Foreign Companies Also Have Access to Biometric Data Under Aadhaar

On February 7 the hearings on Aadhaar continued in the Supreme Court with Kapil Sibal representing Raghav Tankha leading the arguments. The arguments advanced fell under three broad headings; evaluation of centralized biometrics from a technical standpoint, Aadhaar and e-governance, and centralized biometrics evaluated against particular fundamental rights. Half of the points raised were argued on the next day, February 8.

Under the heading of ‘evaluation of centralized biometrics from a technical standpoint’, Sibal relied on an RBI report which identified the Central ID Repository (CIDR) as a ‘readily available single target for cybercriminals as well as India’s external enemies.’ The software used for the ‘de-duplication service’ as well as the ‘authentication service’ are software that are owned by foreign companies. As a part of the licensing agreement, the foreign companies would also have access to the biometrics of those enrolled in Aadhaar. It is not clear whether the information has been deleted or not. The next issue he highlighted under this heading was that once data was breached through a ‘hack’ or even though other means such as ‘fingerprint duplication’ by using wax and Fevicol, there is no full proof way to rectify the breach.

Another issue raised was of the vulnerability to ‘man-in-the-middle’ attacks. A man in the middle attack in the case of Aadhaar would mean that the ‘attacker’ would insert a code at the time of authentication to either reject or accept the biometrics entered in order to steal them. A common man-in-the-middle attack is a false Facebook page in which you enter your login details which then get stolen. What makes stealing biometric details different from a hacked Facebook account is that one can always contact Facebook and have the account suspended or re-establish one’s control over the account. In the case of Aadhaar, once the data has been stolen, it is permanent. The arguments also touched upon the issue of the ‘facial recognition’ technology, which would not only violate the privacy of citizens but also compromise the identities of intelligence agencies and military personnel who would then be identifiable to any person who has such details, thus compromising their duties. The last argument under this heading was about the ownership of the information. The question raised was whether the UIDAI, the requesting agency (even a private company can be a requesting agency), or citizens owned the biometric information.

Under the heading of Aadhaar and e-governance, Sibal relied on the EPW report wherein the UIDAI admitted that the margin of error increases with the size of the database. Therefore, the more number of people brought under a centralized database, the higher the chance for authentication to be rejected. However, the adjudication of such instances of ‘rejection’ would be handled by the UIDAI rather than an independent authority, violating the principles of natural justice which is a mainstay in administrative law. On the issue of forgeries, the UIDAI’s claim that forgeries would fall under the same laws as ‘forged signatures’. However, in the case of a forged signature, the person whose signature is alleged to have been forged will be present along with ‘experts’ who will determine the veracity of the signature. Sibal also argued that a centralised database would undermine federalism as the State Government would always have to rely on the Union Government to determine the identity of a citizen.

Under the heading of centralized biometrics evaluated against particular fundamental rights, two points were raised. One was on the right to privacy, and the other was on the right to dignity. On the right to privacy, the issue was that biometrics takes away consent. Unlike a password which a person may decide whether to divulge it or not, biometrics does not have that option. An unconscious person is as capable of authenticating their information as a conscious person. While this may not be an issue in a rescue scenario, it also means that a person can be drugged or killed, and their biometrics used to carry out transactions through a bank account linked to their Aadhaar. Regarding the right to dignity, the argument raised was that the elderly and other vulnerable groups are often subjected to unwanted physical contact during the process of authentication, such as holding their hands to obtain fingerprints. Authentication can also be carried out with smart cards.