Keeping Aadhaar data secure a key challenge

Wednesday’s judgment by a Constitution Bench of the Supreme Court on the Aadhaar Act has been a landmark one. This represents a watershed moment in the history of independent India. This is because very few occasions have arisen where the Supreme Court has been called upon to decide as momentous a issue as Aadhaar.

The Supreme Court judgment comes as a major relief for a majority of Indian citizens who were slightly confused about the legality of Aadhaar. We were all hearing different things from different quarters, but finally the Supreme Court has held that Aadhaar is constitutionally valid. However, we have to quickly realise that while this judgment is indeed historic and a landmark one, it is just one chapter in a book that is still being written. We quickly have to move on to the next chapter. It is one thing to say that Aadhaar is constitutionally valid and legal, but it is a completely different paradigm to say that Aadhaar is cyber secure, cyber safe and cyber resilient.

Now the focus has to be on how can we actually concentrate on the cyber security-related ramifications of Aadhaar. This is one aspect that requires the utmost attention today.

From a common man’s perspective, who has given his data to private companies, the striking down of Section 57 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 comes in as a great saver. This is because people still trust their government somewhat, but they cannot trust private entities, who may monetise any kind of personal information. Having said that, this judgment actually opens up a Pandora’s box — on how we can now ensure that people who had given their Aadhaar information to private entities are going to get back the said information?

How are they going to ensure that this information does not get misused, to their detriment? Who is going to certify that the said information has been deleted and scrapped from the systems of private players, considering the fact that a number of private players may not really want to part with such information because this could be monetised later? Also, jurisdictional issues will come to the forefront as a lot of private players have saved this information on servers and data centres located outside the territorial boundaries of India. Therefore, trying to get the said information back from those data centres is going to be a tall order.

We would now require a supplemental legal regime that needs to concentrate on and elaborate the rights, duties and responsibilities of the corporate sector, who had earlier dealt with, handled or processed the Aadhaar data — on how they will dismantle the said Aadhaar data on their computer networks and resources and how they will delete it and ensure that the said data does not actually get compromised or misused in the coming weeks, months and years.

Seen from another perspective, the first set of legal challenges have been now decided by the Supreme Court. Aadhaar represents not just a normal paradigm, it represents India’s critical information infrastructure. A lot of issues and challenges still have to be addressed in the context of the cyber ramifications of Aadhaar — because Aadhaar is capturing people’s biometric details, like thumb impressions, retina scans, etc. Thus, it is absolutely imperative that India must work on constantly strengthening the cyber security of the Aadhaar paradigm. It is not just the Aadhaar Central Identities Data Repository (CIDR), but the entire Aadhaar ecosystem which is developing that needs to be cyber secure, as Aadhaar is now intrinsically linked with India’s sovereignty, security and integrity. If any state or non-state actor outside India wants to target India, they would want to target India’s Aadhaar ecosystem.

There have not been adequate steps taken to strengthen cyber security of the Aadhaar ecosystem. We need to not just incorporate more and more stringent cyber security mechanisms as part of the Aadhaar ecosystem, but more significantly, we also need to stipulate the cyber security responsibilities and duties of various stakeholders in the Aadhaar ecosystem.

The government is now duty bound to protect the privacy of people’s personal data and biometric data on the Aadhaar ecosystem. Furthermore, the issues pertaining to data protection have to be adequately dealt with. At present, we do not have a dedicated data protection law in India. The personal Data Protection Bill is currently being discussed. It is yet to be seen how this judgment impacts the said bill.

At the end of the day, we must quickly realise that Aadhaar is here to stay. With 1.22 billion individuals in the Indian population on Aadhaar, it is now a ground reality. The issue is how best can we, as a nation, make it more cyber secure, cyber resilient, cyber safe and cyber reliant.