Aadhaar Judgement-5…Collection of Metadata

This is a continuation of the earlier articles on the topic

Continuing our discussion on the Judgement of the three Judges, Dipak Mishra, A K Sikri and A W Khanwilkar, responding to the first issue answered by them namely,

(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?

Incidental Issues:

(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data?
(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?

the judges have responded….

(ii) Metabase relating to transaction, as provided in Regulation 26 of the aforesaid Regulations in the present form, is held to be impermissible, which needs suitable amendment.

The section 26 of the regulations state as follows:

(1) The Authority shall store and maintain authentication transaction data, which shall contain the following information:—

(a) authentication request data received including PID block;
(b) authentication response data sent
(c) meta data related to the transaction.
(d) any authentication server side configurations as necessary Provided that the Authority shall not, in any case, store the purpose of authentication.

The judgement suggests a “Suitable Amendment”. In the earlier paragraphs, the judges have noted the fact that UIDAI does not collect the purpose of authentication nor the location of the transaction. Hence it is not clear what exactly is the concern of the judiciary regarding the meta data collection. It appears that  this reflects the unverified concerns of the petitioners.

In fact from the security perspective of prevention of frauds, it looks stupid not to collect the locational information of the authentication since this is part of any “Risk management” system.

There are instances where the POS devices are moved from one state to another and used for conducting fraudulent transactions to avoid detection. Also in case of cloned card use, one of the security measures is to understand where from the transaction is happenning. Similarly if one minute back an aahaar authentication hapenned from Bangalore and the next minute from Chennai, it is an indication that the authentication request is fraudulent.

To identify such frauds, it is necessary to collect the IP address, GPS data and not only use it at the time of authentication but also maintain it as “Evidence” for later use.

It is accepted that the data so collected should be securely stored. Placing any other restriction would be weakening the security of the transaction and actually hurt the interest of the Aadhaar user whose biometric might have been stolen.

It is therefore necessary to record that this prescription of the Court was not warranted. Since the judgment only says the section has to be amended, without exactly giving direction, at this point there is lack of clarity on this suggested amendment.

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.


This entry was posted in Cyber Law. Bookmark the permalink.

1 Response to Aadhaar Judgement-5…Collection of Metadata

  1. Firdaus Lalkaka says:

    As an honest and upright Indian citizen, to prevent misuse/abuse of my Aadhar data, I would want :
    (1) to be given a ‘prior’intimation through an SMS/email on my registered Mobile No/email address whenever anyone (be it a bank, mobile service company, etc) is attempting to verify my information with the Aadhar database maintained by UIDAI.
    (2) to have the ‘right to decline’ the giving of my Aadhar information if I so desire by responding to such SMS/email Intimation sent to me.
    (3) to know the ‘purpose’ for which my Aadhar information was being requested as well as the identity of the information seeker.

    The above information should be held by UIDAI at all times (without any time limit) as this will establish an audit trail in case it is needed in future.
    Needless to say, that I would expect my biometric information to be furiously guarded to prevent identity theft.
    In my view, linking of Aadhar and PAN to a citizen’s assets (Bank A/cs, Demat A/cs, Credit/Debit cards, Immovable properties, insurance policies, etc as well as his loan A/cs) will go a long way in identifying the true owner as well as reduce corruption.
    To eradicate the menace of corruption, the Govt should link all immovable properties with Aadhar & PAN and make it mandatory for all holdings in bullion form to be transacted compulsorily in demat form. There should be a law which prohibits holding of bullion above a certain weight in physical form.
    If all of the above is done, it would be very difficult for scamsters/corrupt citizens to hold any assets or for that matter even run away with the loot.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.