family life, marriage, procreation, the home and sexual orientation. Privacy also connotes a right to be left alone.”

The judgement also makes an important observation: “…privacy is not lost or surrendered merely because the individual is in a public place. Privacy attaches to the person since it is an essential facet of the dignity of the human being…”. It’s a statement that nails the objective of face-recognition software.

Which software would be incorporated into the UIDAI’s effort is not clear, but software in this field has progressed to mind-boggling levels across the world. It has been said that in China software for such surveillance can scan and pinpoint a particular face from within hundreds in a crowd, even from weird angles. This means that a person isn’t excluded from surveillance even in a public space, a concept the Supreme Court wanted to address.

However, new facial recognition technology is now used worldwide by governments and private security agencies with different types of software across facilities. Even in the West, debate rages whether it is legal or not with citizens zealous about protection of their right to privacy and personal liberty. A report published recently in the Washington Post by Ben Sobel, a Fellow at the Center on Privacy & Technology at Georgetown Law, says the entire gamut of such software may be completely illegal. It talks about software developed and patented by Microsoft in which a billboard can identify passersby and “serves ads personalised to your purchase history”.

The report also says that an app “called NameTag claims it can identify people on the street just by looking at them through Google Glass”. In fact, a recent lawsuit filed in Illinois alleged that Facebook violated the “state’s Biometric Information Privacy Act by taking users’ faceprints ‘without even informing its users—let alone obtaining their informed written consent”. It was perhaps the first such case of user consent, exactly what India is talking about today.

This rollout was supposed to have happened from July 1, but was later pushed to August 1 and now this new deadline has been set. The pressure that the UIDAI will be putting on telecom companies to implement this will be immense. It is said there will be severe monetary disincentives for telecom service providers who do not adhere to the new policy. Technically, this imposition should draw contempt of court proceedings from the Supreme Court, since it will be at variance with the top court’s order regarding further linkages. Moreover, the top court’s order was initiated by complaints that the telecom companies were insisting on Aadhaar linkages for all new connections, as well as for renewals.

The UIDAI has said that this new order is to curb the possibility of fingerprint spoofing or cloning with a view to better security audit in the activation of SIMs, but its very statement is an admission of the loose manner in which fingerprint collection has been done. It is also proof that security of the entire database was woven around assumptions. Worse, when these were proved wrong, new systems were put in place with nary a thought about consequences.