‘No free run on Aadhaar data’
UIDAI promises privacy, security agencies allowed to access Aadhaar data only after nod from oversight panel
NEW DELHI: Security agencies will not have a free run of the Aadhaar data of India’s billion plus population, a top government official said on Thursday, in remarks aimed at easing concerns about abuse of Aadhaar information.
Last month, the Unique Identification Authority of India (UIDAI) that has issued 1.07 billion identity numbers had decided to retain data related to the authority’s verification of Aadhaar-enabled transactions for seven years.
As reported by Hindustan Times on Monday, privacy experts have expressed concerns that transaction data retained for so long could be accessed by the security establishment for a 360-degree surveillance on individuals without sufficient grounds.
“This fear is completely misplaced,” ABP Pandey, UIDAI’s chief executive officer told HT in an interview.
Security agencies can access the data only in case of national security after they get the nod of an oversight committee headed by the Cabinet secretary.
This committee has to clear every order made by the designated joint secretary-level officer before the information is shared, he said.
“You cannot have any legal protection stronger than this,” he added.
Aadhaar transaction data is not only protected by the most powerful contemporary law to restrict access, but had also gone for unusually strong cryptography.
“Even if someone attempts, the 2048-bit encryption is so strong that it will take them millions of computers and billions of years to decrypt the data,” he said.
A vocal critic of Aadhaar’s design, Sunil Abraham of the Centre for Internet & Society (CIS), suggested he wouldn’t rely too much on the legal framework.
“You cannot put a legal band-aid on a broken technological solution. You need to get privacy and security right by design,” the director of the Bengaluru-based research body said. Abraham said the problem could have been averted if the UIDAI did not store the data in a centralised form.
Instead, it could have used its digital signature to sign proof of authentication that could be stored by authenticating agency and citizen on a smart card.