Issues flagged by the CAG raised questions on the authenticity and uniqueness of Aadhaar cards, archiving of data, and more
Despite UIDAI maintaining one of the largest biometric databases in the world, it did not have a data archiving policy
No REs or ASAs had their operations audited annually either by themselves through a certified IS auditor or by UIDAI
The Comptroller Auditor General (CAG) of India put out a 108-page audit report pointing at various issues with the functioning of the Unique Identification Authority of India (UIDAI).
The issues flagged by the CAG raised questions on the authenticity and uniqueness of Aadhaar cards, archiving of data and streamlining citizens’ grievances/complaints, among others, which once again raises security and various other concerns around Aadhaar data.
Among one of the many points that CAG identified, it said that despite UIDAI maintaining one of the largest biometric databases in the world, it did not have a data archiving policy, which is considered to be a vital storage management practice.
Data archiving policy is an important tool in data protection in order to maintain transparency between any organisation and its stakeholders (here, the government and the citizens) clarifying what all data is being stored/archived and for what purposes would they be used.
As a solution to this major issue, the report suggested, “UIDAI may frame a suitable data archival policy to mitigate the risk of vulnerability to data protection and reduce saturation of valuable data space due to redundant and unwanted data, by continuous weeding out of unwanted data.”
Interestingly, this is not the first time that Aadhaar is facing such criticism regarding data protection, yet, no solid data archiving policy has been established in the country till now.
The Personal Data Protection Bill, 2019, was first drafted by a panel led by retired Supreme Court Judge BN Srikrishna in 2017. It was introduced in December 2019 by the then Minister of Electronics and Information Technology, Ravi Shankar Prasad. It was then reviewed by a Joint Committee of Parliament, which submitted its final recommendations and a revised draft Bill only in November 2021.
However, the same bill, which has been in the making for about five years, does not comprehensively address the requirements of the country’s changing technology landscape anymore, at least that is what people directly aware of an impending new privacy bill in India told ET earlier this year.
At a time when the country’s technology landscape is getting disrupted every minute, there are crypto exchanges asking for Aadhaar data for verification purposes, social media platform such as Koo is coming up with instant verification for profiles, solely based on Aadhaar document, it is undoubtedly a need of the hour to come up with a solid data archiving policy.
Agreeing with this view and CAG’s recommendations, Rashmi Deshpande, partner at Business Law Chamber, told Inc42, “We need to have a clear policy stating how the collected Aadhaar data would be managed, stored, and in case of any contingencies what are the government’s plans.”
“Now the government says that they won’t share data with random private companies but if we don’t have a proper data policy in place and a proper system to ensure data protection, then we are exposing these important data to possible cyber attacks also,” added Deshpande.
She believes that the policy should also ensure levying heavy penalties in case the concerned authorities fail to protect citizens’ data.
In fact, while providing Aadhaar data to third parties and private companies, citizens do not know what will happen to their data if the government puts a ban on those organisations in future. And the most obvious concerning segment in this is crypto.
Data Protection Is Not The Only Concern
Data security is only a part of the issues CAG flagged in the functioning of UIDAI. Data authentication and verification is also a very important part to consider in the latest CAG report.
Under the Aadhaar Act, an individual’s eligibility to obtain an Aadhaar stipulates residing in India for a period of 182 days or more in the twelve months, immediately preceding the date of application.
However, UIDAI seems to have not prescribed any specific proof/document or process for confirming whether an applicant has resided in India and there is no system in place to check the affirmations of the applicants.
CAG also stated that in some cases the data of Aadhaar cardholders have not been paired with their Aadhaar number even after 10 years.
Besides, UIDAI did not carry out verification of the infrastructure and technical support of Requesting Entities (REs) and Authentication Service Agencies (ASAs) before their appointment in the authentication ecosystem, the CAG report stated. To that end, UIDAI could not confirm that the entities involved in the authentication ecosystem had maintained their information systems that were compliant to its regulatory standards.
“UIDAI may consider suspension of the services of REs and ASAs if they fail to conduct the annual audit in time as prescribed by the Regulations 2016,” CAG stated.
CAG in its latest report has put out the details of the Information Systems (IS) audit report of REs and ASAs on a yearly basis, starting from 2014 to 2019. And its analysis shows that no REs or ASAs had their operations audited annually either by themselves through a certified IS auditor or by UIDAI.
“Thus, it was evident that while UIDAI regulations stipulated annual audit of the operations and systems of both REs and ASAs by Information Systems auditor, compliance was very poor,” CAG concluded on the matter.
Talking about the issue from a legal perspective, Deshpande stated that the agreements with all the service providers have to be robust enough and only then the data collection and data management processes would be successful.
According to Deshpande, the issuing of Aadhaar numbers to children below the age of five based on the biometrics of their parents is another pressing problem that CAG has correctly identified.
“With this practice of providing Aadhaar numbers to children based on their parents’ biometrics, the crux of the idea of Aadhaar, which is to provide every citizen with their unique identity, is lost,” said Deshpande.
After all, after the age of five, the minors need to provide their data all over again and that entire process is difficult, especially for the marginalised group who would want to skip the process, she added.
A Brief History Of Aadhaar Controversy
In 2010, the then PM Manmohan Singh and then Congress President Sonia Gandhi launched Aadhaar. But not until 2012 that Aadhaar started showing signs of getting mandatory. In the following year, a lot started happening around Aadhaar.
Banks began asking for Aadhaar to provide services. Several state governments started planning to make Aadhaar mandatory. The Supreme Court also decided to examine the usefulness and validity of the Aadhaar card in 2013, based on one of the first petitions.
In March 2016, by then the centre has already witnessed a change of power, the government introduced the Aadhaar Bill as a money bill in the Parliament.
Post that, the apex court delivered two landmark judgments — first, the right to privacy in August 2017 and second, the constitutional validity of the Aadhaar scheme in September 2018.
While a majority of the 5-judge bench upheld the constitutional validity of the Aadhaar in September 2018, Justice DY Chandrachud had declared that the law was unconstitutional.
Many petitions followed in the next two years questioning Aadhaar Act. In 2021, the Supreme Court dismissed a batch of pleas seeking a review of its 2018 verdict. Once again, Justice Chandrachud dissented with the majority order.
The issues and questions are still on as citizens keep putting out their Aadhaar data on more platforms for authentication purposes.
According to Deshpande, “If the authenticity of the data collected by Aadhaar is questioned at every stage then it would open the floodgate for more litigations in the future and it is not going to have a good reputation on the Aadhaar process while reliance on the data collected by Aadhaar will also go down.”