In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and the linking of services to this programme were yet to be adjudicated upon.
The final hearing commenced on January 17, 2017. Summaries of the arguments advanced in the previous hearings can be found here.
Mr. Ajay Bhushan Pandey, the CEO of the Unique Identification Authority of India (UIDAI), resumed his presentation. He began with a discussion on the enrollment operators. Justice Chandrachud asked if it is possible for the enrollment agencies to make copies of the data before it is encrypted. Mr. Pandey responded that they do not have access to biometrics as it is collected by UIDAI software. Justice Chandrachud asked if any of the operators have been blacklisted on the grounds of data breach. Mr. Pandey responded that it would be possible only if the enrollment operator is qualified enough to tamper with the enrolment software, and further pointed out that in the event it happens, it is punishable. He further stated that private enrolment agencies are being phased out and that only banks and post offices will be allowed to perform it.
He also highlighted that the central authentication server is not connected to the internet to ensure security of the data.
Justice Bhushan asked if UIDAI is capable of aggregating the data. Mr. Bhushan responded that s.32(3) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act) prohibits them from knowing the purpose of authentication.
Next, Justice Chandrachud asked if authentication agencies could be private and if they could store the authentication data and share it. Mr. Bhushan responded that such acts are prohibited under s.29(3) and 38(g) of the Act and Reg.17(1)(d) of the Aadhaar (Authentication) Regulations, 2016. Justice Chandrachud rightly pointed out that the private authentication agencies have a record of the authentication requests even if the UIDAI does not and that it can be misused to profile individuals.
Justice Khanwilkar asked Mr. Bhushan to not discuss the operational aspects in great detail but to clear the apprehensions regarding the Aadhaar software. Mr. Bhushan, however, responded that the software is secure and that there has not been a single data breach till date, and requested the court to not believe the media reports. He further stated that the breaches that have occurred are not of UIDAI’s database. Justice Chandrachud interjected that there is no enforceable protection that is available against other databases even if the Central Identities Data Repository (CIDR) is completely secure. He also pointed out that unless the high level of security maintained at the CIDR is implemented at the authentication agencies as well, it would be problematic.
Next, Mr. Pandey accessed his authentication history from the UIDAI website and pointed out that information such as location and purpose is not available. He also stated that the provision to access the authentication history allows a person to figure out if his Aadhaar number has been misused.
Next, he successfully demonstrated the withdrawal of Rs.100 from an IDBI bank account using biometrics and said that it is similar to a walking ATM. He mentioned that most people find it difficult to use debit cards and PIN numbers and that Aadhaar therefore makes it simpler, thereby enabling people to be financially included.
He continued to further explain how secure the whole process of authentication is. He stated that the UIDAI no longer collects the Geocode and IP address of authentication. He also stated that a standard practice has been established to display only the last four digits of the Aadhaar number wherever necessary. He further stated that the Aadhaar architecture ensures privacy, reiterated that biometrics are not shared except for the purpose of national security, and pointed out that no such request has been received from the government so far.
Next, he discussed the authentication metadata elements and said that UIDAI does not collect metadata elements that would enable profiling of individuals. He reiterated that the location and purpose of authentication are not collected.
Next, Mr. Pandey screened a short film on security measures available at the data centres.
Then, he discussed the privacy safeguards built into the Aadhaar infrastructure, such as virtual ID, UID token, purpose and use limitation, online access to authentication history, and biometrics lock. He stated that further safeguards could be adopted if there are concerns regarding the privacy and security of Aadhaar data. Justice Sikri interjected and pointed out that illiterate people cannot be expected to use virtual ID. Mr. Pandey responded that it is just a safeguard in addition to the Act.
Next, Justice Sikri asked if authentication agencies and requesting entities store the authentication logs. Mr. Pandey responded that they store the details except the biometrics. He further mentioned that these agencies are audited either by the UIDAI itself or by an agency appointed by them to ensure smooth functioning of the whole system.
Mr. Pandey next stated that experts have advised the use of multimodal biometric authentication, such as a combination of iris scan and fingerprints, for identification and authentication, as they are of the opinion that fingerprints might not work in all instances. The bench responded that such arguments should be made by the Attorney General and not by the CEO of the UIDAI.
Next, Mr. Pandey submitted that the use of virtual ID and UID tokens helps in ensuring that the databases are not combined. He distinguished between agencies that require the real Aadhaar number, such as the income tax department, and those that do not, such as telecom.
The bench asked Mr. Pandey to submit a note explaining the architecture of virtual ID and UID tokens and how they help in preventing de-duplication. Mr. Pandey agreed to the same and further explained that the UID token is a 72-character alphanumeric string generated for system usage. He pointed out that different authentication agencies will have different UID tokens, thereby making it impossible to identify the Aadhaar number through reverse engineering.
Mr. Pandey distinguished between Aadhaar card and smart card. He said that uniqueness might not be possible in case of smart cards as one person could have multiple smart cards with different identities and same biometrics. In furtherance of this submission, he stated that a central database of biometrics is therefore important to ensure uniqueness. He also stated that identity theft does not occur even if the Aadhaar card is lost whereas it is possible in case of smart cards. Next, he submitted that surveillance is not possible with CIDR as silos of information are not combined whereas it can be performed in case of smart cards by merging databases.
Referring to the smart card system used in Singapore, Mr. Pandey stated that storing a lot of information on the smart card is not a great idea. He further pointed out that changing the encryption on a smart card from time to time is not feasible and stated that offline smart cards cannot substitute online authentication.
Next, the CJI asked if there is any scope for misuse of data by the enrollment agency or requesting entity. Mr. Pandey responded that the data is encrypted and sent to the CIDR and during the time gap between entering the fingerprint and encryption of the same, the data is captured in the UIDAI’s software and therefore there is no scope for misuse.
Mr. Pandey concluded his presentation by showing a graph depicting the success rate of Aadhaar authentications from 2013-2018 and reiterated that from July 1, 2018 facial recognition will be used along with biometrics to ensure better authentication.
The petitioners submitted a list of questions based on the presentation, which the state will have to answer during the next hearing.
The petitioners also requested the bench to extend the deadline for s.7 benefits in light of the fact that fourteen crore forty eight lakh authentication failures have taken place. The state responded that authentication failures do not amount to denial of services. The CJI refused to grant an extension.
The hearing will continue on April 3, 2018.