Courts, inquiry both reviewing Aadhaar security measures
Delhi High Court judges have requested a written response from the Unique Identification Authority of India (UIDAI) to a petition filed by a law professor alleging that the Aadhaar operator failed to adopt adequate cybersecurity measures, leading to data leaks, Bloomberg reports.
UIDAI was given six weeks to respond by a bench made up of two judges, headed by Justice S. Ravindra Bhat, and the court will reconvene on November 19.
Kerala-based lawyer Shamnad Basheer is arguing before the court that the UIDAI should be held liable to compensate people whose data was compromised.
He claims that earlier this year there was an alleged breach in which a media house managed to access the entire Aadhaar database. That breach, which was acknowledged by UIDAI and later led to a criminal case against those involved, was a result of compromised “access control” given to specific individuals. Basheer’s court petition contends that security breaches have occurred because of “negligence and willful recklessness” on the part of UIDAI in failing to adopt reasonable security measures to secure private data.
While this petition is currently before the courts, Justice Srikrishna’s committee, which has been reviewing India’s data protection law, recently noted in a report that the Aadhaar Act needs to be amended to bolster data protection.
The committee’s latest report found that the Aadhaar Act is currently silent on the powers of the UIDAI to take enforcement action against errant companies in the Aadhaar ecosystem. This includes companies wrongly insisting on Aadhaar numbers, those using Aadhaar numbers for unauthorized purposes and those leaking Aadhaar numbers, all of which have occurred several times in the recent past.
The report thus suggests that the Aadhaar scheme be amended so that the UIDAI is conceptualized to assume a regulatory role that can ensure consumer protection and enforcement action against violations, with appeals to an appropriate judicial forum.
While the committee does not propose large-scale amendments to the Aadhaar Act, it does suggest changes to classify data-requesting entities into two groups, regulating access to personal data on the basis of necessity: those who can request authentication, and those who are limited to verifying the identity of individuals offline.
The committee also noted that the Aadhaar Act should be amended to ensure the autonomy of the UIDAI. With over 1.22 billion Aadhaar numbers issued as of July 2018, the Government of India, along with state governments, has made Aadhaar authentication mandatory for several benefits, subsidies and services. Increasingly, the scheme is also being used for private transactions as a method of identification. Due to this expansion of use, the committee argues that the UIDAI needs a clearly outlined regulatory framework in order to operate the Aadhaar scheme.
The committee therefore recommended two conceptual changes to the way in which the Act currently conceives of the UIDAI. Firstly, the UIDAI should be autonomous in its decision-making, and function independently of the user agencies in government and outside it. Secondly, the committee recommended that UIDAI must be equipped with powers akin to a traditional regulator for enforcement actions.
The UIDAI continues to increase the scope of the program, most recently by adding facial recognition to the identity verification checks for SIM registration, while it waits for a Supreme Court verdict on the program’s constitutional validity.