On Day 21 of the Aadhaar hearingsthe Bench allowed the CEO of the UIDAI, Dr Ajay Bhushan Pandey to present his PowerPoint (PPT) presentation on Aadhaar security. The presentation involved a detailed description of the Aadhaar enrolment, updation and authentication processes. The aim was to establish that Aadhaar was not a casual undertaking and measures were in place to ensure security. The Bench raised several questions, particularly on the issue of Aadhaar-based exclusion.
A unique identity is of paramount importance
First, the Attorney General of India continued with his arguments on behalf of the State, continuing to cite excerpts from the World Bank’s Identification for Development Report (the ID4D Report). To establish the need for Aadhaar, he emphasised the paramount importance of a unique identity and its role in eradicating poverty. The ID4D Report, for instance, states that identification enables better communication between the people and the government and plays a crucial role in the access of basic services like healthcare, social and financial services.
Rs 9,000 crore investment in and 52.85 percent returns from Aadhaar
Discussing the set up of the Aadhaar system, he stated that Rs 9,000 crore had been invested by the government in setting up and operationalising the UIDAI. The 2012 cost-benefit analysis conducted by the National Institute of Public Finance and Policy, as quoted in the ID4D Report, was cited, which claims that the investment in Aadhaar would yield returns as high as 52.85 percent (the same NIPFP analysis that was disputed by the economist Reetika Khera as being based on unrealistic assumptions and outdated data).
On being questioned by the Bench, he stated that both Aadhaar enrolment and authentication were completely free of charge, with the aim being to achieve the sustainable development goal via a unique identity by 2030. Pandey later also stated that the cost of Aadhaar itself was less than $1.
Aadhaar is not a casual undertaking
Further, the Attorney General argued that India was leaps ahead of other countries since nowhere else had a huge exercise of enrolling 1.2 billion people been undertaken. He re-emphasised that Aadhaar was not a casual undertaking but had involved a lot of effort. The Bench, to this, said that the huge effort involved does not answer the constitutional challenges to Aadhaar. They further questioned the gap of seven years in enacting the Aadhaar Act, despite the fact that the need for a legislative backing had been felt back in 2009. The Attorney General responded that the planning and effort involved in Aadhaar had resulted in this delay.
Limitations of existing ID systems
The CEO of the UIDAI then commenced his PowerPoint presentation on the security of the Aadhaar security (see PPT here). Pandey’s first statement was with respect to the limitations of existing identity systems. For instance, Voter IDs could not be acquired by children, and acquiring a ration card needed prior identity proofs. Additionally, these cards were region specific and not nationally accepted. Aadhaar, on the other hand, is easy to acquire, nationally verifiable digital identity.
Basic security features of Aadhaar
Commencing with the basic security features of Aadhaar, Pandey stated that Aadhar was a completely random issue, baring no link with the person for whom it was generated. This number would never be re-issued, even after the death of the person. Further, Aadhaar was not linked to citizenship and was accessible even to children and transgender persons. The identity is portable, and it can be acquired and used anywhere in the country. Data sharing, in addition, would not be done without consent. The only exceptions are on the instructions of a district judge or for national security.
Enrolment process requires minimal data
Next, he turned to the process of enrolment. Data collected at this stagehe said, is minimal. This includes name, date of birth, address, gender and biometric information. There was no collection of father’s name or of caste or religion. Even mobile number and e-mail address were optional. He compared this to the huge amounts of data required for an SSN in the US. For instance, acquiring a birth certificate required information even on the kind of pregnancy.
An illustration was also presented on enrolment for persons whose biometrics fail. When questioned on how authentication would happen for such persons, he stated that they had the option of OTPs. In total, he claims that Aadhaar authentication recognises 13 forms, the 10 fingers, 2 irises and an OTP.
Next he explains the biometric exception process and gives example photos for the same. Asserts that always provide for exceptions in appropriate cases and noone will be denied enrolment. pic.twitter.com/Z5kMm2yP2z
— Prasanna S (@prasanna_s) March 22, 2018
Enrolment agencies have high quality and security standards
On enrolment agencies, Pandey stated that these were both public and private, and were subject to very high quality and security standards. They can only be empanelled on the fulfilment of certain criteria.
The 30,000 enrolment agencies in operation thus enable decentralised enrolment, but centralised storage of data. The data with the enrolment agencies, further, is encrypted by 2048-bit encryption. He asserted that this was a far higher level of encryption than the commonly used 256-bit encryption, and is very difficult to crack. Lastly, an audit trail was also in place to ensure traceability of all actors.
Bench questions the deregistration of 49,000 enrollers
Here, the Bench questioned the de-registration of 49,000 enrollers. Pandey cited findings of corruption and improper data collection, along with failure to meet the high-quality requirements. Instances like misuse of biometric exceptions, enrolment of Lord Hanumanand trees were also cited.
Enrolment of infants and children
Next, the enrolment of children, including newborn infants, was discussed. Pandey stated that only photographs of the infants were collected, and the requirement of being a resident for 182 days under Section 2(v) of the Aadhaar Act was overlooked for them. Biometrics, he stated, would be collected only at the age of 5 and then 15. Anganwadi workers were also authorised to act as enrollers for this purpose. When asked by the Bench if parental consent was acquired, he asserted that all legal compliance was taken care of.
Updation of biometric data
The Bench, here questioned how people would know that their biometrics were in need of updation particularly in cases such as bonded labourers and workers. The fact that several Indians are illiterate and not technologically adept was pointed to. To this, it was stated that such person could update their data at an enrolment centre. Details of Aadhaar customer care and locating Aadhaar centres were also shared.
Biometric authentication failure and exclusion concerns
On being asked about how a person would get to know if their biometrics had failed, Pandey stated that they would come to know in case of authentication failure due to biometrics not matching. An error code would be sent to the UIDAI, and the person would be informed. The Bench was unconvinced of this, stating that this might lead to exclusion. To this, circulars instructing agencies that people should not be denied benefits for a failure of Aadhaar authentication were cited. The Aadhaar card, itself, has a QR code, and thus could be used if biometrics didn’t match.
100 percent authentication not possible
The Bench, here, stated that while the UIDAI could be aware of authentication failures through this, they would still be unaware of denial of services. The instance of shopkeepers pilfering food grains citing the failure of biometric authentication was pointed to. Pandey responded that strong measures would be taken against those denying services. He stated that it was important the shopkeepers had been caught, and this would not have been possible prior to Aadhaar.
Further, he stated that 100 percent authentication success was not possible. It may fail on account of several extraneous factors including the breakdown of machinery or lack of electricity.
Foreign companies owning Aadhaar software don’t have access to data
Next, the Bench raised the issue of the Aadhaar software being designed outside India. Pandey responded that only the software for matching biometrics was from foreign companies. The remaining software was developed in India. Further, he asserted that owning the intellectual property in the software did not mean that the company had access to the data. He drew comparisons with banks using SAP or Oracle, and Microsoft owning the intellectual property in Windows.
Authentication data in silos cannot be merged
Returning to the issue of authentication, he stated that only registered devices were used. No biometric data would be shared with the requesting entities. The authentication process itself takes less than a second. More than 4 crore authentications, he stated, were being done per day. Further, purpose, location, and transaction data were not collected. On being asked about metadata collection, he stated that he would get to this later. Information, he stated, remains in silos and merging was prohibited.
The petitioners were asked to submit their questions on the presentation in writing for 27 March.
Sources of arguments include livetweeting of the case by SFLC.in and Prasanna Sand Live Law reports. Link to the presentation here.
Read our past coverage of the on-going Aadhaar Supreme court hearing:
Why SC needs to look into technical evidence of Aadhaar’s surveillance capabilities
Lack of governmental ownership of CIDR’s source code can have serious consequences
Will State give citizens rights only if they agree to be tracked forever, asks lawyer Shyam Divan
Coalition for Aadhaar: A collective of private companies wants to ensure that Aadhaar ID and related services continue to be offered
Petitioners argue on centralisation of data and challenge Aadhaar’s claims on savings
Petitioners argue for a voluntary ID card system that does not collect user data
Petitioners argue that receipt of govt benefits cannot be at the cost of compromising fundamental rights
Aadhaar is architecturally unconstitutional, argue the petitioners
Petitioners argue that Aadhaar violates dignity by objectifying and depersonalizing an individual
Petitioners seek compensation for starvation deaths and extension of March 31st deadline
Section 7 exception in Supreme Court’s interim order greatly affects people’s constitutional rights
Entire Aadhaar project is beyond the stated objectives of Aadhaar Act, argue petitioners
Petitioners conclude their arguments on ‘the number of the beast’ Aadhaar, highlighting various issues
Aadhaar hearing: Political liberties cannot be foregone for economic and social justice, states the Bench
The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.