On Day 22 of the final Aadhaar hearing, the CEO of the Unique Identification Authority of India (UIDAI) resumed his PowerPoint presentation on Aadhaar. Speaking on the issue of privacy and data protection during the enrolment process, he claimed that operators check individual packets of data and verify biometric information before storing it in the Central Identities Data Repository (CIDR).
Justice Chandrachud interjected, asking whether it is possible for the enroller to make copies of the data before encrypting it and sending it to CIDR. Mr. Pandey replied that enrollers do not have access to biometrics and that they are collected by UIDAI’s software. He also mentioned that retention of data by an enroller/operator is an offence. Mr. Pandey revealed that UIDAI has started phasing out private enrolment agencies, and in the future, only banks and post offices will be responsible for enrolment and updation of Aadhaar. Also, the central authentication server, he said, is not connected to the Internet for the purpose of security.
Further, Justice Chandrachud remarked that Authentication User Agencies (AUAs) have a record of how many times an authentication request was made, even if UIDAI does not, and that selling such data is a commercially profitable enterprise. To this, Mr. Pandey replied that there are provisions under the law to prevent misuse of such data.
On being asked about the security of the software of Aadhaar, Mr. Pandey rubbished all media reports that claimed that the Aadhaar database was compromised, including the recent report published in the Tribune. Justice Chandrachud was of the view that the security maintained at the other end of CIDR, i.e., the AUAs, is not up to the level of security maintained at CIDR, and unless the security at the other end of the spectrum is tightened, the Aadhaar database will remain a problem. Mr. Pandey mentioned that the technology review board keeps reviewing the technology of Aadhaar. Similarly, the security review board is responsible for timely upgradation of the security. He also said that audits are performed on AUAs and requesting agencies by UIDAI itself or by an agency appointed by them to ensure smooth functioning of the system.
Thereafter, Mr. Pandey physically demonstrated the process of authentication and the withdrawal of funds using Aadhaar-based authentication. He justified the process by commenting that debit cards and PIN numbers are difficult for most people in India to use, and therefore Aadhaar could be a tremendous tool to solve the problem of financial exclusion.
Mr. Pandey also emphasized that an individual can enter her Aadhaar details on UIDAI’s website to check her authentication history, and therefore will know if her Aadhaar number was misused. Next, he discussed the authentication metadata elements and stressed that no metadata that reveals anything about an individual, such as her likes and dislikes, is collected.
After showing a short video on Aadhaar data centres, Mr. Pandey took the court through the privacy safeguards in Aadhaar such as virtual ID, UID token, purpose and use limitation, strict confidentiality, online access to authentication records, biometrics lock and strict punishment under the Aadhaar Act. He was also open to the idea of drafting more regulations depending on the requirement. Justice Sikri opined that most people in India will not be able to use the technology of virtual ID and UID token. Mr. Pandey commented that virtual ID and UID token are just additional safeguards.
Mr. Pandey highlighted that several experts were consulted and a consensus was reached that a multi-modal biometric authentication system should be adopted, i.e., both iris and fingerprints should be combined for the process of identification and authentication. He pointed out that using virtual IDs and UID tokens ensures that databases are not joined. Also, UIDAI makes distinctions between which agencies require real Aadhaar numbers and which agencies do not. For example, telecom companies do not require the real Aadhaar number, but income tax does.
Further, Mr. Pandey distinguished between the Aadhaar card and smart cards: a central database of biometrics is important to ensure uniqueness. Uniqueness may not hold true in the case of smart cards, and one person can have multiple cards with different identities and the same biometrics; there is no identity theft if Aadhaar is lost, but the same cannot be said about smart cards; surveillance is not possible with CIDR as silos are not merged. Surveillance is possible with smart cards by merging databases. Mr. Pandey remarked that an offline smart card is not a substitute for online authentication.
He concluded his presentation by showing a graph illustrating the success rate of Aadhaar-based biometric authentication and another graph based on a proof of concept conducted at old age homes in nine different states. The petitioners submitted a list of questions on the basis of the presentation, and the State will take them up in the next hearing. The petitioners also urged the bench to extend the deadline for mandatory linking of Aadhaar for availing benefits under Section 7 of the Aadhaar Act, but were turned down by the Chief Justice of India.
The hearing will continue on Tuesday, 3rd April, 2018.