The intensive discussion between the Supreme Court and the CEO of the Unique Identification Authority of India on recent Aadhaar-related data leaks could result in the court recommending that the Ministry of Law and Justice make amendments to the Aadhaar Act and direct the UIDAI to build a far more robust security framework.
Following recent reports of many Aadhaar-related breaches, the Supreme Court earlier this month issued a ruling that linking Aadhaar numbers to bank accounts, payment cards and mobile phones cannot be mandatory until security issues were adequately addressed.
Hopefully the court will take action to recommend amendments to the Aadhaar Act to ensure it clearly articulates security and privacy clauses.
The Supreme Court indefinitely extended the March 31 deadline for Aadhaar linkage until the constitution bench delivered a judgement on the matter (see: Analysis: Supreme Court Ruling Against Aadhaar Mandate ).
The apex court has asked for proof from UIDAI, which handles over 1.2 billion citizen's data under Aadhaar, that its security measures are adequate.
Last week, the court summoned Aadhaar project head Ajay Bhushan Pandey, CEO of UIDAI, to conduct a presentation in a courtroom presided over by a five-judge Constitution Bench led by Chief Justice of India Dipak Misra.
Pandey, in his hour-long presentation, argued that Aadhaar data was adequately protected by a 2048-bit encryption which is stored at the central server.
Critics and the court, however, question why the data was accessible in recently publicized Aadhaar data leaks.
Security Lapses in Aadhaar
While Pandley has dismissed news reports about Aadhaar data leaks, calling them "irresponsible" because they were based on reports of "a few Aadhaar cards reportedly put on the internet by some unscrupulous elements," the judges demanded answers on security lapses and reasons for data leaks.
In the wake of the data leaks, UIDAI seems to have blacklisted 49,000 of its data operators in its enrollment centers back in September for corruption, carelessness and harassment of the public and no longer outsourcing its services to them.
And during the course of his presentation, Pandey seemed to admit that there have been security lapses and lacunae in the Aadhaar system and said the operators were blacklisted because they deliberately entered wrong data.
Pandey also admitted that that UIDAI cannot promise 100 percent authentication in establishing the credentials of the user or a transaction, due to connectivity and other technological issues in the country. So he also recommended that further authentication steps be established using demographics and an electronic one-time PIN as an alternative mechanism.
Pandey contended that UIDAI's licensed software developed by three top companies and used for logging the data is secure and confined to UIDAI's server. Plus, it's not integrated with the internet server to help limit access.
But if that setup, and the encryption used, is truly sufficient, then how did the French researcher who goes by the names Elliot Alderson and Baptiste Robert) allegedly access Aadhaar-related data of the Telangana State Postal Service and telecom provider BSNL? (See: Data of 47000 BSNL Employees Exposed)
Once UIDAI completes its presentation, hopefully the court will then take action to recommend amendments to the Aadhaar Act to ensure it clearly articulates security and privacy clauses.