AADHAAR VS. PRIVACY LAWS: AN ASSESSMENT

ROAR
Research, Opinions and Reviews:
Registered Users can write a blog/article/post up to 2,000 characters. The entire Law Fraternity is keen to hear from Lawyers, Solicitors, Judges and Legal professionals from respective Bar associations, state and territory to share ideas, give opinions and light on important matters.
Read More...
NEWS
BAR ASSOCIATION
LAW COLLEGE
EVENTS
TEMPLATES
SERVICES
JOB CENTRE
MOOT COURT
SL CONFIDENTIAL
RESOURCE CENTRE
Need a Lawyer
LAWYER’S FEE

Bhumesh Verma 14 Mar 2018

Like
Comment
Share

0 Like
0 Comment
4118

AADHAAR VS. PRIVACY LAWS: AN ASSESSMENT

Bhumesh Verma, Managing Partner, Corp Comm Legal

Somashish, 5th Year B.A. LL.B. (Hons.) student, School of Law, Christ (Deemed University), Bangalore

Introduction

Recently, the government’s overdrive on making Aadhaar mandatory in every walk of life for Indians and the litigation pertaining to Aadhaar Unique Identification has brought forth the issue of data protection and privacy into civic debate spehere. Between MP Sharma[1] and Rajagopal[2], the Supreme Court in Justice K.S Puttaswamy (Retd.) v. Union of India[3] has decisively held in favour of the right to privacy recognised in the latter. Thus, right to privacy, the right to be free and protected from unwanted intrusion into one’s private life, is now a part of right to life and personal liberty under Article 21. It is worth noting that the judgment provides us profound conceptual insights into privacy while permitting necessary factual flexibility needed for deciding future disputes.

The judgement, inter alia, pertains to informational privacy. In other words, an individual’s interest in preventing and if necessary controlling access to and dissemination of private information is protected under Art. 21. Any encroachment upon this right can only be enforced by virtue of law which serves a legitimate and compelling State interest and if the means adopted by the said law to achieve such interest are proportional in nature.

Simultaneously, the encroachment on privacy must not be disproportionate to the compelling State interest to be served by the law. Further, notwithstanding the presence of any such law, the State has a positive obligation to protect informational privacy from patently illegal intrusions.

It is noteworthy that hitherto the issue of data protection has been statutorily addressed in a manner which is friendly to the State and confusing for the individual. The legal framework under the Information Technology Act, 2000 (ITA) and rules thereunder has been continuously felt inadequate for protection of privacy and severely constrains the ability of individuals to hold violators liable for data theft and breaches.

In terms of government interception of digital/electronic communication, the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption) Rules, 2009 (Interception Rules) and sections 69 and 69B of the ITA now provide far greater surveillance powers to the Central Government and State Governments (the governments). Experts are unanimous about the fact that these powers are even greater than the powers granted by the Indian Telegraph Act, 1885.[4]

Arguably, the rules also make significant departure from the judgement of the Supreme Court in PUCL v. Union of India.[5] Nevertheless, going by the governments’ poor record in respecting these norms, one is tempted to believe that the Interception Rules are far more likely to be honoured in the breach than compliance. In any scenario, even the most literal conservative interpretation of the aforesaid norms does very little to control the governments’ all-pervasive powers of monitoring and interception.

Ultimately, when it comes to the privacy test laid down by the Supreme Court in Justice K.S Puttaswamy (Retd.) v. Union of India[6] one finds it difficult to defend the Aadhaar project, both constitutionally and practically for a number of reasons elucidated in this article. The Central Government’s record in protecting privacy is extremely poor and its Aadhaar project only adds to the existing problems in relation to privacy protection in India.

Aadhaar—an astronomical data project with big risks

Aadhaar Unique Identification project is a gigantic data gathering project which seeks to provide a Unique Identification to persons living and accessing government subsidies, benefits, and services in India. Section 2(a) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services), Act, 2016 (‘Aadhar Act’) defines “Aadhaar number” to be an identification number issued to an individual by a Central Government-recognised enrolment authority on the basis of the demographic information and biometric information. Thus, we find a 12 digit unique Aadhaar number on Aadhaar/Unique Identification cards.

The uniqueness of the Aadhaar number is confirmed by section 4 of the Aadhaar Act which declares that one person’s Aadhaar number shall not be assigned to any other and that it shall be a random number without any relation with the holder’s attributes. Section 9 declares that Aadhaar is not a proof of citizenship. This means that the identity function of Aadhaar is connected to the economic activity of availing any government related subsidy, service or benefit. Hence, it is not surprising that one of the key contentions in favour of the Central Government in the ongoing case is purely economic. Thus, it’s argued by the government that Aadhaar is not about sneaking on citizens but on keeping identification of anyone availing any advantage or benefit from the government.

It would be pertinent to note the definitions of “biometric information” and “core biometric information” under section 2(g) and 2(j) of Aadhaar Act. Biometric information means photograph, fingerprint, iris scan, or other biological attributes as decided by regulations. Of the aforesaid, fingerprint, iris scan (and other biological attributes prescribed by regulation) are defined as core biometric information. Section 10 empowers the UIDAI to establish a Central repository containing the data of all Aadhaar number holders. Section 28 stipulates that protection of the aforesaid voluminous data is to be the sole responsibility of UIDAI. Thus, no civil suit or private lawful enforcement effort for Aadhaar data protection is permissible under the Act.

One of the key controversies which have arisen relating to Aadhaar is with respect to the merits of the Aadhaar project. Over 82 billion rupees have been spent on the project till now.[7] Maintenance and planned security upgrades might push up expenditure even further on an annual basis.[8] It would not be an exaggeration to suggest, as the World Bank has recognised, Aadhaar now contains identification data of more than one billion Indian citizens.[9] In such a scenario, one is bound to assess the benefits which arise on account of the project—a valuable consideration in overall constitutionality test of Aadhaar.

There have been two highly diverging discourses on Aadhaar - Central Government’s optimistic propaganda has presented the project as a panacea for plugging economic leakages in the implementation of government benefits, whereas a sobering sceptical discourse of several legal and technical experts has doubted the efficacy, security of Aadhaar apart from the reliability of government’s tall claims. The Central Government has employed or engaged a plethora of private technology firms for implementation of Aadhaar, but without so much as initiating a tender based process.[10] This has also been one among major reasons for sceptics to be wary of Aadhaar project.

While, the authentication by Aadhaar is acclaimed as having earned global fame[11] on account of effectively plugging leakages in LPG distribution,[12] weeding out fake ration cards,[13] or providing citizens with a welfare-oriented identification mechanism,[14] it is not without its critics, which include constitutional experts. Therefore, the challenge to Aadhaar has both legal as well as technical facets.[15]

Like demonetisation spree 18 months back, India has been in a “linking” frenzy. Everyone’s email account and phone is flooded with messages from banks, insurance companies and who not. A large number of government schemes, apart from bank accounts and mobile connections, now require compulsory Aadhaar verification, flagrantly violating an interim Supreme Court order which was made during the course of the Justice KS Puttaswamy[16] matter. This gives rise to a worry that the Aadhaar based authentication may be akin to “signing a blank paper”.[17] As any lawyer would understand, such a signature can be used for all kinds of mischief, attributing them to its maker who may not even be aware of them. Citizens do not know nor determine who all will have access to their Aadhaar information, it is the other way round. Citizens are being hounded from all corners to share their Aadhaar information.

There are two reasons for the aforesaid conclusion—firstly, the authentication involves the separate but successive twin stages of Aadhaar number input and biometric/fingerprint verification over the internet; secondly, the separateness between the two stages enables the biometric/fingerprint information to be stored independently, albeit connected with the Aadhaar number.[18] As to how this independent fingerprint can be deployed without consent of the citizen is anyone’s guess in a country like India.

Least surprisingly, instances of serious data breaches have occurred during the Aadhaar linking processes in banks such as Axis Bank.[19] Axis Bank, Suvidhaa Infoserve and eMundhra were proceeded against by UIDAI for attempting unauthorised authentication and impersonation by illegally storing Aadhaar biometrics.[20] The said breach did not lead to any financial loss or fraud as per official replies.[21] Even if it did cause such loss to bank customers, under the Act, it is not possible for any civil/private enforcement or compensation in light of such breach.

Another illustration is the recent Airtel Payments Bank fiasco. Airtel used its customers’ biometric data provided for the purposes of mobile connection KYC requirements was used by the company to open hundreds of bank accounts in Airtel Payments Bank.[22] The principles of informed consent and purpose specificity affirmed in the UN Data Protection Guidelines[23] were disregarded.

The other threat which could strike Aadhaar data is a “Man-in-the-middle” attack by even the most novice hackers.[24] The very methods and structure of the Aadhaar infrastructure is such that in between the separate communication stages pertaining to Aadhaar number input and biometric verification over the internet, a hacker could divert to other servers, the crucial data being processed in any particular stage.[25]

Therefore, it is most alarming to note that the Tribune newspaper had last year revealed in an exposé that certain urban tech-savvy criminals in Punjab were capable of doing the business of providing access to crucial Aadhaar database for a relatively humble sum of Rs. 500.[26] The most shocking part of the exposé was that the hackers revealed that they had sold such access to more than one lakh different service providers.[27]

Even the Indian government’s computer systems have repeatedly been attacked by foreign hackers on an almost routine basis every year.[28] In 2017-18 alone over 114 government website-related servers were subjected to cyber invasion.[29] Thus, in the background of such weak security record of the government tech infrastructure a citizen might rightly consider his Aadhaar data to be insecure, despite newly added security features in the UIDAI website[30] and repeated assurances by the government.[31]

Most of the government’s claims on success of Aadhaar based economic initiatives such as LPG or PDS access verification, have fallen flat on closer scrutiny. Several reports[32] have found errors and exaggeration in the government’s claims of significant plugging of leakage of subsidies or huge reduction in subsidy burden by Aadhaar implementation, including the CAG’s Report on Implementation of Aadhaar-linked Direct Benefit Transfer in LPG subsidies.[33]

While achieving very little in comparison to the high expectations of the government, the Aadhaar linkage with LPG subsidies, large number of government welfare schemes, as well as the Public Distribution System in select villages has been found to make life difficult for the poor. A phenomenal study[34] by Jean Dreze, et. al, on the implementation of both DBT and Aadhaar verification for access to foodgrains, found that the technical discrepancies made the system so flawed that significant numbers among the poor often had to run pillar to post either to obtain their DBT entitlement or foodgrains under the PDS.[35] Even the most basic issues of low internet and weak mobile connectivity led to miserable delays in obtaining the aforesaid entitlements by the poor.[36]

Thus, Aadhaar, as an astronomical data project with less-than-satisfactory security and reliability, is thus difficult to defend in both constitutional and practical terms.

Umbrella with holes: Data Protection under the ITA

Any person aggrieved by any data theft or system breach can sue for damages under section 43 of the ITA. The competent authority to decide such complaints is the Adjudicating officer established by different state governments in each state, having pecuniary jurisdiction to decide complaints for damage amounting upto Rs 5 crores. For complaints pertaining to damage beyond Rs 5 crores, the appropriate remedy shall be a regular civil suit. Unfortunately, section 46 of the Act uses the terms “damage”, “injury” and “compensation” interchangeably without regard for the long and rich jurisprudence that finds them to be different concepts.[37]

As per section 46(2) of the Act, the quasi-judicial adjudicating officer may impose penalties, thereby vesting him with some of the powers of a criminal court. The adjudicating officer can award compensation, the quantum of which is to be determined after taking into account factors including unfair advantage, loss suffered and repeat offences. The adjudicating officer may impose penalties for any of the offences described in section 43 of the Act. The law as to the appointment of the adjudicating officer and the procedure to be followed on all adjudications is prescribed by Information Technology (Qualification and Experience of Adjudicating Officers and the Manner of Holding Enquiry) Rules, 2003. Appeals are to be taken up by the Cyber Appellate Tribunal.

Section 43 provides for the following offences:

“(a) accesses or secures access to such computer, computer system or computer network or computer resource;

(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;

(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;

(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

(e) disrupts or causes disruption of any computer, computer system or computer network;

(f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;

(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;

(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network,

(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;

(j) steal, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage.”

In respect of the aforesaid offences, as per section 66, the criminal punishment prescribed is a maximum of three years imprisonment and/or fine of Rs 5 lakhs. The jurisdiction lies with the Judicial Magistrate of First Class and the offence is both cognizable and non-bailable.

The Adjudicating officers have had a mixed record in deciding complaints. In most decisions, they have sought to literally apply the statute to the facts and awarded compensation. There have been at least 47 cases filed before the adjudicating officer in Maharashtra.[38] Of these cases, there are three decisions in which the adjudicating officer particularly interpreted the law relating to privacy.

Vinod Kaushik v. Madhvika Joshi[39] involved misuse of husband’s email access to take away his income details for the purpose of use in maintenance suit filed by the estranged wife. The first decision of the officer was that there was no violation of the Act because the wife had gained access owing to a special personal relationship of trust. On being challenged, in the Delhi High Court, the adjudicating officer finally re-decided that the lack of consent on the part of husband to allow access to his emails for the purpose intended by the wife was key to the case. Thus, it was a violation of the ITA. Delhi High Court, which was moved in appeal because the Cyber Appellate Tribunal was non-functional, upheld the final order in its decision of 27.01.2012.

In Nirmalkumar Bagherwal v. Minal Bagherwal[40] the facts were similar to the Vinod Kaushik complaint. The electronic records of bank account of the complainant was given away to the wife by the bank which was one of the respondents. A greater quantum of compensation was ordered by the adjudicating officer against the respondent bank. It is noteworthy that in its decision, the adjudicating officer reviewed decisions and laws from European Union and USA apart from the relevant consumer protection cases and RBI Master Circular.

Amit D. Patwardhan v. Rud India Chains[41] involved a claim against an employee who had revealed bank account statement of the complainant and other private data of the complainant to rival business before jumping ship. The confidentiality agreement had been violated by the respondent. The complainant specifically argued that his privacy had been violated. While accepting the contentions the adjudicating officer, granted only a token compensation liability on the respondent. The bank had not been made a party to the proceeding.

It is worth noting that the adjudicating officer’s jurisdiction does not extend to matters entailing loss beyond Rs 5 crores. This severely limits the ability of individuals to hold body corporates and governments liable for massive data theft or system breaches. Section 43A of the ITA and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (SPDI rules), do hold body corporates liable for misuse of sensitive personal data or information of users or customers. But this is fruitless in situations such as the one caused by the recent fiasco pertaining to the unauthorised Aadhaar verification for Airtel Payments Bank in which almost Rs 190 crores of subsidies got redirected to newly set up accounts without informed consent of Airtel consumers.[42]

UIDAI fined Airtel Rs. 2.5 crore.[43] However, owing to the quantum of loss being greater than Rs 5 crores, Airtel consumers may not be able to proceed against the company before the adjudicating officers. The rules on jurisdictional issues in relation to wrongdoing spanning across multiple states are also unclear in the SPDI rules. Redundant to add that the Government/government bodies are not within the bounds of either the ITA or SPDI rules.

Interception by governments under ITA

In terms of government interception of digital/electronic communication, the Interception Rules and sections 69 and 69B of the ITA now provide far greater surveillance powers to the Central Government and State Governments (the governments). Experts are unanimous about the fact that these powers are even greater than the powers granted by the Indian Telegraph Act, 1885 (Telegraph Act).[44] The erstwhile Indian Telegraph Act, 1885 had been challenged in PUCL v. Union of India[45] in which the Supreme Court adjudged that the grounds mentioned under section 5(2), namely public emergency, public safety or matters under Art. 19(2) ought to be strictly complied for a valid surveillance order to be made.

The judgement provided that there ought to be a Review Committee consisting of Cabinet Secretary, the Law Secretary and the Secretary, Telecommunication at the level of the Central Government. The Review Committee at the State level shall consist of Chief Secretary, Law Secretary and another member, other than the Home Secretary, appointed by the State Government. The other mandates declare that the total duration of a surveillance order must not exceed 6 months, and the order itself is valid only for two months at a time. The Review Committee can reverse orders and order destruction of material obtained from interception.

The Interception Rules by and large mimic the aforesaid judgement and the Telegraph Act. The only competent authority for passing interception orders under the rules is the Home Secretary to the State government or Union government. Rules 11 and 22 similarly embody the PUCL restrictions on the use of the power. The grounds for ordering interception are defined under section 69 and also include “investigation of offence”, which is a significant departure from PUCL. There are no similar limits to a cyber-monitoring direction under section 69B except that it should be for preventing a “computer contaminant”. Rule 23 also obligates the security agency to destroy records within six months unless necessary for lawful purposes.

The problems are threefold- firstly, there is no redressal mechanism for citizens to hold the government accountable if the requisite interception powers are used in a manner contrary to the aforesaid ITA and rules; secondly, the destruction of all intercepted data leads information relating to criminal activity to be permanently lost to citizens who may have an interest in obtaining this data under the Right to Information Act; thirdly, there are different thresholds that the government has to fulfil for interception under section 69 and section 69B even though the surveillance activity is, for all practical purposes, equivalent under both sections, thus making these provisions vulnerable to a constitutionality challenge based on Art. 14.

The Ratan Tata[46] writ petition against the Union government for the tapping of phone calls between the industrialist and a lobbyist named Nira Radia, tending to implicate both for shady lobbying for favourable 2G spectrum allocation is yet to be decided. However, some significant issues are posed by the case. The phone tapping by the Income Tax Dept. may have been legal under the Telegraph Act. Yet, this could be reversed in light of recent KS Puttaswamy[47] judgement granting that right to privacy is a facet of Art. 21.

If the constitutionality of Aadhaar could be struck down on the basis of the same judgement, it is likely that the disproportionately conducted phone tapping could also be declared to be in violation of Art. 21. Alternatively, if the tapping was held legal the fact that the tapes ended up with the media could be construed to be a violation of privacy of Ratan Tata, caused by the government’s failure to comply with the legal duty under the Telegraph Act viz. to maintain security of information obtained from phone tapping.[48]

Conclusion

The Supreme Court in Justice K.S Puttaswamy (Retd.) v. Union of India[49] has decisively held in favour of the right to privacy. Thus, right to privacy, the right to be free and protected from unwanted intrusion into one’s private life, is now a part of right to life and personal liberty under Article 21. It is worth noting that the judgment provides us profound conceptual insights into informational privacy while permitting necessary factual flexibility needed for deciding future disputes. It is definitely a step in the right direction for the apex court to steer public debate and constitutionality assessment of Aadhaar project on the touchstone of informational privacy. Unfortunately, for the astronomical expenditure incurred on the project, the Central Government may not succeed in defending the Aadhaar project because it is gravely vulnerable to any scrutiny based on the privacy test laid down by the Supreme Court. The Central Government’s record in protecting privacy is extremely poor and its Aadhaar project only adds to the existing problems in relation to privacy protection in India.

[1] (2017) 10 SCC 1.

[2] AIR 1954 SC 300.

[3] 1994 SCC (6) 632.

[4] Frost & Sullivan, Lawful Interception: A mounting challenge for service providers and governments https://wikileaks.org/spyfiles/docs/FROSTSULLIVAN-LawfInteA-en.pdf (last visited 14 Feb 2018).

[5] AIR 1997 SC 568.

[6] 1994 SCC (6) 632.

[7] Ronald Abraham, Elizabeth Bennet, et. al., State of Aadhaar Report 2016-2017, Omidyar Network http://stateofaadhaar.in/wp-content/uploads/State-of-Aadhaar-Full-Report-2016-17-IDinsight.pdf (last visited 12 Mar 2018).

[8] Id.

[9] World Bank Group, World Development Report 2016: Digital Dividends, 2-5.

[10] IANS, Aadhaar card projects over Rs.13,000 crore awarded without tenders, The Hindu, 19 Sept. 2015 http://www.thehindu.com/news/national/aadhaar-card-projects-over-rs13000-crore-awarded-without-tenders/article7668321.ece (last visited 12 Mar 2018).

[11] World Bank Group, World Development Report 2016: Digital Dividends, 2-5; Khanna, Tarun, and Anjali Raina; "Aadhaar: India's 'Unique Identification' System." Harvard Business School Case 712-412, January 2012. (Revised September 2012.); Amrit Raj, Aadhaar goes global, finds takers in Russia and Africa, LiveMint 19 Jul 2016 http://www.livemint.com/Politics/UEQ9o8Eo8RiaAaNNMyLbEK/Aadhaar-goes-global-finds-takers-in-Russia-and-Africa.html (last visited 12 Mar 2018).

[12] Prasanta Sahu, DBTL weeds out 3 crore bogus LPG connections, Financial Express, 27 April 2015 http://www.financialexpress.com/economy/dbtl-weeds-out-3-crore-bogus-lpg-connections/67103/ (last visited 12 Mar 2018).

[13] PTI, Aadhaar helped cancel 3 crore fake, duplicate ration cards: Minister, Indian Express, 26 Feb 2018 http://indianexpress.com/article/india/aadhaar-helped-cancel-3-crore-fake-duplicate-ration-cards-minister-5079183/ (last visited 12 Mar 2018).

[14] UNICEF, Why is birth registration important? http://unicef.in/Story/365/Why-is-birth-registration-important (last visited 12 Mar 2018); World Bank Group, World Development Report 2016: Digital Dividends, 2-5; Khanna, Tarun, and Anjali Raina; Jose Ragas, The Silent Revolution: How Id Cards are Changing the World, Harvard International Review, 38(2), 24-27.

[15] Ruchi Gupta, Justifying the UIDAI: A Case of PR over Substance? Economic and Political Weekly, Vol. 45, No. 40 (OCTOBER 2-8, 2010), pp. 135-136.

[16] (2014) 6 SCC 433.

[17] Prof. Jayanth R Varma, Why Aadhaar Transaction Authentication is like signing a blank paper, faculty.iima.ac.in/~jrvarma/blog/index.cgi/Y2017-18/adhaar.html (last visited 12 Mar 2018).

[18] Prof. Jayanth R Varma, Why Aadhaar Transaction Authentication is like signing a blank paper, faculty.iima.ac.in/~jrvarma/blog/index.cgi/Y2017-18/adhaar.html (last visited 12 Mar 2018).

[19] Suranjana Roy, Aadhaar biometric data breach triggers privacy concerns, LiveMint, 25 Feb. 2017 http://www.livemint.com/Industry/IKgrYL5pg3eTgfaP253XKI/Aadhaar-data-breach-triggers-privacy-concerns.html (last visited 12 Mar 2018).

[20] Id.

[21] Suranjana Roy, Aadhaar biometric data breach triggers privacy concerns, LiveMint, 25 Feb. 2017 http://www.livemint.com/Industry/IKgrYL5pg3eTgfaP253XKI/Aadhaar-data-breach-triggers-privacy-concerns.html (last visited 12 Mar 2018).

[22] Anand Venkatanarayanan and Srikanth Lakshmanan, Aadhaar Mess: How Airtel Pulled Off Its Rs 190 Crore Magic Trick, The Wire https://thewire.in/206951/airtel-aadhaar-uidai/ (last visited 14 Feb 2018).

[23] UN Guidelines for the Regulation of Computerized Personal Data Files, General Assembly resolution 45/95 of 14 December 1990.

[24] Nethanel Gelernter, Senia Kalma, et. al, The Password Reset MitM Attack, accessible at: https://www.ieee-security.org/TC/SP2017/papers/207.pdf (last visited 12 Mar 2018).

[25] Nethanel Gelernter, Senia Kalma, et. al, The Password Reset MitM Attack, accessible at: https://www.ieee-security.org/TC/SP2017/papers/207.pdf (last visited 12 Mar 2018).

[26] Rachna Khaira, Rs 500, 10 minutes, and you have access to billion Aadhaar details, 4 Jan 2018,

http://www.tribuneindia.com/news/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details/523361.html (last visited 12 Mar 2018).

[27] Id.

[28] PTI, Over 22,000 Indian websites hacked between April 2017-Jan 2018, LiveMint http://www.livemint.com/Politics/KPLenpHmMKDwQvVlNRbgWI/Over-22000-Indian-websites-hacked-between-April-2017Jan-20.html (last visited 12 Mar 2018);PTI, 33,531 cyberattacks in India in 2014-16, LiveMint http://www.livemint.com/Politics/EsLu5w25R9oZY0cxys2ldK/33531-cyberattacks-in-India-in-201416.html (last visited 12 Mar 2018).

[29] Id.

[30] Aadhaar: Security Concerns Linger, BloombergQuint, 4 Jan 2018 https://www.bloombergquint.com/in-the-news/2018/01/04/aadhaar-security-concerns-linger (last visited 12 Mar 2018).

[31] Id.

[32] Kieran Clarke, Shruti Sharma, et. al., Ghost savings: Understanding the fiscal impacts of India’s LPG subsidy, http://www.iisd.org/blog/ghost-savings-understanding-fiscal-impacts-indias-lpg-subsidy (last visited 12 Mar 2018); Jean Drèze, Dipa Sinha, et. al., Ration Bachao: Why do Protesters in Ranchi Want Food not Cash? 1 March 2018 http://www.epw.in/engage/article/ration-bachao-why-do-protesters-in-ranchi-want-food-not-cash

[33] Report of the Comptroller and Auditor General of India on Implementation of PAHAL (DBTL) Scheme (Pratyaksh Hanstantrit Labh Yojana), Union Government (Commercial) Ministry of Petroleum and Natural Gas Report No. 25 of 2016 (Compliance Audit), accessible at:

http://www.cag.gov.in/sites/default/files/audit_report_files/Union_Commercial_Compliance_Full_Report_25_2016_English.pdf (last visited 12 Mar 2018).

[34] Jean Drèze, Reetika Khera, et. al., Aadhaar and Food Security in Jharkhand: Pain without Gain?, 16 Dec 2017, Economic & Political Weekly.

[35] Id.

[36] Jean Drèze, Reetika Khera, et. al., Aadhaar and Food Security in Jharkhand: Pain without Gain?, 16 Dec 2017, Economic & Political Weekly.

[37] State of Gujarat v. Shantilal Mangaldas AIR 1969 SC 634; Ranbir Kumar Arora v. State of Haryana, AIR 1983 P&H 431.

[38] Adjudicating Officer’s orders – http://it.maharashtra.gov.in/1089/IT-Act-Judgements (visited on 30 September 2017).

[39] Rajesh Aggarwal, Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra, 10.10.2011.

[40] Rajesh Aggarwal, Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra, 26.08.2013.

[41] Rajesh Aggarwal, Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra, 15.04.2013.

[42] Anand Venkatanarayanan and Srikanth Lakshmanan, Aadhaar Mess: How Airtel Pulled Off Its Rs 190 Crore Magic Trick, The Wire https://thewire.in/206951/airtel-aadhaar-uidai/ (last visited 14 Feb 2018).

[43] PTI, Airtel deposits ‘interim penalty’ of Rs 2.5 cr with UIDAI, The Hindu https://www.thehindubusinessline.com/money-and-banking/airtel-deposits-interim-penalty-of-rs-25-cr-with-uidai/article9996332.ece (last visited 14 Feb 2018).

[44] Frost & Sullivan, Lawful Interception: A mounting challenge for service providers and governments accessible at: https://wikileaks.org/spyfiles/docs/FROSTSULLIVAN-LawfInteA-en.pdf (last visited 14 Feb 2018).

[45] AIR 1997 SC 568.

[46] Writ Petitions (C) No. 398 Of 2010 With No. 16 Of 2011.

[47] Writ Petition (Civil) No. 494/2012.

[48] §§23 & 24, Indian Telegraph Act, 1885.

[49] 1994 SCC (6) 632.

Did you find this write up useful? YES 1 NO 0