Aadhaar biometric data breach triggers privacy concerns

New Delhi: A case of Aadhaar data breach has caused privacy concerns and raised questions over the security of biometric data in possession of the Unique Identification Authority of India (UIDAI).

This comes at a time when the government is pushing for Aadhaar-based transactions to promote its digital mission and the apex court is poised to debate concerns on privacy.

The UIDAI filed a police complaint on 15 February against Axis Bank Ltd, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra, alleging they had attempted unauthorized authentication and impersonation by illegally storing Aadhaar biometrics.

A UIDAI official, who requested anonymity, said that the three had been given time till 27 February to explain their action.

The breach was detected after UIDAI found multiple transactions done with the same fingerprint. The official quoted above said that this would not have been possible without the core biometrics being stored and used without authorization.

"This shows that the confidence with which the government said that Aadhaar is invulnerable is misplaced. If UIDAI is admitting the breach, that is certainly to its credit. However, it needs to be much more forthcoming and proactive to secure this sensitive data," said Chinmayi Arun, director at the Centre for Communication Governance at National Law University, Delhi.

The breach was noticed after one individual performed 397 biometric transactions between 14 July 2016 and 19 February 2017. Of these, 194 transactions were performed through Axis Bank, 112 through eMudhra and 91 through Suvidhaa Infoserve.

Under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act,



intentionally copying Aadhaar data is a criminal offence and entails a three-year sentence and a fine.

Another expert said that he did not see the alleged breach of data as a systemic flaw in Aadhaar. "You've got the law that says you cannot go beyond authentication, and someone does it. Human being breaks the law and you have to go after them," said Rahul Matthan, partner in the technology, media and telecom group at law firm Trilegal and a Mint columnist.

According to an Axis Bank spokesperson, a developer from Suvidhaa carried out four live Aadhaar-based authentications even when the testing phase for them was going on. One can only do live authentications after no errors are found out in this phase.

"If something goes wrong in the testing phase, it has to be reported to us by Suvidhaa, they are accountable for it," added the spokesperson.

UIDAI is not convinced. "Even testing is not permissible under the Aadhaar law and if such an experiment was being conducted, UIDAI should have been informed about it earlier. The authentication operation of the firms concerned has been suspended till the matter is resolved," the official added.

The three agencies have been served a "notice for action" under Aadhaar regulations.

"The testing was done by our in-house team but there has been no financial loss as of now. We will submit our report to UIDAI on Monday," said Paresh Rajde, chief executive officer of Suvidhaa.

eMudhra denied storing biometrics.

On 22 February, UIDAI had submitted a proposal to the IT ministry on introducing registration of biometric public devices to ensure the security of transactions and end-to-end traceability of the authentication process.