The Supreme Court Constitution Bench of Chief Justice Dipak Misra and Justices AK Sikri, AM Khanwilkar, DY Chandrachud and Ashok Bhushan, hearing the Aadhaar and related linkages matter (petitions saying that it was unconstitutional), was told on Tuesday (March 27) by the CEO of the UIDAI, Dr Ajay Bhushan Pandey, that breaches will be looked into. At that, the court reminded the CEO that there has to be end-to-end security, “plus a robust law.”
Dr Pandey said that in cases where two sets of biometrics are similar in nature, the computer prompts that the biometrics are very similar and that closer analysis is required.
Justice Chandrachud asked: “We’ve understood that for the breach of data, we have punishments for the operators. However, can any action be taken for the operators who leak data?”
The CEO said that this itself is a serious offence under the Aadhaar Act and carries a punishment of three years.
He said that the data is recorded on UIDAI's own software; for an operator to leak data, that system/software would have to be tampered with.
The CEO said: “We have a zero tolerance policy and actions are immediately taken (regarding leak). Private enrollment centres are to be set up in banks and post offices. And regulation 12A to be invoked.”
Justice Sikri said: “Since most of the people have already registered for Aadhaar, you can now settle down with reliable sources like nationalized banks and post offices.”
The CEO said: “We do not collect the details of the transactions. We are completely purpose blind. So the UIDAI will never know the reason for the authentication, be it for SIM cards or anything else.”
He said that a demo was to be presented, showing the opening of a bank account which is completely paperless, merely by using a fingerprint. “Enrollment software is ours and it’s constantly being updated,” he said. “However, the reality was that the gas agency had collected the Aadhaar number of all its customers and because of this, the customers will get to know which bank their subsidy goes to (not the bank account number, but the name of the bank).”
The CEO quoted a news article stating that Aadhaar information had been leaked. “We have to make a distinction between the fact whether the Aadhaar number has been taken and their server has been breached, or the bank server has been compromised.”
Justice Chandrachud at that point told Dr Pandey: “Merely securing your end doesn’t solve the purpose. We must have a robust law, strong enough to protect the other end.”
He talked about enabling Sections 8 and 32 of the Act for the purposes of security of authority transactions, and Regulation 26 on authentication metadata.
The CEO said: “If the person doesn’t remember his Aadhaar number, he can either go to the official website or access the M-Aadhaar app, unlock his/her biometrics for 30 minutes and perform his/her transactions. The biometrics will be locked automatically.
“Other sources are:
- UDC: unique host device code.
- DLPD: registered device model id.
- MC: allows the UIDAI to store data and inform the same.”
He said that even though no privacy law existed in 2009, privacy under the Aadhaar scheme was maintained due to the design of Aadhaar, and the same has been incorporated in the Act too.
He referred to Section 33 of the Aadhaar Act and said: “We do not collect any data. We have minimal data and it can be given only with the prior permission of the district judge. The only information barred is the core biometrics.”
Following this, the chief of cyber security, a member of the technology and architecture review board that reviews the security system of the UIDAI, presented a short film on the UIDAI centres at Bangalore and Manesar. This exhibited the amount of security used to protect the data.
The CEO of UIDAI said: “We have to constantly be vigilant about the security as in the IT world, we cannot take a risk.” He talked about the creation of a 16-digit alias Aadhaar number, explaining the concept of virtual identity.
This is an additional safeguard, he said.
The data returns in the same way as it is sent, i.e. in the encrypted form, as per Regulation 22 of data security.
“Why is iris important? A complete de-duplication wouldn’t be able to decipher the fingerprints because they might match. However, iris cannot match, it’s unique in nature.”
He talked about Section 18(1): maintenance of the Aadhaar logs by the requesting entity. He said that all data is sent to the main department in encrypted form so that the data cannot be read. The middle layer is created only for security purposes, he said. He then went to the part of the presentation pertaining to authentication history.
Senior counsel K V Viswanathan then presented a set of 20 questions in toto. The answers are to be prepared in writing by the respondent. Authentication denial doesn’t mean denial, it was said.
The matter was listed for Tuesday.
—India Legal Bureau