The UIDAI on Thursday told the Delhi High Court that there was no security breach of its database or Central Identity Data Repository (CIDR) and sought dismissal of a petition seeking damages for Aadhaar data “leaks”.
The Unique Identification Authority of India (UIDAI), the 12-digit Aadhaar number issuing body, in an affidavit filed before a bench of Justices Ravindra Bhat and Prateek Jalan, said its existing security controls and protocols are “robust and capable of countering any such attempts or malicious designs of data breach or hacking”.
“Security of Aadhaar is of critical importance and is given paramount significance by the Respondent. Respondent no-1 (UIDAI) constantly strengthens and reviews its infrastructure and ecosystems in line with the best international security practices and technological standards and has multi-layered security and privacy considerations built into the core strategy of Aadhaar with three basic doctrines of minimal information, optimal ignorance and federated database which give higher level of security to the data,” it said.
The affidavit was filed in response to a petition by Kerala-based lawyer Shamnad Basheer who has alleged that there were several breaches of the Aadhaar system leading to leakage of personal information of individuals since January 2018 and contended that UIDAI and the Centre were liable to compensate people whose data were compromised.
The UIDAI claimed that the petition was no longer maintainable in view of the Supreme Court’s last year decision in K Puttaswamy case in which it has upheld most of the provisions of the Aadhaar Act and the scheme.
“The writ petition is not maintainable after the Supreme Court’s judgment in K Puttaswamy Vs Union of India, by which the Aadhaar Act and scheme were upheld for the most part. Issues raised in the petition are squarely covered by the judgment,” it said.
However, the top court in its majority verdict had said that “A challenge to the Aadhaar project for violation of IT Act and Rules has been filed in the Delhi High Court in the matter of Shamnad Basheer Vs UIDAI and Ors. Therefore, we are not dealing with this aspect, nor does it arise for consideration in these proceedings.”
The UIDAI also reproduced in the affidavit some portions of the top court Aadhaar judgement to show what the top court had ruled on privacy concerns raised by various petitioners.
Denying the “false and baseless” allegations of any data breach, the authorities said Mr Basheer has not been able to demonstrate how his rights have been affected.
“… the data is fully secured/encrypted at all times i.e., at rest, in transit and in storage. For further strengthening of security and privacy of data, security audits are conducted on regular basis, and all possible steps are taken to make the data safer and protected. Further, there are multiple layers of security at physical level in UIDAI Data Centres and is being managed by armed CISF personnel round the clock. Strengthening of security of data is ongoing process and all possible steps are being taken in this regard,” it said.
“… UIDAI has taken fool-proof measures to ensure end-to-end security of resident data, spanning from full encryption of resident data at the time of capture, tamper resistance, physical security, access control, network security, stringent audit mechanism, 24/7 monitoring and measures such as data partitioning and data encryption with UIDAI controlled data centres,” it said and added that the petition be dismissed for being devoid of merit.
The high court had earlier sought response of the UIDAI and the Centre on the plea raising concerns about Aadhaar data security and privacy of individuals, in the wake of several reported leaks of personal information of people from the UIDAI database.
The plea has also urged the court to direct the Centre to either allow people to opt out of the system or delete the entire existing UIDAI data in view of the security breaches.
Referring to one such alleged breach, the plea has said a media house had allegedly managed to gain access to the entire database by paying a sum of Rs. 500.
It has said the breach, which was acknowledged by UIDAI and later led to the lodging of a criminal case against those involved, was a result of a leak of the “access control” given to some individuals.
The petition has contended that the breaches occurred due to the “negligence and willful recklessness” on part of UIDAI to adopt reasonable security measures to secure the private information.
The plea has further sought setting up of an independent investigative committee to probe and audit all security and privacy breaches of the Aadhaar database.