Aadhaar

Final hearing of Aadhaar in Supreme Court – Day 22

Jan: Day 1 (17/1/18)| Day 2 (18/01/18) | Day 3 (23/01/18) | Day 4 (24/1/18) | Day 5 (30/1/18) Feb: Day 6...

· 7 min read >

This post is essentially a compilation of tweets from Gautam Bhatia, Prasanna and SFLC to understand how the Aadhaar hearing happened in the Supreme court.


Day 22: 27 Mar ’18

  • Aadhaar hearing resumes.
  • CEO of UIDAI, Dr. Ajay Bhushan Pandey continues his ppt.
    • He starts by giving a break up of enrolment operators having been blacklisted..classified by reason.
    • Clarifies that operators check individual packets of data received during enrollment.
    • There are 65 operators who are responsible for verifying biometrics he says.
  • Justice DY Chandrachud asks if there has any operator been blacklisted for data breach….such as sharing of data etc.
    • Asks if it is possible for the enroller to make copies of the data before the data is encrypted and sent to CIDR?
  • Pandey says that enroller does not have access to biometrics. it’s collected by UIDAIs software.
    • CEO says only possible when the operator is so qualified to tamper the enrolment client software to capture or share biometric data.
    • Even if someone does it, it is punishable. We have zero tolerance policy.
    • Says now they are phasing out private enrollment agencies and are going to be housed only inside banks and post offices. CEO says they have “directed” the banks.
    • A notification was issued in July that says that 12500 banks and 15000 post offices will become operator agencies.
  • Justice Sikri: That is because you don’t need so many enrollment agencies now. People have already enrolled.
  • Pandey says they are doing it for updation of Aadhaar
    • Continues explaining now Slide 13 on Aadhaar Authentication Services.
    • Explains how CIDR is fully secure and not even connected to internet for security purposes.
    • He wants to demo E-KYC. Demo being set up.
  • Justice Ashok Bhushan asks about UIDAI having to satisfy that no aggregation is possible.
  • Pandey cites 32 (3) that we are prohibited from knowing the purpose anyway.
  • Justice DY Chandrachud asks how many AUAs are private?
    • Pandey says a few dozen AUAs are private.
  • Justice DY Chandrachud asks whether AUAs can record authentication data and share or monetise.
  • Pandey says such sharing is prohibited under section 29(3) of the Act.
    • Section 38(g) also prohibits it. Further there are regulations to prevent such misuse. Regulation 17(1)(d) for example.
  • Justice DY Chandrachud correctly says but they don’t have control. Says there is difficulty and cites the TOI Op-ed today. Probably @ambaonadventure piece.
    • A pizza chain sharing that information with an health insurance provider for instance is a problem! Lifestyle is an important info for the latter.
    • The problem area is that private service providers have a record of authentication requests which can be misused in various ways to profile individuals.
  •  J.Khanwilkar says that the state has to clear the apprehensions of the petitioners wrt to the software of Aadhaar
    • Slightly livid. Asks CEO to not bother them with operational aspects but satisfy them that breaches etc not possible.
  • Pandey says software is secure and there hasn’t been one data leak till date. Tells court to not believe media reports. Denies recent report of breach by ZDnet.
    • Refers to Tribune, the latest Indane breach etc. rubbishes the report by tribune also.
    • Says that now they have made it a standard practice to only display the last four digits of the Aadhaar no., wherever needed.
  • Justice DY Chandrachud says there is no enforceable protection against others even if CIDR is fully secure.
    • The high level of security maintained at CIDR is not maintained at the other end like AUA also. Unless the security at the other end of the spectrum is secured, Aadhaar will be a problem.
  • Pandey physically demonstrates the process of authentication. Shows what all information is displayed. Says location, purpose etc is not showed.
    • The live demo of biometrically withdrawing 100 rupees from an IDBI bank account works. (Against all odds).
    • Slide on auth security. Says that Aadhar based authentication and other services like withdrawal of funds is akin to a walking ATM.
    • Says we continue to make it more and more secure..Details etc.
    • Says debit cards and pin nos. is difficult to use by most people in India. Aadhaar makes it simpler and allows people to be financially included.
    • Explains the security of authentication transactions next. Talks about stqc and UIDAI certified biometric devices, secure channel, biometrics locking, multiple factor authentication. Explains the process of biometrics locking.
    • Says that a person can enter her Aadhaar details on uidais website to check her authentication history. This way she can know if her Aadhaar no.was misused.
    • Discusses authentication meta data elements. Says we have no meta data that reveals anything about an individual such as likes and dislikes. Emphasizes again that location, and purpose of authentication is not collected. Says Geo Code and IP address of Authentication txns are not received by UIDAI.
    • Say UIDAI used to track locations such as GPS coordinates and PIN code earlier…but as per latest api released a few months back, it is no longer captured.
    • Aadhaar is privacy by design.
    • Talks about how core biometric is not shared except for national security. And that no request under that for the last 1.5 year from Govt.
    • Says that the technology and architecture board review the technology of Aadhaar.
    • And security review committee reviews the security of Aadhaar. And refers to Godel Prize winner Prof. Maninder Aggarwal being in SRC.
    • Security is an ongoing challenge and we need to keep upgrading it.
    • Now the 4-minute video on the design of the CIDR data centre shown.
    • Takes the court through the security measures incorporated in the Aadhar infrastructure.
    • Now discusses the privacy safeguards in Aadhaar like virtual I’d, uid token, purpose and use limitation, strict confidentiality, online access to authentication history, biometrics lock, strict punishment under the Aadhaar act.
    • We can make further regulations if there are any concerns related to the security and privacy of the Aadhaar ecosystem.
  • Justice  Sikri: It cannot be ruled out that authentication history will not be shared under section 33.
  • Senior Advocate K.V Vishwanath says it can be shared under section 57 also.
  • Pandey says that till date they haven’t shared data with any other agency.
    • Explains Virtual Aadhaar ID generation.
  • Justice Sikri: How many people will be able to use it? You can’t explain illiterate people to use virtual ID.
  • Pandey says this is just an additional safeguard apart from the act.
  • Bench rises for lunch.
  • Post lunch, CEO of UIDAI, Ajay Bhushan Pandey resumes his PowerPoint presentation on Aadhaar.
  • Justice. Sikri asks if the authentication logs are kept with the authentication/requesting entity. What is the nature of this data?
  • Pandey says that details except biometrics are kept.
    • Draws attention to regulation 17 and 19 on the point that AUAs are not as secure as CIDR.
    • Audits are done on AUAs, and requesting agencies, by UIDAI itself or by an agency appointed by them to ensure smooth functioning of the system.
    • Anil Jain, professor of Michigan state university, and expert on biometrics, was consulted. He suggested multi modal biometrics authentication i.e both iris and fingerprints should be combined for the process of identification and authentication.
    • Says another expert was consulted and he suggested that iris should be used, because fingerprints often don’t work.
  • Judges are of the view that AG should be making such arguments, not CEO of UIDAI.
  • Pandey: Using virtual ID and uid token ensures that databases are not joined. We make distinctions between what agencies require real Aadhaar no. and what agencies do not. For eg. Telecom does not require real Aadhaar no. But income tax does.
  • Judges ask Pandey to submit a note explaining Virtual ID and UID token and how their usage prevents de duplication.
  • Justice Chandrachud asks for a note showing that it is impossible for databases to be linked.
  • Pandey says he will provide the note.
    • Talks about virtual IDs.
    • One Aadhaar holder will have one active VID. An Aadhaar holder can generate a VID at any time, and authentication services must accept it. VID is a random sixteen digit number.
    • UID token is a 72 character alpha numeric string meant only for system usage. For the same resident, different AUAs or KUAs will have different uid tokens. Aadhaar cannot be reverse engineered from the token.
    • Talks about tokens. Different AUA’s will have different tokens for the same customer.
    • Says that through tokens, you can’t combine databases, because they will be different, and you can’t reverse engineer the Aadhaar number from the token. He says it is fully encrypted.
    • Comes to the distinction between Aadhaar and smart cards.
    • There’s no identity theft if Aadhaar is lost. The same cannot be said of smart cards.
    • Says that not all smart cards are offline. They are in addition to centralised authentication.
    • Says that they need a central database to ensure deduplication. He says that you can’t deduplicate with smart cards. He says that for uniqueness, you need one authorising agency.
    • Says that possibility of surveillance with Aadhaar is not there, because they don’t keep any data that can be misused. Surveillance is not possible with CIDR as silos are not merged.
    • Says that the possibility of aggregation is there even with smart cards. Surveillance is possible by smart cards by merging databases.
    • He says that with offline smart cards, it will be very difficult to block in cases of loss or compromise of the card.
    • Says that in Singapore (which Justice Sikri had asked about), there is a smart card with online authentication to enhance security, and not as a replacement.
  • Justice Sikri says that in Singapore, it is mandated to have the smart card, but the information remains with the person.
  • Pandey says that even they have authentication records. He says that Singapore is also planning to move to biometrics.
    • Says that having too much information on the smart card is risky. It’s frozen in time. If a new technology develops, you will have to be replace all cards.
    • Says that changing encryption kept on a smart card from time to time is not possible. Says offline smart card is not a substitute for online authentication.
    • Says that UIDAI can respond to changing circumstances, but you can’t do that for smart cards. He says that for example, UIDAI now requires encryption on the device, so you can’t store biometrics.
  • Justice Chandrachud asks when the UIDAI began doing that. Clarifies about the process of enrollment. Asks if the enroller or requesting entity has access to any data.
  • Pandey: This happened in January and February last year, after working on it for many years, and registered devices were made mandatory from June.
    • Repeats that smart cards can’t work because if technology changes, you have to change all the cards.
    • Says that financial inclusion in India could not take place because people could not use debit cards, but they can use thumb-prints, especially for small transactions.
    • Says that Singapore now wants to follow the example of Estonia and India.
  • Chief Justice of India says that A B Pandey’s submission is that the information is so encrypted that even UIDAI can’t access it.
  • Pandey says that they have the key but not the information.
  • Chief Justice of India says “that’s the same thing.” Ssks whether it is possible for UIDAI to access the information.
  • Pandey says yes.
  • Chief Justice of India asks whether there is any gap of time between putting the thumbprint and the information being sent to the CIDR, during which the Enroller can store it.
  • Pandey says it’s not possible, because it stays within UIDAI’s software.
    • Says that the moment you put it your thumb, it will get encrypted, and will take a billion years to decrypt.
    • Comes to success rates of biometric authentication. shows a graph to illustrate the success rate of Aadhaar based biometric authentication. He shows year wise trends from 2013-18.
    • Says that for government systems that success rate is 88%, for Banks it is 95%, and for Telecom it is 97%.
    • Says it is lower for government because vested interests are spreading misinformation and the media is helping them.
    • Says that they conducted a proof of concept where they visited senior citizens in their homes and found 83% success rates and 90% for iris.
    • Next, ABP shows a graph made on a proof of concept conducted at old age homes in nine different states.
    • He says that from July 1, facial recognition will be used along with fingerprints in order to ensure better authentication – which is even more accurate and will be rolled out soon.
    • Presentation ends.
  • Shyam Divan and KV Viswanathan hand twenty questions over to the bench.
  • Attorney General says that the bench can decide which questions are appropriate.
  • Chief Justice of India says that’s not needed. The bench is reassembling on Tuesday. Pandey can submit written response on Tuesday.
  • KV Viswanathan requests the Court to modify the interim order refusing to extend the deadline for subsidies (section 7).  Fourteen crore forty eight lakh authentication failures have taken place for section 7 benefits and subsidies.
  • Attorney General says that nobody has been excluded. argues that authentication rejections does not tantamount to denial of services.
  • KV Viswanathan says that government’s own data shows 88% success. 12% failure is too high. He repeats the request.
  • Cheif Justice of India refuses to give an extension on the issue of mandatory Aadhaar for welfare and subsidies (section 7 benefits) from 31 March.
  • Bench is rising half an hour early.

Aadhaar – The Conclusion

in Aadhaar
  ·   7 min read

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.