On the 24^th of August, in a landmark judgment related to the biometric database project called Aadhaar, the Supreme Court ruled that privacy is a fundamental right for citizens. The judgment has brought much cheer among the advocates of digital civil liberties. While the order may indeed have set a brilliant legal precedent, and laid the ground for fighting back against the rise of an intrusive and illiberal State in India, as things stand today, the order is unlikely to affect the ground realities of the world’s largest biometric project or counteract the threat it poses to billions of innocent people.

The Tech Problem

For one, much of the actual damage has already been done. And the damage is of the kind and magnitude that can’t be undone by any court order.

The Unique Identification Authority of India (UIDAI), the authority established on July 21, 2016 by the Government of India, under the Ministry of Electronics and Information Technology, has already collected the biometric records of 1.171 billion Indians. And the UIDAI has been notoriously opaque about how and where the data has been stored and has refused to provide any means of publicly auditing the security of that data.

Even in 2015, concerned with violation of privacy and civil liberties, the Supreme Court had warned the government that citizen’s biometric data must not be handed over to anyone — presumably meaning any non-government agency. But technically, this amounted to nothing since the Aadhaar project was, from the very beginning, a project led and implemented by private parties.

The project’s chief evangelist was Indian IT czar-turned-lawmaker, Nandan Nilekani. And under his aegis, the UIDAI outsourced the data collection job to innumerable private parties spawning a swarm of countless agencies and sub-agencies.

There were no audits, no capability or background check or any other form of standardised vendor approval process. The harvesting of fingerprints and iris scans was an ad-hoc process carried out by innumerable small software customisation firms, resellers, labour-contracting agencies and even cyber cafes and photocopy shops.

Sub-agents were allotted small clusters of homes and they set out with print scanners, laptops and cyclostyle forms, collecting biometric data from anyone willing to walk up and give it. All this data traversed multiple layers of storage– from end-point to the central data warehouse – and all of it was done without any encryption. During the entire process, there were no clear statements from the government about where the data was going or to what end it would be used and the initial collection was fuelled by rumours and panic. In fact, data collection by unknown and unaccountable entities began well over a year before the UIDAI was even formally set up.

The servers could well be outside of India’s borders and, thereby, outside the jurisdiction of Indian courts. Besides, there are no publicly available audits or records of how many times and by whom the data has been accessed or how many times it has been replicated.

The recent Wikileaks report that speaks of the CIA, DHS and other American agencies accessing Indians’ biometric data, lends credence to the possibility of the data having been replicated offshore.

Use of legal loopholes

The efficacy of court judgments rests on the political will of the executive. And since its inception, the UIDAI and the lobbies that back the biometric project, have shown scant regard for both courts and of due process.

For example, the Supreme Court had, in an interim judgement in 2015, told the government that they can’t deny citizens any pre-existing welfare benefits for not enrolling in the biometric project. But thumbing their noses at the judgment, the Indian government blocked access to food grains and cooking gas subsidies to those without an Aadhaar card.

Given the widespread hunger and poverty in India, vast populations are critically dependent on these subsidies. Understandably the threat drove the masses in hordes to their nearest enrollment centre.

The ruse given by the UIDAI’s food-for-biometrics programme was to plug holes in India’s welfare net. But it was a poor disguise for the project’s militaristic aims. The country’s National Security Adviser Ajit Doval is on record saying: the biometric project was essentially devised to monitor illegal immigrants, but the welfare part was added to mask concerns of privacy.

Even now, despite the privacy judgment and all past orders from the Supreme Court, the UIDAI continues to remorselessly threaten its citizens in order to harvest prints. It has now issued notices to make Aadhaar numbers mandatory for filing of taxes and is threatening to freeze bank accounts of citizens who do not link it to their biometric data.

For all practical purposes, the Aadhaar project has proven itself to be beyond the reach of the ecosystem of checks and balances that has historically worked inside India’s polity. It has even proven immune to partisan changes. The project was kicked off by the Indian National Congress and opposed by the Bharatiya Janata Party. But post-election, Narendra Modi has transformed himself into an Aadhaar zealot.

Moreover, the UIDAI and its backers have repeatedly shown themselves to be utterly unscrupulous and devoid of the gravity which a project of this scale should ideally command. For example, Sharad Sharma, cofounder of the Indian Software Products Industry Round Table (iSPRIT) – a group that’s laying out the communication protocol for biometric-based financial transactions – took to creating fake Twitter accounts and trolling activists and Aadhaar sceptics. After being caught out by pro-civil liberties hackers, he apologised and found loud support from Nandan Nilekani himself.

Notably, unlike the US or Europe, India doesn’t have a privacy law. In the early days of Aadhaar, some lawmakers had mooted the idea of first getting in a privacy bill that would prevent the misuse of data and only then proceeding towards data collection. But that proposal got buried and the UIDAI carried on with the harvesting of prints with no legal oversight.

In the absence of a formal privacy law, even if the right to privacy of a citizen is violated, under what statutes will the aggrieved citizen take the State or its vendors to court? How will the quantum of punishment and/or compensation be decided in a court of law?

With the absolute majority that the ruling party has in Indian Parliament, there is little hope of such a law becoming a reality.

Conclusion

Given that the government’s lawyer had gone to court literally saying that Indians do not need the right to privacy or don’t have absolute right to their body parts, the court order comes as a big fillip to the civil rights movement. It also lays down the legal foundation on which future battles for a surveillance-free society could be built — not just in India, but also other countries grappling with the issues of information technology infringing civil rights, elections and democracy. In fact, when seen in conjunction with the Supreme Court judgment from 2016 which put the brakes on Facebook’s multi-million-dollar attempt to control internet services in the country, India’s battles against tech hegemony may well hold vital lessons for the world.

But speaking within the ambit of the Aadhaar project, the personal data and safety of billions of Indians is already out in the wild.

NOTE: At the time of this going to the press, an Indian engineer has been arrested for spoofing the government approved myGov app and exploiting the lack of encryption to freely access demographic details of people from the Aadhaar database.

The author can be contacted on Twitter @siddharthyaroy