Aadhaar ecosystem is unsafe as there are no parameters for protecting cyber security and privacy of its users.
The unauthorised access to the Aadhaar database that was obtained by a journalist to prove how unsafe the system was, has only increased concerns about the safety of personal data of nearly 120 crore people — the largest database available with a single authority anywhere in the world. Contrary to assertions of the government, this incident proved that the database is available on demand.
Though the Unique Identification Authority of India (UIDAI), the body responsible for Aadhaar, proposed the concept of Virtual Identity on January 10, whereby people would not have to share their actual Aadhaar number, the damage has already been done.
People have many doubts about the safety of their information and the adequacy of current laws in addressing the issues that may arise from any future breach of privacy or data theft from Aadhaar database or its vast network.
The legal framework for Aadhaar is the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Servi-ces) Act, 2016 and a January 10, 2018, circular that seeks to introduce virtual identity. The Aadhaar Act, however, does not envisage a virtual identity.
If we look at these legal frameworks, we find that the Aadhaar Act is not adequate to deal with the challenges thrown up, due to the increased breaches in the Aadhaar ecosystem. The offenc-es under the Aadhaar Act are defined under chapter VII.
Section 48 of the said Aadhaar Act makes the act of unauthorised accessing or extracting data from the Central Identities Data Repository, downloading, copying or extracting data therefrom, introducing or causing to be introduced any virus or computer contaminant, damaging or causing to be damaged the data in the Central Identities Data Repository or disrupting or causing to be disrupted the access to data in the Central Identities Data Repository as an offence punishable with three years imprisonment and Rs 10 lakh fine. The elements of hacking of Aadhaar database could be brought under Section 38 of the Aadhaar Act, 2016.
In addition, the provisions of Section 66 read with Section 43 of the Information Technology Act, 2000, relating to computer related offences could also be invoked. The said provisions make the act of hacking an offence that is punishable with five years of imprisonment.
As of now, the Aadhaar Act is almost two years old and outdated, given the increasing focus of the government on making Aadhaar mandatory for most services. The obvious result is that there are almost no convictions under this law.
Therefore, the Aadhaar ecosystem is completely unsafe as there are no parameters for protecting cyber security and privacy of Aadhaar holders. Rights, duties and obligations of service providers and stakeholders need to be defined clearly. On top of it, the new concept of Virtual Identity, which is introduced on an optional basis, makes the entire exercise not very effective in the long run.
India cannot take inspiration from advanced countries as there are no specific model laws in other countries in this regard. Some countries have tried to experiment with national biometric identity systems but have chosen not to implement it, given the huge security and other legal challenges that were in store.
Despite all the shortcomings in Aadhaar, there is no denying the fact that it has become the central point of our day-to-day life. Hence, all efforts must be made now to make Aadhaar more secure and safe. The government needs to revise and amend the Aadhaar Act, 2016 to mirror existing ground realities. While the Supreme Court judgment on Aadhaar law violating privacy is awaited, the government must proactively work on protecting cyber security of the Aadhaar ecosystem as a whole.
(The author is an advocate of the Supreme Court of India and the chairman of the International Commission on Cyber Security Law)