Why Complying With Court's Aadhaar Order Is Challenging
Some Complain About Lack of Advice on How to Delete Aadhaar Data

Privacy and security practitioners wonder if Aadhaar data collected by private firms all these years can actually be completely deleted in the next six months as directed by the Supreme Court of India, which recently determined that it's unconstitutional for companies to collect or ask for Aadhaar data from consumers.
"This logically means that companies that have stored authentication details of their users need to delete them immediately, as otherwise it will be illegal," says Rakesh Goyal, a CERT-In certified auditor.
"Almost 95 percent of Indians have Aadhaar, and a majority of them have given the details to private firms at one point or the other," Goyal says. "But how does one completely delete this data? I do not see a solution. We need a lot of planning and ground work."
Petitioners had raised concerns that the unique Aadhaar number enabled the government to potentially profile individuals and place them under surveillance. But despite the court's ruling, concerns around privacy still remain.
For many, the ruling has failed to take into account the practical aspects of deleting all the data collected until now. Also, the Supreme Court assumes that Aadhaar data is kept secure and safe by the government, practitioners complain. "The SC has not given any proper direction to the government. When most Aadhaar breaches are happening through government websites, how can the SC assume that the government is not at fault?" asks Dinesh O. Bareja, COO at Open Security Alliance.
In light of the Supreme Court ruling, the government has extended the comment period on a draft of a personal data protection bill to Oct. 31 so the new Aadhaar policy can be considered when commenting.
Aadhaar use is still mandated for certain government-related transactions, such as filing income tax returns or extending social grants.
Making Sure Data Deleted
Making sure that all private entities comply with the court's order to delete Aadhaar data will prove challenging, security experts claim, especially because the nation has not yet enacted a data protection law.
"In the absence of law, there is no entity to audit whether or not private companies are actually deleting personal data of customers," says a spokesperson for the Software Freedom Law Center, a legal services organization that brings together different stakeholders to protect freedom on the internet.
Many companies in India, especially banks and telcos, have been conducting KYC, or Know Your Customer, validation of their clients through Aadhaar and have been pushing customers to link their mobile numbers and bank accounts with Aadhaar.
"In all probability, the data collected by these firms would have travelled to other countries as well," Bareja notes. "A complete removal of this data is an impossible task."
Some privacy advocates are calling for the government to create incentives for companies to delete Aadhaar data.
Not Addressing Security
The Supreme Court's ruling does little to address the issue of Aadhaar security.
In recent months, there have been frequent news reports claiming that various government and private websites were displaying personally identifiable information of individuals that had been collected under Aadhaar (see: Why Does Aadhaar Data Continue to Get Compromised?).
Earlier this year, for example, the Center of Internet and Society reported that the Aadhaar numbers and personal information of as many as 135 million Indians were illegally disclosed and published. Also, in July, about 210 websites of central and state government departments were reported to have displayed the personal details and Aadhaar numbers of many beneficiaries.
But the Supreme Court decision has not taken into consideration these incidents, some critics say.
"The Supreme Court has declared the Aadhaar ecosystem as secure by relying on a presentation given by the UIDAI [Unique Identification Authority of India] during the hearings of the case," the SFLC spokesperson says. "There was evidence submitted by the petitioners during the hearings showing fallacies in the Aadhaar security measures, which have not been addressed by the court. The court has found that the Aadhaar Act does not violate fundamental right to privacy and has only struck down certain provisions found infringing on such right."
Goyal adds: "The Supreme Court has said that during the course of time, security will be built up in Aadhaar. The judgment totally missed [the lack of] cybersecurity of the Aadhaar ecosystem at various pain points. This is disappointing."
It also remains unclear what new approaches to authentication might replace companies' reliance on Aadhaar.
For now, UIDAI has passed the baton on enforcing the ban on private usage of Aadhaar data to sectoral regulators, including the Telecom Regulatory Authority of India and the Reserve Bank of India.
UIDAI CEO Ajay Bhushan Pandey told The Economic Times that he expects companies to comply with the court's order as soon as possible. But he added that the Aadhaar-issuing body will not issue any guidelines. Any clarifications would have to be sought from the court.