100% Aadhaar Authentication Success Not Possible, Admits UIDAI CEO
Ajay Bhushan Pandey, the CEO of the Unique Identification Authority of India (UIDAI), made a presentation on Aadhaar before a Supreme Court bench at 2:30 pm on Thursday, 22 March. During the presentation, Pandey said that 100% success of Aadhaar authentication for availing various public benefits is not possible because many variables, like connectivity, malfunctioning machines, etc., come into play.
He claims, however, that the Aadhaar Act, 2016, and regulations made under it have sufficient safeguards to prevent people from being denied essential services.
The five-judge constitution bench headed by Chief Justice Dipak Misra viewed the presentation at the request of the Attorney-General KK Venugopal, who is arguing before them that the Aadhaar scheme is constitutionally sound.
The presentation is meant to explain the technological framework for Aadhaar, and thereby demonstrate that there is no risk of exclusion, and the biometric and demographic data of people collected at the time of enrolling for Aadhaar is secure.
Need for Aadhaar and Emphasis on Security
Pandey began by arguing that Aadhaar was needed because of the lack of nationally accepted forms of identification. Even where there was a reliable form of identification, this was limited in some way. For instance, voter ID cards could not be given to children.
The Aadhaar project was meant to address this. According to Pandey, it is a matter of pride that the process allowed them to ‘leapfrog’ from a time when there was no form of identification straight to electronic IDs, without having to set up paper IDs in between.
Pandey also tries to establish that from the start the project recognised that it couldn’t be intrusive, and it needed to have high security. Only very limited demographic information is collected from a person, not including anything sensitive like religion or caste, and even when it came to biometrics, there were exceptions for those whose biometrics couldn’t be captured.
Justice Chandrachud intervened at this point to ask what the procedure is for someone who needs to exercise the biometric exception, to which Pandey responded that a One Time Password (OTP) can instead be used for enrollment.
He continued by explaining how secure Aadhaar is. There are 13 modes of Aadhaar authentication: 10 fingers (fingerprint scanning), 2 eyes (iris scanning) and lastly the OTP. He further explained that the security of the data behind Aadhaar identification has a 2048-bit encryption system and hence is not easy to crack. According to him, even the most powerful supercomputer in the world would need more time than the life of the universe to break the encryption.
Concerns About Safety of Data Captured on Enrollment
Justice Sikri referred to the arguments of the petitioners where they had argued that the data wasn’t secure when it was captured, or before it was transmitted to the UIDAI database. Pandey insisted that this was not possible as all machines used by the enrollment agencies have Standardisation Testing and Quality Certification (STQC) and that the software running on them is provided by the UIDAI itself.
This answer did not satisfy Justice Sikri, who pointed out that the UIDAI had terminated the contracts of 49,000 enrollment operators. Pandey insisted that the terminations occurred because the operators were charging money to enroll people, or were capturing incorrect demographic data (such as those who registered a tree and the god Hanuman for Aadhaar). The judge remained skeptical that this would account for all 49,000.
Pandey noted that the UIDAI used to rely on private operators earlier to enroll large numbers of people quickly, but after the issues mentioned above and misuse of the biometric exception, this is no longer the case. The government has decided that Aadhaar enrollments from now on will only be conducted in banks, government offices and post offices.
The UIDAI CEO also explained to the judges what needs to be done in the case of an Aadhaar database mismatch. “A circular was issued yesterday (21 March), which said that if a person's authentication through biometrics does not happen, then he shall not be denied benefits for that reason,” he said.
Questions Over Enrollment of Children
Pandey showed a photo of enrollment of various people, then mentioned that even newborn children in hospitals were being enrolled.
Pandey also said that even infants can have Aadhaar, and that the UIDAI doesn’t check for the 182-day residence limit. For children, he said, even Anganwadi workers can double up as Aadhaar enrollment operators, with enrollment done at schools.
Justice Chandrachud pointed out that this contradicted the UIDAI’s statements to the World Bank that no children below the age of 5 were enrolled for Aadhaar. Justice Sikri questioned how enrollments were done at school since parental consent would be required. Pandey hurriedly answered that all legal compliance was taken care of.
Updates and Issues With Authentication
The issue of children led to the question of what needs to happen when Aadhaar information needs to be updated later, as Aadhaar for children is reliant on information about their parents. Fingerprints also change with age, which has been a problem for the elderly. Failures of biometric identification were a key part of the petitioners’ arguments.
Pandey claimed that updates were possible, and in fact, if a person's biometrics don't match the Aadhaar database, an error code is sent to the UIDAI, which will prompt the person to update their data.
Justice Sikri asked how people were to avail of services when there was an authentication failure, till such time as their information was updated. Pandey argued that section 7 of the Aadhaar Act 2016 and regulation 14 of the Authentication Regulations 2016 allowed for alternative forms of authentication to be used, so that no person could be denied some service/benefit in case of an authentication failure. He also pointed out that the Aadhaar card itself had a potential fix for such situations.
Pandey asserted that no denial of services can take place since the UIDAI receives error reports whenever an authentication failure happens. Justice Chandrachud pointed out that the error reports would only let them know that authentication had failed, not whether a denial of service had happened.
When Pandey insisted that they would take a strong view in case any official denied a service because of Aadhaar, Justice Chandrachud asked whether they even had any official data on denial of service. Pandey indicated that no such data existed.
Justice Sikri raised another question at this point, about how the concerns over welfare leakage could not be addressed even with Aadhaar since shopkeepers could appropriate the grain even after authentication. Pandey referred to one such incident in Jharkhand and said that this was not something the UIDAI or Aadhaar was responsible for — in fact, such incidents could now be caught unlike previously.
It was at this point that the issue of 100% success of authentication was brought up, as the petitioners had submitted detailed affidavits about exclusion in Jharkhand and other areas. Pandey admitted that 100% success was not possible, whether because of technological failings, connectivity issues, or failure to read biometrics. However, he insisted that the law ensured this would not prejudice any person in such a situation.
Concerns Over the Technology
Pandey proceeded to discuss the technology and process for enrollment in detail. He claimed that the entire software had been developed in India.
Justice Khanwilkar pointed out that the petitioners had specifically raised concerns about elements of the software coming from abroad, for which the UIDAI did not have the source code. Pandey insisted that only the biometric match software is licensed from foreign companies, and that too the world’s leading companies in that field.
He claims that it comes from the best in the industry, stating that the data centre consists of 6,000 servers, which according to him is more than enough for the country's needs.
Further defending the software, Pandey gave an example of banks, saying that just because banks use SAP or Oracle, it does not mean they give data to these partners.
He further made the point that once the data goes into the Central Identities Data Repository (CIDR), it cannot be shared with anyone.
Pandey was forced to end for the day while saying that the UIDAI does not collect details about the location, purpose and details of the transactions. Justice Chandrachud asked him about metadata collection, which Pandey said he would address later.
The presentation will continue on Tuesday, 27 March 2018.
The presentation by the UIDAI chief comes after Attorney General KK Venugopal had told the apex court on Wednesday that the UIDAI intends to show that the data was safe from any kind of exposure.