28/09/2018 8:19 AM IST | Updated 28/09/2018 10:56 AM IST

Security Experts Weigh In On Supreme Court Verdict Favouring Aadhaar

Justice DY Chandrachud noted that neither the government nor the UIDAI had done enough to dispel fears that the controversial biometric project was vulnerable to attack.

A woman goes through the process of finger scanning for the Aadhaar, at a registration centre in New Delhi.

BENGALURU, Karnataka—In his dissent to the Supreme Court's judgement in favour of Aadhaar, Justice DY Chandrachud noted that neither the government nor the UIDAI had done enough to dispel fears that the controversial biometric project was vulnerable to attack, and could also be used for citizen surveillance.

HuffPost India reached out to a cross-section of security and technology experts, both in favour of and opposed to the project, for their views on the judgement.


"The majority judgement shows judges need to understand technology better," said Anivar Aravind, a security analyst who has been critical of Aadhaar, noting that the majority judgement delivered by Justice AK Sikri did not engage with the fact that a significant amount of Aadhaar data was collected before the act was passed, and that much of this data was shared with states and cross-indexed on platforms like the State Resident Data Hubs.

"Aadhaar is defective by design," Aravind said. "It will take courts and political parties years to understand it. As technologists, we understand it."

Srinivas Kodali, a security researcher based in Hyderabad, said that the majority judgement ignored how states were already using Aadhaar to build intrusive surveillance regimes.

"The judgement does not do justice to any of the concerns related to privacy and surveillance with 360-degree databases using Aadhaar in Andhra Pradesh," Kodali said.

Earlier this year, HuffPost India reported on how Andhra Pradesh had used Aadhaar to track the intimate personal details of the state's 50 million residents, right down to who amongst them used Viagra.

"The court has taken AB Pandey's PowerPoint presentation as the gospel truth," said cybersecurity expert Anand Venkatanarayanan, referring to a presentation made by the UIDAI's CEO Ajay Bhushan Pandey in the course of the hearings. "The correct position regarding technology is taken by Justice Chandrachud. The others did not even engage with the conflicting data presented to them."

Private Use

Analysts noted that the court's decision to strike down Section 57, which dealt with the use of Aadhaar by private companies, was a step in the right direction. However, in a press conference held immediately after the verdict, Finance Minister Arun Jaitley suggested that the government was looking to pass a law that would allow private companies to continue using the database.

"By holding Section 57 of the Aadhaar Act to be unconstitutional, the Supreme Court of India has recognized the surveillance risk created by the indiscriminate and rampant use of Aadhaar for private services," Amba Kak, Mozilla's policy advisor, said. "While this is welcome, by allowing the State wide powers to make Aadhaar mandatory for welfare subsidies and PAN, this judgement falls short of guaranteeing Indians meaningful choice on whether and how to use Aadhaar."

"This is especially worrisome, given that India still lacks a data protection law to regulate government or private use of personal data. Now, more than ever, we need legal protections that will hold the government to account," Kak concluded.

Rajpreet Kaur, a senior research analyst at Gartner, said the core of the Aadhaar system was secure, but the ecosystem around it was leaky. Regulating private use, she said, would enhance the security of the system.

"Whenever I have done my analysis of the security of this architecture, I have found that the main problems and the loopholes are in the security of adjacent services, which are working with the UIDAI," said Kaur. "I have seen that companies collecting your Aadhaar cards for KYC or whatnot did not have basic security in place."

As a result, a lot of personal information that only the UIDAI is supposed to have access to is being leaked to all the various private companies in the ecosystem, and without a data privacy regulation, there was no requirement for these companies to protect a user's data, Kaur said.

"So the very first thing which needs to be taken care of is introduce a personal data law, which the government is already working on," Kaur said. "It was too early for the government to mandate the collection of Aadhaar details for basically everything. Mandating it for the private sector gave too much of information flow in these organisations which they were not capable of handling, and without data privacy laws, no one cared what happened to this information."

HuffPost India also reached out to other experts, including Tanuj Bhojwani, a volunteer at the iSPIRT Foundation and a start-up founder who was working in a venture capital fund until earlier this year. Bhojwani said he would respond, and HuffPost India will update this article when he does.

HuffPost India also contacted Nikhil Kumar, former fellow and head of developer ecosystem, IndiaStack, at the iSPIRT Foundation. With close ties to Aadhaar and the ecosystem that has come up around it, Kumar has frequently voiced his support for the Aadhaar and UIDAI. However, at present, Kumar did not share his views on the technological points raised by the verdict, as he was still reading the judgement.

However, he did write: "Today's Aadhaar judgement is a seminal moment for all of us. Over the years, this debate divided a lot of us onto two sides. I hope the judgement brings all of us together now."

He added that the court has clearly called out the benefits of Aadhaar and its inclusive design, and that, "World over governments are amazed by the progress we've made as a country on digital infrastructure. This ruling will only rest all their concerns on the India model now."

On whether the judgement will impact IndiaStack's products such as eKYC, he added: "As of now, we see no impact in eKYC, eSign, and Digilocker. So nothing changes for IndiaStack and it only restricts access to those allowed by law."

He added that "the court also recognises the need for Aadhaar authentication services in both govt and private sector", although many others suggest that the private sector won't be able to use the ID anymore.

"Honorable Supreme Court's judgment around the constitutional validity of Aadhaar Act shall be seen as a milestone in the ongoing journey and not an end by any means," said Rana Gupta, vice president, APAC sales, identity and data protection, at Gemalto. "Gemalto has been fortunate to be part of this journey in order to facilitate a safe journey to all concerned."

"The only obvious downside at this stage seems to be the constraints imposed on eKYC by any and every service provider outside the government," he added. "The convenience of eKYC shall be missed in the immediate term."