UIDAI’s post-dated cheque
THE Unique Identification Authority of India (UIDAI) wishes to add more safety features to Aadhaar from March 1. By then, the Supreme Court will either be hearing or would have completed the hearing in the Aadhaar case.
Ahead of the hearing of the Aadhaar case by the Constitution Bench, the UIDAI had issued two circulars on the subject of implementation of face authentication and limited KYC for enhancing privacy of UID/Aadhaar holders. Both the circulars were issued after it was established beyond any reasonable doubt that Aadhaar, “the permanent ID for life”, has been compromised.
The UIDAI has admitted that “there is need to provide a mechanism to ensure its continued use by the Aadhaar number holder while optimally protecting the collection and storage of Aadhaar number itself in many databases”. The fact is that its sub-optimal performance has become part of folklore by now. That both the circulars were issued almost nine years after the establishment of the UIDAI amounts to a confession about security of the Central Identities Data Repository (CIDR).
The penultimate paragraph of the circular on the implementation of face authentication states that the UIDAI will release necessary application programming interfaces from March 1.
All Authenticated User Agencies (AUAs)/e-KYC User Agencies (KUAs) are required to make the necessary changes in their authentication system for use of Virtual ID, UID Token and Limited KYC so as to start using it from March 1.
By June 1, all AUAS/KUAs are required to fully migrate to the new system, failing which their authentication services may be discontinued and financial disincentives may be imposed.The circular makes a reference to “Virtual ID” (VID) of 16 digits, which can be used as a substitute for the UID/Aadhaar number. The fact remains that UID/Aadhaar is also a 16-digit number like the VID, but in case of the former, four digits are hidden from public view.
The Parliamentary Standing Committee on Finance found that the UIDAI did not go for any comparison with the pre-existing identification systems in India, like the well prevalent 10-digit voter ID (VID) number. Instead of burdening Indians with one more VID, it makes eminent sense to undertake a comparison between UID/Aadhaar and the old VID (voter ID) that gives legitimacy to all elected legislators and governments.
It is apparent that all these changes are proposed to happen either through the hearing or after the hearing in the UID/Aadhaar case. The issuance of this circular ahead of the upcoming hearing is akin to the issuance of a post-dated cheque aimed at persuading the court that the UIDAI may have erred in claiming the CIDR to be safe and secure in the past; but now it proposes to do some damage control.
This step is just a hollow post-disaster activity, wherein it wishes to be seen to be doing something to secure all those Indian residents who are not yet part of the CIDR database of 119 crore people.The signatory to both the circulars was Assistant Director General under Finance and Authentication and Updation Process Division, when Nandan Nilekani was the UIDAI Chairman. In this role, he used a private email which is still available on the blog of the UIDAI. Someone entrusted with personal sensitive information of present and future generation of India should have abstained from using a private email.
The controversy surrounding the use of private email account by Hillary Clinton as “a matter of a convenience” disregarding the advice of technology experts is salutary. In fact, US’ Cyber Intelligence Sharing and Protection Act permits the exchange of electronic information between Internet Service Providers and the US government. The last paragraph of the January 10 circular refers to Regulation 14 (n) and 17 (g) of Aadhaar (Authentication) Regulations, 2016.
The relevant provisions have made compliance with contractual terms issued by the UIDAI mandatory as part of obligation on the part of requesting authorities in relation to the use of identity information.But the factual position is that transnational companies like L-1 Identity Solutions Operating Company of Safran Group, Accenture Services, Ernst & Young and others can keep the data of Indian residents for at least seven years “as per Retention Policy of Government of India or any other policy that UIDAI may adopt in future”. These agreements are part of efforts by the UIDAI to implement UID/Aadhaar number scheme and related schemes.
Thus, it is quite clear that these regulations framed under the Aadhaar Act are subservient to the contractual agreements, whereby law has been made subordinate to commercial contracts with impunity. These circulars are aimed at diverting the attention of the judges whose pronouncement can undermine the UID/Aadhaar project.
It is apparent that the circulars of January 10, January 15 and the office memorandum of July 31, 2017, that set up an expert committee on data protection are part of the efforts to influence the proceedings in the court. Such efforts failed in the right to privacy case, this endeavour too is likely to meet the same fate.