Govt’s Confidence Aside, How Safe Are Your Aadhaar Biometrics?

The question is: who does one go to if personal identifiable information is leaked, if biometrics are compromised?


This is an exclusive excerpt from Aadhaar: A Biometric History of India’s 12-Digit Revolution (Westland, July 2017) by senior journalist Shankkar Aiyar. The excerpt was published in Bloomberg Quint and has been republished with permission.

The biometric and demographic data of over one billion Indians are in the vaults of the Central Identities Data Repository (CIDR). There are two issues at play here — the security of the core biometric and demographic data in CIDR, and the security of data with the government, with various departments, which is characterised as personal identifiable information.

How safe is the biometric data? How safe is CIDR from hacking? Both the UPA and now the NDA governments have consistently maintained that data in the CIDR vaults is safe. Nandan Nilekani asserts there is no question of the data being hacked. “Show me even one instance of data theft. Aadhaar is very, very secure,” he says confidently.


Eternal Vigilance is the Price for Digital Convenience

This confidence stems from the technical aspects of encryption. The biometric data, UIDAI claims on its website, is encrypted using the ‘highest available public key cryptography encryption (PKI-2048 and AES-256) with each data record having a built-in mechanism to detect any tampering’.

And how good is that? Bruce Schneier, author of Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World and fellow at the Berkman Center for Internet and Society at Harvard Law School and an expert on computer security and cryptography says, “The algorithms are fine. They are excellent choices.” Cryptography algorithms, he adds, “are, by far, the strongest link in any security chain.”

He cautions that an attack against a system is more likely to exploit vulnerable areas — in the software, or the implementation, or the underlying computer or user interface.
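To make concrete what "AES-256 with a built-in tamper-detection mechanism, keyed under 2048-bit public-key cryptography" looks like in practice, here is an added illustration in Go; it is not UIDAI's code, and it assumes AES-GCM for the tamper check and RSA-OAEP for wrapping the per-record key, neither of which the text specifies. Schneier's point shows up in the comments rather than the ciphers: the algorithms are sound, but a repeated nonce or a mishandled private key would undo them without any weakness in AES or RSA.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Record is a constructed stand-in for one stored record: a per-record AES-256
// key wrapped under RSA-2048 (OAEP), plus the AES-GCM nonce and tagged ciphertext.
type Record struct{ WrappedKey, Nonce, Ciphertext []byte }

// Seal encrypts under a fresh AES-256 key and wraps that key with pub.
func Seal(pub *rsa.PublicKey, plaintext []byte) (Record, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Record{}, err
	}
	key, nonce := buf[:32], buf[32:] // a nonce must never repeat under one key
	block, _ := aes.NewCipher(key)  // cannot fail: key is exactly 32 bytes
	g, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Record{}, err
	}
	return Record{wrapped, nonce, g.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open unwraps the key and verifies the GCM tag: any changed byte is an error.
func Open(priv *rsa.PrivateKey, r Record) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, r.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // rejects an unwrapped key of bad length
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, r.Nonce, r.Ciphertext, nil)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	rec, _ := Seal(&priv.PublicKey, []byte("constructed sample record"))
	rec.Ciphertext[0] ^= 1       // flip one bit of the stored ciphertext
	fmt.Println(Open(priv, rec)) // prints: [] cipher: message authentication failed
}
```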

In short, one can never be too sure given the speed at which technology is evolving – particularly in computing power and in artificial intelligence. Threat perceptions are fluid. In 2016, the US National Security Agency shifted to, and recommended, a higher level of encryption (RSA 3072 with AES 256). Eternal vigilance is the price for digital convenience, just as it is with democracy.

The question which people want an answer for is: who does one go to if personal identifiable information is leaked, if biometrics are compromised?

No Specific Legal Provisions in Case of Data Breach

In a signed article titled ‘The Aadhaar We Deserve’, Rajeev Chandrashekhar points out, “Unfortunately the Aadhaar Act and accompanying regulations place no accountability on UIDAI to protect the database of citizens’ personal information and are silent on the liability of the UIDAI and its personnel in case of non-compliance.”

Vrinda Bhandari, an advocate, and Renuka Sane, a researcher at the Indian Statistical Institute, found in their analysis ‘Is Aadhaar grounded in adequate law and regulations?’ that while notifying the regulations, multiple aspects were left to be ‘specified by the authority’. “Through the four substantive regulations, the phrase ‘specified by the Authority’ has been used 51 times.”

The fog on accountability must be cleared. Section 47 of the Aadhaar Act 2016 says, “No court shall take cognisance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.”

Does this mean the individual has no power even to initiate proceedings and has to depend on the Authority to initiate criminal proceedings? Is the provision to file a regular First Information Report under the Indian Penal Code enough?

The road ahead must be cleared by recognising the right of the sovereign, the people, to seek redressal. Justice cannot be hostage to systemic flaws and apathy. Perhaps Section 47 was framed as a transitory measure as UIDAI transitioned from executive to statutory status. It is necessary for government to review this provision and restore the right to seek justice.

The law must specify who is to be accountable, where the buck stops.

Furthermore, data leakage and identity theft must fall under real-time disclosure, and a mechanism for speedy redressal and options for compensation must be enshrined in law. And what if biometrics are indeed stolen? Life cannot grind to a halt. There is a need to work on Plan B – either an option to opt out or an alternate mechanism.


The Right to Privacy

The primary question that arises in the digital trail of Aadhaar is that of the right to privacy. There clearly is a need for a law in India that safeguards the privacy of individuals. Apart from the discourse about the Orwellian state – those who lived through the Emergency years know a bit about that – there is also a sense of vulnerability as individuals are drawn, even pushed, into the connected world, into digitisation.

The preamble of the Aadhaar Act of 2016 describes it as ‘An act to provide for, as a good governance, efficient, transparent, and targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India, to individuals residing in India through assigning of unique identity numbers to such individuals and for matters connected therewith or incidental thereto.’ Arguably any activity of the government paid for from the Consolidated Fund of India – ranging from supply of subsidised grains and LPG, to use of roads and civic amenities, and even, at a stretch, rebates to tax payers – could come under such an umbrella.

The Attorney General has asked in the Supreme Court whether privacy is a fundamental right. The government’s chief lawyer has also stated that ‘The concept of absolute right over one’s body was a myth and there were various laws which put restrictions on such a right’. The contention is borne out by previous judgements, as also by some laws that impinge on the concept of absolute right over the body. But the question remains, about the safety of roughly 3 MB of human biometrics and about the privacy rights of the person who is identified by it.

Preceding and following the fears of data protection, and in the absence of a privacy law, is an unstated question:

Can the Aadhaar platform be converted into a snoop stall?

And a possible counter question:

Does the government need Aadhaar in order to snoop on its citizens?

(Shankkar Aiyar, political-economy analyst, is the author of Accidental India: A History of the Nation’s Passage through Crisis and Change. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for the same.)
