India’s First Metadata case: Supreme Court’s Constitution Bench to decide illegitimacy of Aadhaar Act amid Great Data Robbery | Gopal Krishna

“We kill people on the basis of metadata.”
— Unrepenting admission of Michael Hayden, former head of USA’s NSA and CIA quoted in the Draft Resolution on Mass Surveillance, The Committee on Legal Affairs and Human Rights, Parliamentary Assembly of the Council of Europe dated 18 March 2015

“If once people become inattentive to the public affairs, you and I, Congress and Assemblies, judges and Governors shall become wolves.”
— Thomas Jefferson, author of the Declaration of Independence and the third president of USA in a letter dated 16 January 1787 

Supreme Court’s 7-judge Constitution Bench is all set to decide India’s first metadata case which pertains to four existing Aadhaar databases. The first database is the ‘person database’ which stores personal attributes of a person (name, address, age, etc.) along with his/her Aadhaar number. The second is the reference database which stores the Aadhaar number of a person along with a unique reference number (which has no relationship with the Aadhaar number of an individual). The third database is the biometric database which stores biometric information of a person along with the unique reference number and the fourth database is the verification log which records all ID verifications done in the past five years. The “metadata is not defined in the Aadhaar Act.”

“Metadata” is information about the time and location of a phone call or email or electronic transaction, as opposed to the actual content of those conversations or messages or transactions.

As part of the 44th Chief Justice of India (CJI) led 9-judge Constitution Bench in the Aadhaar case, Dr. Chandrachud authored the leading order dated August 24, 2017 wherein he mentions “metadata” only once but with a very categorical emphasis. He underlined that metadata has the ability to redefine human existence in ways which are yet fully to be perceived. He drew on the paper of Christina Moniodis titled “Moving from Nixon to NASA: Privacy ’s Second Strand- A Right to Informational Privacy”. Dr. Chandrachud cites her with approval. He states that metadata “results in the creation of new knowledge about individuals; something which even she or he did not possess. This poses serious issues for the Court. In an age of rapidly evolving technology it is impossible for a judge to conceive of all the possible uses of information or its consequences.”

He quoted Moniodis saying, “…The creation of new knowledge complicates data privacy law as it involves information the individual did not possess and could not disclose, knowingly or otherwise. In addition, as our state becomes an “information state” through increasing reliance on information –such that information is described as the “lifeblood that sustains political, social, and business decisions. It becomes impossible to conceptualize all of the possible uses of information and resulting harms. Such a situation poses a challenge for courts who are effectively asked to anticipate and remedy invisible, evolving harms.” Notably, her paper drew on Elbert Lin’s Note on "Prioritizing Privacy: A Constitutional Response to the Internet" and Andrew M. Ballard’s report "About 3.6 Million SSNs Exposed in Hack Of South Carolina Tax Agency’s System" on Social Security Number (SSN) which prompted the Governor of South Carolina to issue an executive order upbraiding the state’s information technology policy in 2012.

Drawing from the Yvonne McDermott’s paper “Conceptualizing the right to data protection in an era of Big Data”, Dr. Chandrachud observes, “The contemporary age has been aptly regarded as “an era of ubiquitous dataveillance, or the systematic monitoring of citizen’s communications or actions through the use of information technology”. It is also an age of “big data” or the collection of data sets. These data sets are capable of being searched; they have linkages with other data sets; and are marked by their exhaustive scope and the permanency of collection.”

One can hear the echo of what Dr. Chandrachud wrote in the book Permanent Record by Edward Snowden who makes 24 references to “metadata” and explains it. The content of our communications is not as revealing as “the unwritten, unspoken information that can expose the broader context and patterns of behavior.” USA’s National Security Agency (NSA) calls the unwritten, unspoken information “metadata.” It use the terms “meta” in the sense of “about”. It implies that “metadata is data about data. It is, more accurately, data that is made by data—a cluster of tags and markers that allow data to be useful. The most direct way of thinking about metadata, however, is as ‘activity data,’ all the records of all the things you do on your devices and all the things your devices do on their own.” It emerges from Snowden’s book that metadata is not some benign abstraction, but as the very essence of content: it is precisely the first line of information.
The 7-judge Constitution Bench is going to decide the constitutionality of Aadhaar Act which enables indiscriminate collection of metadata besides other legislations. The bench comprising 50th CJI, Dr. D.Y. Chandrachud, Justices Sanjay Kishan Kaul, Sanjiv Khanna, B.R.Gavai, Surya Kant, J.B.Pardiwala and Manoj Misra have issued directions for the pre-hearing steps in various matters before 7-judge Constitution Bench and 9-judge Constitution Bench. In its October 12, 2023 order, it has instructed that the compilation of documents, pleadings, precedents must be filed in three weeks along with written submissions.

The Supreme Court’s decision dated November 13, 2019 had referred the illegitimate enactment of Aadhaar Act as “Money Bill” for consideration by a 7-Judge Constitution Bench to hear the Roger Mathew v. South India Bank Ltd case as a consequence of the verdict by the 46th CJI led 5-Judge Constitution Bench. This 46th CJI led bench detected a UNPRECEDENTED BLUNDER in the majority verdict dated September 26, 2018 by 45th CJI, Justices A. K. Sikri, A.M. Khanwilkar and Ashok Bhushan regarding Money Bill and UID/Aadhaar being a 12-digit number, not a "card". As part of of the blunder Justice ( now retired) A.K. Sikri tortured the word "resident" in Aadhaar Act/Money Bill verdict. As the author of the majority order, he compelled “resident” word to confess that it has two names, its other name is "citizen". He empowered himself with such unlimited power he will have the world believe that "resident" word can be tortured to confess that it is the same as "citizen". But such third degree torture of words has failed to get its meaning changed from the dictionary. The 7-judge Constitution Bench is likely to save every “resident” of India from automatically becoming “citizen” without their consent.

It is germane to underline that every person including the public institutions, parties, editors, donors, advertisers and judicial officers who refer to 12-digit unique identification (UID) number branded as "Aadhaar" as “card” betray their colossal ignorance about the world’s biggest data transfer project. This is a unique number that can be authenticated digitally, not a “card”. The Unique Identification Authority of India (UIDAI) is responsible for the processes of enrolment and authentication and “other functions” assigned to it under Planning Commission’s notification dated January 28, 2009 and subsequently Aadhaar Act, 2016. These “other functions” include ownership of “Central Identities Data Repository” (CIDR), a centralised database in one or more locations containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding "demographic information and biometric information of such individuals and other information". The “other information” includes metadata which is under the control of UIDAI as part of its “other functions”.

After the promoters of CIDR of Aadaaar numbers were proven wrong by the 9-judge Bench with regard to their flawed claim that right to privacy was not a fundamental right, a 5- Judge Bench led by 45th CJI was set up. Justice Sikri (on behalf of 45th CJI, himself and Justice A.M. Khanwilkar), Dr. Chandrachud and Justice Ashok Bhushan pronounced three separate judgments of the Bench. Justice Bhushan agreed with the Justice Sikri authored order on the enactment of Aadhaar Act as Money Bill. Dr. Chandrachud disagreed with them and termed the enactment of Aadhaar Act as Money Bill as a fraud on the Constitution of India.

Significantly, the 1448 page long verdict on Aadhaar Act makes some 50 references to “metadata”. Union government informed the Court about three types of meta-data:technical, business and process metadata. Process metadata describes the results of various operations such as logs key data, start time, end time, CPU seconds used, disk reads, disk writes, and rows processed. This data is valuable for purposes of authenticating transaction, troubleshooting , security, compliance and monitoring and improving performance. Government has submitted that the metadata contemplated under the Regulation framed under Aadhaar Act is Process metadata.

In a glaring omission, the government chose not to reveal anything about the “Standard for Preservation Information Documentation of Electronic Records, which would enable standardized metadata dictionary and scheme for describing the "preservation metadata" of an electronic record” framed in 2013. But the Court was kept in dark about it.

The first reference to “metadata” in the 1448 page long verdict on Aadhaar Act reproduces Dr. Chandrachud’s observation about “metadata” made as part of 9-judge bench.

The verdict refers to the decision of the Court of Justice of the European Union (CJEU) Tele2 Sverige AB vs. Post-och telestyrelsen (2016) wherein it was seized with the issue as to whether in light of Digital Rights Ireland, a national law which required a provider of electronic communications services to retain meta-data (name, address, telephone number and IP address) regarding users/subscribers for the purpose of fighting crime was contrary to Article 7, 8 and 11 of the Charter of Fundamental Rights of the European Union. The CJEU struck down the provision allowing collection of such meta data on grounds of lack of purpose limitation, data differentiation, data protection, prior review by a court or administrative authority and consent.

The operative order of the Indian Court’s verdict referred to the decision of CJEU in Maximillian Schrems v. Data Protection Commissioner (2016), which struck down the transatlantic US-EU Safe Harbor agreement that enabled companies to transfer data from Europe to the United States on the ground that there was not an adequate level of safeguard to protect the data. It held that the U.S. authorities could access the data beyond what was strictly necessary and proportionate to the protection of national security. The subject had no administrative or judicial means of accessing, rectifying or erasing their data.

These judgments of foreign courts are quite relevant for India because the contract agreement between USA’s Accenture and UIDAI enables transfer of data from India to USA. The US government can access the data of all the residents of India including all the present and future citizens in complete disregard of national security. The data of Indians are in possession of US agencies under the USA PATRIOT Act, 2001. US government has access to data through UIDAI’s contract agreement with L1 Identities Solution company, a US company which got bought over by Safran, a French conglomerate on July 26, 2011. It implies that the French too have access to it. UK’s Ernst & Young too have signed a similar contract agreement. Indians have no administrative or judicial means of accessing, rectifying or erasing their data which in the possession of these foreign entities.

As part of his order, Dr. Chandrachud has recorded the submission of the government with regard to the process of authentication and metadata retained under Aadhaar Act. It records that “metadata allows officials to make precise conclusions about a person’s private life, and dragnet data collection creates a chilling effect based on the sense that one’s life is subject to surveillance at all times.” On the nature of metadata, the Court observed that: “Taken as a whole, [metadata] may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.” The only data, which has been excluded from retention is the purpose of authentication.

Dr. Chandrachud’s order takes note of a report titled as “Analysis of Major Concern about Aadhaar Privacy and Security” March 4, 2018 authored by Professor Manindra Agrawal who is a Professor at IIT Kanpur and is a member of the Technology and Architecture Review Board (TARB) and of the Security Review Committee of UIDAI. Professor Agarwal’s Report reveals that for each verification, the biometric data, Aadhaar number, and ID of the device on which verification was done, is stored. The report analyses the situation if any of the databases gets leaked. The report points out that “Its leakage may affect both the security and the privacy of an individual as one can extract identities of several people (and hence can keep changing forged identities) and also locate the places of transactions done by an individual in the past five years.” A breach in verification log would allow a third party to access the location of the transactions of an individual over the past five years. The report indicates that it is possible through the Aadhaar database to track the location of an individual.

In this backdrop, it is noteworthy that the operative part of the verdict states that Section 2(d) of Aadhaar Act “which pertains to authentication records, such records would not include metadata as mentioned in Regulation 26(c) of the Aadhaar (Authentication) Regulations, 2016. Therefore, this provision in the present form is struck down.” The government’s explanation that metadata refers to process data only does not find specific mention in the law. This deliberate silence of the law makes the law illegitimate and is fraught with genocidal implications.

In his book, Snowden says, “intelligence agencies are far more interested in the metadata—the activity records that allow them both the ‘big picture’ ability to analyze data at scale, and the ‘little picture’ ability to make perfect maps, chronologies, and associative synopses of an individual person’s life, from which they presume to extrapolate predictions of behavior.” It is evident that metadata acts as a digital panopticon and is a tool for indiscriminate unlimited mass surveillance. The marriage of metadata with biometric data by state and non-state actors seem to be aimed at ensuring the extinction of natural rights of human beings.

In April 2022, the audit report of the Comptroller Auditor General (CAG) of India revealed “flaws in the management of various contracts entered into by UIDAI”. The report states that “statistical information on generation, update and authentication services of Aadhaar and financial information referred to in the Report have been updated upto March 2021, to the extent as furnished by UIDAI.” It implies that UIDAI has not been furnishing all the information required for audit by CAG. The audit report also discloses that “The decision to waive off penalties for biometric solution providers was not in the interest of the Authority giving undue advantage to the solution providers, sending out an incorrect message of acceptance of poor quality of biometrics captured by them."

It shows that rejection of Bharatiya Automated Fingerprint Identification System (BAFIS) in favour of foreign firms was a flawed decision of the Indian government. The audit report corroborates the findings of the report titled Biometric Recognition: Challenges and Opportunities (2010). It has concluded that biometric identification systems are "inherently fallible". It was funded by the US Pentagon’s Defense Advanced Research Projects Agency (DARPA), the National Science Foundation, the Central Intelligence Agency (CIA) and USA’s Department of Homeland Security.

The Forty-Second Report of Yashwant Sinha headed Parliamentary Standing Committee on Finance submitted to the Parliament revealed that BAFIS was launched in January 2009. It was funded by the Department of Information Technology, Ministry of Communications and Information Technology, for collection of biometric information of the people of the country. But UIDAI did not use it because according to the government, “The quality, nature and manner of collection of biometric data by other biometric projects may not be of the nature that can be used for the purpose of the Aadhaar scheme and hence it may not be possible to use the fingerprints captured under the Bhartiya-AFSI project.” Supreme Court’s operating order refers to this parliamentary report which shows that government reached the conclusion that biometric technology of foreign firms is better than the existing Indian one from the point of uniqueness without any comparative study with regard to the quality, nature and manner of collection of biometric data. This parliamentary report has underlined that the “estimated failure of biometrics is expected to be as high as 15% due to a large chunk of population being dependent on manual labour.”

CAG’s audit report reveals that foreign biometric technologies are no better than the Indian one. In any case, it has been conclusively established that biometric identification system is fallible and unreliable.

The CAG’s audit report reveals that "UIDAI had not ensured that the client applications used by its authentication ecosystem partners were not capable of storing the personal information of the residents, which put the privacy of residents at risk. The Authority had not ensured security and safety of data in Aadhaar vaults. They had not independently conducted any verification of compliance to the process involved." On July 17, 2022, government informed the Lok Sabha that the “Recommendation of CAG’s Audit Report No.24…on ‘Performance Audit on Functioning of UIDAI’ have been accepted for implementation. Action taken report on CAG’s report on ’Performance Audit of UIDAI’ uploaded on Audit Para Monitoring System (APMS) (https://apms.nic.in). It could not be traced on this website. This report does not appear to be in public domain.

It may be recalled that the Annexure 1 of the notification of Government of India dated the January 28, 2009 which constituted UIDAI deals with the Role and Responsibilities of UIDAI. It states: "implementation of UID scheme will entail” taking “necessary steps to ensure collation of NPR with UID (as per. approved strategy)”. NPR refers to National Population Register. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 subsumed the government’s notification dated the 28th January, 2009. The convergence initiatives of MHA like NPR and UIDAI’s UID/Aadhaar uses myriad fish baits like goods, services and subsidies besides mandatory quoting for PAN to entrap the present and future generation of citizens, the data subjects at the behest of transnational commercial and surveillance technology czars. 

A joint reading of two orders of Justice Subramonium Prasad, Delhi High Court dated September 6, 2023 in Mathew Thomas v. Union of India (2014) case and October 5 2023 in Prashant Reddy v. CPIO, UIDAI (2023) case shows that all the contracts of UIDAI and foreign firms come under the Right To Information Act. There is a logical compulsion for the Supreme Court must examine these contracts with reference to Section 57 of Aadhaar Act and Section 139 AA of Income Tax Act, 1961 as well. Notably, Justice Sikri authored judgment by a Division Bench comprising Justice Bhushan in Binoy Visman v. Union of India (2017) on Section 139 AA was given at a time when the constitutionality of enactment of Aadhaar Act was not adequately adjudicated. It pre-dates the pronouncement about the unconstitutionality of Section 57.

In such a backdrop, in the aftermath of the revelations by CAG about contracts awarded to foreign firms which are involved in UIDAI’s CIDR and Home Ministry’s NPR, this national security related case deserves utmost priority. Structurally, Aadhaar and NPR is part of one initiative being pushed by World Bank Group which admits its central pillar to be surveillance including military surveillance. It emerges that Aadhaar Act has put privacy and security of present and future residents, citizens, Prime Ministers, Chief Ministers, judges, legislators, soldiers, civil servants, editors, intelligence officials and their families at risk by transferring demographic data, biometric data and metadata to foreign state and non-state actors. It is hoped that attempts by the foreign entities which are subverting public institutions through anonymous and limitless donations is being resisted by the judiciary.

(Author: Dr. Gopal Krishna is a lawyer and public policy researcher. He had appeared before the Parliamentary Committee that examined the National Identification Authority of India Bill, 2010 that was withdrawn in 2016 and enacted later as Aadhaar Act 2016)