The Unique Identification Authority of India (UIDAI) recently filed its counter affidavit in the petition filed by Prof Shamnad Basheer seeking damages for Aadhaar data leaks.
And it might just have provided false information in the document filed before the Delhi High Court.
At the outset, the counter filed on behalf of UIDAI Deputy Director Ramesh Kumar states that the petition is no longer maintainable in view of the Supreme Court’s decision upholding most of the Aadhaar Act and scheme. The counter states,
“The writ petition is not maintainable after the Supreme Court’s judgment in K Puttaswamy v. Union of India, by which the Aadhaar Act and scheme were upheld for the most part. Issues raised in the petition are squarely covered by the judgment…”
However, a closer look at the majority judgment in Puttaswamy, delivered by Justice AK Sikri on behalf of himself and then Chief Justice Dipak Misra and Justice AM Khanwilkar, reveals the following paragraph:
“A challenge to the Aadhaar project for violation of IT Act and Rules has been filed in the Delhi High Court in the matter of Shamnad Basheer v UIDAI and Ors. Therefore, we are not dealing with this aspect, nor does it arise for consideration in these proceedings.”
In effect, UIDAI’s contention that the issues raised in Prof Basheer’s petition are identical to those addressed by the Supreme Court in its September 2018 judgment is not accurate.
The counter goes on to deny all the averments, submissions, statements and allegations made in Prof Basheer’s petition, stating that they are unsubstantiated. Portions of the Puttaswamy judgment have been reproduced to show what the Supreme Court ruled on privacy concerns raised by various petitioners.
The matter came up for hearing before a Division Bench led by Justice S Ravindra Bhat today. In its counter, UIDAI has informed the Delhi High Court that till date, there has not been any security breach of its biometric database or Central Identity Data Repository (CIDR).
Therefore, any media report suggesting or indicating breach of the UIDAI’s Aadhaar database or CIDR, identity theft, or financial loss is incorrect, it informed the Court.
Rebutting the claim that demographic information has been compromised through security breaches, UIDAI has argued,
“…(the claim) is completely devoid of any substance or truth and the petitioner may be put to the strictest proof to show how any personal information pertaining to the petitioner has been compromised or rendered insecure in any manner whatsoever.”
It has thus submitted that existing security controls and protocols are robust and capable of countering any such attempts or malicious designs of data breach or hacking. It has also said that the biometrics available with UIDAI are not shared with anyone.
“..the data is fully secured/encrypted at all times i.e. at rest, in transit and in storage. For further strengthening of security and privacy of data, security audits are conducted on regular basis, and all possible steps are taken to make the data safer and protected. Further, there are multiple layers of security at physical level in UIDAI Data Centres and is being managed by armed CISF personnel round the clock. Strengthening of security of data is ongoing process and all possible steps are being taken in this regard.
“..,UIDAI has taken fool-proof measures to ensure end-to-end security of resident data, spanning from full encryption of resident data at the time of capture, tamper resistance, physical security, access control, network security, stringent audit mechanism, 24/7 monitoring and measures such as data partitioning and data encryption with UIDAI controlled data centres.”
Strong asymmetric encryption technologies used to encrypt every resident’s data ensure that no agency or person can access, modify, or misuse the same during field enrolment or in transit to the UIDAI data centre, it has further said.
UIDAI has also apprised the Court of the regular audits that are undertaken to ensure data security as well as the internal mechanism provided in the Act itself.
It has thus prayed that the petition be dismissed for being devoid of merit.
In May last year, Prof Basheer had filed the petition contending that instances of Aadhaar data leaks have resulted in a breach of the fundamental Right to Privacy as guaranteed under Article 21 of the Constitution.
He sought exemplary damages in order to deter UIDAI and the Centre from future negligent behavior that compromises constitutional/statutory/common law rights of all ‘Aadhaaris’.
The petition has also sought information on the steps taken by the Central government and the UIDAI towards remedying and rectifying their security practices pursuant to the Aadhaar data breaches, and their compliance with the existing data protection safeguards.
Additionally, Prof Basheer sought a direction to the UIDAI to delete all his data from the system, while allowing him to opt out of the Aadhaar scheme, or to allocate a new Aadhaar ID to him, in view of the threat of the reported data breaches.
Further, it calls for the appointment of a neutral ombudsman/verification authority for addressing all concerns and complaints at the first level that may arise in the future, in relation to violations of the Aadhaar Act and associated regulations.
The Delhi High Court had issued notice in the petition on August 21 last year.