Either Aadhaar number or enrolment ID still a must for new accounts, says UIDAI chief Ajay Bhushan Pandey
New applicants for bank accounts, Tatkal passports, mutual funds and telecom services will have to still provide their Aadhaar number to avail of services even after the Supreme Court indefinitely extended the 31 March deadline, Ajay Bhushan Pandey, chief executive officer of the Unique Identification Authority of India (UIDAI), said in an interview on Tuesday. The apex court extended the deadline until after it rules on petitions challenging the constitutional validity of Aadhaar. Edited excerpts:
What does the Supreme Court’s interim order on Tuesday mean?
The Attorney General had earlier made a statement that when the time comes the government would not be averse to extending the deadline. Based on that, when the matter came up on Tuesday again, the Attorney General said that we may extend the date for bank accounts and other services, but so far as the benefits, subsidies and services under Section 7 of the Aadhaar Act are concerned, that should remain undisturbed. The court accepted both the arguments and gave the order that for subsidies and welfare programme under Section 7, the deadline will remain as it is. For bank accounts and non-subsidy areas like passport, telecom, the linkage with the existing account, the court has directed that the interim order of 15.12.2017 shall stand extended till the matter is finally heard and the judgement is pronounced.
However, for opening new accounts, either the Aadhaar number or the enrolment ID is required. So, some reports in media saying that Aadhaar number is not any more required for bank accounts, mutual funds, telecom, etc. are not correct. In each sector, there are two types of things — the existing ones and the new ones. For the existing ones, the date has been extended, but for the new ones, such as opening of new accounts, etc., Aadhaar is required.
There seems to be some confusion with the Tatkal passports….
The Supreme Court order is clear and is applicable to passport also. In case of applying for a new Tatkal passport, Aadhaar number or enrolment ID with other documents is needed. To that extent, we did not see much change in status for Tatkal passports from the court’s order.
Many states collected their own biometric database before the Aadhaar Act was passed in 2016. In a Supreme Court hearing, the Gujarat government lawyer said that data has been destroyed after the enactment of the Act. Did UIDAI also dump some data related to them?
The other side (petitioners against Aadhaar) said that there were some states creating state resident data and that was not good as it leads to a surveillance state.
In pre-Aadhaar (Act) situation, all the state governments were our registrars i.e. they were registering people for Aadhaar. Whenever someone enrols, the demographic information i.e. name, date of birth, address and biometrics- photograph, fingerprint and iris (scan) — are collected. The states used to keep a copy and send another copy to us. The information was stored in an encrypted manner and there was a key to it. We would do the de-duplication at the backend to generate an Aadhaar number and inform you of the Aadhaar number so that you will have a database of all the persons you have registered along with the Aadhaar number now and the other information you already have.
But yes, it’s a fact that the information was available to them as it was the arrangement under which they were collecting the information itself.
There was also another situation. Suppose you have gone to a bank and have enrolled for Aadhaar, so the bank will have one copy but while filing the application form you say that I don’t have any objection if my data is shared with the entities involved in the delivery of social benefits. For such people, even though the registration has been done by the bank and bank has the biometrics..., we gave the demographic information and Aadhaar number to the state governments. So the state governments had a dataset, one dataset of the people whom they have enrolled along with their biometrics and another is the ones that they got from other registrars where they got only the demographic data. This was called State Resident Data Hub and the idea was that the state governments are involved in the various benefit schemes like MGNREGA, PDS etc. and accordingly plans (benefits of) which schemes should be given to you and which schemes should not be given to you.
However, when the Aadhaar Act came, many of these things went away. The first thing that went away was that we stopped giving one copy of the data to them. We also told them ‘please destroy all the biometric data that we have given to you before the Act.’
Did they destroy it?
Yes, we have got certificates from state governments and we are filing them in courts. All of them have been destroyed.
We were also quite worried because once the Aadhaar Act came, it was our responsibility to protect the biometric data wherever it is. I’m also very confident while saying this because only a few states were technologically capable of keeping the data. Most of the states had told us to keep their copy of the data as well. They had told us that whenever they would need it, they would ask us but no one actually asked for it. Those states that kept the data were not in a position to use the biometrics.
So, whatever data we had, we destroyed it. Only the biometric data was destroyed, the demographics remain with the states. The Aadhaar Act provides for it and the demographics have much lesser information than that you have on a voter ID card except for the Aadhaar number. And anyway the state government is supposed to be having your Aadhaar number.
Some states went ahead to build their own biometric database. For example, Gujarat has a PDS system which works on biometrics.
I’m not aware of (that). This is a parallel activity which has nothing to do with UIDAI. In earlier days, Gujarat said that we don’t want to use Aadhaar-based PDS system because we have been working on the biometric base earlier than us. At some point, Andhra Pradesh also said that it had tried something similar with iris (scan identification). So they were using their own biometrics.
So far as Aadhaar is concerned, we have come out with registered devices where whenever the fingerprint is put, it gets encrypted with our key and time stamp. So if you try to replay, the time stamp will be different.
We will protect the biometrics to the best of our ability and never allow it to be compromised. In the last eight years, my database has been secure and not breached. In the worst case, let’s say that the biometrics have been leaked but question is, your biometrics are anyway in the public domain, right? Your face, your fingerprint, everything is in public domain; therefore, this catastrophe that we are talking about doesn’t hold.
By knowing your Aadhaar number, the other person can do nothing; it also needs biometrics unlike a social security number where a person can impersonate you by just (knowing) the number. If we say that the Aadhaar number and biometric is being used to impersonate you, we have an arrangement here as well; whenever you are putting your biometric it will always be in front of a person. So unless and until that person is also compromised, then it’s a case of collusion and no system can then protect it.
What is the level of encryption that UIDAI has?
The encryption that we have is 2048 bits. Normally, in a digital signature you have an encryption of 256 bits. So, we are almost eight times higher. Now, when you try to break this encryption. The fastest computer on earth will require more than the age of the universe to break this.
Do you review the level of encryption and try to move it to higher levels?
We have two committees. One is the UIDAI technology and architecture review committee where we have a few outside experts. These are professors from IITs (Indian Institutes of Technology), Indian Institute of Science and National Cyber Security. The country’s top experts are in the architecture board. We also have a security review committee. It includes a few directors of IITs and defence experts. Security is kind of a continuous process. Today what is secure, probably after five months, it may not be secure. We need to anticipate that after 5-6 months what things might come up and accordingly we have to take counter-measures.
No one should be excluded from benefits because they don’t have an Aadhaar card as it’s supposed to be an inclusive thing. There is a provision of physical copy of downloaded version of Aadhaar but why is it that the provisioning is still not happening?
This is a new law and it still has to percolate down. We have told all the state governments, all banks and everywhere else to accept it. Our cabinet secretary, on 19 December 2017, issued a circular to all state governments and ministries saying that they should ensure that no one is denied the benefits. The awareness also should be built in. If a bank branch or local ration shop doesn’t accept it, then people should complain. The government is not ambiguous on this and has given statutory guarantee of inclusion in the Aadhaar Act itself.
One of the issues that keep coming up is the failure rates during authentication. Some of these numbers are alarming, is that really the case?
The question is, what do you mean by failure rates? If a person goes to do the authentication at a particular time and after multiple trials if it happens, we consider the authentication as a success and not a failure. Such success rate is between 86-98%. The range is there because the rate depends on which organisation you are looking at.
If a state government has recently started authentication for PDS, there might be a human error as people are not well-trained. In the telecom sector, the success rate is 96% whereas in state subsidy schemes, the success rate is around 86-87%. The maximum rejection rate at individual level is 14% and the minimum is around 4%.
In your ecosystem, there were some issues with people at the front-end who are actually providing the services to customers. What is happening there?
Initially, Aadhaar was voluntary for both enrolment and services. Therefore there was not much premium for doing something wrong and the system was working very well. The moment it became mandatory and Aadhaar became a reliable document, there were certain elements at the front-end who tried to take advantage of this. Either by indulging in corruption i.e. charging exorbitantly or not collecting proper documents. It was leading to a lot of discontent among the people and so we aligned our focus to changing the environment at the ground level and working on creating a trustworthy ecosystem. We have a zero-tolerance policy.