By: Ishaan Saha
India’s Aadhaar is the world’s largest biometric ID system. Linking biometric data to income tax returns, the scheme is now mandatory for all Indian residents. This article analyzes the Aadhaar scheme in the context of the right to privacy, and in particular, the fundamental right to silence.
There is a distinction in the law on the right to silence, between compelling a person to divulge her password to a digital device, as opposed to compelling a person to use her fingerprint to unlock the same device. In light of this distinction, Aadhaar could effectively render the right against self-incrimination illusory, as the biometric information already stored on the Aadhaar database could easily be used to access an individual’s digital information stored on her phone or computer protected by a fingerprint lock.
Comparing US law on the right to silence and its interface with digital technology with the Indian law on the issue, we see that the US position on the subject is incongruous to the fundamental rights envisaged under the Indian Constitution and also out of pace with the technological advancements of the day. Unless the right to silence comes of age and accommodates the technological challenges posed by biometric ID systems, the lacuna in the law which protects one’s right to refuse to divulge a password confined in her mind, while at the same time excluding from the ambit of protection, the use of one’s fingerprint or other biometric information to access the very same information stored on a hard drive, can be exploited to render the fundamental right to silence — which is often the last bastion of civil society — an abortive ideal.
The Aadhaar scheme, rolled out by the Indian government under the Aadhaar (target Delivery Of Financial And Other Subsidies, Benefits and Services) Act, 2016, is the world’s largest biometric ID system with over 1.133 billion persons enrolled as of March 2017.[1] Under this scheme each Indian resident is allotted a unique number against the collection of her biometric and demographic data. Recently, the Supreme Court has in the case of Binoy Viswam v. Union of India, upheld the constitutional validity of section 139AA of the Income tax Act which mandates the linking of a resident’s Income Tax returns with her Aadhaar number, thereby making it ineluctable for every resident of India to be registered and catalogued under the Aadhaar scheme.[2] This judgment has, however, partially stayed the application of section 139AA(2) of the Act holding that the same will only have prospective effect, thus exempting Indian residents who have not yet enrolled under the Aadhaar scheme from criminal action.[3] The Supreme Court clarifies that the validity of the provision upheld is however subject to the biometric authentication system under the scheme, passing muster of Article 21 of the Constitution which is the issue under consideration before the constitutional bench in a batch of petitions which are still subjuduce.[4]
In the catena of cases challenging the Aadhaar scheme, issues such as the right to privacy and bodily integrity have been brought to the fore.[5] There is, however, another fundamental right which may see flagrant violation in the event that a mandatory Aadhaar scheme receives the imprimatur of the Supreme Court. This is the right against self-incrimination enshrined in article 20(3) of the Constitution of India.[6] The right against self-incrimination finds its genesis in the legal maxim Nemo Tenetur Seipsum Accusare,[7] which posits that no man, not even the accused himself can be compelled to answer any question, which may tend to prove him guilty of a crime he has been accused of.
The threat to the right against self-incrimination in the age of a mandatory Aadhaar can be seen in a scenario where a person is accused of an offence and the police want to search her cell phone or laptop to obtain evidence against the accused. In such a situation, the right against self-incrimination may protect the accused from being compelled to divulge her password to her cell phone or computer to the authorities, if such information could potentially expose her to a criminal charge or penalty.[8] Today however, there are a growing number of technology users who are foregoing conventional password protection, which can often be circumvented by computer algorithm, for fingerprint or retina scan locks. Under such circumstances, it is relevant to consider how this changing trend in digital security will be affected by the advent of the mandatory all-pervasive surveillance heralded by the Aadhaar scheme.
The question which emerges is: Could the biometric information of an Indian resident canvassed under the Aadhaar scheme be used by the authorities to access a person’s digital data?
A similar question has recently come to the fore in the United States of America where the cell phones and computers of persons crossing into the country have been subjected to checks with increasing frequency by border patrol officers, with the devices belonging to noncompliant travellers often being seized or the travellers themselves being detained. During the 2016 fiscal year, Central Border Patrol officers and agents searched 19,033 international travellers’ electronic devices, which is more than twice the number of searches during the 2015 fiscal year.[9]
In February 2017 a federal Judge in Los Angeles signed a search warrant that required a woman to use her fingerprint to unlock her phone.[10] A Virginia Trial Court similarly ruled that such searches were not in derogation of a person’s right against self-incrimination otherwise known as the right to silence guaranteed by the Fifth Amendment to the US Constitution as they did not divulge the contents of the mind of the accused.[11] Thus as per this judgment and several others which followed suit, compelling the accused to furnish biometric data to unlock an electronic device and thereby reveal digital information is treated as fair game as it does not reveal the contents of the mind of the accused and for that very reason, compelling the accused to divulge her password or PIN was held to constitute a violation of her Fifth Amendment right against self-incrimination.
The Courts in India have repeatedly held that compelling an accused to yield to investigation by allowing her voice to be recorded, her blood samples and saliva to be tested, as well as allowing herself to be subjected to DNA testing, is beyond the pale of protection afforded by the right against self-incrimination.[12] While the Indian Courts have not yet explicitly adopted the facile and specious distinction between passwords which are contained in the brain of the accused and thereby protected by the right against self-incrimination enshrined in article 20(3) of the Constitution of India, as opposed to biometric data like fingerprints or iris scans, if the Indian Courts were to look to the US for inspiration in adjudicating such an issue, the question posed would be answered resoundingly in the affirmative.
The distinction drawn between compelling a person to divulge a password which is contained in the confines of her mind as opposed to a fingerprint or iris scan which is physiological feature likened to a blood sample or a voice recording and the extension of the protection under the right against self-incrimination to the former while declaring the latter to be beyond the purview of protection provided by the right against self-incrimination, is particularly tenuous as compelling a person to present a physiological feature such as her fingerprint or her iris for investigation or cataloguing the same for subsequent use to gain access to her computer or phone is merely an indirect means of compelling a person to divulge her digital data contained in those devices which is undoubtedly information which is contained in the mind and merely written onto a hard drive. The law must recognize a person’s hard drive to be an extension of her brain and advance to it the same exemption from unlawful searches which would be in violation of the person’s right against self-incrimination. Such a proposition can find support from the decision of the United States Supreme Court in Riley v. California, wherein the Supreme Court made it clear that a cell phone is unlike a physical lock box and is in a sense the extension of the person to whom it belongs as it is a vast repository of information pertaining to its owner.[13]
The risk of people’s biometric data collected under the Aadhaar scheme being used to access their digital data becomes particularly reified in light of section 33(2) of the Aadhaar Act of 2016[14] which authorizes the sharing, disclosure and use of a person’s core biometric data which includes her fingerprints and iris scans, for purposes other than those specified to the person at the time of collection of the data, in the interest of ‘national security’. The Act has of course chosen to remain silent on the definition of ‘national security’, thereby giving greater latitude to the authorities under the statute to invoke section 33 for myriad reasons under the amorphous specter of ‘national interest’.
Moreover, as under the scheme, information has already been collected and stored in the government database before a person is even suspected of having committed an offence, this obviates the need to issue a warrant which would otherwise be required to procure such information.[15] The government’s access to the biometric data of the person who is only subsequently suspected of the commission of an offence may thus render the accused person’s right against self-incrimination illusory, enabling the authorities to access confidential and incriminatory information and use the same against the accused in the course of criminal proceedings, with impunity.
While this issue may seem like a dystopian Orwellian nightmare and the stuff of science fiction novels to some, fingerprint locks have already become a standard feature on several smartphones today as have retina scanners on several PCs. With the assistance of a 3d printer, a 2d image of a fingerprint stored on a digital database can easily be printed onto a rubber mould and used to unlock a smartphone or computer, as was demonstrated by a security researcher known by the moniker Starbug at the Chaos Computer Club conference as early as 2014, who created a mould bearing the then German Defense Minister’s fingerprint from a high resolution photograph of his hand.[16] Google technical support itself cautions its smartphone users that a fingerprint can be less secure than a password as a fingerprint left on any surface one touches can be used to unlock one’s phone.[17] Similarly, ways of using the iris scan data stored on the Aadhaar database to access the information stored on an Indian resident’s digital device could be in the process of development at this very moment.
One must acknowledge that we live in the future and that the problems of tomorrow must be addressed today. The risk of Aadhaar heralding an era of blanket surveillance, thereby effectively effacing the right against self-incrimination provided in the Constitution in so far as digitally contained information is concerned, brings to mind a quote by Justice Sonia Sotomayor of the US Supreme Court in the case of Utah v. Strieff which reads, “By legitimizing the conduct that produces this double consciousness, this case tells everyone… guilty and innocent, that an officer can verify your legal status at any time. It says that your body is subject to invasion while courts excuse the violation of your rights. It implies that you are not a citizen of a democracy but the subject of a carceral state, just waiting to be cataloged”.[18]
Though it is unclear whether a challenge assailing the Aadhaar scheme before the constitutional bench for facilitating violations of the right against self-incrimination would prevail, it is certainly worthwhile to voice this concern before the Supreme Court owing to the grave and deleterious effects this scheme could potentially have on the right against self-incrimination. There is in any event an exigent need for courts to acknowledge that the traditional interpretation of the right to silence must evolve to address the challenges engendered by rapid technological advancements such as fingerprint locks on digital devices, biometric cataloguing systems like Aadhaar, 3d printing technology and the fact that today most aspects of a person’s life are recorded on a chip or a hard drive. In the wake of the mandatory imposition of the Aadhaar scheme on all Indian residents, it is imperative that the Indian courts refrain from drawing the same redundant distinction which the American courts have drawn, between a fingerprint locking a digital device and a password performing the same function, insofar as the application of the right to silence is concerned.
Ishaan Saha is an advocate practising in the High Courts in India. He has received his masters in law from Cornell law school and is interested in comparative law, constitutional law and intellectual property law.
[1] State-Wise Aadhaar Saturation, Unique Identification Authority Of India(May 15, 2017), https://Uidai.Gov.In/Enrolment-Update/Ecosystem-Partners/State-Wise-Aadhaar-Saturation.Html.
[2] Binoy Viswam v. Union of India, (W.P. (C) 247/2017).
[3] Id.
[4] Id.
[5] Justice K.S. Puttaswamy & Ors. v. Union of India & Ors.(W.P.(C) 494/2012); S.G. Vombatkere & Anr. v. Union of India & Ors. (W.P.(C) 797/2016); Id.
[6] INDIA CONST. Art. 20, Cl. 3.
[7] Black’s Law Dictionary (10th Ed. 2014).
[8] 180 Law Commission Of India Report, Article 20(3) Of The Constitution Of India And The Right To Silence, 5 (2002), available at , http://Lawcommissionofindia.Nic.In/Reports/180rpt.Pdf ; Code of Criminal Procedure, 1973, No. 2 of 1974, §161(2); Nandini Satpati v. P.L. Dani, 1978(2) SCC 424.
[9] CBP Releases Statistics on Electronic Device Searches, U.S. Customs and Border Protection ( Apr. 11, 2017), https://www.cbp.gov/newsroom/national-media-release/cbp-releases-statistics-electronic-device-searches-0; Marcus Wolf, Border Agents Can Legally Search Electronic Devices, Government Technology, (Apr. 17, 2017), http://Www.Govtech.Com/Security/Border-Agents-Can-Legally-Search-Electronic-Devices.Html.
[10] Kaveh Waddell, Police Can Force You to Use Your Fingerprint To Unlock Your Phone, The Atlantic Daily, (May 3, 2016), https://Www.Theatlantic.Com/Technology/Archive/2016/05/Iphone-Fingerprint-Search-Warrant/480861/?Utm_Source=Atlfb.
[11] Commonwealth of Virginia v. Baust, No. CR14-1439, at 1 (Va. 2d Cir. Ct. Oct. 28, 2014).
[12] Supra Note 5 at 5.
[13] Riley v. California, 134 S. Ct. 2473, 2477 (2014).
[14] The Aadhaar (Targeted Delivery Of Financial And Other Subsidies, Benefits And Services) Act, 2016, No. 18 of 2016, §33(2).
[15] Russell Brandom, Your phone’s biggest vulnerability is your fingerprint, The Verge, (May 2, 2016), https://www.theverge.com/2016/5/2/11540962/iphone-samsung-fingerprint-duplicate-hack-security.
[16] Id; Joseph Steinberg, Your New iPhone Can Put Your Identity At Risk, Forbes, (Sept. 13, 2013), https://www.forbes.com/sites/josephsteinberg/2013/09/13/your-new-iphone-can-put-your-identity-at-risk/#110521414f22.
[17] Nexus Help, Understand Fingerprint Security, Nexus, https://support.google.com/nexus/answer/6300638?hl=en.
[18] Utah v. Strieff, 579 U.S. , 136 S. Ct. 2056 (2016)
Image: Aadhaar cards
Very invective and original analysis