UIDAI CEO SAYS AADHAAR NOT BIG BROTHER

Business Standard - FRONT PAGE

At a time when civil society and the public at large have raised concerns over the overarching power the government has given to the Aadhaar programme, AJAY BHUSHAN PANDEY, CEO, Unique Identification Authority of India (UIDAI), told Kiran Rathee that the idea of Aadhaar being used as a Big Brother programme for the government to spy on citizens is completely unfounded. Moreover, while some people have been asking to get external agencies to review the security of Aadhaar, Pandey says being a critical state function, it’s better to not “be disclosing all your cards to everybody”. Edited excerpts:

UIDAI is one of the entities in the world which has over a billion users putting the Authority in the league of firms like Google, Apple and Microsoft. Regarding security procedures, these companies do hackathons, involve ethical hackers, and crowd source ideas to further improve security. Is UIDAI also open to do such things?

Unlike all these platforms you have mentioned, though we are also a very large platform, we are performing a very crucial state function for which security is important. We take various possible measures and try to assess all kinds of feedback not only what is coming in media or social media, but also lots of things which may not be appearing in media at all. There may be some people who may be very secretly doing it (to attack UIDAI servers). So what we have to do is and what we are doing is that we are constantly assessing the threats which may be emerging from anywhere be it media or social media or even outside, a completely unknown domain, and we take proactive measures to ensure that such attempts do not at all succeed. The only constraint here is that we do not discuss what kind of threats we get and what are the kinds of counter measures that we take in the interest of security because one of the fundamental principles of the security is that you have to assess the risks and you have to take action but at the same time, you should not be disclosing all your cards to everybody.

There have been voices from members of civil society that Aadhaar invades privacy of citizens. What is your take on that?

There could be a misconception among a section of people. What they need to understand is that Aadhaar is an enabler. Aadhaar is for empowerment and it is nowhere going to be a Big Brother or so. It is completely ruled out in the Aadhaar architecture and Aadhaar design and law itself. In order for somebody to do Big Brother kind of a job, one has to collect lots of data. Aadhaar collects very minimal data whether at the time of enrollment or at the time of authentication. Aadhaar collects only the basic demographics like name, age, gender, and biometrics like face, fingerprints and iris. It does not collect the data about a person’s family, eating habits, contact list, income, profession, likes or dislikes, bank account details. Aadhaar does not have that kind of information anywhere in its database. Aadhaar by law is prohibited from asking for such information. Therefore any apprehension of future misuse is also ruled out because asking or collecting such information in future is completely prohibited under the Aadhaar Act and any violation will be dealt with criminal offence. Whoever is responsible for collecting and maintaining such data can be charged criminally. Therefore, the UIDAI maintains the principle of minimal data and optimal ignorance. So when you don’t have data, the question of somebody becoming a Big Brother does not arise.

But with the government linking most of the services such as bank accounts and mobile numbers with Aadhaar, the question of surveillance arises?

Let me give a counter example. Suppose you are giving your mobile number and PAN card at most places. Can the government link all these data just like that? If you have given your mobile number and PAN card to a bank and if you have given your mobile number and PAN card to income tax authorities and you have also given mobile number and PAN card for buying a property. Now that these two numbers are common in these three databases, can the government, without authority of the law, link the three databases? No, the government cannot do this. Let’s suppose the government asks the bank to give a person’s data. Will the bank give? The answer is no because under banking laws it is not allowed and that data will not be given even to the government. Similarly, if your data is held with some department, data has to be used for that purpose only. People have given their PAN card numbers at many places. Was any government able to aggregate the data on the basis of PAN card? The answer is no. The government is not in the business of becoming a Big Brother as India is a strong democratic state where the rule of law is there with strong judicial oversight and free press.

If any government department wants data, it can only ask for it under a due authority of law. For example, if the income tax department wants bank details of a person, then it has to issue a notice under the Income Tax Act saying there is a proceeding to be conducted against the person on the basis of reasonable apprehension of a possible tax evasion and then ask for data. But without any reasonable cause or suspicion, no income tax officer can ask for anyone’s data just because the PAN card is in data.

If Aadhaar number is given to 10 different authorities that does not automatically mean that the data can be aggregated by anyone. That is not possible. In case of Aadhaar, it will be doubly difficult. For example, if a bank account which is linked with Aadhaar, the banking law and also Aadhaar law will apply on sharing of a customer’s data. So it is double protection.

If some bank unauthorisedly discloses Aadhaar details to other agency, be it a government, then it will be violating law. Any such unlawful disclosure is a criminal offence, punishable with three years’ imprisonment. So with such strong safeguard, the possibility of Aadhaar becoming an instrument of surveillance is completely ruled out.

There have been instances when the demographic details of Aadhaar have been leaked and made public. Recently, there were reports that Aadhaar demographic details can be bought for a few rupees?

It was not a case of data breach. After all, name, age, gender and address are not secret information. The same information is also available on voter ID cards. The Aadhaar Act says it is sensitive information but it is not secret. Therefore, the Aadhaar Act says even though it is just a basic demographic information such as name, address, etc, even that should not be disclosed without the consent of the Aadhaar holder. But supposing if such demographic information is disclosed, this is not a case of data breach. It would be a case of unauthorised disclosure which is punishable under the Aadhaar Act as well as other laws such as the Information Technology Act, etc. So, we need to understand the difference between unauthorised disclosure and data breach.

There have been instances when biometric authentication did not take place due to worn out fingerprints in old age or hard manual work. What are the other modes of authentication?

We have multiple modes of authentication. If the fingerprint does not work, we have said the iris could be tried and one time password method could be tried. Now we are coming up with face authentication from July 1 where the person’s fingerprint, along with the face, will be used. So even if the fingerprint match score is less, along with the face, the person could be authenticated. Even after all this, if there is an authentication failure, the law provides that a backup mechanism should always be there so that no one should be denied benefits. Instructions have been issued from the Cabinet secretary to all the agencies that nobody is denied of the benefits due to lack of Aadhaar authentication.

In some instances where it was found that a person has been denied benefits, we are advising the state governments to be more vigilant and they need to take action against those who are not following the instructions. In a country of 1.2 billion people if the instructions have been issued and if they are largely complied with, there may be few aberrations, but the whole system should not be discarded.

Some of the state governments were also collecting biometric data for their own schemes. There must be duplication as Aadhaar data is now used for most of the welfare schemes across the country?

That was a situation prior to Aadhaar but now most of the state agencies have stopped collecting biometrics and they are relying on Aadhaar authentication. The data which the state governments collected was in their domain and our biometrics are quite different and encrypted in different manner.

For full interview, visit business-standard.com
