Interview: ‘Aadhaar is not a secret number like your password or PIN,’ says UIDAI chief
As a five-judge bench of the Supreme Court gets ready to
hear petitions on Tuesday and Wednesday challenging the government’s decision
to make Aadhaar mandatory for accessing vital services, Ajay Bhushan Pandey,
chief executive officer of the Unique Identification Authority of India, spoke
with Scroll.in on Monday. The Authority is the nodal
agency that maintains the database of the biometrics-based 12-digit unique
identification number that the Centre wants all Indian residents to have.
Pandey said the Unique Identification Authority of India
is vigilant about data breaches and citizens should not be too concerned even
if their Aadhaar numbers are leaked. His comments come in the backdrop of
numerous reports of the personal details of Aadhaar
holders being leaked, and close on the heels of an alleged security breach of telecommunications major Reliance
Jio Infocomm’s database last week.
Affirming that Aadhaar data sits securely
on the Authority’s servers, Pandey, however, said there have been several
instances of the Aadhaar Act’s enrolment guidelines being violated. As a result
of this, the Authority has penalised close to 5,000 operators. These violations
ranged from sending people away when they showed up at the enrolment centre to
demanding money for enrolment or updating of information in the Aadhaar
database.
Excerpts from the interview:
Many private companies are building
parallel databases using Aadhaar authentication, which adds Aadhaar numbers to
their data banks. Are there enough safeguards and legal recourses available to
people in case of a breach?
You see, Aadhaar data is not with anyone. Aadhaar data means your biometric and demographic data and Aadhaar number are securely with us. What private companies have is their own database and the corresponding Aadhaar number. It is just that the 12-digit number is there. We have a very strict protocol saying that the number should not be misused and should be used only for the purpose it was obtained for, and that it must not be leaked or shared and so on.
You see, Aadhaar data is not with anyone. Aadhaar data means your biometric and demographic data and Aadhaar number are securely with us. What private companies have is their own database and the corresponding Aadhaar number. It is just that the 12-digit number is there. We have a very strict protocol saying that the number should not be misused and should be used only for the purpose it was obtained for, and that it must not be leaked or shared and so on.
If anything happens, then it is a criminal
offence. If the person does it knowingly, then it is a criminal offence. If the
person fails to protect Aadhaar data, then it is a case of criminal negligence
for which the person can be held criminally liable under the Aadhaar Act, and
for such cases we do this.
This is the punishment that can be taken
against a person who has leaked Aadhaar data.
But those who get impacted…
What I would like people to understand is that Aadhaar is not a secret number like your password or PIN [personal identification number], which can materially affect your life tomorrow if it is leaked without your knowledge. It is not like your Aadhaar number is leaked and your bank account gets emptied out.
What I would like people to understand is that Aadhaar is not a secret number like your password or PIN [personal identification number], which can materially affect your life tomorrow if it is leaked without your knowledge. It is not like your Aadhaar number is leaked and your bank account gets emptied out.
In case of Aadhaar, let us say the 12
digits are leaked. The question is, by merely knowing your Aadhaar number, will
someone be able to harm you? My answer is no. The Aadhaar number by itself does
not give away any information. It has to be used with biometrics. Or, you know,
it has to be used with the one-time-password that is sent to your phone for a
transaction.
Let us take another example. Aadhaar is
not a secret number but it is personally sensitive information. Let me give you
a parallel. The bank account number is also a personally sensitive number. We
say that it should not be publicly disclosed. But suppose it is known to the
public, is your bank account then at risk? Even if your bank account number is
known, it does not put you at any risk.
But at the same time, you would not like
sensitive personal information to be freely available to the outer world. We
are being so particular that even though we say that your Aadhaar number is not
secret, we also say that you should protect it. But in case the number does get
out, should people be worried? My answer is no. People reveal their Aadhaar
number, bank account number and address all the time. Your biometrics are with
you, you cannot be impersonated. But if your biometrics are disclosed, then
that could be a problem.
Recently, there have been multiple leaks
from the government end with ministries and departments found to be sharing
Aadhaar and other information of people on their websites.
What happened was that several government departments were disclosing Aadhaar numbers, names, addresses and bank account numbers. And the reason they gave us when we asked them was that they had divulged this data under the Right to Information Act. When we told them that they should not display such information, they immediately complied. We have asked them to be careful in future. However, by publishing these numbers, the people have not been put at risk.
What happened was that several government departments were disclosing Aadhaar numbers, names, addresses and bank account numbers. And the reason they gave us when we asked them was that they had divulged this data under the Right to Information Act. When we told them that they should not display such information, they immediately complied. We have asked them to be careful in future. However, by publishing these numbers, the people have not been put at risk.
Why then are we bothered about these data
breaches if the leaking of the Aadhaar number cannot hurt its holder?
If everyone starts publishing Aadhaar numbers, there is a danger that someone will make a 360-degree profile of you. So, unless and until we can prevent everyone from publishing your Aadhaar information freely, I cannot prevent such a profiling. If one person does it and if I stop it, I nip the problem in the bud and the threat of a 360-degree profiling ceases to exist.
If everyone starts publishing Aadhaar numbers, there is a danger that someone will make a 360-degree profile of you. So, unless and until we can prevent everyone from publishing your Aadhaar information freely, I cannot prevent such a profiling. If one person does it and if I stop it, I nip the problem in the bud and the threat of a 360-degree profiling ceases to exist.
Basically, we have prohibited publishing
Aadhaar numbers to ensure that nobody can make a full profile of you and
connect databases. That kind of harm has not been done yet. But at the same
time, we will be very very tough on anyone who does it; we will hold them
accountable.
Did you file a case against any of these
government departments for publishing Aadhaar numbers?
We did not file a case because there was no criminal intent. It was a question of understanding. They thought they were doing something under the Right to Information Act. We asked them not to do it and they complied. But suppose they had continued to do so, then they would have become liable for action.
We did not file a case because there was no criminal intent. It was a question of understanding. They thought they were doing something under the Right to Information Act. We asked them not to do it and they complied. But suppose they had continued to do so, then they would have become liable for action.
Earlier, there were reports of the
licences of around 34,000 private operators who enrol people for Aadhaar being
suspended. What has happened since then? Do you continue to monitor and take
action against such operators?
See, our enrolment happens through the registrar. The registrar goes to an enrolment agency, which employs the operators. We have a strict quality control process, so we not only depend on complaints that we receive but also proactively monitor and see what is happening in the field.
See, our enrolment happens through the registrar. The registrar goes to an enrolment agency, which employs the operators. We have a strict quality control process, so we not only depend on complaints that we receive but also proactively monitor and see what is happening in the field.
Whenever such violations have been brought
to our notice from the field, either through our own monitoring or through
complaints, we have taken action. So we have taken action against these 34,000
people and imposed fines and we have also blacklisted some.
One complaint that we have been getting of
late is that people visiting Aadhaar enrolment centres are being turned away or
they are being asked to pay. In the case of information updates, they are being
charged more than the amount specified. In all such instances, we impose a fine
of Rs 10,000 for the first violation. In the case of a second violation, the
fine goes up to Rs 50,000. We blacklist the operator on the third instance.
We have data on this. In the last seven
months, we have fined or blacklisted about 4,700 private operators. We are also
setting up an internal cell. The good thing about Aadhaar is that we have the
address and number of every person enrolled. So instead of waiting for people
to register a complaint, we call them and ask them how their Aadhaar enrolment
experience was.
No comments:
Post a Comment