“We kill people on the basis of metadata.”
-Unrepenting admission of Michael Hayden, former head of USA’s NSA and CIA, quoted in the Draft Resolution on Mass Surveillance, The Committee on Legal Affairs and Human Rights, Parliamentary Assembly of the Council of Europe dated 18 March 2015
“If once people become inattentive to the public affairs, you and I, Congress and Assemblies, judges and Governors shall become wolves.”
-Thomas Jefferson, author of the Declaration of Independence and the third president of USA in a letter dated 16 January, 1787
The Supreme Court’s seven-judge constitution bench is all set to decide India’s first metadata case which pertains to four existing Aadhaar databases. The first database is the ‘person database’ which stores the personal attributes of a person (name, address, age, etc) along with his/ her Aadhaar number. The second is the reference database which stores the Aadhaar number of a person along with a unique reference number (which has no relationship with the Aadhaar number of an individual). The third database is the biometric database which stores the biometric information of a person along with the unique reference number and the fourth database is the verification log which records all ID verifications done in the past five years. The matter is listed for hearing on 30 January 2024.
The “metadata is not defined in the Aadhaar Act.” Metadata is information about the time and location of a phone call or email or electronic transaction, as opposed to the actual content of those conversations or messages or transactions.
As part of the 44th chief justice of India (CJI) led 9-judge constitution bench in the Aadhaar case, Dr Chandrachud authored the leading order dated 24 August 2017 wherein he mentions 'metadata' only once but with a very categorical emphasis. He underlined that metadata has the ability to redefine human existence in ways that are yet fully to be perceived. He drew on the paper of Christina Moniodis titled "Moving from Nixon to NASA: Privacy’s Second Strand- A Right to Informational Privacy.' Dr Chandrachud cites her with approval. He states that metadata “results in the creation of new knowledge about individuals; something which even she or he did not possess. This poses serious issues for the Court. In an age of rapidly evolving technology, it is impossible for a judge to conceive of all the possible uses of information or its consequences.”
He quoted Moniodis saying, “…The creation of new knowledge complicates data privacy law as it involves information the individual did not possess and could not disclose, knowingly or otherwise. In addition, as our state becomes an “information state” through increasing reliance on information –such that information is described as the “lifeblood that sustains political, social, and business decisions. It becomes impossible to conceptualise all of the possible uses of information and resulting harms. Such a situation poses a challenge for courts who are effectively asked to anticipate and remedy invisible, evolving harms.”
Notably, her paper drew on Elbert Lin's "Note on Prioritizing Privacy: A Constitutional Response to the Internet" and Andrew M Ballard's report about "3.6 Million SSNs Exposed in Hack of South Carolina Tax Agency's System" on social security number (SSN) which prompted the governor of South Carolina to issue an executive order upbraiding the state’s information technology policy in 2012.
Drawing from Yvonne McDermott’s paper "Conceptualising the right to data protection in an era of Big Data", Dr Chandrachud observes, “The contemporary age has been aptly regarded as “an era of ubiquitous dataveillance, or the systematic monitoring of citizen’s communications or actions through the use of information technology”. It is also an age of “big data” or the collection of data sets. These data sets are capable of being searched; they have linkages with other data sets; and are marked by their exhaustive scope and the permanency of collection.”
One can hear the echo of what Dr Chandrachud wrote in the book Permanent Record by Edward Snowden who makes 24 references to 'metadata' and explains it. The content of our communications is not as revealing as “the unwritten, unspoken information that can expose the broader context and patterns of behaviour.” USA’s national security agency (NSA) calls the unwritten, unspoken information 'metadata'. It use the term 'meta' in the sense of 'about'. It implies that “metadata is data about data. It is, more accurately, data that is made by data—a cluster of tags and markers that allow data to be useful. The most direct way of thinking about metadata, however, is as ‘activity data,’ all the records of all the things you do on your devices and all the things your devices do on their own.” It emerges from Snowden’s book that metadata is not some benign abstraction, but the very essence of content: it is precisely the first line of information.
The seven-judge Constitution bench is going to decide the constitutionality of the Aadhaar Act which enables indiscriminate collection of metadata besides other legislations. The bench, comprising 50th CJI, Dr DY Chandrachud, justices Sanjay Kishan Kaul, Sanjiv Khanna, BR Gavai, Surya Kant, JB Pardiwala and Manoj Misra, has issued directions for the pre-hearing steps in various matters before the seven-judge Constitution bench and the nine-judge Constitution bench. In its 12 October 2023 order, it instructed that the compilation of documents, pleadings, and precedents must be filed in three weeks along with written submissions.
The Supreme Court’s decision dated 13 November 2019 had referred the illegitimate enactment of the Aadhaar Act as a 'Money Bill' for consideration by a seven-judge constitution bench to hear the Roger Mathew vs South India Bank Ltd
case as a consequence of the verdict by the 46th CJI led five-judge constitution bench.
This 46th CJI led bench detected an unprecedented blunder in the majority verdict
dated 26 September 2018 by the 45th CJI, justices AK Sikri, AM Khanwilkar and Ashok Bhushan regarding the Money Bill and UID/ Aadhaar being a 12-digit number, not a 'card'.
As part of the blunder, justice (now retired) AK Sikri tortured the word 'resident' in the Aadhaar Act/Money Bill verdict. As the author of the majority order, he compelled the 'resident' word to confess that it has two names- its other name is 'citizen'. He empowered himself with such unlimited power he would have the world believe that the 'resident' word can be tortured to confess that it is the same as 'citizen'. But such third-degree torture of words has failed to get its meaning changed from the dictionary.
The seven-judge constitution bench is likely to save every 'resident' of India from automatically becoming a 'citizen' without their consent.
It is germane to underline that every person, including the public institutions, parties, editors, donors, advertisers and judicial officers who refer to the 12-digit unique identification (UID) number branded as 'Aadhaar' as 'card', betrays their colossal ignorance about the world’s biggest data transfer project. This is a unique number that can be authenticated digitally, not a 'card'.
The Unique Identification Authority of India (UIDAI) is responsible for the processes of enrolment and authentication and “other functions” assigned to it under the planning commission's notification dated 28 January 2009 and subsequently the Aadhaar Act, 2016. These 'other functions' include ownership of the central identities data repository (CIDR), a centralised database in one or more locations containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding "demographic information and biometric information of such individuals and other information". The 'other information' includes metadata which is under the control of UIDAI as part of its 'other functions'.
After the promoters of CIDR of Aadhaar numbers were proven wrong by the nine-judge bench with regard to their flawed claim that the right to privacy was not a fundamental right, a five-judge bench led by the 45th CJI was set up. Justice Sikri (on behalf of the 45th CJI, himself and justice AM Khanwilkar), Dr Chandrachud and justice Ashok Bhushan pronounced three separate judgements of the bench. Justice Bhushan agreed with the justice Sikri authored order on the enactment of the Aadhaar Act as Money Bill. Dr Chandrachud disagreed with them and termed the enactment of the Aadhaar Act as Money Bill as a fraud on the constitution of India.
Significantly, the 1,448-page-long verdict on the Aadhaar Act makes some 50 references to metadata'. The Union government informed the Court about three types of meta-data: technical, business and process metadata. Process metadata describes the results of various operations such as logs key data, start time, end time, CPU seconds used, disk reads, disk writes, and rows processed. This data is valuable for purposes of authenticating transactions, troubleshooting, security, compliance and monitoring and improving performance. The government has submitted that the metadata contemplated under the regulation framed under the Aadhaar Act is process metadata.
In a glaring omission, the government chose not to reveal anything about the “Standard for Preservation Information Documentation of Electronic Records, which would enable standardised metadata dictionary and scheme for describing the ‘preservation metadata’ of an electronic record” framed in 2013. But the Court was kept in the dark about it.
The first reference to 'metadata' in the 1448-page-long verdict on the Aadhaar Act reproduces Dr Chandrachud’s observation about 'metadata' made as part of a nine-judge bench.
The verdict refers to the decision of the Court of Justice of the European Union (CJEU) Tele2 Sverige AB vs Post-och telestyrelsen (2016) wherein it was seized with the issue about whether in light of Digital Rights Ireland, a national law which required a provider of electronic communications services to retain meta-data (name, address, telephone number and IP address) regarding users/ subscribers for the purpose of fighting crime, was contrary to Article 7, 8 and 11 of the Charter of Fundamental Rights of the European Union. The CJEU struck down the provision allowing collection of such metadata on grounds of lack of purpose limitation, data differentiation, data protection, prior review by a court or administrative authority and consent.
The operative order of the Indian Court’s verdict referred to the decision of CJEU in Maximillian Schrems vs Data Protection Commissioner (2016), which struck down the transatlantic US-EU Safe Harbor agreement that enabled companies to transfer data from Europe to the United States on the ground that there was not an adequate level of safeguard to protect the data. It held that the US authorities could access the data beyond what was strictly necessary and proportionate to the protection of national security. The subject had no administrative or judicial means of accessing, rectifying or erasing their data.
These judgements of foreign courts are quite relevant for India because the contract agreement between USA’s Accenture and UIDAI enables the transfer of data from India to USA. The US government can access the data of all the residents of India including all the present and future citizens in complete disregard of national security. The data of Indians is in the possession of US agencies under the USA Patriot Act, 2001.
The US government has access to data through UIDAI’s contract agreement with L1 Identities Solution company, a US company which got bought over by Safran, a French conglomerate on 26 July 2011. It implies that the French too have access to it. UK’s Ernst & Young too have signed a similar contract agreement. Indians have no administrative or judicial means of accessing, rectifying or erasing their data which is in the possession of these foreign entities.
As part of his order, Dr Chandrachud has recorded the submission of the government with regard to the process of authentication and metadata retained under the Aadhaar Act. It records that “metadata allows officials to make precise conclusions about a person’s private life, and dragnet data collection creates a chilling effect based on the sense that one’s life is subject to surveillance at all times.”
On the nature of metadata, the Court observed that: “Taken as a whole, [metadata] may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.” The only data, which has been excluded from retention is the purpose of authentication.
Dr Chandrachud’s order takes note of a report titled as Analysis of Major Concern about Aadhaar Privacy and Security – 4 March 2018, authored by professor Manindra Agrawal who is a professor at IIT Kanpur and is a member of the technology and architecture review board (TARB) and of the security review committee of UIDAI.
Professor Agarwal’s report reveals that for each verification, the biometric data, Aadhaar number, and ID of the device on which verification was done, is stored. The report analyses the situation if any of the databases get leaked. The report points out that “Its leakage may affect both the security and the privacy of an individual as one can extract identities of several people (and hence can keep changing forged identities) and also locate the places of transactions done by an individual in the past five years.”
A breach in the verification log would allow a third party to access the location of the transactions of an individual over the past five years. The report indicates that it is possible, through the Aadhaar database, to track the location of an individual.
In this backdrop, it is noteworthy that the operative part of the verdict states that Section 2(d) of the Aadhaar Act “which pertains to authentication records, such records would not include metadata as mentioned in regulation 26(c) of the Aadhaar (Authentication) Regulations, 2016. Therefore, this provision in the present form is struck down.” The government’s explanation that metadata refers to process data only does not find specific mention in the law. This deliberate silence of the law makes the law illegitimate and is fraught with genocidal implications.
In his book, Snowden says, “Intelligence agencies are far more interested in the metadata—the activity records that allow them both the ‘big picture’ ability to analyse data at scale, and the ‘little picture’ ability to make perfect maps, chronologies, and associative synopses of an individual person’s life, from which they presume to extrapolate predictions of behaviour.” It is evident that metadata acts as a digital panopticon and is a tool for indiscriminate unlimited mass surveillance. The marriage of metadata with biometric data by State and non-State actors seems to be aimed at ensuring the extinction of the natural rights of human beings.
In April 2022, the audit report of the comptroller auditor general (CAG) of India revealed “flaws in the management of various contracts entered into by UIDAI”. The report states that “statistical information on generation, update and authentication services of Aadhaar and financial information referred to in the Report have been updated up to March 2021, to the extent as furnished by UIDAI.”
It implies that UIDAI has not been furnishing all the information required for audit by CAG. The audit report also discloses that “The decision to waive off penalties for biometric solution providers was not in the interest of the Authority giving undue advantage to the solution providers, sending out an incorrect message of acceptance of poor quality of biometrics captured by them."
It shows that the rejection of the bharatiya automated fingerprint identification system (BAFIS) in favour of foreign firms was a flawed decision of the Indian government. The audit report corroborates the findings of the report titled Biometric Recognition: Challenges and Opportunities (2010). It has concluded that biometric identification systems are 'inherently fallible'. It was funded by the US Pentagon's defence advanced research projects agency (DARPA), the National Science Foundation, the Central Intelligence Agency (CIA) and USA’s department of homeland security.
The 42nd report of the Yashwant Sinha-headed parliamentary standing committee on finance submitted to the Parliament revealed that BAFIS was launched in January 2009. It was funded by the department of information technology, ministry of communications and information technology, for the collection of biometric information of the people of the country.
But UIDAI did not use it because, according to the government, “The quality, nature and manner of collection of biometric data by other biometric projects may not be of the nature that can be used for the purpose of the Aadhaar scheme and hence it may not be possible to use the fingerprints captured under the Bharatiya-AFSI project.”
The Supreme Court’s operating order refers to this parliamentary report which shows that the government reached the conclusion that biometric technology of foreign firms is better than the existing Indian one from the point of uniqueness without any comparative study with regard to the quality, nature and manner of collection of biometric data. This parliamentary report has underlined that the “estimated failure of biometrics is expected to be as high as 15% due to a large chunk of population being dependent on manual labour.”
The CAG’s audit report reveals that foreign biometric technologies are no better than the Indian one. In any case, it has been conclusively established that the biometric identification system is fallible and unreliable.
The CAG’s audit report reveals that "UIDAI had not ensured that the client applications used by its authentication ecosystem partners were not capable of storing the personal information of the residents, which put the privacy of residents at risk. The Authority had not ensured the security and safety of data in Aadhaar vaults. They had not independently conducted any verification of compliance to the process involved."
On 17 July 2022, the government informed the Lok Sabha that the “Recommendation of CAG’s Audit Report No.24…on ‘Performance Audit on Functioning of UIDAI’ has been accepted for implementation. Action taken report on CAG's report on 'Performance Audit of UIDAI' uploaded on Audit Para Monitoring System (APMS) (https://apms.nic.in
).” It could not be traced on this website. This report does not appear to be in the public domain.
It may be recalled that annexure 1 of the notification of the government of India dated 28 January 2009 constituted UIDAI deals with the role and responsibilities of UIDAI. It states: "implementation of UID scheme will entail” taking “necessary steps to ensure collation of NPR with UID (as per. approved strategy).” NPR refers to the national population register. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 subsumed the government’s notification dated 28 January 2009. The convergence initiatives of MHA like NPR and UIDAI’s UID/ Aadhaar use myriad fish baits like goods, services and subsidies besides mandatory quoting for PAN to entrap the present and future generation of citizens, the data subjects at the behest of transnational commercial and surveillance technology czars.
A joint reading of two orders of justice Subramonium Prasad, Delhi High Court dated 6 September 2023 in Mathew Thomas vs Union of India (2014) case and 5 October 2023 in Prashant Reddy v. CPIO, UIDAI (2023) case shows that all the contracts of UIDAI and foreign firms come under the Right To Information Act. There is a logical compulsion for the Supreme Court to examine these contracts with reference to Section 57 of the Aadhaar Act and Section 139 AA of the Income Tax Act, 1961 as well.
Notably, the justice Sikri authored judgement by a division bench comprising justice Bhushan in Binoy Visman vs Union of India (2017) on Section 139 AA was given at a time when the constitutionality of enactment of the Aadhaar Act was not adequately adjudicated. It pre-dates the pronouncement about the unconstitutionality of Section 57.
Against such a backdrop, in the aftermath of the revelations by the CAG about contracts awarded to foreign firms which are involved in UIDAI’s CIDR and the home ministry’s NPR, this national security-related case deserves utmost priority. Structurally, Aadhaar and NPR is part of one initiative being pushed by the World Bank Group which admits its central pillar to be surveillance including military surveillance. It emerges that the Aadhaar Act has put the privacy and security of present and future residents, citizens, prime ministers, chief ministers, judges, legislators, soldiers, civil servants, editors, intelligence officials and their families at risk by transferring demographic data, biometric data and metadata to foreign State and non-State actors. It is hoped that attempts by foreign entities, which are subverting public institutions through anonymous and limitless donations, are being resisted by the judiciary.
You may also want to read…
(The author is a lawyer and philosophy and law researcher. He had appeared before the Parliamentary Committee that examined the National Identification Authority of India Bill, 2010 that was withdrawn in 2016 and enacted later as Aadhaar Act 2016.)