Continuing our discussion on the Judgement of the three Judges, Dipak Mishra, A K Sikri and A W Khanwilkar, responding to the first issue answered by them namely,
(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?
(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data?
(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?
the judges have responded….
(ii) Metabase relating to transaction, as provided in Regulation 26 of the aforesaid Regulations in the present form, is held to be impermissible, which needs suitable amendment.
The section 26 of the regulations state as follows:
(1) The Authority shall store and maintain authentication transaction data, which shall contain the following information:—
(a) authentication request data received including PID block;
(b) authentication response data sent
(c) meta data related to the transaction.
(d) any authentication server side configurations as necessary Provided that the Authority shall not, in any case, store the purpose of authentication.
The judgement suggests a “Suitable Amendment”. In the earlier paragraphs, the judges have noted the fact that UIDAI does not collect the purpose of authentication nor the location of the transaction. Hence it is not clear what exactly is the concern of the judiciary regarding the meta data collection. It appears that this reflects the unverified concerns of the petitioners.
In fact from the security perspective of prevention of frauds, it looks stupid not to collect the locational information of the authentication since this is part of any “Risk management” system.
There are instances where the POS devices are moved from one state to another and used for conducting fraudulent transactions to avoid detection. Also in case of cloned card use, one of the security measures is to understand where from the transaction is happenning. Similarly if one minute back an aahaar authentication hapenned from Bangalore and the next minute from Chennai, it is an indication that the authentication request is fraudulent.
To identify such frauds, it is necessary to collect the IP address, GPS data and not only use it at the time of authentication but also maintain it as “Evidence” for later use.
It is accepted that the data so collected should be securely stored. Placing any other restriction would be weakening the security of the transaction and actually hurt the interest of the Aadhaar user whose biometric might have been stolen.
It is therefore necessary to record that this prescription of the Court was not warranted. Since the judgment only says the section has to be amended, without exactly giving direction, at this point there is lack of clarity on this suggested amendment.
Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.