Intelligence agencies will not have open access to Aadhaar data: UIDAI chief
Intelligence agencies will not have free access to Aadhaar data, a top government official said on Thursday, looking to assuage fears of abuse of personal information.
The article by Aloke Tikku was published in the Hindustan Times on October 20, 2016. Sunil Abraham was quoted.
The Unique Identification Authority of India (UIDAI), which issued identity cards to 1.07 billion Indians, last month decided to retain data related to the verification of Aadhaar-enabled transactions for seven years, leading to security concerns over data safety.
As reported by HT on Monday, privacy experts expressed concerns that transaction data retained for so long could be accessed by the security establishment for surveillance on individuals without sufficient grounds.
“This fear is completely misplaced,” ABP Pandey, UIDAI’s chief executive officer told HT in an interview.
Security agencies can access the data only in case of national security after they get the nod of an oversight committee headed by the cabinet secretary. This committee has to clear every order made by the designated joint secretary-level officer before the information is shared, he said.
“You cannot have any legal protection stronger than this,” Pandey added.
Aadhaar transaction data is not only protected by the most powerful, contemporary law to restrict access but also by strong cryptography.
“Even if someone attempts, the 2048-bit encryption is so strong that it will take them millions of computers and billions of years to decrypt the data,” he said.
A vocal critic of Aadhaar’s design, Sunil Abraham of the Centre for Internet and Society (CIS) suggested he wouldn’t rely too much on the legal framework. “You cannot put a legal band-aid on a broken technological solution. You need to get privacy and security right by design,” the director of the Bengaluru-based research body said.
Abraham said the problem could have been averted if the UIDAI did not store the data in a centralised form. Instead, it could have used its digital signature to sign proof of authentication that could be stored by the authenticating agency and the citizen on a smart card.