There Has Been No Aadhaar Data Security Breach: Centre Tells Delhi HC In Prof. Shamnad's PIL [Read The Counter]

Prof. Basheer moved Delhi HC seeking exemplary damages for alleged Aadhaar data leak

In its response to the petition filed by IP academic Prof. Shamnad Basheer in the Delhi High Court seeking damages for losses due to the Aadhaar data leak, the Centre has claimed that the petition is non-maintainable in view of the Supreme Court's Aadhaar judgment.

Prof. Basheer, however, opined that this wasn't the case. He pointed out that the Supreme Court had, in its judgment, specifically stated that it was not dealing with the issues raised in his petition.
A quick search would show that this was indeed the case. The Court had, in Justice KS Puttaswamy (Retd) v. Union of India, categorically observed, "Section 43A of the IT Act attaches liability to a body corporate, which is possessing, handling and dealing with any 68 A challenge to the Aadhaar project for violation of IT Act and Rules has been filed in the Delhi High Court in the matter of Shamnad Basheer v UIDAI and Ors. Therefore, we are not dealing with this aspect, nor does it arise for consideration in these proceedings."
In addition to challenging the maintainability of the petition on the aforementioned ground, the Centre also claims that the alleged facts on the basis of which the petition has been filed are "unsubstantiated" and that the information relating to the Aadhaar scheme has been "grossly misreported and interpolated" to mislead the court.
The counter affidavit then goes on to assert the importance and utility of Aadhaar for delivery of public services, relying on various reports and court decisions. It further demands that Mr. Basheer be put to the strictest proof to show evidence of his personal information being compromised or rendered insecure.
The Centre also denies allegations of there having been a security breach of UIDAI's biometric database or Central Identity Data Repository (CIDR). It submits, "It is quite curious that reading of press reports without actual verification of its impact on the petitioner affected his privacy, personhood and dignity and the petitioner felt to distressed without even verifying as to whether his data was at all compromised. It is strongly denied that any data breach has occurred in the CIDR or that the petitioners right has been affected in any manner whatsoever."
It further assures the court that its existing security controls and protocols are robust and are capable of countering any such attacks, and elaborates on the legislative and technological measures taken by it. It, therefore, demands rejection of the petition.
Fear of Aadhaar data being misused for personal gain
In his petition, Prof. Basheer recalls how he obtained an Aadhaar card back in 2015 believing the project to be safe, secure and consent based. Soon after, he also linked his bank account with Aadhaar for fear of his account being deactivated.
However, around the beginning of this year, he was devastated to learn through news reports that the confidentiality of Aadhaar data had been compromised, not once but several times over. For instance, he cites a news report by Tribune wherein Tribune claimed to have "purchased" a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far.
Listing down various other illustrative examples demonstrating such breach of Aadhaar data, he now submits, "He was particularly distressed to note that most of these breaches pertained to personal identity data maintained with the Central Identities Data Repository, a centralized database containing all information collected from Aadhaar applicants by Respondent No.1 and its various affiliates/partners, including sensitive personal information such as biometric data.
The Petitioner fears that his valuable data (as also that of countless other Aadhaaris) is in the illegal possession of unauthorized third parties, who can, at any time, misuse it for their own personal gain. This fear is not just a theoretical one, but one which has played out in the past."
Violation of statutory provisions
The petition attributes the security breaches to "negligence/willful recklessness" on the part of the UIDAI due to the absence of reasonable security measures. It then asserts that UIDAI's conduct violates Aadhaar Act and associated regulations, as well as the Information Technology Act, 2000 and associated rules. UIDAI's conduct, it argues, violates the Petitioner's fundamental right to privacy; and is actionable and compensable as a common law tort.
For instance, the Petition relies on Section 28 of the Aadhaar Act, which places a specific duty on the UIDAI to ensure the security and confidentiality of all identity information held by it, either directly or through its various partners/affiliates. In particular, the UIDAI is obligated to "take all necessary measures" to ensure that the information in its possession or control is secured and protected against any unauthorized access, use or disclosure.
It then alleges violation of this provision, submitting, "It is evident that this duty under Section 28 of the Aadhaar Act has been breached by the reckless and grossly negligent actions/omissions of Respondent Nos. 1 [UIDAI] and 2 [Union of India] and their officers in unleashing a very vulnerable privacy architecture that gave direct access to the CIDR database to so-called "grievance redressal" personnel to effectuate changes as they pleased, and permitted such access controls to be multiplied manifold and disseminated widely."
The Petition further blames UIDAI for its failure to systematically audit and track breaches, and deploy a fraud analytics system. It in fact argues that the UIDAI and the Centre are liable to compensate the aggrieved Aadhaaris for security breaches under Section 43A of the IT Act, "for its negligence in implementing and maintaining reasonable security practices and procedures in relation to sensitive personal information and data, thereby causing wrongful loss or wrongful gain to individuals."
Deletion of all existing Aadhaar numbers
In the light of such submissions, the Petition prays for a direction to the authorities for immediately complying with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. This includes the demand for publication of a privacy policy, and laying down of an information security policy for itself and its core operations.
The petitioner also seeks information on the number of data breaches which have taken place since the inception of the Unique Identification Authority of India (UIDAI) and the Aadhaar scheme. He further demands to know the scope of such breaches, and the manner in which his data has specifically been compromised.
To this end, the petition advocates for appointment of an independent investigative/audit committee comprising multiple stakeholders and experts to investigate all Aadhaar security breaches as well as the robustness of the existing systems.
As for the damage already done, Prof. Basheer not only requests action against the UIDAI and other government agencies such as the National Informatics Centre (NIC) for their failure to adhere to security practices, but also seeks exemplary damages as well as the liberty to opt out of the Aadhaar system. He highlights the damage that such a data leak can cause to him specifically, submitting,
"Being a Muslim and a member of a minority community, the threat of potential harms to the Petitioner are even more accentuated. For one, given that in today's post truth world, almost all Muslims are seen as terrorists and interrogated as such at various international airports and the like, the risk of harms from a data breach and consequent identity theft or the tampering with personal data is significantly more magnified. Secondly, given the present political climate in the country for minorities and the growing patriotic fervor of those committed to purging the country of its plural ethos, the Petitioner fears that unrestrained access to his data could have potentially fatal implications."
In the alternative, a Writ of Mandamus is sought directing the Centre to permanently delete all existing Aadhaar numbers. Besides, he recommends the appointment of a neutral ombudsman/ verification authority for addressing all concerns and complaints at the first level, which may arise in the future in relation to violations of the Aadhaar Act and the IT Act, as well as any data breaches.