Not a single data breach in seven years, UIDAI tells SC

‘Aadhaar numbers in public domain often mistaken as breach from database’

There has not been a single breach in the past seven years in the Central Identities Data Repository (CIDR) that stores and manages data for the country’s Aadhaar project, Unique Identification Authority of India (UIDAI) CEO Ajay Bhushan Pandey told the Supreme Court on Tuesday.

On the second day of his PowerPoint presentation, Mr. Pandey submitted that UIDAI did not “collect emotions, likes/dislikes or pull out data” of individuals. For UIDAI, authentication of Aadhaar details was “purpose-blind.” It had no aggregate record of the purpose, location or details of data of Aadhaar holders.

“We do not collect details of transactions. All we do is see whether a person is authenticated or not... We get a lot of requests from the income tax department. They are under the impression that we have a lot of data. We tell them we do not,” the UIDAI CEO told a Constitution Bench led by Chief Justice Dipak Misra.

Mr. Pandey said “other organisations reveal Aadhaar numbers in the public domain” and this was often mistaken for a breach of the Aadhaar database. He said he had been telling these organisations that “wherever you display Aadhaar numbers in public domain, display only the last four digits... but there are a lot of people who have to get to that mentality.”

Sharing of biometrics

He said “core biometrics” like fingerprints and iris scans were only shared if there was a national security threat. Even this would require consent at the Cabinet Secretary level. “We have not received a single request so far,” Mr. Pandey said.

Sharing demographic Aadhaar details like name, gender, date of birth and place would require the consent of the district judge.

Data may be highly secure in the CIDR, Justice D.Y. Chandrachud observed. But was it safe in the hands of authentication user agencies, which also included private entities?

“There is no point securing the CIDR unless the private operators are equally secured... for this a robust law is required,” Justice Chandrachud said.

He wanted to know whether private operators could sell sensitive customer information as commercially viable data even before they biometrically signed in to ensure traceability and non-repudiation.

Constant improvements

Mr. Pandey said the authentication process was done through the UIDAI software and any unauthorised sharing of personal information at the time of enrolment or authentication would make a person liable to imprisonment for three years under Section 37 of the Aadhaar Act.

He said technology was challenged every day and the UIDAI was constantly engaged in improving the safeguards. He said the UIDAI was working closely with the Justice Srikrishna Committee on the data protection law.