Aadhaar hearing: Supreme Court expresses concerns with data breaches, Aadhaar security and profiling

On Day 22 of the Aadhaar hearing , the CEO of the UIDAI, Ajay Bhushan Pandey, completed his PowerPoint presentation before the Supreme Court and answered the questioned posed by the petitioners. The bench posed many questions on the security of Aadhaar at the authentication and enrolment stages. The issue of data breaches from points other than the CIDR was also raised. Also, the Bench refused to extend the deadline for Section 7 benefits. [caption id=“attachment_1596471” align=“alignleft” width=“380”]  Representational image. AFP.[/caption] Data breaches by enrollers Pandey commenced his presentation by sharing details of blacklisted enrollers, along with reasons for the same. The Bench questioned if any had been blacklisted for data breaches. To this, the UIDAI CEO responded that that could only be possible if the enrollers possessed the qualifications to tamper with the enrolment software, indicating that they didn’t. Such tampering, in any case, is punishable under the Aadhaar Act. He further clarified that individual packets of data received during enrolment were checked by operators. The Bench questioned if it was possible for the enrollers to make copies of the biometric data before it was encrypted. Pandey asserted that the enrollers had no access to biometrics, and this was collected only by UIDAI’s software. Such retention, moreover, is also a punishable offence. Phasing out of private enrolment agencies Further, private enrolment agencies are being phased out and will be available only in banks and post offices. The Bench, here, stated that this was being done because these agencies were no longer needed since the enrolment process was mostly complete. Pandey responded that these facilities were still required for updating purposes. Aadhaar related data breaches denied Describing the CIDR as fully secure, Pandey stated that this was not even connected to the internet. When asked by the Bench to clear the apprehensions of the petitioners on the security of Aadhaar software, Pandey stated that every data breach so far had been of databases other than the CIDR. He denied various reports including The Tribune report as well as the recent Indane report. Further, it has been made a standard practice to display only the last four digits of the Aadhaar number. The Bench pointed out that unless there was protection against breaches from other ends of the spectrum, Aadhaar remained a problem. SC points out lack of control over possible AuA data use The bench then asked how many of the Authentication User Agencies (AuAs) were private, to which it was stated that a few dozens were. Next, it was asked whether the AuAs could record authentication data and monetise it. Pandey again states that such sharing was prohibited under Sections 29(3) and 38(g) of the Aadhaar Act. The Bench, however, pointed out that the UIDAI does not have control over such sharing. Profiling based on authentication data The Bench pointed out that service providers have a record of authentication requests, which could be misused to profile the individuals. When asked previously to clarify if such profiling and aggregation of data was not possible, Pandey cited Section 32(3) of the Aadhaar Act, which prevents the UIDAI from collecting data on the purpose of authentication. [caption id=“attachment_4364417” align=“alignnone” width=“1280”]  A man goes through the process of eye scanning for the Unique Identification (UID) database system, Aadhaar, at a registration centre. Image: Reuters[/caption] Aadhaar is ‘privacy by design’ He then conducted a live demonstration, showing the use of biometric authentication to withdraw money from a bank account. Pandey then discussed the various forms of data that are captured during authentication. This excludes Geo Codes and IP addresses. Previously, GPS coordinates and PIN codes were collected, but this had been discontinued. Pandey described Aadhaar as ‘privacy by design’, and reiterated that Aadhaar data could not be shared except for national security purposes. Security measures in Aadhaar infrastructure Turning to security measures, he further discussed the STQC (Standardisation Testing and Quality Certification) and Aadhaar certified biometric devices, multiple factor authentication, biometric locking, etc. The 4-minute video on Aadhaar security measures was then shown. This video stated that Aadhaar was certified by the STQC and its data centres are certified as Tier-III by Uptime. It was shown that there are three layers of security, including vehicle check, ID verification, X-ray baggage scan, physical frisking, and biometric entry at the CIDR, in addition to CRPF personnel. Pandey then discussed Aadhaar based privacy safeguards, including Virtual IDs, UID tokens, purpose and use limitation, strict confidentiality and online access to biometric authentication history. Authentication of data is susceptible to misuse The Bench, here, pointed out that it could not be ruled out that authentication history could not be shared under Section 33 of the Aadhaar Act. The petitioners also pointed to similar sharing under Section 57 of the Aadhaar Act. The Bench questioned if authentication logs were kept with authenticating or requesting entities. Pandey answered in the affirmative, with the exception of biometric information, which is not stored. He stated that the AuAs and requesting entities were audited by the UIDAI or agencies appointed by them. Virtual ID system Pandey then turned to **Virtual IDs**.  He explained how the use of Virtual IDs would prevent aggregation of databases. He said that entities which need real Aadhaar number, such as for income tax, and those which don’t, such as telecom companies, would be distinguished between. The Bench asked for a note to be submitted on how the Virtual ID and UID token would function. Pandey stated that these were random numbers from which the Aadhaar number could not be regenerated. The Bench questioned how illiterate people would be taught to use Virtual IDs. Pandey also stated that from 1 July, facial recognition would be used along with fingerprints. Smart cards will not ensure uniqueness Lastly, Pandey discussed the difference between Aadhaar and a smart card. He stated that a centralised database was necessary to ensure uniqueness. If smart cards were used, a single person could have multiple cards with different identities and same biometrics. Further, he argued that there could be no identity theft if Aadhaar is lost, unlike with a smart card. The smart ID card system in Singapore was also discussed, where Pandey stated that too much information on a single smart card was risky. The hearings will resume on Tuesday. The petitioners submitted a list of questions, which the UIDAI is to answer when the hearings resume. Sources of arguments include livetweeting of the case by SFLC.in, Prasanna S and Gautam Bhatia, and LiveLaw Reports Read our past coverage of the on-going Aadhaar Supreme court hearing: **Aadhaar hearing: UIDAI’s presentation discusses Aadhaar enrolment, updation and authentication processes in detail** **Why SC needs to look into technical evidence of Aadhaar’s surveillance capabilities** **Lack of governmental ownership of CIDR’s source code can have serious consequences** Will State give citizens rights only if they agree to be   **tracked forever, asks lawyer Shyam Divan** Coalition for Aadhaar: A collective of private companies wants to ensure that Aadhaar ID and related services continue to be offered Petitioners argue on centralisation of data and challenge Aadhaar’s claims on savings **Petitioners argue for a voluntary ID card system that does not collect user data** **Petitioners argue that receipt of govt benefits cannot be at the cost of compromising fundamental rights** **Aadhaar is architecturally unconstitutional, argue the petitioners** **Petitioners argue that Aadhaar violates dignity by objectifying and depersonalizing an individual** Petitioners seek compensation for starvation deaths and extension of March 31st deadline **Section 7 exception in Supreme Court’s interim order greatly affects people’s constitutional rights** **Entire Aadhaar project is beyond the stated objectives of Aadhaar Act, argue petitioners** **Petitioners conclude their arguments on 'the number of the beast' Aadhaar, highlighting various issues** **Aadhaar hearing: Political liberties cannot be foregone for economic and social justice, states the Bench** The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.