Aadhaar[Day 22]: SC Expresses Concern Over Security Of Data And Abuse Of Authentication Records

On Day 22 of the Aadhaar final hearing, Dr Ajay Bhushan Pandey, UIDAI CEO, resumed his submissions on the technical and security-related aspects of the Aadhaar project with the aid of the PowerPoint presentation.

“Is it possible that the enrolment agencies save the biometric information before it is encrypted and transmitted to the CIDR”, inquired Justice DY Chandrachud.

“The biometric data is received only by the UIDAI software...even retention or duplication of data by the operators is an offence...the UIDAI follows a policy of zero tolerance...a notification has been issued appointing thousands of post offices and banks as enrolment agencies...we are gradually excluding all private agencies...,” responded Dr. Pandey.

“But the major proportion of the population has already been enrolled under the Aadhaar scheme...,” remarked Justice AK Sikri.

“But updation is an ongoing process. It is for this purpose we have appointed the banks and post offices...,” responded Dr. Pandey.

On a query by Chief Justice Dipak Misra, Dr. Pandey admitted that the sensitive biometric data, as well as the authentication records in the CIDR, can be accessed by the UIDAI. The Chief Justice also asked if in the time span between the scanning of the thumbprint and the transmission of the information to the CIDR, the same could be stored by the enrolment agencies. To this, Dr. Pandey replied in the negative, reiterating that the data remains on the UIDAI software.

When he advanced that the CIDR is not even connected to the internet to ensure protection of sensitive data as well as authentication records, Justice Chandrachud remarked that the Authentication User Agencies (AUAs), which maybe private bodies, have access to the data as to the number of authentication requests which is capable of being commercially exploited. AUAs are ‘requesting entities’ that submit the Aadhaar number, and demographic information or biometric information, of an individual to the Central Identities Data Repository (CIDR) for authentication.

Justice AK Sikri also inquired if the authentication history is retained by the requesting entities and what the contents thereof are. Dr. Pandey acceded that data, except for the biometric information, is retained.

Dr. Pandey assured that any sharing of such information is prohibited under Section 29(3) of the Aadhaar Act and also punishable under its Section 38(g). He also relied on Regulation 17 of the Aadhaar (Authentication) Regulations of 2016 on the obligations relating to the use of identity information by a requesting entity. Further, he claimed that the UIDAI undertakes audits of requesting entities.

Justice Chandrachud interjected, saying that there is a possibility of abuse of the authentication records by these AUAs. Justice AM Khanwilkar also added that there are doubts regarding the security of the software of the UIDAI. Dr. Pandey responded that there have been no instances of any leakages of data and that the newspaper reports alleging leakages are false.

Justice Chandrachud remarked that the security at the end of the AUAs needs to be as stringent as at the CIDR. Dr. Pandey proceeded to explain the authentication procedure, showing that the information as to location and purpose is not available. He submitted that only the last four digits of the Aadhaar number are displayed wherever there is need. He asserted that Aadhaar enhances the financial inclusion of individuals. He also advanced that one may check their authentication history on the UIDAI website to see it there has been any abuse.

In respect of the claims of the petitioners regarding collection of metadata on authentication, he clarified that no such metadata is accumulated that could reveal such details as the likes and dislikes of an individual. He affirmed that details as the geocode or the IP address is not gathered at the time of authentication; besides, the GPS information or the PIN code is also no longer received. He assured that the Technology and Architecture Review and the Security Review committees are constantly attempting to better the data protection safeguards.

The UIDAI CEO on Tuesday also elaborated on the intricacies of privacy safeguards, such as biometric locking, virtual ID (a random 16-digit number) and the 72-character alphanumeric UID token. When Justice Sikri expressed doubts regarding the utility of virtual ID for illiterate people, Dr. Pandey responded that it is only an added safeguard. He elaborated that the use of virtual IDs and UID tokens is to ensure that the different databases remain separate. Continuing, he explained that a different UID token is received in respect of the same customer by different requesting entities from which the Aadhaar number cannot be reverse engineered. Further, the concept of multimodal biometric authentication was discussed, which uses both fingerprint as well as iris scan to reduce chances of authentication failure.

A live demonstration of biometric-based authentication for withdrawal of funds from a bank account was also given.

A video on the structure of the authority’s data centres was displayed. It was claimed that the UIDAI is certified by the (Standardisation Testing and Quality Certification) STQC and its data centres are certified as Tier III by Uptime. It was also shown that there are three layers of security, including vehicle check, ID verification, X-ray baggage scan, physical frisking and biometric entry at the CIDR, in addition to CRPF personnel.

“Authentication records may be shared under Section 33 of the Aadhaar Act (in the interest of national security),” noted Justice Sikri. Senior counsel KV Viswanathan added that the said information may also be revealed under a contract in view of Section 57. Dr. Pandey reiterated his submission from the previous hearing that no such requests for information have received till date from the government or any civil authority.

Thereupon, the difference between Aadhaar and smart cards was discussed- the former ensures uniqueness of identity and deduplication; there is minimal accumulation of transaction details; on account of multiple databases, surveillance is not possible; no risk of identity theft or denial of service as in the event of loss of the smart card or damage of its chip.

In context of the smart card-based ID regime in Singapore, Dr. Pandey advanced that even Singapore has appreciated the Aadhaar system.

Finally, he displayed, by way of a bar graph, the rate of acceptance of the Aadhaar based biometric authentication, which, for the year 2018, was claimed to be 88 percent in respect of the government, 95 percent for banks and 97 percent for the telecom sector. In respect of senior citizens, it was claimed that the success rate of authentication is 95 percent in case of iris scan and fingerprints and 99 percent where face and fingerprints are used.

The bench on Tuesday, however, refused to make the March 13 interim order, extending indefinitely the deadline for mandatory Aadhaar linkage with mobile numbers, bank accounts and other facilities, to the ‘Subsidies, Benefits and Services’ referred to in section 7 of the Aadhaar Act also. In response to the petitioners’ claim of a large number of authentication failures in respect of these social security schemes, the Centre asserted that there has no refusal of a rightful entitlement by reason of such failures.

The hearing shall resume on Tuesday.