Pandey’s presentation had just started and one of the two projectors in the court stopped working. He had also failed to authenticate himself during a demo.
Ajay Bhushan Pandey, the CEO of the Unique Identification Authority of India (UIDAI), is a frequent visitor to the Supreme Court these days for hearings on Aadhaar. He was brought in by the government to give explanations to the court regarding concerns about information security raised by the petitioners, and counter them using PowerPoint presentations.
During the opening statements of the final hearings, petitioner Shyam Divan had used the illustrations of fingerprint matching and of a map to show how one can conduct surveillance of a user, based on his metadata of Aadhaar authentications.
The job of the Attorney General has been to convince the court that Aadhaar is a perfect technology with no flaws whatsoever. Most of his arguments in the court so far have built been around how Aadhaar helps the government save taxes and preserve the rights of the poor. His arguments include how Aadhaar is acceptable under the exemptions provided by the Supreme Court judgment on the fundamental right to privacy.
Pandey’s presentation had just started when one of the two projectors in the court stopped working. This was not the first time such an incident occurred. During one of the previous Aadhaar hearings too, Pandey had failed to authenticate himself during a demo made for the court.
Armed with a 53-slide presentation, Pandey praised the security of the project by making statements like “it will take all the time in the universe to crack the encryption of Aadhaar data after encryption”, while making no references to developments in the field of quantum computing and cryptography, or to basic human flaws often found in poorly programmed software.
Comparing the issues of biometrics and smart cards, he said the Aadhaar Act does not allow surveillance, while smart cards can be used for surveillance. The judges sought clarity on the metadata UIDAI receives and the possibility of knowing further information; Pandey had to agree they do know the meta information.
Responding to questions raised by the judges, Pandey said Aadhaar authentication is not 100 per cent perfect because of multiple factors like internet connectivity, and issues with UIDAI partner agencies. He said the authentication success rate for the government was 88 per cent, 95 per cent for banks, and 97 per cent for telecom. He said vested interests and the media were bringing the success rates of government down.
Pandey’s executive presentation mirrored many of the assertions made by the government in conferences and press releases, like praise for virtual ID and face authentication for Aadhaar. Apart from surveillance, petitioners have raised the issue of probabilistic nature of technology, and how Aadhaar would deny rights.
As part of the support documents provided to the court, he submitted his own Aadhaar authentication records to show how an individual can find out about his Aadhaar authentications on the UIDAI dashboard. But these records showed 18 per cent authentication failure rate for Pandey himself.
Pandey’s transactional metadata now has become part of public record and has allowed security researcher Anand V. to track Pandey, including details of the bank he has accounts in, and how he had conducted audits during The Tribune episode. Anand V. has tweeted his entire findings on social media, and everyone now knows a lot more about Pandey than necessary. The metadata includes the name of the requesting authentication entity, date, time, and error code, apart from the UIDAI response code and transaction ID.
From the logs, Anand deduced how Pandey locked his biometrics and forgot to unlock them before a transaction, thus leading to a failure at the IDFC bank. Anand could also find out how the CEO did not leave for his home the whole night based on the transaction times on the day The Tribune reported a breach in the UIDAI portal. Anand also established how Pandey had been following up on the development of much hyped virtual ID for Aadhaar, which was supposed to be launched by 1 March but is yet under development.
Pandey is facing severe criticism from the public for his statements and actions related to the Aadhaar project, and is under close scrutiny.
Based on the presentation made by Pandey, the petitioners have now asked 20 questions to him through the court, asking for further clarifications on his assertions on Aadhaar security and surveillance. It would be interesting to see the UIDAI’s position during the next hearing on Tuesday, 3 April.
Read more: Aadhaar authentication failure in Supreme Court is a fake issue