Moneycontrol
Aug 02, 2017 12:49 PM IST | Source: CNBC-TV18

UIDAI can detect, repel security breaches in Aadhaar: CEO Ajay Bhushan Pandey

Refuting allegations questioning the data's security, Ajay Bhushan Pandey, UIDAI CEO said that the data with UIDAI is fully safe and secure


The Aadhaar enrollment process implemented by the UIDAI has fetched much criticism lately as experts have said that a person's linking financial details with the 12-digit unique identification number is vulnerable to misuse and data theft.

Refuting allegations questioning the data's security, Ajay Bhushan Pandey, UIDAI CEO said that the data with UIDAI is fully safe and secure.

Speaking to CNBC-TV18 he said that more than 113 crore Indians have registered for Aadhaar and till date not a single case of data leak from UIDAI has been reported.

He further said that critics need to make a judgement on security after looking into the data.

Aadhaar is as secure as any other contemporary system and in case of any security breach, UIDAI is capable enough to detect and repel attacks, he added.

Below is the verbatim transcript of the interview

Q: First, there has been a lot of negative criticism around Aadhaar in the last few weeks, rather in the last few years. Aadhaar advocates say that this will definitely streamline the system and weed out duplicates as well as frauds, but critics are concerned about data security breach and also on privacy. What are your comments on the recent developments around this and the campaign that has been going as far as Aadhaar is concerned? What are your comments on that?

A: What we would like to say is that whatever data that is with UIDAI is fully safe and secure. One fact that I would like to present to you is that ever since we started Aadhaar, Aadhaar was started in September 29, 2010, and since then, we have give Aadhaar to more than 113 crore people. We have also started authentication service where you can give your Aadhaar number and give your biometric and then our system will tell yes and no.

Till now, we have done more than 500 crore of authentications, more than 100 crore of Aadhaar based e-KYC for various purposes, for opening bank accounts, for getting sim cards and these things.


How Aadhaar will transform India in the future

Now, not a single case of data leak from the UIDAI, data breach from UIDAI, not a single case of identity theft or financial loss has been reported to us. So, this is the only thing that I would like to say and then the people should make a judgement whether Aadhaar is safe or not.

Q: To follow up on this question, you are definitely saying that Aadhaar database is absolutely secure, there was a backlash on social media last week over the online publication of personal information, be it Aadhaar numbers to bank account details and also names and addresses. Several privacy advocates alleged that information collected by ministries, departments and state governments are readily available just by an online search. So how secure really is Aadhaar database? How do you allay these concerns?

A: Let me explain. There are two parts of this whole problem. One is, as you know, the database which is inside the UIDAI and as I mentioned, no breach has happened and we are quite vigilant about it because we can never say that we are 100 percent and absolutely secure. In the security world, there is nothing called fully secure and absolutely security.

Q: But you are saying that this is fool proof?

A: It is secure as much as any other contemporary system. This is number one. Now, the social media and the other parts of the media, the story that has come out that some people's personal data which could include even the bank account details, financial information and including his Aadhaar number, that was outside the UIDAI system.

Let us say, suppose somebody went to receive some benefits or somebody went to some school for getting school admission, he wants to apply for a scholarship. Now he has to give some form of ID. Now, because most people have Aadhaar, they may have given Aadhaar identity and also they have given their bank account number. Publishing bank account number is also an offence under the Income Tax Act and then the banking laws.

Similarly, publishing Aadhaar number also is an offence. So, what has happened is in the overall scenario, some users of Aadhaar as well as the financial information they were not very vigilant and therefore, they published the list of the beneficiaries online along with their names, addresses and Aadhaar number, bank account number.

So, that is what the government, last week, gave an advisory to all ministries of the central government and also the state government saying that please be vigilant, be respectful to the privacy of people and do not publish such data including Aadhaar, including bank account details and other things because we need to respect the privacy of the people whom you try to serve.

But so far as data from Aadhaar itself was never leaked.

Q: But is the UIDAI really equipped to deal with any kind of data breach in the near future?

A: So far as the UIDAI system is concerned, we are fully equipped to one is prevent and in case suppose, hypothetically, something happens, we have a mechanism to immediately detect and repel those attacks. And in case, something happens unfortunately, let us say in some remote probability, if something happens, then we have a very strong law, Aadhaar Act that any breach into Aadhaar database is a serious offence and punishment is imprisonment up to three years.

So it is a very tough and serious crime which has been provided for specifically in Aadhaar Act.

Q: To follow up on that question, who has access to the Aadhaar database because the Aadhaar Act says that the information will be disclosed on Centre's orders if national security is threatened, but there is no specific definition of national security in the Act itself. How do you really define that?

A: First of all, the Aadhaar database access is defined only in two manners. One is that if a person wants to authenticate and confirm his identity, then he gives his Aadhaar number and gives his biometric and then he also gives consent to the person who is collecting this that I hereby give you consent to collect my biometric and also my Aadhaar number so that you can authenticate from the UIDAI server. This is one.

Also, we have another kind of service where you give your biometric and your Aadhaar number and we give the e-KYC information that your name, address, photograph so that it will help you open the bank accounts and in this manner, more than 4.47 crore people have opened bank accounts through Aadhaar e-KYC because they did not have any other IDs. This is a very important point.

However, there could be some case where for national security purpose, supposing accessing to Aadhaar database is required, then Aadhaar Act provides a very stringent condition which is not there in any other contemporary law.

For example, in case of Aadhaar, if this data is required without the consent of the individual, then an order of a Joint Secretary in the Ministry of Home will be required and before that order takes effect, this order has to be vetted and approved by a committee headed by Cabinet Secretary and Secretary of Ministry of Information Technology and Secretary of Ministry of Law, such senior officers. They would weigh whether it is a case of national security or not and in the national security, if they decide that yes, in certain cases, Aadhaar data has to be shared, then Aadhaar Act allows that.

But I will just give you a little bit of a parallel. Let us say, in other domains, let us say for example, today certain data is shared, for example, if suppose somebody's telephone has to be tapped, then what does it require? It requires the order of Officers of the various state government. In case of Aadhaar, what we have done is that this power is available to the highest, first of all, highest official of the country which is the Cabinet Secretary.

Q: My question is what is the scope of definition of national security? In what kind of cases does this conform to? When can the centre access the information of general public?

A: The definition of national security, whether a case falls into the overall situation of national security or not, it will be decided by the committee headed by the Cabinet Secretary.

Q: What are the remedies available to a citizen, if you could really tell this to our viewers out here, in case of a data breach of course, or a fraud? For instance, money being taken out from a bank account, what is the redressal system? Should a person go to the court, file a police complaint or come to you for redressal?

A: I will give you an example. Let us say suppose somebody finds out that some money has been withdrawn from his bank account. Basically, he should go to the police and lodge a complaint saying that my money has been withdrawn from my bank account and I do not know how the money has been withdrawn, through the debit card or credit card or somebody forged the signature and then he withdrew the money.

Now during the investigation, supposing if the police comes to know that yes, it is a case of a signature fraud, then in that particular case, police will take a different course of action. But during the investigation if it is found that this particular fraud was committed through Aadhaar number, then in that particular case, police will approach us and take our approval under the Aadhaar Act and we will give approval in that particular case.

So, the fact is that anyone who is aggrieved by any fraud first has to go to the normal police under the Criminal Procedure Code (CrPC) and then follow the due process of law. The law also provides that you can go to court and then the court can direct the police to conduct investigation.

So, these are the options available but as and when it comes to the notice during the investigation that Aadhaar data was used to commit this fraud or commit this offence then at that particular time, if it is a violation of Aadhaar Act, they can come to us and we will give approval.

Q: Would bringing perhaps a privacy bill settle some of the data security concerns? Is there something in the making, has the government internally discussed on way forward and how to tackle the privacy concerns? Of course as you said it is very much secured but any privacy bill?

A: There are two parts of the problem, one is the privacy relating to Aadhaar. So, far as the Aadhaar Act is concerned, this whole privacy protection features have been inbuilt into the Aadhaar Act itself. For example Aadhaar Act Section 29 describes what privacy protection measures are there.

Section 29 says that your core biometric cannot be shared with anyone for any reason whatsoever. Supposing if somebody comes and says that I want the biometric of this person, even if the resident says that I have no objection if my biometric is given to this person, we will say no. Aadhaar core biometric cannot be given to anyone.

If any agency has collected Aadhaar number, he has to take his consent that we want to have your Aadhaar number because we want to give you some service. At the time of collection of Aadhaar number and biometric that agency has to disclose the purpose for which Aadhaar number is being collected. Then this Aadhaar number can be used only for the purpose which was disclosed to that resident.

In case if there is any violation then again it is a serious offence under the Aadhaar Act.

The Aadhaar Act also says that Aadhaar information, Aadhaar number and other details cannot be published online. If anyone does that he is committing an offence. So, that is precisely the point, that in the social media that you talked about in the beginning some people were inadvertently publishing this data along with name and other details and we told them that this is technically an offence and please don’t do this otherwise tomorrow you will have to face action.

Q: The government’s decision to make Aadhaar mandatory for a host of services including filing of the Income Tax Returns now have been criticised by not only experts but also the opposition who say that the centre has unconstitutionally bypassed the Rajya Sabha and disregarded the Supreme Court order that has called for Aadhaar to not be made mandatory. So, this leaves citizens with no option but to enrol. Why is there an extreme hurry to mandate Aadhaar in terms of these kind of services?

A: Aadhaar Act was passed by the Parliament last year and then it has been notified by the government in September last year. So, it has become the law of the land. What does this law of land say? The law of land says, and which is passed by the parliament, that if government wants to give any service from the consolidated fund of India or benefits or subsidy from consolidated fund of India like scholarship or PDS benefit or MNREGA, housing or various health benefits, in all these programmes the money comes from the consolidated fund of India, so the government can say that Aadhaar is required. However the government also recognises that not everyone in the country even today, even though we have given Aadhaar to more than 113 crore people, still there could be a very few people who may be left out and there is no justification for denying them the benefit just because they have not been able to enrol for Aadhaar. Therefore the provision of giving an alternate means of identifications to those who do not have Aadhaar is provided in the Aadhaar Act itself.

So, what Aadhaar Act says, that if anyone wants benefit from the government then he has to give Aadhaar and if he doesn’t have Aadhaar then he should try to enrol for Aadhaar. Till he is able to enrol for Aadhaar and till he is given Aadhaar number from the UIDAI, the benefit shall be given by the concerned department through the alternate means of identification without an Aadhaar card, that is the law of the land.

Q: So, it is still possible to avail the entitlement without an Aadhaar card?

A: Yes that is the law of the land. However the only thing is that the person has to at least enrol for Aadhaar. There could be a case where somebody says that I will not enrol for Aadhaar forever and you continue to give me the benefit….(Interrupted)

Q: That itself is mandatory, you have to enrol for Aadhaar or you have an Aadhaar card.

A: Exactly, that is the law of the land.

Q: Right from retaining your PAN card or applying for a new PAN to filing ITR, to even get your driving licence, the list is getting longer. However linking Aadhaar with other identities may not be an easy task. For instance mismatch of names, is that going to be a hurdle because there can be a different name in my PAN account, so how do you really take care of that?

A: That is precisely the purpose of purifying the system. We have been noticing multiple cases that a person may have a multiple pan cards with little variation of names or little different name. So, idea is that the person should have as far as possible one name and then try to give the same identity everywhere. So, what the system provides here is that let us say somebody has a different name in the pan card and different name in Aadhaar card, now the person has a choice, either he can apply for a name correction in Aadhaar system and this can be done online or he can also request Income Tax department to make that correction or make a change in the name in pan card. So, both are possible.

Q: But now of course, citizens will have to hurry to enrol to an Aadhaar card right from the elderly to a new-born. But for Aadhaar linkage to happen, what is the window really for Aadhaar seeding to be implemented?

A: So far as the use of Aadhaar is concerned, the use is governed by the rules of those user departments and we do not have any say in that. For example, if the income tax department has said that by such and such date, you should link your Aadhaar to the PAN card, it is the discretion or the jurisdiction of income tax department. We have absolutely no say in their plan of action.

Q: 113 crore people have enrolled for Aadhaar as we speak. This is almost about 88 percent of the population that have enrolled for an Aadhaar card.

A: More than 90 percent.

Q: But how has the enrolment really been in perhaps the north east or Jammu and Kashmir? Has that been really slow as of now?

A: Even as we speak, we enrol around five lakh people every day from all over the country. More than 40,000 enrolment centres are working across the country. The coverage of Aadhaar has been relatively on the lower side in a few north eastern states. In fact, Sikkim has done very well. Tripura has done very well. A few other north eastern states, they are yet to catch up. Similarly, Jammu and Kashmir.

So, we are working with those governments and trying to ensure that the people who are residing in those states also, they are able to get their Aadhaar enrolment done as early as possible.

Q: So, what is the next phase? How soon will we see 100 percent enrolment? Of course, now with the deadlines coming in, I am sure in the next few months, we will see?

A: I would like to say there is nothing like 100 percent enrolment because children will continue to be born, roughly two crore children will continue to be born every year. So they will have to be enrolled. They will cross the age of five because we collect biometrics at the age of five, so we will collect again their biometrics, they will have to come to our centres and we will collect their biometrics. And again at the age of 15, again we will collect their biometrics, all ten finger prints and iris so the person has to be in touch with Aadhaar system, enrolment system thrice in their lifetime.

Q: Aadhaar is getting a lot of global attention, right from the World Bank appreciating the Aadhaar architecture, right from countries showing keen interest, how are you looking at working with such countries who have shown interest in understanding the Aadhaar architecture.

A: We have got request from various countries that in what way we can help them. So, we have always been willing to help them, the teams have come from various countries and we have had very extensive discussions. However, there is a word of caution here that under the Aadhaar Act, all our technical processes, the technical details are considered confidential.

Why did we do that? Because of security. For the purpose of ensuring security, we need to keep our technical information also secret. And therefore, except that part, so far as the broad principles are concerned, how Aadhaar is being used by the various ministries, all those experience sharing, all those things can take place.

Q: In fact Aadhaar has brought significant savings to the government and now, with Aadhaar being made mandatory to a whole list of entitlements and welfare schemes of course, this will of course add up to the governments total savings going ahead. How much of that is a target really?

A: Now what Aadhaar has done and wherever this Aadhaar has been used, for example in Public Distribution System (PDS), it has been fully used in a state like Andhra Pradesh, in Rajasthan, now it is being used in Gujarat and it is being extended all across the country, Aadhaar in PDS.

Now in these three states where Aadhaar is being used, the initial results are that the savings are to the tune of around 15 percent at least. Similar savings are being reported in the other sector where the Aadhaar is being used which is consistent with the earlier studies that I talked about that the studies have estimated that the bogus, duplicates, fakes accounted for the leakage of around 15-20 percent overall. So, in the last 2.5 years Aadhaar is being used only for some schemes in certain areas and that has given the benefit of more than Rs 49,000 crore to the central government.

There is a very interesting report from the World Bank which published a report called Digital Dividend last year and where World Bank estimated that if Aadhaar is used across all central government schemes, then it will save government at least USD 11 billion which amounts to almost Rs 70,000 crore every year.

Sections
Follow us on
Available On