Universe's strength needed to break Aadhaar encryption: CEO to SC; updates

Aadhaar would include face ID besides the fingerprints and iris for authentication from July 1, said UIDAI CEO Ajay Bhushan Pandey

Trying to allay the fears over security and privacy of Aadhaar, Ajay Bhushan Pandey, the Chief Executive Officer of the Unique Identification Authority of India (UIDAI), the nodal agency implementing the project, told the Supreme Court on Thursday that it would take the world’s fastest computer “the whole universe’s strength to break the Aadhaar encryption system”.

In a first-ever powerpoint presentation in open court, the constitution bench of Chief Justice Dipak Misra, and Justice A K Sikri, Justice A M Khanwilkar, Justice D Y Chandrachud and Justice Ashok Bhushan was told that Aadhaar data in an encrypted form were "very very secure".

The UIDAI CEO had said the biometric and demographic information of people enrolled for Aadhaar was secure, while no one would suffer loss of benefits for its absence.

According to tweets by lawyer Prasanna S (@Prasanna_s), who was present at the Supreme Court, and legal services organisation Software Freedom Law Centre (@SFLCin), Pandey covered three major points in his presentation — an introduction to Aadhaar, the technology behind Aadhaar and the privacy safeguards put in place to protect Aadhaar data. 

The apex court was hearing a bunch of petitions challenging the constitutional validity of the Aadhaar Act and concerns that the data could be taken over by other enrolment centres that might even misuse them. 

“Maybe when it reaches you, it gets encrypted, but at the (enrolment) centre, it may be captured by a private party”, said Justice Sikri. To this, Pandey replied that UIDAI did not share biometric details with anyone and the “software is such that the moment the resident presses the save key, entire data gets encrypted by the 2048-bit key.”

Pandey had said that UIDAI starts collecting data from the birth of a child and the data are updated twice, first at the age of five and later at 15 years. 

Having said that 1.2 billion people had already been enrolled for Aadhaar, Pandey added that a number once given to an enrolled person would not be repeated even after their death. He contended that UIDAI had reached a level where it could generate, print and dispatch more than 1.5 million Aadhaars per day.

The CEO then said that Aadhaar required minimum information from citizens like photograph, demographics, fingerprints, iris, but does not collect details of "religion, caste, tribe, language, records of entitlements, income or medical history and profession".

At the start of the presentation, a technical snag led to not functioning of one of the projectors facing the lawyers and litigants. The glitch was rectified later.

Here are the top 10 developments related to the Aadhaar hearing so far:

1. ‘Universe's strength needed to break Aadhaar encryption’: Stressing that the entire system for storing the Aadhaar biometric data and demographic information was safe and free from any kind of intrusion, Pandey had said that it would "require the age of the universe to crack the data stored in encrypted form".

Reverting to the question of intrusion in the privacy of Aadhaar users, he had said "we are ignorant about the purpose and details of the transactions being undertaken by the people" whose Aadhaar is linked to various services.

Noting that data matching software has been bought from the world's three best companies and stored on UIDAI's 6,000 servers, Pandey had said that these are not linked to the internet to eliminate the possibility of any backdoor access to the data.

He had then given the example of softwares like Oracle used by banks and had said if the banks were using foreign softwares, it does not mean that details are shared with the software providing company. The presentation remained inconclusive and would resume on March 27.

UIDAI is blind: Dealing with the authentication process, he had said the UIDAI is "blind" and does not keep track of any transaction done by using the Aadhaar card. "If somebody opens a bank account or gets a mobile phone by using the Aadhaar, the UIDAI cannot know the account details or the phone number," he had said.

Once the enrolment agency submits the biometric details after enrolment, the data is encrypted and deposited at the Central Identities Data Repository (CIDR), Pandey explained. 


2. ‘No one will suffer loss of benefits’: Pandey, a 1984 batch IAS officer of Maharashtra cadre, had said the UIDAI has no data about persons who have been denied benefits for want of Aadhaar or due to lack of authentication. The top court had asked him whether there was any official data on how many persons have been denied benefits either due to want of Aadhaar or due to failure of their authentication.

"We had no means to know as to how many persons have been denied benefits...Is there any official data on denial of services," the bench had said.

Pointing to the "exception handling mechanism" in the UIDAI system, Pandey had said that "no one will suffer the loss of benefits for the lack of Aadhaar" as the bench pointed to illiterate, the poor and tribals who may not be aware that over time their biometrics have undergone changes and must be updated.

Pandey had added that the officers have been instructed to check the Aadhaar card and see if the case is genuine.

mobile number online

3. Why are some denied ration despite having Aadhaar?  Justice Sikri had asked Pandey as to what happens if a person goes to a ration shop and even though his biometric details match, he is refused goods which are later drawn by the shop owner in an unauthorised manner.

Pandey couldn’t answer that question and just said, "It has to be handled at a different level.”

4. On Jharkand woman's death over ration: The bench had then asked him about the death of a woman in Jharkhand after she was denied ration for want of Aadhaar authentication.

The CEO had said he was aware of the case and it was not the case of failure of authentication. The authentication was done and Aadhaar details matched, it was a case of dishonesty on part of the shopkeeper of the fair price shop.

It was the "failure of honesty" and not the failure of Aadhaar, Additional Solicitor General Tushar Mehta, who represents UIDAI, had said. 

5. ‘Face ID’ from July 1: The bench had said that sometime biometric details like fingerprints fade over a period of time and unaware and illiterate persons may not get them updated and can they "be left high and dry".

Making use of two projectors, Pandey had said that UIDAI would introduce ‘face ID’ on July 1 to enable Aadhaar holders to authenticate their identity to access services, benefits and subsidies. Aadhaar would include the face besides the fingerprints and iris for authentication. The facial identification would help people without biometrics or those with poor biometrics to avoid authentication failures and financial exclusion.

Pandey had said that people suffering from leprosy or others who don't have biometric details would get Aadhaar on the basis of their facial scan or their registered mobile number, which would operate on one-time password system.

6. Operators registered trees! The bench questioned the CEO on his plea that Aadhaar was infallible, asking why did the UIDAI blacklist 49,000 registered operators. To that, Pandey had said the agents were blacklisted for indulging in corruption, carelessness and harassment of the public.

"It sounds somehow strange that you blacklisted 49,000 of your operators for harassing people," the bench asked.

"Initially, we trusted these operators, but they ended up registering trees, Lord Hanuman, Jamun trees etc," Pandey responded.

7. UIDAI mum on virtual ID: Almost three weeks after the promised release date of the specifications of double-layer virtual ID technology for Aadhaar, the UIDAI remained silent on the roll-out of the virtual ID, a 16-digit number generated randomly by the Aadhaar system. UIDAI was supposed to introduce the virtual ID by UIDAI by March 1 and deployed by companies using Aadhaar by June 1.  

“The UIDAI will be releasing necessary APIs (application programming interface) with implementation by March 1, 2018,” the circular said. It said that all authorities should migrate to the new system by June 1, 2018, after which their authentication services could be discontinued and financial disincentives may be imposed.

In the circular, the authority also announced the launch of limited Know Your Customers (KYC) norms, which allow the UIDAI to restrict information flow to private companies and only the required information about a citizen instead of the complete demographic profile is shared.

UIDAI is yet to respond to the queries sent by a reporter of Business Standard.

8. 1.2 billion people enrolled by UIDAI: The Aadhaar ID has nationwide portability and uniqueness and one card cost less than one dollar from the time of enrolment to its delivery to a citizen, he had said, adding that so far, 1.2 billion people have been enrolled in the scheme.

"Aadhaar enrolment is free. They charge people. We got complaints," the CEO had said, adding that these operators also filled wrong details at the time to enrolment and "as we have a zero tolerance policy towards corruption, they were blacklisted."

9. Pandey to speak on Tuesday again: Pandey would again present his case on the viability of Aadhaar on March 27 where he would stress on the need of why people need Aadhaar, among other topics. 

"A very large population had no nationally-acceptable IDs - children, old, migrant workers, poor, destitute,” he had said on Thursday.

"Most people used local proxy/domain IDs and faced language, format, jurisdiction barriers. Lack of identity and identification led to exclusion and denial of service," he had said.He had also referred to the issue of duplicates and ghosts in the welfare schemes, PAN cards and shell companies.

Coming Tuesday, he will make a power-point presentation, explaining how Aadhaar provided a "robust, lifetime, reusable, nationally on line verifiable ID and identification" to citizens.

10. ‘Aadhaar data behind 13-feet-high and 5-feet-thick walls’: Contending that Aadhaar data is absolutely safe and secure, General  K K Venugopal appeared in front of a five-judge Constitutional Bench of the Supreme Court and said “Aadhaar data remains secure behind a complex that has It's 13-feet high and five feet thick walls.”

Venugopal told the bench that tremendous efforts by various government agencies and experts had gone into erecting the architecture of Aadhaar at an expenditure of Rs 90 billion (Rs 9,000 crore).

He had said that 61 committees went into the issue threadbare before the present Aadhaar edifice was put in place, adding all the committees were unanimous on creating a legal framework for unique identity.

Continuing his arguments, the Attorney General took the court through the list of the dates starting from March 3, 2006, till 2016 when the law was enacted to demonstrate the exercises undertaken by the present and the previous government.

To this, Justice Sikri said: "These are all dates, right now we are examining the constitutional validity of Aadhaar Act."

As Justice Chandrachud observed "it took you seven years to enact a law", Venugopal said that the legislation was of 2010 and it took time to do groundwork.