Aadhaar data breach just a fallacy, has strongest encryption technology: UIDAI

New Delhi: Countering a plea that alleged leakage of Aadhaar data, in Delhi High Court, the Unique Identification Authority of India (UIDAI), on Thursday, claimed that reports regarding security breach of data related to Aadhaar are incorrect and misleading. The agency also asserted that the strongest encryption technology has been used in Aadhaar to store data which is impossible to decrypt.

A bench comprising of Justice S. Ravindra Bhat and Justice Prateek Jalan, was hearing a plea filed by Shamnad Basheer alleging that the dissemination of personal information of Aadhaar holders made it clear that the government is responsible for any breach of right to informational privacy.

"The technology used is 2048-bit encryption, which is the strongest one and it is impossible to decrypt and extract any information even if enrolment packets were accessible during transit to the UIDAI data centre," UIDAI told the bench.

In an affidavit, the government agency stated that Aadhaar data is fully secured and for further strengthening of security and privacy of data, security audits are conducted on regular basis, and all possible steps are taken to make the data safer and protected.

The agency further added that there are multiple layers of security at physical level in UIDAI data centres and is being managed by armed Central Industrial Security Force (CISF) personnel all the time.

"The technical architecture of Aadhaar has been structured in such a way, so as to ensure clear data verification, authentication and de-duplication, while ensuring a high level of privacy and information security," the UIDAI said.

"UIDAI has taken all necessary safeguards, starting from providing standardised software that encrypts the entire data even before saving it to any disk; protecting data using tamper-proofing; identifying every operator in all and every enrolment; and identifying every one of the thousands of machines using an unique registration process, which ensures every encrypted data is tracked," stated UIDAI in its reply copy.

Countering Basheer's claim, the agency also said that the petitioner is trying to bring-up the same issues which have attained finality before the Supreme Court and therefore the present petition deserves to be dismissed with costs. It also alleged that the current petition is based on a mere assumption that the general public is likely to be aggrieved.

In this plea, the petitioner has opined that his constitutional rights have been violated due to the negligence of UIDAI.

"In the entire petition, there is not even a mention as to how the petitioner is aggrieved by the actions of the UIDAI and how his constitutional rights have been violated to entitle him to damages claimed by him," the UIDAI said.

UIDAI, also stated: "The alleged facts (leakage of Aadhaar data) on the basis of which the petitioner has filed the plea are unsubstantiated statements and the information relating to the Aadhaar scheme has been grossly misreported and interpolated to mislead this court."

"The petitioner has pivoted his entire case around the misleading and unverified reports in the media regarding security breach of data related to Aadhaar, which is entirely denied as incorrect and misinformed."

Citing the apex court's judgement, Basheer said that courts may also award compensation to the states when they violate the constitutional rights of a citizen. He further requested the court to appoint an independent committee comprising multiple experts to investigate the scope, extent of breaches and the magnitude of harm caused due to Aadhaar data leak.