There has not been “a single breach of biometric data from our end," Ajay Bhushan Pandey, chief executive officer of the Unique Identification Authority of India (UIDAI) told the Supreme Court on Tuesday, prompting a judge to respond that was not enough.
“The high level of security at the CIDR (classless inter-domain routing) is not matched at the mirror end. Merely protecting your end is not enough. There needs to be a robust law in place to protect the other end of the spectrum," justice D.Y. Chandrachud remarked.
Earlier, Pandey, making a presentation on the security and technical aspects of Aadhaar told the court, “Aadhaar is privacy by design and biometric is not shared with anybody except for purposes of national security." He added that the UIDAI simply processed authentication requests and did not collect the reason or location from where the request was being made.
A Constitution bench headed by Chief Justice Dipak Misra accepted questions raised by the petitioners on UIDAI’s presentation and asked them to respond to them by the next date of hearing.
Pandey also asked the court to look past cases of data breach brought up by the media saying they had nothing to do with the UIDAI database and that the breaches were by other organizations that had treated the data collected by them carelessly.
On being questioned about sharing of data by private authentication user agencies (AUA), Pandey said that there were provisions under the Aadhaar Act, 2016 prohibiting this.
Security concerns surrounding collection of authentication logs with the authentication/requesting entity were also raised by justice A.K. Sikri who sought to know the nature of such data and how it could be shared.
In the second half of his arguments, Pandey demonstrated before the court how the authentication process works. This will enable financial inclusion as the process will be simpler than that for using debit cards.
“Aadhaar-based authentication for services like withdrawal of funds is akin to a walking ATM," he said.
At the last hearing, UIDAI said that while a 100% authentication success rate under Aadhaar was not possible, the law governing it took care of the same. It also claimed that Aadhaar had a 2048-bit encryption key, which worked like a number lock, making it extremely secure.
The case will be heard next on 3 April.