No Aadhaar Data Breach From Our End, UIDAI Chief Tells Supreme Court

In a continuation of the presentation to defend Aadhaar in the Supreme Court, the Unique Identification Authority of India (UIDAI) CEO Ajay Bhushan Pandey on Tuesday said that there has been no data “breach of biometric data from our end”.

Addressing the five-judge constitution bench of the Supreme Court, which is listening to petitions challenging the constitutional validity of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016, Pandey said,  “Aadhaar is privacy by design and biometric is not shared with anybody except for purposes of national security. UIDAI simply processed authentication requests and did not collect the reason or location from where the request was being made.”

However, not satisfied with the claims, Justice D.Y. Chandrachud said, “The high level of security at the CIDR (classless inter-domain routing) is not matched at the mirror end. Merely protecting your end is not enough. There needs to be a robust law in place to protect the other end of the spectrum.”

Pandey also asked the court to “look at past cases of data breach brought up by the media” and said, “they had nothing to do with the UIDAI database and that the breaches were by other organisations that had treated the data collected by them carelessly.”

On the question about sharing of data by private authentication user agencies (AUA), Pandey said that there were provisions under the Aadhaar Act, 2016 prohibiting this.

Justice A.K. Sikri also sought clarification on security concerns surrounding the collection of authentication logs with the authentication/requesting entity and sought to know the nature of such data and how it could be shared.

Pandey also demonstrated before the court how the authentication process works, claiming that this will the ease of authentication would lead to financial inclusion and will be simpler than that for using debit cards.

In the earlier hearing on Friday, UIDAI said that while a 100% authentication success rate under Aadhaar was not possible, the law governing it took care of the same. It also claimed that Aadhaar had a 2048-bit encryption key, which worked like a number lock, making it extremely secure.

Pandey had also said that it was “difficult to misuse an Aadhaar card because it has a hidden barcode that carries details of the original holder.”

The constitution bench also accepted the questionnaire by petitioners, which it has been asked to prepare after the UIDAI CEO’s presentation.

The case will be heard next on April 3.

Amid the ongoing case, Aadhaar has faced severe criticism primarily on fronts of security. In January, the Aadhaar system was hacked by a self-proclaimed French cybersecurity expert who goes by the alias, Elliot Alderson.

Soon after, a leakage was reported after an unidentified group on WhatsApp shared links containing the login and the password details which enabled access to 1 Bn Indian citizens.

Also, a harsh rebuttal to UIDAI’s claims of Aadhaar security surfaced when a report claimed that “a data leak on a system run by a state-owned utility company Indane allowed anyone to download private information on all Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and information about services they are connected to, such as their bank details and other private information.”

The breach affected every single Aadhaar user.

Recently, UIDAI also announced that it will launch Face Authentication feature from July 1, 2018, to aid biometric authentication of those who have troubles due to old age, hard work or worn-out fingerprints. The face authentication would be permitted along with either fingerprint or iris or OTP for verification of Aadhaar details.

Also, the Central Board of Direct Taxes (CBDT) also extended the deadline for the PAN-Aadhaar linking to June 30, 2018 from the existing deadline of March 31, 2018.

While the central government has issued the draft of healthcare security Act to address healthcare data breach, the Supreme Court proceedings regarding Aadhaar and continuous reports of data breach continue to make it a tougher case for UIDAI to support its claims of privacy and security of Aadhaar data.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.