Aadhaar gem: ‘Fastest computer will take life of universe to breach’


TRYING to allay fears over Aadhaar, the CEO of the Unique Identification Authority of India (UIDAI), the nodal agency implementing the project, told the Supreme Court on Thursday that it doesn’t share biometric details of residents with anyone and that it would take the fastest computer currently available “more than the life of the universe” to break its 2048-bit encryption.

“Biometrics is never given out. Our software is such that the moment the resident presses the save key, entire data gets encrypted by the 2048-bit key. To break one key, the fastest computer in the world will take more than the life of the universe”, Ajay Bhushan Pandey told a five-judge Constitution bench comprising Chief Justice of India Dipak Misra and Justices A K Sikri, A M Khanwilkar, D Y Chandrachud and Ashok Bhushan.

The court is hearing a batch of petitions challenging the constitutional validity of the Aadhaar Act.

The official, who was allowed by the court to make a presentation explaining the security and other features of Aadhaar, said this when the bench told him that there were concerns that the data could be captured by others at the enrolment centres.

“Maybe when it reaches you, it gets encrypted, but at the (enrolment) centre, it may be captured by private party”, said Justice Sikri.

“No,” replied Pandey.

Justice Khanwilkar pointed out that there were charges that the software used was foreign and there was fear of data falling into wrong hands.


On this, the official said that only the software used for biometric-matching was foreign, under license from “world’s three best companies”. Explaining further, he added that this was like SAP or Oracle, used by banks and financial institutions under license from the foreign companies that own them. “These are intellectual properties and the companies don’t share the source code”, he said, adding that banks using them doesn’t mean they are giving their data to the companies.

The biometric-matching software is used offline, he said, and added “the data is fully under our control. The biometrics is anonymized before it’s given to the matching software. We segregate the Personally Identifiable Information (PII) so the software doesn’t know whose biometrics it is.”

Justice Chandrachud wanted to know how authentication happens for a person who has not given biometrics because of old age etc.

On this, the official said there already existed an “exception handling mechanism.”

Even those who did not have biometrics due to old age, or other physical infirmities could have an Aadhaar card and their authentication would be done on the basis of their photographs and their mobile number which can be verified with an OTP, he said.

The “face authentication shall be available in fusion mode along with one more authentication factor like fingerprint/iris/OTP, from July 1, 2018,” he added.

At the time of authentication, the purpose for which it is done, the location or other details of transaction are not collected, said Pandey. He added this was the policy followed by UIDAI even prior to the coming into force of the Act and after the Act, it was made part of the law.

Justice Sikri referred to the death of a woman in Jharkhand after ration was denied to her allegedly for want of authentication of Aadhaar.

Pandey replied that in that case, authentication had happened but yet she was sent back. He added that such situations would require other legal means and Aadhaar could not take care of such instances of human dishonesty.

Justice Sikri nodded saying “because that is our character”.

Pandey added that the use of Aadhaar, however, had resulted in “irrefutable digital evidence” that she was turned back despite the authentication. “Earlier it was my word versus that person’s word. Now we have digital evidence”.

Justice Chandrachud added: “There are two situations – one where the denial of services is due to failure of authentication and secondly denial despite authentication. The first can be cured. But the second has existed in the past and probably will exist in future.”

Justice Sikri quizzed Pandey about UIDAI’s decision to blacklist 49,000 enrolment centres.

The official replied that some of them were charging money from the residents while others had been harassing subscribers by entering wrong data. “We have a zero tolerance policy”, he said and added “now the enroller too has to put in his Aadhaar numbers”.

His presentation remained incomplete and will continue on March 27.

Earlier in the day, Attorney General K K Venugopal drew the court’s attention to a World Bank report on savings due to Aadhaar.

Referring to this, Justice Chandrachud said the report also seemed to indicate that the Prime Minister’s council had referred to the need for a legal backing for Aadhaar as far back as 2009 and exclaimed that the government had taken seven years after that to come up with the Aadhaar legislation.