
DR. RAM MANOHAR LOHIYA NATIONAL LAW UNIVERSITY, LUCKNOW

SESSION 2019-20

SUBJECT: CYBER LAW

FINAL DRAFT

ON

AADHAR JUDGMENT AND CYBER SECURITY

Submitted to: Dr. Amandeep Singh, Assistant Professor (Law)

Submitted by: Sankalp Patel, BA.LLB (Hons) 7th Sem, Enrollment No. - 160101131


ACKNOWLEDGMENT

I would like to express my gratitude to all those who gave me the possibility to complete this
project. This project is the result of extensive literature study, hard work and labour put into
it to make it worth reading. I extend my heartfelt thanks to Dr. Amandeep Singh, who inspired
me to do this project. I am deeply indebted to him.

I further extend my thanks to the library staff of DR. RAM MANOHAR LOHIYA NATIONAL
LAW UNIVERSITY who helped me in getting all the materials necessary for the project.

RESEARCH METHODOLOGY
 
Method of Research
The researcher has adopted a purely doctrinal method of research. The researcher has made
extensive use of the library at the Dr RMLNLU and also the internet sources.
 
Aims and Objectives:
The aim of the project is to present a detailed study of the “Aadhar Judgment and Cyber
Security”.
Sources of Data:
The following secondary sources of data have been used in the project-
1. Books
2. Websites

TABLE OF CONTENTS

• TRACING THE HISTORY OF AADHAR
• REASON BEHIND ITS CREATION
• PROBLEMS THAT EXISTED WITH THE EARLIER SYSTEM
• ANALYSIS OF AADHAR JUDGMENT
• AADHAR JUDGMENT AND CYBER SECURITY
• CYBER SECURITY STILL A CHALLENGE TO AADHAR
• CONCLUSION

TRACING THE HISTORY OF AADHAR

On January 28, 2009, the Government of India set up the Unique Identification Authority of India
(UIDAI) via a gazette notification.1 This agency was set up with the objective of collecting
the biometric and demographic data of residents, storing them in a centralized database, and
issuing a 12-digit unique identity number called Aadhaar to each resident.2 As per the
notification, the UIDAI has been given the responsibility to lay down plans and policies to
implement the UID scheme, to own and operate the UID database, and to be responsible for its updation
and maintenance on an ongoing basis. The implementation of the UID scheme entails generation and
assignment of UIDs to residents; defining mechanisms and processes for interlinking UID with
partner databases; operation and management of all stages of the UID life cycle; framing policies
and procedures for the updation mechanism; and defining usage and applicability of UID for delivery
of various services, among others.3 The purpose of implementing a broad identification system
was to successfully address the concerns of national security, corruption, and anti-poverty
efforts.

REASON BEHIND ITS CREATION

Prior to the creation of Aadhaar, India did not have a nationally or universally accepted method
for providing identification to its residents. Due to the lack of a uniform and standard approach,
Aadhaar was conceived as a unique and innovative project to deal with this problem. The first
phase of today's UID project was initiated in 1999 by the NDA government in the wake of the
Kargil War. Following the reports of the “Kargil Review Committee” in 2000, and a Group of
Ministers in 2001, the NDA government decided to compulsorily register all citizens into a
“National Population Register” (NPR) and issue a Multi-purpose National Identity Card (MNIC)
to each citizen. To ease this process, clauses related to individual privacy in the Citizenship Act
of 1955 were amended in 2003.4
1. Gazette Notification dated January 28, 2009, Government of India, accessed on February 1, 2016, http://www.uidai.gov.in/images/notification_28_jan_2009.pdf.
2. Roger J. Chin and Gregory Hennessy, “India’s Aadhar Project…”, Journal of Administration and Science (Vol 12, Issue 1, 2015) 2. http://www.rmc.uitm.edu.my/images/stories/JAS/vol12-no1/1.pdf
3. Gazette Notification dated January 28, 2009, Government of India, accessed on February 1, 2016, http://www.uidai.gov.in/images/notification_28_jan_2009.pdf.
4. “What the UID conceals”, R. Ramkumar, The Hindu, accessed on February 5, 2016, http://www.thehindu.com/opinion/lead/what-the-uid-conceals/article839590.ece; http://pib.nic.in/archieve/lreleng/lyr2001/rmay2001/23052001/r2305200110.html; http://www.prsindia.org/uploads/media/vikas_doc/docs/acts_new/1167485133_citizenship_amendment.pdf

Previous methods and more traditional approaches to dealing with the problem had failed as the
government officials and the public sector would attempt to resolve the issue in isolation without
coordinating with public and private efforts. Similar to most countries, India’s public and private
service providers require proof of identity prior to rendering services to any person. But without
a dominant national identification mechanism, service providers used to furnish their own
protocols and benchmarks for establishing identification. The lack of a national identification
mechanism often leads to the denial of critical services and increases corruption because
residents have to bribe government officials in order to obtain services to which they are
legitimately entitled.5 Some of the standard approaches for identification in India include voter
identification, passport, Permanent Account Number (PAN) card, and ration cards. The plethora
of identification mechanisms leads to multiple and fake identities. The implementation of
Aadhaar was meant to curtail these problems and to make obtaining a false identity more
difficult by tying Aadhaar enrollment to harder-to-falsify biometric data.6

PROBLEMS THAT EXISTED WITH THE EARLIER SYSTEM

Voter identification cards and Passports are prone to duplications since voters migrate from one
area to another and then register for a new card.7 Passports are rarely used by the underprivileged
since they are unable to afford the cost of obtaining a passport and are even less likely to travel.
PAN Cards do not require physical verification during the enrollment process, may not have the
person’s current address, and are not cancelled or withdrawn upon the death of the cardholder.
Ration Cards are primarily given to residents at the bottom of the socioeconomic pyramid and
are uncommon among middle and upper tier residents. Perhaps more importantly, there is no
centralized database that stores information about recipients assigned ration cards. By
centralizing and standardizing identity, Aadhaar aimed to address these and other shortcomings
of the prevalent systems while also reducing the inefficiency, corruption, and malfeasance
endemic in them. Aadhaar’s attempt was to consolidate the identification processing associated
with each of these agencies into a single mechanism with a standardized procedure.

PROPOSED IMPLEMENTATION PROCESS


5. About UIDAI, Unique Identification Authority of India (UIDAI), 2014, accessed on February 1, 2016, http://www.uidai.gov.in.
6. Das, J., Maitra, S., & Bagchi, D, ‘Unique identification number: The new identity paradigm’, Globsyn Management Journal, (2011) 5(1/2) 11-18.
7. Supra note 2, http://www.rmc.uitm.edu.my/images/stories/JAS/vol12-no1/1.pdf.

After the Gazette Notification was issued, the former Chairman of Infosys, Nandan Nilekani, was
appointed to lead UIDAI.8 After a great deal of consideration, Nilekani and his team determined
that to ensure uniqueness and to prevent fraud, biometric technology would play a central role in
the system. The technological and institutional infrastructure of Aadhaar had to be able to
eliminate the duplicate and fake identities that were well known to impede the current
system.

In order to successfully reach the ambitious objectives of Aadhaar, the project was designed as a
collaborative partnership between public and private sector organizations.9 Regardless of how
innovative and influential a single organization or government agency might be, the project’s
immense size called for an approach that could draw upon the resources and talents of a range of
organizations. Through collaboration across organizations, the Aadhaar project was designed to
leverage both public and private sector resources through the development of sustainable and
cost-effective networks. The partnership enabled the various stakeholders to meet the technical,
regulatory, and legal obligations of the project. Through a collaborative network of public and
private partners, UIDAI began issuing unique Aadhaar identification numbers in September 2010
with the goal of covering 600 million residents by 2014.

ANALYSIS OF AADHAR JUDGMENT

The validity of Aadhaar has been a topic of broad and current interest. Whether it is individuals or
corporations, government or those who belong to the legal fraternity, the judgment on whether or
not the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act,
2016 (“Aadhaar Act”) is constitutional has been eagerly awaited. The Aadhaar Judgment
extensively comments upon the Aadhaar architecture in the country. Right from when the
Unique Identification Authority of India (“UIDAI”) was established on January 28, 2009 to the
notifications issued by various governmental authorities mandating the disclosure of Aadhaar in
2016/2017, the Aadhaar Judgment critically analyses the history and evolution of Aadhaar.
Furthermore, the Aadhaar Judgment in itself is a deep analysis of the technical and security
measures systemized to ensure the protection of citizens who enroll for Aadhaar. Multiple claims
about lack of data protection norms and privacy laws vis-à-vis the architecture designed to give
unique identity to the citizens of the country have been dealt with by the judges. It also discussed
various facets of the Personal Data Protection Bill, 2018.

8. Official Website of UIDAI (PM’s Council) - http://uidai.gov.in/all-about-uidai.html; Newspaper article covering the same – “Nandan Nilekani Appointed as Chairperson of UIDAI”, Business Standard, June 25, 2009. http://www.business-standard.com/article/press-releases/nandan-m-nilekani-appointed-as-chairperson-of-uidai-109062500107_1.html
9. Klitgaard, R., & Treverton, G. (2003). Assessing partnerships: New forms of collaboration. New Ways to Manage Series. Washington, D.C.: IBM Endowment for the Business of Government.

The Objective:

Judicial precedents have established that the objective with which legislation is enacted shall be
given paramount importance when a question for determination of its validity arises. The
Aadhaar Judgment is full of praise for the aim of the Aadhaar Act and highlights that “In a welfare
state, where measures are taken to ameliorate the sufferings of the downtrodden, the aim of the
Aadhaar Act is to ensure that these benefits actually reach the populace for whom they are
meant.” The court hence held that the Aadhaar Act has a legitimate state aim and that plugging
the loopholes will be an adequate remedy for the concerns raised rather than axing the Aadhaar
project. Overall, the Aadhaar Judgment lauds the government’s intent in establishing Aadhaar
and states that given the legislative aim, the provisions of the Aadhaar Act withstand the test of
proportionality.

The Rationale:

Every claim raised against Aadhaar is evaluated on the basis of a three-fold test, i.e. whether there
is a law in existence; whether it has a ‘legitimate state interest’; and lastly, whether such
law passes the ‘test of proportionality’. The 1448-page judgment boils down to:

a) The Aadhaar Act was legitimately passed as a Money Bill and its constitutionality upheld
by majority vote;

b) Aadhaar has a valid and legitimate state interest;

c) The Aadhaar Judgment analyses every claim and weighs the same with the test of
proportionality to ensure a rational nexus between the objects and the means adopted to achieve
them under the Aadhaar Act.

Aadhaar as a Money Bill:

On March 3, 2016, the Aadhaar Act was introduced as a money bill in the Parliament, giving
legislative backing to the Aadhaar project. After receiving legislative assent, the Aadhaar Act was
notified in the Gazette of India on March 26, 2016. The constitutional validity of Aadhaar was
challenged on the ground that the Aadhaar Act does not fall under the ambit of a money bill and
hence the passing of the same as a money bill, in principle, results in the Aadhaar Act being
unconstitutional. The five-judge bench, by a majority vote of 4:1, upheld the constitutional
validity of the Aadhaar Act. The consenting judges were of the opinion that the aim of the act is
ensuring targeted delivery of subsidies, benefits and services. Article 110 of the Constitution of
India, 1949, lists matters which, if dealt with by a bill, mean the bill will be deemed to be a money bill. One
such matter listed in Article 110 is the “receipt of money on account of the Consolidated Fund
of India or the public account of India or the custody or issue of such money or the audit of the
accounts of the Union or of a State”. The Aadhaar Judgment states that the core of the Aadhaar
Act is Section 7, by virtue of which Aadhaar is mandated for the receipt of a subsidy, benefit or
service and the provision of the same is taken care of by the Consolidated Fund of India. It is on the
basis of this Section that the judgment upheld the constitutional validity of Aadhaar even though
the same was passed as a money bill. However, Justice Chandrachud was in disagreement with
the above view and further recognized that given that the Aadhaar Act deals with data protection
and privacy of the individuals, under no circumstances could it be considered as a money bill and
hence should be declared unconstitutional. The Aadhaar Judgment also validates all actions
taken by the government from 2009 till 2016, i.e. until the Aadhaar Act was passed, on the ground
that due consent of the citizens was procured by the government authorities.

Protection of the Right to Privacy:

The Aadhaar Judgment cherishes the nine-judge bench view on the right to privacy as a
fundamental right. It further throws light on the evolution of the concept of human dignity and
privacy and discusses the rationale of the progressive judgments of the courts of law on the
subject. The judges also touched upon other landmark judgments related to the fundamental
rights and rule of law and the limitations and permissible restraints on exercising fundamental
rights. A number of arguments were dealt with and commented upon by the bench. Whether
Aadhaar challenges the concept of limited government, whether the state will have complete
control over the biometric and demographic data of the citizens, and whether, given that everything at all
times will be linked to Aadhaar, every citizen will be under the gaze of the government, are a few
of the points which have been deliberated upon. The Aadhaar Judgment considered the arguments
advanced against Aadhaar and compared the same with the benefits which Aadhaar would bring
and further, subject to certain restrictions, held that it overall passes the test of proportionality.
The court also stressed upon the need for security monitoring, data protection, conducting data
audits and having a robust system in place to ensure data safety. The Aadhaar Judgment also
stated that suitable provisions to deal with the need of altering information and those related to
accepting alternate means of identity in case the biometric/demographic information changes as
a result of age, injury, surgeries, etc. shall be introduced. However, to ensure that the right to
privacy is considered as fundamental, the court regarded the following sections and concepts
as UNCONSTITUTIONAL:

• Section 33(2) of the Aadhaar Act: The said section of the Aadhaar Act provides for
disclosure of the information in the interest of national security pursuant to a direction of
a competent officer not below the position of Joint Secretary. The argument that was
raised was that the said provisions violate Article 20(3) of the Indian Constitution, which
deals with self-incrimination, and further, given that there is a lack of boundaries,
information can be misused. The court held that even though national security is a fair
exception for enforcement of fundamental rights, such an important power has to be
judiciously entrusted and the same cannot be entrusted to the Joint Secretary, hence
striking down Section 33(2).

• Section 47 of the Aadhaar Act: The judgment has struck down Section 47 of the Act,
which stated that criminal complaints for data breach can be filed only by UIDAI. The
exclusion of individuals from filing complaints was held to be arbitrary and hence was
fairly struck down. This is considered as a celebrated move since it recognizes that the
right to privacy being a personal and fundamental right, the enjoyment of the same
cannot be unduly restricted.

• Section 57 of the Aadhaar Act: Section 57 allows private entities to use Aadhaar
numbers for the purpose of establishing identity. The Section states that the Aadhaar
numbers can be procured by the private entities “for any purpose”. The court recognized
that allowing such unrestricted use of Aadhaar by private bodies that are not regulated by
the government will lead to commercial exploitation of the personal data of individuals
and could also lead to individual profiling. The Court further recognized that in such a
scenario, the individuals may be forced to disclose their information pursuant to any
contract that they may have previously entered into and hence struck down Section 57 as
the same would intrude upon an individual’s right to privacy.

• Minors’ Aadhaar: Article 21A recognizes the right to education for children between 6
years and 14 years as a fundamental right and on the basis of the aforementioned Article,
Aadhaar cannot be made mandatory for any educational purposes or receiving any
benefits related to education. Since the privacy of children would need special protection,
the Aadhaar Judgment lists guidelines for procuring Aadhaar information of children
and those related to their consent.

• Exclusion of Earned Benefits: The court specified that where Aadhaar linking for
subsidies and government schemes can be mandated, Aadhaar should in no way be
linked to any earned benefits that an individual earns, such as those related to pension,
even when the same are regulated by government authorities.

The Aadhaar Network:

• Linking PAN-Aadhaar:

The Supreme Court in Binoy Viswam v Union of India10 decided on whether Section 139AA of
the Income Tax Act, 1961 is unconstitutional. The Aadhaar Judgment, on the rationale of the
abovementioned judgment and further upholding the same, states that the section which
mandates linking of the Aadhaar and PAN of an individual meets the tri-partite test and hence is
valid on the grounds of proportionality. The Aadhaar Judgment analyzed all activities under the
Income Tax Act, 1961 where PAN is required to be disclosed and stated that with the aim of
curbing tax evasion, the step towards linking Aadhaar and PAN is in the right direction.

• Linking Aadhaar-Bank Account:

The amendments made to the Prevention of Money Laundering Act and the Rules made
thereunder which mandate the linking of Aadhaar and Bank Accounts have been, by majority,
held unconstitutional. Amendments which stated that the customers will not be allowed to access
their accounts in case the same is not linked to Aadhaar are held arbitrary since the same would
result in depriving individuals of their own property. Further, even though the amendment is
in furtherance of the objective of prevention of money laundering, the Aadhaar Judgment states
that there cannot be a sweeping provision that targets all individuals as suspects and hence the
presumption of criminality does not withstand the test of proportionality.

10. (2017) 7 SCC 59.

• Linking Aadhaar-SIM:

Another claim that the Aadhaar Judgment deals with is whether the Circular dated March 23,
2017 issued by the Department of Telecommunications mandating linking of mobile number
with Aadhaar is illegal and unconstitutional. The court has held the abovementioned circular to
be unconstitutional, giving the same reason as stated in the case of linking Aadhaar-Bank
Account, and further upheld the stance taken in Lokniti Foundation v/s Union of India11.
Considering that the SIM and mobile are a storehouse of characteristic, linking the same to
Aadhaar will result in grave dangers to personal autonomy. Further, a blanket requirement to link
Aadhaar and SIM has not taken into consideration the fact that a number of foreign nationals also
procure telecommunication services in India.

AADHAR AND CYBER SECURITY

The World Economic Forum's (WEF's) Global Risks Report 2019, says, "The largest (data
breach) was in India, where the government ID database, Aadhaar, reportedly suffered multiple
breaches that potentially compromised the records of all 1.1 billion registered citizens. It was
reported in January 2018 that criminals were selling access to the database at a rate of Rs500 for
10 minutes, while in March a leak at a state-owned utility company allowed anyone to download
names and ID numbers."12

According to Avast, between August 2017 and January 2018, Aadhaar numbers, names, email
and physical addresses, phone numbers, and photos of almost 1.1 billion Indians were found
susceptible to data breach. Indane, a brand owned by the Indian Oil Corp (IOC) for liquefied
petroleum gas (LPG), was found to be leaking data of millions of Aadhaar numbers of customers and
information of dealers and distributors, according to a French researcher. Baptiste Robert, who goes by
the online Twitter handle Elliot Alderson and has exposed Aadhaar leaks in the past, wrote in a
blog post late on Monday that the Aadhaar data of nearly 6.7 million dealers and distributors of
Indane, accessible only with a valid username and password, was left exposed. "Due to a lack of
authentication in the local dealers portal, Indane is leaking the names, addresses and the Aadhaar
numbers of their customers. Indane has 11062 dealers. Total number of affected customer is
around 6,791,200,

11. (2017) 7 SCC 155.
12. https://www.moneylife.in/article/aadhaar-data-breach-largest-in-the-world-says-wefs-global-risk-report-and-avast/56384.html

As several experts have been pointing out, Aadhaar does not establish anything. In fact, in
response to a right to information (RTI) application, the Unique Identification Authority of India
(UIDAI) itself had admitted that it does not certify the identity, address, date of birth, resident
status or existence of any individual or any Aadhaar number.

CYBER SECURITY STILL A CHALLENGE TO AADHAAR

The Supreme Court verdict, responding to 27 petitions against the ‘draconian’ nature of Aadhaar,
has been a mixed bag. While the majority opinion of the five-judge Constitution bench has
addressed many of the concerns that had been repeatedly raised, the single dissenting opinion
needs to be considered very seriously.13 The judgment’s most welcome part is the scrapping of
Section 57 of the Aadhaar Act, which allowed private entities to use Aadhaar for verification
purposes. Far too many people have been duped into opening accounts in mobile phone payment
banks while being forced to conduct an e-KYC (know your customer) procedure with Aadhaar
for their SIM (subscriber identity module) cards.

This was an ethical and legal violation of even the existing Article 57, leading to abuse as serious
as the redirection of LPG (liquefied petroleum gas) subsidies.

13. //economictimes.indiatimes.com/articleshow/65970934.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

Even though the data at the Central Identities Data Repository (CIDR) may be safe — and kept
behind a ‘13×5 ft wall’, as claimed by the attorney general during the Aadhaar case hearing
before the Supreme Court — the ecosystem has been leaking, is poorly protected, and any data
store seeded with Aadhaar data has potential points of vulnerability.

There were instances in the news where hackers were found to have created 26 patches to the
Aadhaar enrolment software. These would allow the GPS (global positioning system) tracking of the
device’s location to be disabled and the need to authenticate the enrolment operators to be
bypassed by running the image file of the operator’s biometric.

In effect, an enrolment station could be set up anywhere in the world. The original intent of the
software was to have the device GPS-locked, so that no one could operate an enrolment centre
outside India. What became clear was that with a copy of the enrolment software along with
these patches, one could run the enrolment operation anywhere in the world.

So, as a banker or a telecommunication operator, if you feel that authenticating someone through
Aadhaar is good enough proof of the person’s identity, you are mistaken. After the news of the
latest breach came out, the UIDAI had claimed that their de-duplication software is so precise
that no one person can create two Aadhaar numbers. But that was not the attack model exposed
in the news story.

The accuracy of the de-duplication software is not 100%. With more than one billion people,
even a 1% lack of accuracy can lead to many duplicate Aadhaar numbers. The fact that the
database may already contain data of people outside India who do not meet the criteria of having
an Aadhaar should be considered as a serious problem.14

Conclusion:

14. Sandeep Shukla (cyber security researcher and faculty member, IIT Kanpur) at https://economictimes.indiatimes.com/news/politics-and-nation/aadhaar-verdict-why-privacy-still-remains-a-central-challenge/articleshow/65970934.cms.

The Aadhaar Judgment respects the right to privacy and further stresses the need for
adequate measures to be in place in the Aadhaar era to ensure data privacy. In essence, it recognizes
that the threat to privacy does not arise from personal identification related to biometric and
demographic data but from the ability of third persons to access it. While most facets of
the judgment are celebrated, whether or not the Aadhaar Act could be introduced as a money bill is
still a topic of debate.

Moreover, the instances of cyber attacks and the absence of a 100% defence plan to deal with them
remain a question that needs to be addressed, because privacy, liberty and autonomy are to be
considered deeply, as said by J. Chandrachud in his dissenting opinion.
