NEW DELHI: Your biometric and biographic data collected by Unique Identification Authority of India (UIDAI) for the 12-digit unique Aadhaar number could well be at Fort Meade, the headquarters of NSA, the US spy agency. Intelligence agencies that had forewarned the government two years ago about the vulnerability of Aadhaar data due to involvement of foreign players are livid over latest NSA disclosures that reveal the US is prying on biometric database.
Needless to say the Intelligence Bureau (IB) is in a tizzy. NSA whistleblower Edward Snowden’s recent revelation that the American intelligence agency is covertly collecting biometric data of people from across the world has them worried sick. Central intelligence agencies had warned the government about a possible security breach in Aadhaar, which is considered the world’s largest biometric database.
The Aadhaar programme under UIDAI involved several foreign vendors and private companies for storage and collection of individual data, including iris scan and finger prints. In 2012, the IB warned the state about loopholes in Aadhaar, but the government continued with the enrolment process, sidestepping security concerns.
The NSA top secret documents leaked last week point to the covert operation. “Identity Intelligence is exploiting pieces of information that are unique to an individual to track, exploit and identify targets... ,” the papers stated.
Three types of data is being mined by the NSA which includes “biometric, biographic and contextual.” Biometric data shows an individual’s physical or behavioural traits like face, iris, fingerprints, voice etc. Biographic data gives details of life history, including address, school, and profession while contextual data is about individual’s travel history and financial bank details.
Although, the US government had earlier scrapped Aadhaar-like project for its residents, it surprisingly mounted covert ops to infiltrate biometric database in other countries. The decision of the US to not allow biometric profiling of residents was followed by China, Australia and UK and similar proposals were shot down by the respective governments.
The intelligence agencies raised the contentious provision in the contract agreement that allows foreign vendors to keep the biometric data for next 7 years making it easy prey for NSA. “The contract agreement signed by UIDAI with foreign vendors is absurd. Private companies can easily share it with US spy agency. We have seen how they arm twist private players to gain foothold in their server,” a top intelligence official said, adding the UIDAI also had arrangements with certain private software firms for technology assistance.
UIDAI had signed contract agreement with US companies, Accenture and L1 Identity Solutions allowing them to keep data for seven years. The contract agreement clause 15.3 says, "The Data shall be retained by L1 Identity Solutions Operating Company not more than a period of seven years as per Retention Policy of Government of India or any other policy that UIDAI may adopt in future.” The same clause was applicable for Accenture.
Clause 15.1 further exposes the vulnerability regarding misuse of the data by foreign vendors. The clause in case of American company Accenture says: “By virtue of this Contract, M/s Accenture Services Pvt Ltd/Team of M/s Accenture Services Pvt Ltd may have access to personal information of the purchaser and/or a third party or any resident of India, any other person covered within the ambit of any legislation as may be applicable.”
In November last year, Max Schireson, CEO of tech firm Mongo DB (allegedly funded by CIA and NSA) had a meeting with UIDAI officials. Although, UIDAI had clarified that no contract was signed between Mongo DB and UIDAI, it had confirmed that DDG Tech Centre and ADG IT-II, Tech Centre held a meeting with Schireson.
A home ministry official said on the condition of anonymity that the original mandate of UIDAI was to issue 12-digit numbers only and data collection was the responsibility of Registrar General of India (RGI) under the Ministry.
“UIDAI had no mandate to collect biometric as home ministry wanted government supervision over sensitive data, but the decision to overrule the original provision was taken at the top level,” he said. The UIDAI in its present form is like a private shop where home ministry rules and guidelines are not followed, he added.