Mr Ajay Bhushan Pandey, the CEO of UIDAI continued his presentation from the previous day of hearing (22nd March 2018).
Mr Pandey began by giving a break-up of all the enrolment operators having been blacklisted with reasons. Justice Chandrachud asked if any operator has been blacklisted for data breaches. Mr Pandey responded that such a breach is only possible when the operator is 'so qualified' that he can tamper with the enrolment software to capture and share biometric data. If someone manages to do so, it is punishable. He added that the UIDAI is now phasing out private enrollment agencies. Enrolment will be carried out only inside banks and post offices. A notification was issued in July that says that 12,500 banks and 15,000 post offices will become operator agencies.
Next, Mr Pandey asserted that the CIDR is fully secure as it is not connected to the internet.
At this point, Justice Ashok Bhushan enquired if the UIDAI could convince the Court that data aggregation was not possible. Mr Pandey responded that under Section 32 (3), the UIDAI is prohibited from knowing the purpose of the authentication, implying that this meant that there was no possibility of aggregation.
Section 32(3) reads:
The Authority shall not, either by itself or through any entity under its control, collect, keep or maintain any information about the purpose of authentication
Justice Chandrachud asked how many authorised user agencies (AUAs) are private, and pointed out that the AUA has a record of how many times an authentication request was made even if the UIDAI doesn't. He pointed out that parting with that data is a commercially profitable enterprise. The data is prone to be misused by private sector AUAs. Mr Pandey responded that this is prohibited under Section 29(3) and Section 38(g) of the Aadhaar Act. Further, there are regulations to prevent such misuse.
Section 29(3) reads:
No identity information available with a requesting entity shall be— (a) used for any purpose, other than that specified to the individual at the time of submitting any identity information for authentication; or (b) disclosed further, except with the prior consent of the individual to whom such information relates.
Section 38(g) reads:
Whoever, not being authorised by the Authority, intentionally,—
(a) accesses or secures access to the Central Identities Data Repository;
(b) downloads, copies or extracts any data from the Central Identities Data Repository or stored in any removable storage medium;
(c) introduces or causes to be introduced any virus or other computer contaminant in the Central Identities Data Repository;
(d) damages or causes to be damaged the data in the Central Identities Data Repository;
(e) disrupts or causes disruption of the access to the Central Identities Data Repository;
(f) denies or causes a denial of access to any person who is authorised to access the Central Identities Data Repository;
(g) reveals any information in contravention of sub-section (5) of section 28, or shares, uses or displays information in contravention of section 29 or assists any person in any of the aforementioned acts;
(h) destroys, deletes or alters any information stored in any removable storage media or in the Central Identities Data Repository or diminishes its value or utility or affects it injuriously by any means; or
(i) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used by the Authority with an intention to cause damage,
shall be punishable with imprisonment for a term which may extend to three years and shall also be liable to a fine which shall not be less than ten lakh rupees
Justice Chandrachud was not convinced. He pointed out that a pizza chain sharing information of a person buying a pizza with a health insurance provider is a problem for the insurance holder, as the person's lifestyle is important information for the latter. Justice Khanwilkar was also not satisfied with the responses of Mr Pandey and asked him to convince them that breaches are not possible, instead of concentrating on operational features of Aadhaar. Justice Chandrachud added that there is no enforceable protection even if the CIDR is fully secure. Mr Pandey said that the breaches that may had occurred so far had not been of UIDAI's databases.
Mr Pandey then spoke on the security aspects of the data. The UIDAI has no metadata that can reveal anything about an individual. He said that the Geo Code and IP address of Authentication is not received by the UIDAI. The UIDAI previously tracked locations through GPS coordinates and PIN code but it is no longer captured. He claimed that the 'Aadhaar is privacy by design'. Core biometric data is not shared except in cases of national security. He reiterated that the government has not requested any data in the past one and a half years. This was followed by a 4-minute video on the design of the CIDR data centre.
Mr Pandey denied data breaches and leaks. He said that the software is secure. Justice Chandrachud pointed out that the high level of security maintained at CIDR is not maintained at the other end (such as by the AUAs). He said that unless the other end (i.e. AUAs) is secured, Aadhaar will be a problem. Mr Pandey physically demonstrated the process of authentication to show the information that is displayed. He showed that the location, purpose etc. are not visible. He compared the Aadhar based authentication to a walking ATM. He contended that most people do not know how to use debit cards and pin numbers. Aadhaar makes it simpler and allows people to be financially included. He added that a person can enter his Aadhaar details on the UIDAI website and check his authentication history, and will know if his Aadhaar number has been misused. He added that further regulations can be made if there are any concerns related to the security and privacy of the Aadhaar ecosystem.
Here, Justice Sikri pointed out that one could not rule out the possibility of authentication history being shared. Mr Pandey responded that the UIDAI has not shared data with any other agency till date. He added that the Virtual Aadhaar ID generation is an additional safeguard against privacy concerns. Justice Sikri wondered how the UIDAI expected illiterate people to know how to use this mechanism. Thereafter, the Court rose for lunch.
Post lunch began with Justice Sikri asking if the authentication logs are kept with the authentication/requesting entity. Mr Pandey responded that all details except biometrics are kept with the requesting entity. AUAs are also audited by the UIDAI or by an agency appointed by them. Mr Pandey stated that Prof. Anil Jain, Michigan State University, who is an expert on biometrics, has suggested multi-modal biometric authentication (that is, combining iris and fingerprints for the process of identification and authentication). Another expert has suggested that iris should be used because fingerprints often do not work. The judges felt that these arguments should be made by Mr K K Venugopal and not the CEO of UIDAI.
Mr Pandey then stated that the virtual Aadhaar ID and UID token ensure that databases are not combined. Some agencies require 'real' Aadhaar number and some agencies do not. For instance, telecom companies do not require a real Aadhaar number but the income tax department does. The Bench asked Mr Pandey to submit a note explaining Virtual Aadhaar ID and UID token and how their usage prevents de-duplication. Mr Pandey responded that a UID token is a 72 character alpha-numeric figure meant for system usage. For the same resident, different AUAs or KUAs will have different UID tokens. The Aadhaar number cannot be reverse-engineered from the UID token.
He then distinguished between an Aadhaar card and a smart card. He said that a central database of biometric information is important to ensure uniqueness. Uniqueness may not be protected in the case of a smart card, and one person can have multiple cards with different identities and same biometrics. Moreover, there is no identity theft if Aadhaar card is lost, but the same cannot be said of smart cards. He assured the Court that surveillance is not possible by CIDR as the information silos are not merged, but surveillance is possible by smart cards by merging databases. He said that keeping too much information on a smart card is not a good idea, and replacing the system of smart cards with a better technology in the future would be a huge effort. Further, the encryption on a smart card cannot be changed from time to time. In short, an offline smart card is not a proper substitute for online authentication.
Chief Justice Misra asked if the enrolment or requesting entities can access any data. Mr Pandey said that data is encrypted and sent to the CIDR and thus cannot be misused. The petitioners submitted a list of questions to the Court and the respondents, based on this presentation. The Union will answer the questions on Tuesday. Next, the petitioners requested the Court to extend the deadline for benefits under Section 7, as 14,08,00,000 authentication failures have taken place in availing benefits and subsidies under this Section. The Union argued that failure of authentication was not tantamount to the denial of services. The Bench refused to give an extension for submitting Aadhaar details to avail benefits under Section 7.
With this, the 22nd Day of arguments concluded. The next hearing will be on 3rd April 2018.