Post burglary into Aadhaar database, Virtual ID layer over UID/Aadhaar is a stale-dated cheque or a post dated cheque
Ahead of the verdict in the case about the 12 –digit biometric Unique Identification (UID)/Aadhaar numbers for Central Identities Data Repository (CIDR) by the Constitution Bench comprising Chief Justice of India Dipak Misra and Justices A.K. Sikri, A.M. Khanwilkar, Dhananjaya Yeshwant Chandrachud and Ashok Bhushan, Ministry of Electronics and Information Technology (MeitY)’s Unique Identification Authority of India (UIDAI) issued a Press Statement on 30th June, 2018 saying, “its Virtual ID (VID) system is now operational with its Authentication User Agencies (AUAs) which have migrated to VID and UID Token using Auth API 2.5 and e-KYC API 2.5” under the Aadhaar Act, 2016.
CEO, UIDAI Dr. Ajay Bhushan Pandey claimed that VID is a critical security measure for protecting residents’ privacy and their Aadhaar numbers. With the introduction of Virtual ID, an Aadhaar holder will have an option of not sharing his/her Aadhaar number and can generate a Virtual ID to share with AUAs to perform Aadhaar based authentication. He added that “UIDAI, in near future proposes to introduce other forms of Aadhaar data verification and the same may be provided to AUAs for identity verification in lieu of global or local, as per our review
Notably, the Virtual ID (VID) system has become operational after some nine years after the establishment of UIDAI by a notification dated 28 January, 2009. It amounts to a confession about security breach of CIDR which has been happening in the absence of VID.
It may be recollected that while the hearing was underway UIDAI had issued two circulars dated 15 January, 2018 on the subject of implementation of face authentication and on the subject of implementation Virtual ID, UID Token and Limited KYC for enhancing privacy of UID/Aadhaar holders on 10th January, 2018. Both the circulars have been issued by Yashwant Kumar, Assistant Director General, Authentication & Application Division, UIDAI, Ministry of Electronics and Information Technology (MeitY). This come after it has been established beyond any reasonable doubt that Aadhaar, “the permanent ID for life” has been compromised, UIDAI admitted that “there is need to provide a mechanism to ensure its continued use by the Aadhaar number holder while optimally protecting the collection and storage of Aadhaar number itself in many databases.” The fact is that its sub-optimal performance has become part of folk lore by now.
The circular made a reference to “Virtual ID” of 16 digit number which can be used as substitute of UID/Aadhaar number. The fact remains UID/Aadhaar is also a 16 digit number like VID, in the case of the former 4 digits are hidden from public view. Parliamentary Standing Committee on Finance had found that UIDAI did not do any comparison with preexisting identification systems in India like another VID (10 digit voter ID number). Instead of burdening Indians with one more VID, it makes eminent sense to undertake a comparison between UID/Aadhaar and old VID (Voter ID) that gives legitimacy to all elected legislators and governments.
It is clear that the UIDAI’s press statement of 30th June ahead of the imminent verdict of the Court in the UID/Aadhaar case is akin to issuance of a post dated cheque or a stale-dated cheque aimed at persuading the Court that UIDAI may have erred in claiming CIDR to be safe and secure in the past but now it proposes to do some damage control. This step of UIDAI is just an empty post disaster activity wherein it wishes to be seen to be doing something to secure all those Indian residents who are not yet part of the CIDR database of more than 121 crore people.
It is noteworthy that the signatory of both the above mentioned circulars, Yashwant Kumar was Assistant Director General under Finance & Authentication & Updation Process Division when Nandan Nilekani was Chairman of UIDAI. In this role Kumar used a private email@example.com which is still available on the blog of UIDAI. Under the chairmanship of J Satyanarayana, he also has an official email id: firstname.lastname@example.org. Someone who has been using private email for governmental work of very sensitive nature cannot be trusted with personal sensitive information of present and future generation of India. His private and governmental email accounts must be investigated to ascertain all the locations around the world from which it has been accessed especially in the light of disclosures about the controversy surrounding use of private email account by Hillary Clinton who began using it as “a matter of a convenience" disregarding the advice of technology experts who didn’t allow personal email accounts to be installed on government-issued devices. Her official communications included thousands of emails that would retroactively be marked classified by the US State Department. This issue has been raised vociferously by the President of USA because it compromised USA’s national security.
The fact that one of the senior officials of UIDAI chose to receive such sensitive information on the server of Hotmail which was acquired in 1997 by Microsoft, a private company, is a threat to national security and privacy of Indians. This company is regulated by US laws and has been working in collusion with foreign intelligence agencies. The authorities in the US, where Hotmail is headquartered, can legally access the information on the server of Microsoft without a court warrant and without any civil and criminal liability. Unless it is investigated Indian government will remain in dark about it. In fact US’ Cyber Intelligence Sharing and Protection Act make the exchange of electronic information between Internet Service Providers and the government of US possible. The use of Hotmail account demonstrates the lack of professionalism of UIDAI, which has been given the task of handling the database of the personal sensitive information of Indians. This act of omission and commission merits attention. Any circular issued by such a gullible official of UIDAI cannot inspire even an iota of real or virtual confidence.
The last paragraph of the 10th January circular refers to Regulation 14 (n) and 17 (g) of Aadhaar (Authentication) Regulations, 2016 made under Section 54 of the Aadhaar Act. The relevant provisions of the Regulations have made compliance with contractual terms and all rules, regulations, policies, manuals, procedures, specifications, standards, and directions issued by UIDAI mandatory as part of obligation on the part of requesting authorities in relation to use of identity information.
But the factual position with regard to relevant provision of Regulation 14 and 17 is that as per the terms of pre-existing contractual agreements between Union of India and transnational companies like L-1 Identity Solutions Operating Company of Safran Group, Accenture Services Pvt Ltd, Ernst & Young and others, the latter can keep data of Indian residents for at least seven years “as per Retention Policy of Government of India or any other policy that UIDAI may adopt in future". These agreements are part of efforts by MeitY’s UIDAI to implement UID/Aadhaar number scheme and related schemes. Thus, it is quite clear that these Regulations framed under the Aadhaar Act are subservient to the contractual agreements whereby law has been made subordinate to commercial contracts with impunity.
The announcement regarding VID is aimed at diverting the attention of the judges whose pronouncement can undermine the UID/Aadhaar project. It is apparent that it is part of efforts to influence the proceedings in the court. Such efforts failed in the right to privacy case, this endeavor too is likely to meet the same fate.
Dr Gopal Krishna
The author had appeared before the Parliamentary Standing Committee on Finance that examined the Aadhaar Bill and the Parliamentary Standing Committee on Food, Consumer Affairs and Public Distribution that examined the Consumer Protection Bill. He is editor of www.toxicswatch.org and is the convener of Citizens Forum for Civil Liberties which have been working on UID/Aadhaar issue since 2010.
P.S.: Experts like Prof. Anupam Saraph say that UIDAI doesn't even know if the entities in their CIDR database are real, unique or have the address, mobile and email as stated in the database. Issuing a virtual ID doesn't certify, verify or audit the data associated with the UID/Aadhaar.