SC raises concerns over Aadhaar data safety

| | New Delhi
SC raises concerns over Aadhaar data safety

The Supreme Court on Tuesday expressed concern over the safety of data collected under Aadhaar programme, saying data can only be considered secure if there exists a robust mechanism to protect it at the end where this information is collected or at the point where Aadhaar is authenticated. Unfortunately, at present such a mechanism does not exist, the court observed.

Fears of data security forms one of the principal grounds in several petitions filed before the Supreme Court to strike down the scheme. The petioners have also called for scrapping the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016.

To allay these fears, Unique Identification Authority of India (UIDAI) CEO Ajay Bhushan Pandey continued with the presentation showing a four-minute film to show the security apparatus guarding the two UIDAI centres where 1.20 billion citizens’ data is to be stored.

The five-judge Constitution Bench told Pandey that undoubtedly, the data lying in the Central Identities Data Repository (CIDR) of UIDAI is well-protected. However, the Bench said, “Merely protecting data at your end will not suffice unless we have a robust mechanism to protect data at the mirror image end where it gets authenticated. This data is sensitive information about citizens and their biometrics which is commercially profitable data. Unfortunately, we don’t have that system in India.”

Pandey agreed that there is need for securing the other end point where data is authenticated. He informed the court that 27 private entities are involved as authentication user agency (AUA). The Act prescribes for punishment of three years for any misuse or theft of data. But Pandey believed that there is need for stricter laws, which he felt could come within the purview of the Justice Srikrishna Committee on Data Security.

The Bench comprising Chief Justice Dipak Misra, Justices AK Sikri, AM Khanwilkar, DY Chandrachud, and Ashok Bhushan were also alive to the concern of data pilferage at the time when a person enrols for Aadhaar. CJI asked Pandey, “Suppose a man who enrols for Aadhaar and gives his thumb impression, it gets encrypted and stored in your server the moment he presses ‘save’ button. But is there any gap of time till it gets stored for him to do anything with the data.” The Bench said this is crucial as the citizen is entrusting the State with his/her sensitive information.

Justice Chandrachud further gave illustration of how such data can be misused. “Suppose I order pizza and everytime I order, the private entity at other end asking for authentication will know how many times I ordered pizza. He can share this information with the insurance provider who draws up my health profile as lifestyle is an ingredient that will count towards insurance,” the judge said.

Justice Sikri also highlighted a concern on sharing of authentication history that could reveal where and when a person went or visited. UIDAI stores authentication log of last 6-7 months but is not authorised under law to share it with anyone.