The Unique Identification Authority of India (UIDAI) on Thursday told the Delhi High Court that reports regarding security breach of data related to Aadhaar is incorrect and misleading as the strongest encryption technology has been used to store data which is impossible to decrypt.
“The technology used is 2048-bit encryption, which is the strongest one and it is impossible to decrypt and extract any information even if enrolment packets were accessible during transit to the UIDAI data centre,” UIDAI told a bench of Justice S. Ravindra Bhat and Justice Prateek Jalan.
The bench was hearing a plea seeking exemplary damages for the losses caused due to leakage of Aadhaar data.
The plea was filed by Shamnad Basheer alleging that the dissemination of personal information of Aadhaar holders made it clear that the government is responsible for any breach of right to informational privacy.
In an affidavit, the government agecy said that Aadhaar data is fully secured at all times and for further strengthening of security and privacy of data, security audits are conducted on regular basis, and all possible steps are taken to make the data safer and protected.
It further added that there are multiple layers of security at physical level in UIDAI data centres and is being managed by armed Central Industrial Security Force (CISF) personnel round-the-clock.
“The technical architecture of Aadhaar has been structured in such a way, so as to ensure clear data verification, authentication and de-duplication, while ensuring a high level of privacy and information security,” the UIDAI said.
“UIDAI has taken all necessary safeguards, starting from providing standardised software that encrypts the entire data even before saving it to any disk; protecting data using tamper-proofing; identifying every operator in all and every enrolment; and identifying every one of the thousands of machines using an unique registration process, which ensures every encrypted data is tracked,” read the reply copy filed by the UIDAI.
Countering Basheer’s claim, the agency also said that the petitioner is trying to re-agitate the same issues which have attained finality before the Supreme Court and therefore the present petition deserves to be dismissed with costs.
It said that the petition is based on a mere assumption that the general public is likely to be aggrieved.
“In the entire petition, there is not even a mention as to how the petitioner is aggrieved by the actions of the UIDAI and how his constitutional rights have been violated to entitle him to damages claimed by him,” the UIDAI said.
Adding that there is no merit in the application, UIDAI, in its reply, said: “The alleged facts (leakage of Aadhaar data) on the basis of which the petitioner has filed the plea are unsubstantiated statements and the information relating to the Aadhaar scheme has been grossly misreported and interpolated to mislead this court.
“The petitioner has pivoted his entire case around the misleading and unverified reports in the media regarding security breach of data related to Aadhaar, which is entirely denied as incorrect and misinformed.”
The agency requested the court to dismiss the plea with cost as the petitioner has no locus standi to file this application.
The petitioner has said his constitutional rights have been violated due to the negligence of UIDAI.
Citing the top court’s judgement, the petitioner said that when the state violates the constitutional rights of a citizen, courts may award compensation.
Basheer has also requested the court to appoint an independent committee comprising multiple experts to investigate the scope, extent of breaches and the magnitude of harm caused due to data leak.