On Day 22 of the Aadhaar hearing, the CEO of the UIDAI, Ajay Bhushan Pandey, completed his PowerPoint presentation before the Supreme Court and answered the questioned posed by the petitioners. The bench posed many questions on the security of Aadhaar at the authentication and enrolment stages. The issue of data breaches from points other than the CIDR was also raised. Also, the Bench refused to extend the deadline for Section 7 benefits.
Data breaches by enrollers
Pandey commenced his presentation by sharing details of blacklisted enrollers, along with reasons for the same. The Bench questioned if any had been blacklisted for data breaches. To this, the UIDAI CEO responded that that could only be possible if the enrollers possessed the qualifications to tamper with the enrolment software, indicating that they didn’t. Such tampering, in any case, is punishable under the Aadhaar Act.
He further clarified that individual packets of data received during enrolment were checked by operators. The Bench questioned if it was possible for the enrollers to make copies of the biometric data before it was encrypted. Pandey asserted that the enrollers had no access to biometrics, and this was collected only by UIDAI’s software. Such retention, moreover, is also a punishable offence.
Phasing out of private enrolment agencies
Further, private enrolment agencies are being phased out and will be available only in banks and post offices. The Bench, here, stated that this was being done because these agencies were no longer needed since the enrolment process was mostly complete. Pandey responded that these facilities were still required for updating purposes.
Aadhaar related data breaches denied
Describing the CIDR as fully secure, Pandey stated that this was not even connected to the internet. When asked by the Bench to clear the apprehensions of the petitioners on the security of Aadhaar software, Pandey stated that every data breach so far had been of databases other than the CIDR. He denied various reports including The Tribune report as well as the recent Indane report.
Further, it has been made a standard practice to display only the last four digits of the Aadhaar number. The Bench pointed out that unless there was protection against breaches from other ends of the spectrum, Aadhaar remained a problem.
SC points out lack of control over possible AuA data use
The bench then asked how many of the Authentication User Agencies (AuAs) were private, to which it was stated that a few dozens were. Next, it was asked whether the AuAs could record authentication data and monetise it. Pandey again states that such sharing was prohibited under Sections 29(3) and 38(g) of the Aadhaar Act. The Bench, however, pointed out that the UIDAI does not have control over such sharing.
Profiling based on authentication data
The Bench pointed out that service providers have a record of authentication requests, which could be misused to profile the individuals. When asked previously to clarify if such profiling and aggregation of data was not possible, Pandey cited Section 32(3) of the Aadhaar Act, which prevents the UIDAI from collecting data on the purpose of authentication.
Aadhaar is ‘privacy by design’
He then conducted a live demonstration, showing the use of biometric authentication to withdraw money from a bank account. Pandey then discussed the various forms of data that are captured during authentication. This excludes Geo Codes and IP addresses. Previously, GPS coordinates and PIN codes were collected, but this had been discontinued. Pandey described Aadhaar as ‘privacy by design’, and reiterated that Aadhaar data could not be shared except for national security purposes.
Security measures in Aadhaar infrastructure
Turning to security measures, he further discussed the STQC (Standardisation Testing and Quality Certification) and Aadhaar certified biometric devices, multiple factor authentication, biometric locking, etc. The 4-minute video on Aadhaar security measures was then shown. This video stated that Aadhaar was certified by the STQC and its data centres are certified as Tier-III by Uptime. It was shown that there are three layers of security, including vehicle check, ID verification, X-ray baggage scan, physical frisking, and biometric entry at the CIDR, in addition to CRPF personnel.
Pandey then discussed Aadhaar based privacy safeguards, including Virtual IDs, UID tokens, purpose and use limitation, strict confidentiality and online access to biometric authentication history.
Authentication of data is susceptible to misuse
The Bench, here, pointed out that it could not be ruled out that authentication history could not be shared under Section 33 of the Aadhaar Act. The petitioners also pointed to similar sharing under Section 57 of the Aadhaar Act.
The Bench questioned if authentication logs were kept with authenticating or requesting entities. Pandey answered in the affirmative, with the exception of biometric information, which is not stored. He stated that the AuAs and requesting entities were audited by the UIDAI or agencies appointed by them.
Virtual ID system
Pandey then turned to Virtual IDs. He explained how the use of Virtual IDs would prevent aggregation of databases. He said that entities which need real Aadhaar number, such as for income tax, and those which don’t, such as telecom companies, would be distinguished between. The Bench asked for a note to be submitted on how the Virtual ID and UID token would function.
Pandey stated that these were random numbers from which the Aadhaar number could not be regenerated. The Bench questioned how illiterate people would be taught to use Virtual IDs. Pandey also stated that from 1 July, facial recognition would be used along with fingerprints.
Smart cards will not ensure uniqueness
Lastly, Pandey discussed the difference between Aadhaar and a smart card. He stated that a centralised database was necessary to ensure uniqueness. If smart cards were used, a single person could have multiple cards with different identities and same biometrics. Further, he argued that there could be no identity theft if Aadhaar is lost, unlike with a smart card. The smart ID card system in Singapore was also discussed, where Pandey stated that too much information on a single smart card was risky.
The hearings will resume on Tuesday. The petitioners submitted a list of questions, which the UIDAI is to answer when the hearings resume.
Read our past coverage of the on-going Aadhaar Supreme court hearing:
The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.