Dr Ajay Bhushan Pandey, CEO of the Unique Identification Authority of India (UIDAI), allays concerns on privacy, surveillance and the linking of Aadhaar to a huge array of services. Excerpts from an interview with Seetha:
UIDAI has always held that the Central Identities Data Repository (CIDR) is the sole repository of biometric data. But the Aadhaar Handbook for Registrars says registrars can retain the biometric data. There are allegations that State Resident Data Hubs (SRDHs) are keeping biometrics which state governments retained at the time of enrolment.
No. When the enrolment happens, regardless of who does it, all the data – biometric, demographic – gets encrypted with a 2048 bit encryption key (which is a very, very high standard). This data comes to us and is out of bounds for everyone. No one gets to keep this.
When the project was in the initial stages, different processes and rules may have been in place. But after the passage of the Aadhaar Act, this is the system - no one has access to the data.
So SRDHs don’t keep this data?
The question of keeping comes only when they get it. They do not get this data.
While UIDAI may be collecting only very basic information, state governments are collecting a lot of extra data under the KYR+ head and this can enable surveillance by security agencies.
But that is also gone. KYR+ was being used much before the Aadhaar Act. There is now nothing called KYR+.
What happens to the data that the SRDHs may have collected?
Individual state governments may have collected information, but today the law is very clear: any information collected will have to be protected and cannot be used for any other purpose other than what has been communicated to the person at the time of collection. The Aadhaar Act also says the identity information cannot be disclosed without the prior consent of the individual. The Act is now applicable on new data as well as old data.
If the Justice Srikrishna Committee, which is working on a data protection regime, comes out with a draft data protection law and this gets enacted, that law will be applicable to the new and existing data. Similarly, the Aadhaar Act applies to the existing data as well.
UIDAI systems may be robust, but can the verification/authentication point not be the source of violation of privacy?
If Aadhaar becomes an identity document or mechanism, there will be certain elements in society which will attempt to misuse it, sometimes use it to commit a crime. What we need to see is whether the Aadhaar system – which will certainly make things harder – will make the process of tracing the crime and criminal easier.
We have been hearing of bank frauds for decades. Earlier people faked signatures; the culprit could not be traced. With internet banking, people hacked passwords and transferred the swindled money into a series of bank accounts which all turn out to be fictitious. When every bank account is verified with Aadhaar, if money is withdrawn fraudulently from one bank account and put in another, then it will be easier to identify, trace and punish the person committing the fraud because the second account is also verified with Aadhaar. This is something we need to consider.
But in Hyderabad, last year there was a case of people downloading Aadhaar numbers and using that to open bank accounts and siphoning off pension money.
But, as per the Prevention of Money Laundering Rules, banks are not supposed to open accounts just on the basis of an Aadhaar number. The bank manager is supposed to get the number and do a fingerprint authentication of the person opening the account. If you don’t do this, then it is not the problem of Aadhaar, it is the problem of their processes. If you don’t follow the instructions properly, if you have a car and don’t drive it properly, and if you are involved in an accident, it is not the car manufacturer who is at fault.
If certain violations have happened, if the processes of that domain or relevant laws have not been followed, then naturally problems will arise. For that, the agency which has been using Aadhaar has to be held accountable, and not Aadhaar.
You are not supposed to open a bank account without a signature. This is not the Aadhaar law, this is the banking law. But if a bank manager opens an account without a person’s consent, that is the responsibility of the senior management of the bank and the concerned organisation which is overseeing banking. They need to address the problem.
But since it is the UIDAI which gets the flak, will you be taking up this issue with the banking and telecom regulators?
This is an ongoing process, we keep telling them this is what you are doing wrong, this is how you should do it and if you don’t you will get into a problem; we issue circulars from time to time.
There have been cases where biometrics were scanned and stored in the device. UIDAI had taken action against Axis Bank, eMudra and Infoserve for doing multiple authentications . . .
Firstly, storing of biometric and replaying it is a serious criminal offence under the Aadhaar Act, inviting three years’ imprisonment. More importantly, technically also this possibility has been checked because we have in May or June brought in this registered device concept. The registered device ensures that biometric gets encrypted at the time of capture and also gets a certain time stamp so it is not capable of being stored or replayed. UIDAI recognises only the encrypted biometric which comes for authentication. Even if he is able to store it, he will not be able to use it because we will understand from the replay that this is a stolen biometric.
Does tokenisation and face recognition add additional layers to this security?
The tokenisation and virtual ID is for enhancing the privacy of the Aadhaar holder. The face recognition, along with other modes of authentication like fingerprint, iris is more for the convenience of people coming for authentication.
In Lucknow, there was the instance of the fingerprint of Aadhaar enrolment operators being cloned and being used to generate fake Aadhaars. Will that no longer be possible?
When there is any large system, people will try to break into it. We will always have to be alive to such threats. Every big IT organisation keeps facing different kinds of vulnerabilities. They assess their vulnerabilities based on a matrix based on their own internal policy. Then they classify the vulnerability into critical, high, medium and low vulnerability and have a policy on how to respond to each of these levels.
Vulnerabilities of various kinds will be attempted and they will continue to be addressed by us. We always need to be ready. But saying that we have made a system that will never be vulnerable in the future, that is something any person responsible for any IT system should not do.
Aadhaar was to be a number, not a card. Now it is a card and photocopies of the card are liberally used. Cards can be faked, signed photocopies (which are susceptible to forgery) are the norm. These may not get detected because not every transaction comes for biometric authentication. Doesn’t this make the original idea of Aadhaar meaningless?
Aadhaar is supposed to be used with authentication. But an individual hiring a household help can’t do authentication, but will need some ID. Generally one trusts and takes the paper ID. Depending on the criticality of your need, you decide whether to accept a paper copy or go for authentication, and if you go for authentication, depending on your need, would you like to go for one fingerprint, multiple fingerprints or in combination with iris scan or one time password and now the face.
For example, for a small value transaction, say, of Rs 200, a simple fingerprint authentication may suffice the banking requirements. That is what Aadhaar Pay is about. But no one is saying that you allow a person to do a transaction of Rs 5 lakh on the basis of a simple photocopy or just a fingerprint. Banks have to decide what is the nature of the transaction and risk involved and then decide what kind of identity authentication will be acceptable as an appropriate risk mitigation strategy. It can’t be a one size fits all approach.
Aadhaar is becoming mandatory for a growing list of activities. Don’t you think this is creating more points of vulnerability? Doesn’t this need to be checked?
It is actually the other way round. Till yesterday I did not know how many people have taken a SIM card in my name, using the paper ID that I have given to the vendor. If the mobile phone connection can be got only with my fingerprint, I am pretty sure nobody else is going to use my identity fraudulently.
But it is going to ridiculous lengths – nursery school admissions. . .
This has nothing to do with the vulnerability of Aadhaar. If two private parties decide to have more trust on Aadhaar, the government does not come into the picture. The good thing about Aadhaar is today it is the most trusted identity in the country. If a person sharing his Aadhaar number thinks this is the best way he can prove his identity without being subject to further questioning and the person he is giving it to is satisfied with just the Aadhaar number, it is between the two parties.
So far as public services like subsidies and welfare are concerned, there are specific provisions under the Aadhaar Act which allow Aadhaar-based authentication. There are cases of impersonation in examinations. If this is the extent of fraud, if that has to be addressed, then people need to understand the context in which the Aadhaar number is being used to strengthen the system.
What if there is coercion - the party who is required to identify himself does not want to share the Aadhaar number but the other refuses to deal with him?
If it is between two private persons/parties then it is between them but such use has to be guided by the Aadhaar Act and Regulations. If someone insists on an ID one trusts it’s solely up to the person/party requiring it and also up to the other person/party who wants to give it or not. But if the trusted ID Aadhaar is required by the Government department or agency, then law has to be followed and Section 7 of the Aadhaar Act comes into the picture [Section 7 says Aadhaar number is necessary to access government subsidies and services].
When private agencies like Skype, Facebook, Amazon use Aadhaar, are there any protocols they need to follow?
I don’t think they are using. They have not come to us.
Our law is very clear – if two individuals/entities want to use Aadhaar as identity proof by mutual agreement or consent, we cannot stop them. If UIDAI has given someone an identity document, how can it stop him from using the document to establish his identity? Now if one person is providing Aadhaar as identity proof and the other is accepting it, they don’t require our permission.
But if they use it, they have to adhere to all the security guidelines under the Aadhaar Act. If they are storing the number, it has to be kept in a certain vault. When you are asking for the Aadhaar number, you have to notify the person what purpose it will be used for and that you will not share his Aadhaar number with someone else. All those obligations will come.
If they want to use our authentication service, there are some guidelines - they have to obtain a licence, follow certain conditions, pay a licence fee. But if they want to use Aadhaar without authentication, they are free to.
Why is there no data on authentication failures?
Today we are a matching agency, if a mismatch has occurred, we do not know if it is a technical problem or if it is deliberate. Therefore, that data is something that is to be viewed in that perspective.
But we have also seen certain agencies where acceptance rate is as high as 98-99 per cent. There are others which have just started work with a lower value of acceptance. It varies from area to area, agency to agency and also time to time.
Is there an acceptable error rate?
We have a reasonable rate. If we make it too loose, it will lead to false acceptance, which is very dangerous. We can’t allow that. We set those limits after a lot of study – we should not be authenticating false persons; at the same time people should not face difficulty.
How much has the Aadhaar project cost the taxpayer?
We have spent around Rs 9,000 crore during the last seven years. We have given Aadhaar to 119 crore people and also have the authentication infrastructure and the maintenance. Every day we are doing between four and six crore authentications. We are also now updating records. The entire cost per Aadhaar card is close to $1. You compare that to any other service that you get in India or abroad. We should also remember these are all technology-intensive systems where the cost is not dependent on the geography.
So you believe Aadhaar is sound, it is alright if other people use it. . .
Not alright, I would expect them to use it properly. They should follow the rules.
(A shorter version of this interview appeared in the February issue of Swarajya magazine as part of a special package on Aadhaar.)