advertisement
The debate over the security of data collected and stored under the Aadhaar project is heating up. While the Unique Identification Project has always had strong supporters and equally strong detractors, the latest controversy has been sparked off by an alleged breach of biometric data.
On 25 February, Mint reported that the Unique Identification Authority of India (UIDAI) had detected a breach of biometric data and filed a police complaint on 15 February against Axis Bank Ltd, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra with the allegation of impersonation using illegally stored biometric information.
These entities deny storage of any data and claim that the business correspondent was merely testing the platform which accidentally sent authentication requests to the live server instead of the testing one.
Still, the incident has sparked concerns about the security of data in the possession with the UIDAI and also the redressal mechanism in the case of a breach like this.
Legal experts that BloombergQuint spoke to point out that while the international principles of data collection require that any breach or abnormal activity be revealed to the users and authorities quickly, the Aadhaar regulations give no such assurance.
While banks are not required to disclose details of the breach to the public, they are required to report it to regulators immediately. Customer protection provisions also ensure deposit protection to some extent.
Delhi-based lawyer Apar Gupta said that a user may never really get to know if there was a data breach in the Aadhaar database which compromised their personal data, unless the authority chooses to voluntarily disclose it.
Adding that the authority is “whole and sole” and it isn’t liable to even disclose it under the Right To Information Act or to the parliament, Gupta said:
A broad comparison can be drawn to system breach in the banking system last year which led to 32 lakh debit cards being compromised.
In contrast, there is no regulatory oversight of the UIDAI which keeps it away from scrutiny, Gupta said. “There is an absence of a breach notification requirement under the Act,” he added.
Rahul Matthan, partner at law firm Trilegal said that all technological systems are likely to be breached at one point or the other and the Aadhaar Act has strong provisions against nefarious elements wronging the system.
“There is a clear violation of the law in this case no matter who has done it,” Matthan said while adding that it is not clear where the violation has happened.
Matthan said that storing of biometrics is wrong and illegal and the concern stems from the potentiality of people using this information left, right and centre.
He also added that protective provisions of the IT Act will apply to Aadhaar as well.
However, there remains a loophole here for those who do not have their correct phone numbers updated in the Aadhaar system.
Gupta also said that even if one gets to know about their Aadhaar being misused, there is no guarantee under the Act that a redressal will be provided.
In chapter 7 of the Aadhaar regulations, there is a provision for a grievance redressal mechanism whereby a person can approach a call centre through phone or email which will provide residents with a tracking number till the matter is closed.
Gupta believes that this is not enough, saying that:
Additionally, Sunil Abraham, executive director of Bangalore-based Centre for Internet and Society told BloombergQuint that a privacy law was promised when the Aadhaar Act was being passed in the parliament. That never happened so the system remains deficient on redressal.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)