Need more security at authentication agencies to keep Aadhaar safe: SC

The UIDAI chief stated that the authority and the government are open to enacting more laws and regulations if the privacy and security is a concern around Aadhaar

Data stored at the authentication agencies level needs to be made more secure, Supreme Court’s five-judge constitutional bench observed on Tuesday. The bench stated that it’s not enough that the UIDAI’s own servers are securely situated inside its complexes because the data travels upwards from enrolment agents and authentication agencies which may store data and misuse it for commercial interests.
 
This observation came just a day after Business Standard reported on why UIDAI’s defence that its own servers are secure rests on shaky grounds as long as there are copies of Aadhaar linked data with third parties. During the presentation, UIDAI CEO Ajay Bhushan Pandey said that the authority doesn’t collect data on the location or purpose of authentication even though citizens can check recent authentications on its website.

 
“The high level of security maintained at CIDR is not maintained at the other end like AUA also. Unless the security at the other end of the spectrum is secured, Aadhaar will be a problem,” Justice Chandrachud observed in response.
 

There are 307 live authentication user agencies as per the UIDAI website and each of these agencies are eligible to have sub-AUAs which use these enterprises’ infrastructure to process authentication requests to provide services such as e-KYC, welfare delivery, among others.
 
The bench observed that even though UIDAI doesn’t have authentication logs, AUAs may have it despite there being a law against storage of information and that could be misused by the private entities.

 
The UIDAI chief also stated that the authority and the government are open to enacting more laws and regulations if the privacy and security is a concern around Aadhaar.
 
As Pandey continued his presentation from Thursday in the court, he argued that the UIDAI will soon launch virtual identity numbers which are supposed to be a 16-digit random number that masks Aadhaar number and can be used to provide to companies and third parties. While the VID was supposed to be launched on March 1, there has been no communication from the authority or the government on its arrival date.

 
The bench also questioned if VID will even be useful because the process of generating a number and then destroying it could be complicated for a large number of illiterate population in the country. To this, Pandey said that it will just be another additional level of security.
 
The judges, however, asked him to submit a note on how the virtual ID and UID tokens will work to prevent de-duplication in the system.
 
The UIDAI chief also demonstrated live authentication in the court and showed how money can be withdrawn from bank by people through biometric authentication. He also argued that financial inclusion in India was lagging because people weren’t comfortable using debit cards and PINs at ATMs but with Aadhaar they can use their thumb prints, especially for smaller transactions.

 
The discussion also moved towards the information stored with the UIDAI on which Chief Justice of India Deepak Misra stated that UIDAI’s submission is that information is so encrypted that even the authority can’t access it. Ajay Bhushan Pandey said that the authority has the key but not the information which prompted the CJI to ask again if the authority can access this information to which Pandey said that it can.
 
Ajay Bhushan Pandey also blamed sections of the media for spreading misinformation about Aadhaar on behest of “vested interests”. He detailed the authentication success rates observed in various spheres and listed them as 88% in government departments, 95% for banks and 97% for telecom.

 
The debate around authentication failures being a critical problem for the Aadhaar ecosystem has been raging for a long time with activists arguing that people are being denied benefits due to failure of biometrics during authenticating. On Tuesday, a set of people also launched a website which maps authentication failures around the country and also lists the reported deaths of people who allegedly died due to denial of benefits after their Aadhaar authentication failed.
 
The success rates for senior citizens found during a proof-of-concept study done by UIDAI according to Pandey were 83% for fingerprints and 90% for iris. He added that the authority will soon launch face recognition to further improve authentication accuracy before ending his presentation.

 
After the presentation, petitioners side handed over twenty questions to the bench which the state will respond on next Tuesday when the bench reassembles. Moreover, the petitioners raised requests to extend the interim order of stay on Aadhaar linking and asked for it to be extended to welfare schemes. The Chief Justice of India denied that request. 

●       UIDAI chief offered to make more regulations to allay privacy and security concerns
●       SC bench questioned the security arrangements on the ground where data is collected for enrollment and authentication
●       Ajay Bhushan Pandey accepted that UIDAI holds the key to people’s information and can access it but it doesn’t

●       Petitioners requested the court to extend the deadline for linking Aadhaar with welfare schemes but CJI denied the request.