This is a record of the proceedings in the Supreme Court bench hearings on the Constitutional validity of Aadhaar, which began on Feb 13, 2018. You may read the previous days’ proceedings here: Day 1, Day 2, Day 3, Day 4, Day 5, Day 6, Day 7, Day 8, Day 9, Day 10, Day 11, Day 12, Day 13, Day 14, Day 15, Day 16, Day 17, Day 18, Day 19, Day 20 and Day 21.

Dr. Ajay Bhushan Pandey, CEO of UIDAI, resumed his PowerPoint presentation on Aadhaar. He began by giving a breakdown of the enrollment operators that were blacklisted, classified by reason. He clarified that operators check individual packets of data received during enrollment. Currently, 65 operators are responsible for verifying biometrics.

Justice Chandrachud asked whether it is possible for the enroller to make copies of the data before the data is encrypted and sent to CIDR. Dr. Pandey replied that the enroller does not have access to biometrics. It is collected by UIDAI’s software.

Justice Chandrachud asked whether any operator has been blacklisted for a data breach, such as sharing of data. Dr. Pandey replied, without actually mentioning whether any operator had been blacklisted, that it is only possible when the operator is qualified enough to tamper with the enrollment client software to capture or share biometric data. Even if someone does it, it is punishable.

Dr. Pandey explained that retaining data by the operator is an offence. They have zero-tolerance policy. They have started phasing-out private enrollment agencies. Now only banks and post offices will do it. (MediaNama: The Supreme Court had ordered this. Additionally, it is not clear whether banks and post offices will do the actual enrolment, as private operators have been asked to operate their own businesses out of government premises.)

Dr. Pandey said that a notification was issued in July saying 12500 banks and 15000 post offices would become operator agencies. Justice Sikri commented that that was because you don’t need so many enrollment agencies now. People have already enrolled. Dr. Pandey said they are doing it for updation of Aadhaar.

Dr. Pandey continued with Slide 13 on Aadhaar Authentication Services. He explained how CIDR is fully secure and not even connected to the internet. (MediaNama: There is missing information here. If the CIDR is not connected to the internet, but can be authenticated on the internet, there is enough internet access to the sensitive data – whether to the CIDR or to copies of the data)

Justice Ashok Bhushan reminded about UIDAI having to satisfy that no aggregation is possible. Dr. Pandey cited Section 32 (3) that they are prohibited from knowing the purpose anyway.

Justice Chandrachud wanted to know how many AUAs are private. Dr Pandey replied that they were a few dozen. Justice Chandrachud pointed out that an AUA has a record of how many times an authentication request was made even if UIDAI doesn’t. Parting with that data is a commercially profitable enterprise. The private sector AUA can misuse that data. He pointed out that the UIDAI doesn’t actually have any control over this.

Dr. Pandey said that they are prohibited under Sections 29(3) and 38(g) of the Aadhaar Act. Further there are regulations to prevent such misuse. He gave the example of Regulation 17(1)(d).

Justice Chandrachud said that there is difficulty and cited an op-ed in the Times of India that day. A pizza chain sharing that information with a health insurance provider, for instance, is a problem! Lifestyle is important information for the latter. Justice Chandrachud said that the problem area is that private service providers have a record of authentication requests which can be misused in various ways to profile individuals.

Justice Khanwilkar said that the state has to clear the apprehensions of the petitioners with regard to the software of Aadhaar.

Dr. Pandey said that the software is secure and there hasn’t been one data leak till date. He told the Court to not believe media reports. He denied a recent report of a breach by ZDNet and rubbished The Tribune report as well. He said that now they have made it a standard practice to only display the last four digits of the Aadhaar number, wherever needed.

Justice Chandrachud pointed out that the high level of security maintained at CIDR is not maintained at the other end including AUAs. Unless the system is secured at the other end of the spectrum, Aadhaar will be a problem.

Dr. Pandey demonstrated the process of e-KYC authentication. He showed what information is displayed. He said that location, purpose etc. are not shown. He said that Aadhaar-based authentication and other services like withdrawal of funds are akin to a walking ATM.

Justice Khanwilkar seemed angry. He asked Dr. Pandey to not bother them with operational aspects but satisfy them that breaches were not possible. Dr. Pandey said that all breaches are of other databases, not UIDAI’s. He referred to Tribune, the latest Indane breach etc. (MediaNama: While the Indane breach may not be UIDAI, the Tribune breach did appear to be UIDAI)

Justice Chandrachud said that there is no enforceable protection against others even if CIDR is fully secure.

The live demo of biometrically withdrawing 100 rupees from an IDBI bank account worked. Dr. Pandey said debit cards and PIN numbers are difficult to use for most people in India. He claimed that Aadhaar makes it simpler and allows people to be financially included.

Dr. Pandey explained the security of authentication transactions next. He talked about STQC and UIDAI certified biometric devices, secure channel, biometrics locking, multiple factor authentication. He explained the process of biometrics locking. He said that a person can enter her Aadhaar details on UIDAI’s website to check her authentication history. This way she can know if her Aadhaar number was misused. He said that they continue to make it more and more secure. (MediaNama: According to the documents submitted by Dr. Pandey before the Supreme Court – Pages 16 – 18, in the last six months, there was only one attempt to authenticate the Aadhaar number with biometrics, on the day before the hearings before this Supreme Court bench began – it FAILED!)

Dr. Pandey explained all fields captured during authentication. He said that the geo code and IP address of authentication transactions are not received by UIDAI. He discussed authentication metadata elements. He said that they have no metadata that reveals anything about an individual, such as likes and dislikes. He emphasized again that the location and purpose of authentication are not collected. He said that the UIDAI used to track locations such as GPS coordinates and PIN code earlier, but as per the latest API released, these are no longer captured.

Aadhaar is privacy by design, said Dr. Pandey; he described how core biometrics are not shared except for national security and said that there was no request under that from the government for the last 1.5 years. Dr. Pandey said that the technology and architecture board reviews the technology of Aadhaar. Similarly, the security review board reviews the security of Aadhaar. Security is an ongoing challenge and they need to keep upgrading it.

Dr. Pandey referred to their star-studded Technology and Architecture review and security review committee and to Gödel Prize winner Prof. Manindra Agrawal being in the SRC. The Gödel Prize is an annual prize for outstanding papers in the area of theoretical computer science, given jointly by the European Association for Theoretical Computer Science (EATCS) and the Association for Computing Machinery Special Interest Group on Algorithms and Computational Theory (ACM SIGACT).

A 4-minute-video on the design of the CIDR data centre was shown. Narration by a false baritone male voice.

Dr. Pandey took the court through the security measures incorporated in the Aadhaar infrastructure. He discussed the privacy safeguards in Aadhaar like Virtual ID, UID token, purpose and use limitation, strict confidentiality, online access to authentication history, biometrics lock, and strict punishment under the Aadhaar Act. He said that they can make further regulations if there are any concerns related to the security and privacy of the Aadhaar ecosystem.

Justice Sikri said that it cannot be ruled out that authentication history will not be shared under section 33. Senior Advocate KV Vishwanath said it can be shared under section 57 also. Pandey said that till date they haven’t shared data with any other agency.

Dr. Pandey explained Virtual Aadhaar ID generation. Justice Sikri wanted to know how many people will be able to use it: you can’t expect illiterate people to use virtual ID. Dr. Pandey said this is just an additional safeguard apart from the Act.

The Bench rose for lunch and reassembled at 2:30pm.

CEO of UIDAI, Dr. Ajay Bhushan Pandey resumed his PowerPoint presentation on Aadhaar.

Justice Sikri asked if the authentication logs are kept with the authentication/requesting entity. What is the nature of this data? Dr. Pandey said that details except biometrics are kept. He drew attention to Regulations 17 and 19 on the point that AUAs are not as secure as CIDR. Audits are done on AUAs and requesting agencies, by UIDAI itself or by an agency appointed by them, to ensure smooth functioning of the system.

Dr. Pandey said that Anil Jain, a professor at Michigan State University and an expert on biometrics, was consulted. He suggested multi-modal biometric authentication, i.e. both iris and fingerprints should be combined for the process of identification and authentication.

Dr. Pandey said that another expert was consulted and he suggested that iris should be used, because fingerprints often don’t work. Judges were of the view that AG should be making such arguments, not CEO of UIDAI.

Dr. Pandey said that using virtual ID and UID token ensured that databases were not joined. (A while earlier he had called them an additional safeguard when it was pointed out that most people would not be able to use them). They make distinctions between which agencies require the real Aadhaar number and which agencies do not. For example, telecom does not require the real Aadhaar number, but income tax does.

Judges asked Dr. Pandey to submit a note explaining Virtual ID and UID token and how their usage prevents duplication.

Dr. Pandey: The UID token is a 72-character alphanumeric string meant only for system usage. For the same resident, different AUAs or KUAs will have different UID tokens. Aadhaar cannot be reverse engineered from the token.

Dr. Pandey distinguished between the Aadhaar Card and a Smart Card. He said a central database of biometrics is important to ensure uniqueness. Uniqueness may not hold true in the case of a Smart Card, and one person can have multiple cards with different identities and the same biometrics.

Dr. Pandey said that there’s no identity theft if Aadhaar is lost. The same cannot be said of Smart Cards. Surveillance is not possible with CIDR as silos are not merged. Surveillance is possible by Smart Cards by merging databases. (MediaNama: Unclear how) Some discussion followed on the Smart Card ID system used in Singapore. Dr. Pandey said that keeping too much information on a Smart Card is not a good idea. Replacement of Smart Card with a better technology in the future is a huge responsibility.

Dr. Pandey said that changing the encryption kept on a smart card from time to time is not possible. He said an offline Smart Card is not a substitute for online authentication. He said that a Singaporean newspaper praised India and Estonia’s ID systems and wrote that Singapore should adopt something similar.

The Chief Justice of India sought clarification about the process of enrollment. He asked if the enroller or requesting entity has access to any data. Dr. Pandey said that data is encrypted and sent to CIDR, so there’s no question of misuse. He showed a graph to illustrate the success rate of Aadhaar-based biometric authentication. He showed year-wise trends from 2013-18.

Dr. Pandey then showed a graph made on a proof of concept study conducted at old age homes in nine different states. He said that from July 1, facial recognition will be used along with fingerprints in order to ensure better authentication.

Petitioners submitted a list of questions based on the presentation. The State will answer them on Tuesday.

Petitioners asked that the deadline for Section 7 benefits should also be extended. Some 14 crore 48 lakh authentication failures have taken place for Section 7 benefits and subsidies. The State argued that authentication rejections do not amount to denial of services.

The CJI refused to give an extension on section 7 benefits.

The Court rose for the day. Advocate General will continue submissions on behalf of the government at 11:30am on 3rd April 2018.

Summary of hearing based on tweets by Prasanna S, Gautam Bhatia and SFLC.