Siddhartha Law College, Dehradun

Emerging Trends in Cyber Crimes and Privacy Dimensions: The Aadhaar

Project
Project submitted for the partial fulfillment for the degree of B.B.A.LL.B.

BATCH: 2013-18

Submitted to: Submitted by:

Mr. Sandeep Kumar Dheeraj Ku. Tiwari

Faculty of Law B.B.A. LL.B. 7th Semester

Siddhartha Law College, Dehradun

(Affiliated to Uttarakhand Technical University, Dehradun)

 Table of Contents

1) INTRODUCTION
 The Aadhaar project
 Aadhaar and privacy
 Security, of data and the state
 Questions of privacy
 Privacy in India
2) CYBER CRIME
3) NATURE OF CYBERCRIME
4) INVESTIGATION
5) PROSECUTION – SOME ISSUES AND CONCERNS
6) CONCLUSION: THE NEED FOR JUDICIAL CLARITY
 Acknowledgment
It is my duty to express my gratitude to all those who helped me in preparing this project. My
thanks are especially due to those who encourage me to do on this wonderful project. I am
equally thankful to my teacher Mr. Sandeep Kumar. He gave me moral support and guided me
in different matters regard the topic. He had been very kind and tolerant while suggesting me the
sketch of this project and correcting my doubt on footnotes. I would like to express thank him for
his overall support.

Last but not least, I would like to thanks my parent and my classmate who helped me a lot in
assembling different information, collecting data and guiding me from time to time in building of
project. Despite of their busy schedules, they give me different ideas in making this project
effectively and unique.
INTRODUCTION
On 11 August 2015, India’s Supreme Court found itself unable to decide a high-
profile privacy case until more judges were summoned to create a larger bench.[1] This
development has intensified a bitter privacy contest that is underway in India which will
hopefully yield judicial clarity on the extent of the right to privacy.
The Aadhaar project
Three years earlier, Justice K.S. Puttaswamy, a retired appellate judge who is the face of a
broad privacy campaign, approached the Supreme Court to challenge the Indian government’s
collection of biometric information for its mammoth unique identity project called ‘Aadhaar’, a
transliteration of a Hindi word which means ‘foundation’ or ‘cornerstone’. The Aadhaar project
assigns each Indian resident a unique 12-digit number based on their photographs, fingerprints
and scans of their irises. Enrolment is free. By the end of October 2015, around 926.8
millionpeople had been issued an Aadhaar number, more than the combined population of North
and South America.
Aadhaar is administered by the Unique Identification Authority of India(UIDAI), a non-statutory
body created by an executive order in early 2009. The government argued the collection of
biometric information was necessary to verify the true identity of the beneficiaries of its social
security schemes. By using Aadhaar numbers to authenticate payments, the government claimed
fake identities would be weeded out of the social security system, obviating waste and improving
governance.
Many Indians did not share the government’s view. They questioned the premise of the Aadhaar
project by arguing the problem was not the unclear identities of beneficiaries but governmental
corruption and malfeasance. Some also questioned the reliability of biometric technology; for
instance, the fingerprints of a substantial number of underprivileged Indians have been damaged
by years of manual labour. However, most of the arguments in the Supreme Court sidestepped
the premise of the Aadhaar project altogether to focus on privacy-related objections.
With a current strength of 31 judges, the Supreme Court never sits en bancalthough it is a
constitutional court. Instead, it most commonly sits in simultaneous benches of two or three
judges. As of March 2015, the Supreme Court faced a docket of 61,300 pending legal
proceedings. A matter of unique constitutional import is heard by a Constitution Bench of at least
five judges to establish ratio decidendi which bind subsequent smaller benches. The largest
Constitution Bench ever constituted had 13 judges. Following the Supreme Court’s 11 August
2015 order, the Aadhaar case is now being re-heard by a Constitution Bench of five judges.
Aadhaar and privacy
The Aadhaar project collects biometric information which, since it can result in the identification
of a person, falls within the ordinary meaning of personal data. Additionally, since biometric
information cannot be anonymised it is sometimes protected by special laws.[2] Clearly, the
collection of biometric information triggers a privacy claim. The Supreme Court has previously
located privacy within the right to personal liberty guaranteed by Article 21 of the Indian
Constitution. This poses a significant problem for the Aadhaar project.
In the Maneka Gandhi case of 1978, the Supreme Court read substantive due process into Article
21, only permitting derogations of personal liberty through statutory law which creates a just,
fair, reasonable, and non-arbitrary procedure.[3] But the UIDAI is an executive creation, not a
statutory one, and it does not follow such a just, fair, and reasonable procedure. If the Supreme
Court finds the right to privacy encompasses biometric information, the Aadhaar project will
have to be measured against the Maneka Gandhi test, and it will certainly fail.
To survive constitutional scrutiny, merely enacting statutory law to bless the Aadhaar project
with parliamentary sanction will not be enough. Only comprehensive renovation to build in the
principles of justice, fairness, and reasonableness will suffice. In the project’s present form, there
is no informed consent; respondents from whom biometric information is collected are not
told inter alia of the potential uses of their personal data, who it may be shared with, and their
recourse against any misuse of their data. There is no opt-out mechanism; once collected,
biometric information is perpetually in the government’s possession.
Security, of data and the state
There are also serious concerns regarding the security of the collected information. Two lapses in
particular stand out. First, the collection of biometric information is contracted to private entities
in a poorly regulated manner resulting in numerous reports of data breaches. Second, the storage
of biometric information in large repositories is a considerable security risk. All Aadhaar data is
held in the Central Identities Data Repository from whence the danger of data leaks by hacking
and hostile espionage is compounded. According to Sunil Abraham, centralising valuable
information creates a “honeypot” that incentivises hacking.
Aadhaar’s vast database of biometric information is another pillar of India’s national security
state. India is currently engaged in technological projects of astonishing dimensions, a colossally
wide array of information collection, communications monitoring, and identity
profiling. Biometricshave long been associated with biopower, a Foucauldian concept that is
being frequently revisited as the world negotiates pervasive surveillance.[4] The Aadhaar project
is a new frontier in biopower: unparalleled in scale and unchecked by law, it is
obliterating privacy.
In 2010, a bill was floated to lift the confidentiality of biometric information, allowing it to be
shared in the interest of national security.[5]But absent a definition or reasonable limits, national
security consecrates all manner of sins. The Aadhaar database is now being integrated with
the National Population Register, another large biometric information collection effort. This is an
instance of ‘scope creep’: when an open-ended project spawns uncontrollable changes. More
scope creep lies ahead as Aadhaar numbers are being linked to bank accounts, cellphone SIM
cards, air travel, and more, all in the name of national security.
Questions of privacy
In 2011, the erstwhile Planning Commission constituted a group of experts to suggest the
contours of future Indian privacy law. Chaired by Justice Ajit P. Shah, the highly-regarded
former Chief Justice of the Delhi High Court, the group considered the implications of the
Aadhaar project and proposed nine principles to inform privacy law. These are the principles of
notice, informed consent and opt-out choice, collection limitation, purpose limitation, access and
correction, non-disclosure, data security, openness, and accountability. They are actually data
protection principles, their scope is narrower than the conceptual breadth of privacy.
In stark contrast to Justice Shah’s views, the Indian Attorney-General denied the very existence
of the right to privacy while defending the Aadhaar project in the Supreme Court. If there was
such a right, he said, Indians did not enjoy it. He selectively based his arguments on outdated
cases regarding the police’s powers to search and seize private property.[6]But, while
disingenuous, the Attorney-General was not far off the mark. Indian privacy jurisprudence is
confused and, as a result, the right to privacy is unclear.
Further, according to the Attorney-General, even were the Supreme Court to declare the Aadhaar
project infringed the right to privacy, it was open to people to waive that right by voluntarily
handing over their biometric information. This argument sits atop a slippery slope. For instance,
if the Constitution’s fundamental rights could be waived, it would be legal to induce sexual
trafficking. Constitutional rights serve a public purpose, they are not solely measures for
personal gain, so they cannot be waived. This position was affirmed by the Supreme Court in
1958.[7]
Privacy in India
To locate the Aadhaar project on a larger map of Indian privacy demands a brief exercise in
taxonomy. The constitutional right to privacy has evolved in three streams. The
strongest privacy stream regulates surveillance. Although the Constitution’s drafters chose not to
include an explicit right against invasions of correspondence and the home, the Supreme Court
has protected both. But although individual freedoms are generally secure, there is a discernible
judicial trend that privileges the interests of the state. That is why the Attorney-General based his
anti-privacy arguments on surveillance-related cases: so that he could exploit this accompanying
narrative of the state’s superior compelling interest.
There is also a nascent privacy stream that seeks to protect the autonomy of fundamental
personal choices from social morality. This privacy right was forcefully asserted by the Delhi
High Court in 2009 when it struck down India’s antiquated and discriminatory sodomy
law.[8]Unfortunately, the High Court’s decision was overturned on appeal by the Supreme Court
in late 2013, and private consensual homosexual acts remain anachronistically criminalised in
twenty-first century India.[9]
The third stream concerns biometric and bodily privacy where Indian law is restrictive. The
Identification of Prisoners Act, 1920 and the Indian Evidence Act, 1872 permit the forcible
taking of biometric information of suspects and convicts. Further, courts have allowed non-
consensual collections of bodily information in the interests of public health, public morality,
and public safety. In 2001, the Andhra Pradesh High Court dismissed privacy arguments to
permit non-consensual HIV tests in certain conditions.[10] And in 2010, the Supreme Court said
the non-consensual administration of truth serums, lie detector tests, and brain mapping did not
violate the right to privacy; instead, they offended the freedom from self-incrimination.[11]

CYBER CRIME
Cybercrime is not a new form of crime – it is a description applied to new ways and means of
committing familiar crimes of various kinds, principally involving dishonesty, principally (but
not exclusively) involving money and often (but also not exclusively) involving very old forms
of crime indeed (such as theft). Many of these crimes are well known, their jurisprudence is well
understood and they arise in this context mainly from human greed. Electronic ways of
committing them, however, are new and modern crimes against the operation of computer
technology itself are as new as the technology. Cybercrime as a means of offending operates in
white collar crime, economic crime, intellectual property infringement, telecommunications
crime and in the civil jurisdiction. The common feature is the use of information technology
(computers) in their commission.
Even though the methods of prosecution and judicial disposition of cases of cybercrime are
fundamentally no different from those for already established crime, novel practical challenges
do need to be addressed by prosecutors. Conventional legal concepts continue to apply, but often
there is need for the creation of specific new offences and new procedural rules (including
evidence law) to enable an effective response to new methods of offending by the use of new
technology. We need to respond to the emerging trends in cybercrime by developing our own
trends in fighting it.

NATURE OF CYBERCRIME
I doubt that anyone here has not received an e-mail version of the so-called “Nigerian scam” or
advance fee “419” fraud in one form or another. They are obvious attempts at commencing
frauds that involve the use of the Internet, able to be committed once bank account and identity
details are made known. That is a crude form of cybercrime that plays directly upon the greed
and gullibility of people both naïve and otherwise worldly.
Cybercrime has been defined as encompassing “any proscribed conduct perpetrated through the
use of, or against, digital technologies”. That definition says it all. It embraces three areas of
activity.

- Crimes in the commission of which computers are used. These include online fraud and
financial crime, the electronic manipulation of share and other markets, the dissemination
electronically of offensive material, misleading advertising, identity theft and so on.
 - Specific crimes committed against digital technology itself. These include “hacking”, cyber
stalking, theft of communication services and the transmission of malware – viruses,
worms, Trojans, botnets, backdoors, phishing and so on.
- Conventional crimes attended by incidental cyber methods. These include encryption or
steganography (the embedding of information in data) to conceal information relevant to
other crime and the use of databases to store or organise information about criminal
activity.

Some offending has elements of more than one of those divisions, such as the electronic
transmission and perhaps covert storage of child pornography where real children are initially
victimised. Another example is the all-too-prevalent use of computer chat rooms to groom and
entice victims into illegal sexual activity with the offenders. Another example is to be found in
the new offence called, colloquially, “upskirting” – where offenders use digital cameras to
photograph up the skirts of women in public places and then disseminate the images.
The infrastructure of cybercrime is in computers, communications technologies and other
networked services. It is sometimes known by other names, such as computer crime, or virtual,
online, high-tech, Internet-related, electronic crime, and so on.

INVESTIGATION
The investigation of cybercrime and the gathering of computer-based evidence encounter new
problems. The expansion of data storage capacity has been mentioned. Even if investigators have
a good idea of what they are looking for and a reasonable suspicion of where it might be,
searches in digital memories may be hampered by the mislabelling of data (accidental or
deliberate), encryption, storage in hidden directories or embedding in space that a simple file
listing will ignore.
Evidence of a crime may be stored among other data that do not relate to the investigation. Prima
facie the data may be protected by privilege or privacy laws. Evidence of a crime being
investigated may be stored with evidence that discloses other offending. If information about the
former is being obtained pursuant to a search warrant, evidence obtained about the latter may not
later be admissible in a prosecution. These can become real issues for prosecutors. If the data
sought are in a networked system, the practical and impact problems that can arise from
intervention by investigators can be serious.
Digital evidence may be readily damaged or destroyed. For example, an investigator on site may
come across a system that is uncommon and inadvertently destroy data. A computer may have
been booby-trapped by the operator (perhaps by a short program that requires a password to be
entered at intervals, failure of which triggers deletion), so that a search will trigger the
destruction of data. A “hot key” may be programmed, destroying evidence when a particular key
is pressed. When a police officer knocks at the door, the button may be easily pressed and
evidence lost.
Skilled hackers make use of the logical structure of the Internet itself to compromise systems and
leapfrog between systems without leaving a trail, making it difficult (if not impossible) to trace
them.
Locard’s principle of exchange (that anyone or anything entering a crime scene takes something
of the scene away and leaves something of themselves behind) does not apply generally to the
cyber world. It might apply in some circumstances, but especially is it the case that most
computer security systems currently used do not track, trace and generate legally admissible
evidence through the systems designed into computers.

PROSECUTION – SOME ISSUES AND CONCERNS

Prosecutors become involved in the response to crime as the criminal justice process attempts to
deter, incapacitate, punish and/or rehabilitate offenders. We are one part of the system and take
on the principal role of proving the commission of offences to the satisfaction of the court on the
basis of the material provided by investigators. (In some jurisdictions, of course, prosecutors
have a role in the investigation process itself.) What particular matters do we need to be
especially aware of when dealing with cybercrime?
Various approaches have been adopted to grapple with this ever-growing problem. At first
prosecutors and criminal justice systems generally tried to squeeze new ways of offending into
existing old offences proved by conventional means. Over time and in its conservative manner
the law, in some jurisdictions at least, has come to address the conduct directly by the creation of
new offences and the provision of new ways of proving them.
Some issues remain, however, and we continue to address them as the problems continue to be
exposed.

RESOURCES
An important policy issue is the extent of the state’s resources that should be put into
investigating and prosecuting some of these offences, some of which may result in the loss of
huge amounts of property, but some of which may amount to not much more than nuisance
value. From the prosecutor’s point of view, it is important that adequate financial and other
resources are provided to enable prosecutions to be carried out effectively, fairly and in a timely
manner.
TECHNICAL UNDERSTANDING
Continuing training (or “learning and development”) for prosecutors in this area is essential.
Prosecutors need to have enough knowledge and understanding of the issues they are addressing
in order to do so effectively. (This conference is a good example of what can be done in this
area.)

HARMONY OF LAWS
One important international issue is the obvious benefit in having the laws of countries mesh
together to provide more effective and efficient ways of investigating and prosecuting
cybercrime across national borders by mutual legal assistance of various forms. National
governments also need to publicise their opposition to cyber-offending and cooperate with each
other, in very public ways, to address the problem. Only then can some real deterrent value be
obtained from law enforcement efforts.
In the UK there is newly enacted anti-fraud legislation that it is hoped will address technology
fraud; but its effective implementation will require the cooperation of other jurisdictions,
especially in extraditing people for trial. Many countries will not extradite their own citizens –
that is not a new issue, but it has a particular relevance in global cybercrime. Internet and e-mail
related scams cost UK citizens around 100 million pounds every year. Russia, Romania and
African countries are commonly the homes of the scammers. Two new offences are directed
particularly against technology crime: “obtaining services dishonestly” and “possessing articles
for use in frauds”.
In 2005 the USA passed the Anti-Phishing Act which added two new crimes to the US Code.
One prohibits the creation or procurement of a website that represents itself to be that of a
legitimate business and that attempts to induce the victim to divulge personal information with
the intent to commit a crime of fraud or identity theft; the other prohibits the creation or
procurement of an e-mail message that does those things with those intents.
Nations must modernise and continually update substantive and procedural laws and coordinate
their efforts internationally to deal with evolving methods of criminal offending across national
borders. Cybercrime provides a spur for action already under way to some extent in most
regions.
JURISDICTION
Another question is the jurisdiction in which a prosecution should be brought, once an offender
has been detected. Electronic impulses may cross many jurisdictional boundaries before hitting
their targets or bringing about the responses they seek. A cybercriminal can sit in one country,
route electronic communications through several others, commit a crime in another and park the
proceeds in yet another. Offences may be committed in several countries along the way.
Decisions may have to be made about where the perpetrator may be amenable to justice and what
offence/s should be prosecuted, under what law (and where) in the general public interest.
Practical considerations such as the effective obtaining of evidence may impact on those
decisions. General issues of jurisdiction also apply – is it sufficient that an act occurs in the
jurisdiction; is a national subject amenable to the jurisdiction of his or her citizenship, wherever
the offence occurs; and so on.
OFFENCE/S
Similarly, the choice of offence may be problematic. For example, should an offender be charged
by reference to what is done or the effect it achieves – or for both? Are there more appropriate
offences, or offences more easily proved, in one place or another covered by the offending? The
selection and framing of charges from a course of offending pose other problems.

DEFENDANTS
Who is to be prosecuted? If several people are involved in the offending, should they all be
prosecuted? Is there scope for obtaining the evidence of one against another? If so, how is that to
be determined? (Again, these are not new issues, but they need to be viewed in new light in the
context of cybercrime.)
Juveniles are empowered as never before by access to the means with which to commit
cybercrime. Should they be dealt with any differently from adult offenders in this area? In North
Carolina in the USA there was a proposal to require parental consent for juveniles to join
MySpace.com and other social networking sites in an effort to protect them from sexual
predators – but it might serve other subsidiary purposes, too. Would it be effective?
EVIDENCE
The obtaining and admissibility of evidence need to be considered. This is an area where careful
consideration needs to be given to the procedural law of the place of trial and the procedural laws
of the places from which evidence is obtained. For example, a prosecution in Malaysia might
rely on evidence obtained from another country where search warrants may be given only for
physical evidence and not for digital impulses. Is the admissibility of the digital evidence
affected by the way in which it was obtained?
EXPERTS
It will often be the case that expert evidence will be required to explain structures and systems in
the cyber world. Tests for the admissibility of expert opinion evidence may vary from place to
3
place. In the USA the Daubert test is applied. That requires that the following questions to be
addressed.
1. Can the theory or technique be tested and has it been?
2. Has the theory or technique been subject to peer review and publication?
3. Does the technique have a high known or potential error rate?
4. Does the theory or technique enjoy general acceptance within the relevant scientific
community?

It must be remembered that computer forensics is still really in its infancy (although there are
many very competent practitioners).
VOLUME OF EVIDENCE – DISCLOSURE
The prosecution’s obligation of disclosure to the defence must be observed; but with huge
volumes of potentially relevant digital evidence available, judgment must be exercised in every
case. Disclosure must also be made in an acceptable electronic form.
We have had to grapple with this sort of issue for a long time, for example when there are
thousands of intercepted telephone calls to be assessed; but we will confront it increasingly in the
future.

ACTUS REUS AND MENS REA

Sometimes difficulties may arise in proving the required guilty mind for specific offences. In
some cases inferences may be able to be drawn easily enough; but in others the proof of a
specific intent, for example, may be uncertain.
DEFENCES
What defences have been thrown up by suspects? How can they be met?
VICTIMS
Who are the victims of cybercrime? Sometimes that can be answered easily, sometimes not.
SENTENCING
What are the appropriate punishments for this kind of offending? Because information
technology is used in the commission of an offence, does that make it more or less serious than a
similar crime committed by traditional means – or does it make no difference? How are the
traditional purposes of punishment – deterrence, retribution, reform, and incapacitation –
measured against cyber-offending? How many corporate offenders be implicated and punished?
The theme of this conference makes reference to opportunities and challenges. The challenges
are being placed before us in cybercrime on an ongoing basis and we are able to identify trends
in our individual jurisdictions. It is up to us to help to develop the opportunities for combating it
effectively – and, of course, efficiently.

CONCLUSION: THE NEED FOR JUDICIAL CLARITY

However, there is a significant difference between the Aadhaar project and pre-existing law
regarding bodily and biometric privacy. On the face of it, the Aadhaar project is unconnected
with public health, public morality, or public safety. Knowing this, the Attorney-General tried to
justify the project through surveillance-related cases, where the law leans toward the state.
Hopefully, the Constitution Bench hearing the Aadhaar case will see through this logical sleight
of hand.
The Supreme Court has made mistakes in the past. In 1975, it approvingly cited American
personal autonomy cases while hearing an unconnected claim against surveillance[12] but when
correctly called upon to protect the private autonomy of consenting Indian homosexuals, it
balked.[13] And in 1994, it confused the distinction between the constitutional right to privacy,
the tort of privacy, and the crime of libel.[14]
Biometric information collected by the Aadhaar project could also be protected by an appropriate
data protection regime, an emerging field of law which has yet to receive judicial attention
despite Justice Shah’s well-publicised data protection principles. India issued very basic data
protection rules in 2011 which were widely panned for their shoddy drafting and flimsy
safeguards. But because the rules only apply to bodies corporate, the UIDAI escapes regulation
since it is an executive authority.

More than 90 percent of India’s adult population’s biometric information has already been
collected, and Prime Minister Narendra Modi recently called for swift total enrollment. When
that is done, the government will present the Aadhaar project to the Constitution Bench as a fait
accompli. Nevertheless, the Supreme Court has a unique opportunity to clarify the right
to privacy, besides fixing the lack of substantive due process in the Aadhaar project. It must seize
this historic opportunity to reiterate its traditional custodianship of the freedoms of India’s
citizens.

References :
[1] Justice K.S. Puttaswamy v. Union of India, 2015 (8) SCALE 747.
[2] See, for instance, the laws of Illinois (the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq.) and
Texas (Bus. & Com. Code Ann. § 503.001). See also bill AB 83 introduced in the California Assembly in January
2015, which would amend California’s commercial data privacylaw, Cal. Civil Code 1798.81.5.
[3] Maneka Gandhi v. Union of India, (1978) 1 SCC 248 and A.K. Gopalanv. State of Madras, AIR 1950 SC 27.
[4] Foucault, Michel (2009): Security, Territory, Population: Lectures at the Collège de France, Picador. See further
Ajana, Btihaj (2013): Governing Through Biometrics: The Biopolitics of Identity, Palgrave Macmillan; and Pugliese,
Joseph (2010): Biometrics: Bodies, Technologies, Biopolitics, Routledge.
[5] Clause 33(b) of the National Identification Authority of India Bill, 2010.
[6] M.P. Sharma v. Satish Chandra, AIR 1954 SC 300 and Kharak Singh v. State of Uttar Pradesh, (1964) 1 SCR
332.
[7] Basheshar Nath v. Commissioner of Income Tax, AIR 1959 SC 149.
[8] Naz Foundation v. Government of NCT Delhi, 160 DLT 277 (2009).
[9] Suresh Kumar Koushal v. Naz Foundation, (2014) 1 SCC 1.
[10] M. Vijay v. Chairman, Singareni Collieries, AIR 2001 AP 502.
[11] Selvi v. State of Karnataka, (2010) 7 SCC 263.
[12] Gobind v. State of Madhya Pradesh, (1975) 2 SCC 148.
[13] Suresh Kumar Koushal, supra note 12.
[14] R. Rajagopal v. State of Tamil Nadu, (1994) 6 SCC 632.