NEW DELHI: After the government blacklisted a Ranchi-based Aadhaar enrolment agency that had inadvertently leaked details of former Indian cricket team captain Mahendra Singh Dhoni, questions are being raised about the selection of domestic and international players for the game-changing yet tricky unique identification programme, which involves security and privacy concerns.
Here are the details of a contract the Unique Identification Authority of India (UIDAI) had signed with L-1 Identity Solutions, a US-based company that was later acquired by France-based Safran Group. Clause 15.3 of the contract, signed on August 24, 2010, said: “The data shall be retained by M/s L-1 identity solutions not more than a period of seven years as per retention policy of the government of India or any other policy that UIDAI may adopt in future.” According to sources, similar agreements were signed with other foreign vendors that had set up shop in India. What happened to the personal data of 112 crore people after the retention period expired last year? Government officials were tight-lipped on the issue; however, they maintained that UIDAI’s Aadhaar data is fully secured and has never been compromised.
“Any complaint received against an enrolment agency is taken seriously by the government and UIDAI regional offices. The officers are told to take immediate action against the delinquent agency. Each enrolment goes through various checks and data stored with UIDAI cannot be breached. It is a fully secure system,” the officials said.
Earlier this month, the government vouched for the safety of Aadhaar data in a statement. But two weeks later, the Ministry of Electronics and Information Technology admitted that, in some instances, the personal identity of individuals, including Aadhaar number and sensitive data, has found its way into the public domain.
You are buying your monthly ration at the government shop. The shopkeeper holds a smartphone camera up to your eyes and then to your fingers. The smartphone confirms a match to biometrics in a database that is already linked to your bank. Phew! Your transaction is over within minutes.
This sounds great. But when top secretaries gave a presentation to PM Narendra Modi last year, they raised issues related to the security of data in such transactions.
No. 6 of the presentation, Mobile Based Authentication, recommended using Aadhaar for authentication.
It said most smartphones have cameras that can be converted into an iris scanner with changes to the phone design, and that an iris camera requires a change in the filter of an ordinary camera and the associated embedded software. It further said, “Prototypes of the same were also invited from the industry and tested by UIDAI. The tests were confirming the possibility of making smartphones Iris-compliant.”
The next paragraph, however, touches upon the security concerns. “While the UIDAI ensures safety of biometrics once encrypted and sent to its server, the biometrics when captured and stored in the individual’s device need to be encrypted through security-related interventions in system hardware. These security requirements would ensure that the biometrics are not misused or reused. Liveliness of biometrics is another issue.”
The recommendation further said UIDAI and the Department of Electronics and IT would take up the matter with Google and other major smartphone providers to allow a third-party ‘Authenticating Protocol Interface’ from Aadhaar to be integrated with Android.
The Mazdoor Kisan Shakti Sangathan of Rajasthan has collected some case studies which reveal that people with mismatched fingerprints are unable to avail of the benefits.
In 2010, Ernst & Young was asked to set up the Central Identities Data Repository and a chapter in it raised doubts over the accuracy of biometrics data.