sflc.in @SFLCin
Day 22 of the final #Aadhaar hearing will begin shortly.
CEO of UIDAI resumes his PowerPoint presentation on #Aadhaar
ABP clarifies that operators check individual packets of data received during enrollment. There are 65 operators who are responsible for verifying biometrics he says
J. Chandrachud: Is it possible for the enroller to make copies of the data before the data is encrypted and sent to CIDR?
ABP says that the enroller does not have access to biometrics. It's collected by UIDAI's software.
ABP: Also retaining data by the operator is an offence. We have zero tolerance policy.
We have started phasing out private enrolment agencies. Now only banks and post offices will do it
ABP: A notification was issued in July that says that 12500 banks and 15000 post offices will become operator agencies.
J. Sikri: That is because you don't need so many enrollment agencies now. People have already enrolled.
ABP says they are doing it for updation of Aadhaar
ABP says that their central authentication server is not connected to the internet for security purposes
J. Chandrachud: How many AUAs are private?
ABP says few dozen.
J. Chandrachud: AUA has a record of how many times an authentication request was made even if UIDAI doesn't. Parting with that data is a commercially profitable enterprise. The private sector AUA can misuse that data.
ABP says they are prohibited under section 29(3) of the act.
ABP: Section 38(g) also prohibits it. Further there are regulations to prevent such misuse. Regulation 17(1)(d) for example.
J. Chandrachud: The problem area is that private service providers have a record of authentication requests which can be misused in various ways to profile individuals.
J. Khanwilkar says that the state has to clear the apprehensions of the petitioners with respect to the software of Aadhaar.
ABP says software is secure and there hasn't been one data leak till date. Tells court to not believe media reports. Denies recent report of breach by ZDNet.
ABP rubbishes the report by Tribune also.
ABP says that now they have made it a standard practice to only display the last four digits of the Aadhaar no., wherever needed.
J. Chandrachud: The high level of security maintained at CIDR is not maintained at the other end like AUA also. Unless the security at the other end of the spectrum is secured, Aadhaar will be a problem.
ABP physically demonstrates the process of authentication. Shows what all information is displayed. Says location, purpose etc. are not shown.
ABP says that Aadhaar based authentication and other services like withdrawal of funds is akin to a walking ATM.
ABP says debit cards and PIN nos. are difficult to use for most people in India. Aadhaar makes it simpler and allows people to be financially included.
ABP explains the security of authentication transactions next. Talks about STQC and UIDAI certified biometric devices, secure channel, biometrics locking, multiple factor authentication.
Explains the process of biometrics locking.
ABP says that a person can enter her Aadhaar details on UIDAI's website to check her authentication history. This way she can know if her Aadhaar no. was misused.
ABP discusses authentication meta data elements. Says we have no meta data that reveals anything about an individual such as likes and dislikes. Emphasizes again that location, and purpose of authentication is not collected.
ABP says that the technology and architecture board review the technology of Aadhaar. Similarly the security review board reviews the security of Aadhaar. Security is an ongoing challenge and we need to keep upgrading it.
ABP shows a short film on Aadhaar data centres
ABP takes the court through the security measures incorporated in the Aadhaar infrastructure.
ABP now discusses the privacy safeguards in Aadhaar like virtual ID, UID token, purpose and use limitation, strict confidentiality, online access to authentication history, biometrics lock, strict punishment under the Aadhaar act.
ABP: We can make further regulations if there are any concerns related to the security and privacy of the Aadhaar ecosystem.
J. Sikri: It cannot be ruled out that authentication history will not be shared under section 33.
Senior Advocate K.V Vishwanath says it can be shared under section 57 also.
ABP says that till date they haven't shared data with any other agency.
ABP is now explaining Virtual Aadhaar ID generation.
J. Sikri: How many people will be able to use it? You can't explain to illiterate people how to use virtual ID. ABP says this is just an additional safeguard apart from the act.
Bench rises for lunch.
CEO of UIDAI, Ajay Bhushan Pandey resumes his PowerPoint presentation on Aadhaar.
J. Sikri asks if the authentication logs are kept with the authentication/requesting entity. What is the nature of this data?
ABP says that details except biometrics are kept.
ABP draws attention to regulation 17 and 19 on the point that AUAs are not as secure as CIDR.
ABP: Audits are done on AUAs, and requesting agencies, by UIDAI itself or by an agency appointed by them to ensure smooth functioning of the system.
ABP: Anil Jain, professor at Michigan State University, and expert on biometrics, was consulted. He suggested multimodal biometrics authentication, i.e. both iris and fingerprints should be combined for the process of identification and authentication.
ABP says another expert was consulted and he suggested that iris should be used, because fingerprints often don't work.
Judges are of the view that AG should be making such arguments, not CEO of UIDAI.
ABP: Using virtual ID and UID token ensures that databases are not joined. We make distinctions between what agencies require real Aadhaar no. and what agencies do not. For example, telecom does not require real Aadhaar no., but income tax does.
Judges ask ABP to submit a note explaining virtual ID and UID token and how their usage prevents de-duplication.
ABP: UID token is a 72 character alphanumeric string meant only for system usage. For the same resident, different AUAs or KUAs will have different UID tokens. Aadhaar cannot be reverse engineered from the token.
ABP now distinguishes between Aadhaar card and smart card. Says central database of biometrics is important, to ensure uniqueness. Uniqueness may not hold true in the case of smart card, and one person can have multiple cards with different identities and same biometrics
ABP: there's no identity theft if Aadhaar is lost. The same cannot be said of smart cards.
Surveillance is not possible with CIDR as silos are not merged. Surveillance is possible by smart cards by merging databases.
There's some discussion on the smart card id system used in Singapore. ABP says keeping too much information on a smart card is not a good idea. Replacement of smart card with a better technology in the future is a huge responsibility.
ABP says that changing encryption kept on a smart card from time to time is not possible. Says offline smart card is not a substitute for online authentication.
ABP says a Singaporean newspaper praised India and Estonia's ID system and wrote that Singapore should adopt something similar.
CJI clarifies about the process of enrollment. Asks if the enroller or requesting entity has access to any data.
ABP says data is encrypted and sent to CIDR, so there's no question of misuse.
ABP shows a graph to illustrate the success rate of Aadhaar based biometric authentication. He shows year-wise trends from 2013-18.
Next, ABP shows a graph made on a proof of concept conducted at old age homes in nine different states.
He says that from July 1, facial recognition will be used along with fingerprints in order to ensure better authentication.
Petitioners submit a list of questions based on the presentation. State will answer them on Tuesday.
Petitioners say that deadline for Section 7 benefits should also be extended. Fourteen crore forty eight lakh authentication failures have taken place for section 7 benefits and subsidies.
State argues that authentication rejections are not tantamount to denial of services.
CJI refuses to give an extension on section 7 benefits.
Bench rises for the day. Will reassemble on Tuesday.