Intelligence Agencies Will Not Have Open Access to Aadhaar Data: UIDAI Chief

Intelligence Agencies Will Not Have Open Access to Aadhaar Data: UIDAI Chief is a Hindustan Times report by Aloke Tikku published on 20 October 2016. The article presents UIDAI CEO ABP Pandey’s defence of the seven-year data retention policy announced the previous month, emphasising legal and cryptographic safeguards against unauthorised access, whilst featuring counterarguments from privacy advocates who questioned whether regulatory frameworks could adequately protect against surveillance risks inherent in centralised data architecture.

Article Details
Full Text
Context and Background
External Link

Article Details

📰 Published in:: Hindustan Times
📅 Date:: 20 October 2016
👤 Authors:: Aloke Tikku
📄 Type:: News Report
📰 Newspaper Link:: Read Online

Full Text

Intelligence agencies will not have free access to Aadhaar data, a top government official said on Thursday, looking to assuage fears of abuse of personal information.

The Unique Identification Authority of India (UIDAI), which issued identity cards to 1.07 billion Indians, last month decided to retain data related to the verification of Aadhaar-enabled transactions for seven years, leading to security concerns over data safety.

As reported by HT on Monday, privacy experts expressed concerns that transaction data retained for so long could be accessed by the security establishment for surveillance on individuals without sufficient grounds.

"This fear is completely misplaced," ABP Pandey, UIDAI's chief executive officer, told HT in an interview.

Security agencies can access the data only in case of national security after they get the nod of an oversight committee headed by the cabinet secretary. This committee has to clear every order made by the designated joint secretary-level officer before the information is shared, he said.

"You cannot have any legal protection stronger than this," Pandey added.

Aadhaar transaction data is not only protected by the most powerful, contemporary law to restrict access but also by strong cryptography.

"Even if someone attempts, the 2048-bit encryption is so strong that it will take them millions of computers and billions of years to decrypt the data," he said.

A vocal critic of Aadhaar's design, Sunil Abraham of the Centre for Internet and Society (CIS) suggested he wouldn't rely too much on the legal framework. "You cannot put a legal band-aid on a broken technological solution. You need to get privacy and security right by design," the director of the Bengaluru-based research body said.

Abraham said the problem could have been averted if the UIDAI did not store the data in a centralised form. Instead, it could have used its digital signature to sign proof of authentication that could be stored by the authenticating agency and the citizen on a smart card.

Context and Background

This article appeared three days after an earlier report in the same publication had highlighted privacy concerns regarding UIDAI’s seven-year data retention policy. The timing suggested a coordinated effort by the authority to address public and expert anxieties about potential surveillance capabilities enabled by centralised authentication logs. With 1.07 billion Aadhaar numbers issued by October 2016, the programme had achieved near-universal coverage, amplifying the stakes of data protection failures.

UIDAI CEO’s defence rested on two pillars: legal safeguards and cryptographic protections. The legal framework required intelligence agencies seeking access to authentication data to obtain clearance from an oversight committee headed by the cabinet secretary, which would review every request made by designated joint secretary-level officers. This represented a higher approval threshold than the rules previously reported, which had allowed joint secretaries to authorise access on national security grounds without explicit mention of oversight committee clearance.

The cryptographic assurance—that 2048-bit encryption would require “millions of computers and billions of years” to decrypt—addressed concerns about technical vulnerabilities. However, this argument assumed that adversaries would attempt brute-force decryption rather than exploiting implementation flaws, insider access, or legal compulsion for key disclosure. Cryptographic strength, whilst important, offered limited protection against authorised but potentially overreaching state access.

The counterpoint from the Centre for Internet and Society articulated a fundamental critique: legal and cryptographic safeguards could not compensate for architectural choices that concentrated sensitive data in centralised repositories. The phrase “legal band-aid on a broken technological solution” encapsulated the argument that privacy protection required “privacy by design”—systems structured to minimise data collection and retention—rather than ex-post controls on access to extensively collected data.

The alternative architecture proposed—using digital signatures to create verifiable authentication proofs stored by citizens on smart cards and by authenticating agencies, rather than centrally by UIDAI—would have fundamentally altered the surveillance risk profile. In such a model, no single entity would possess a comprehensive log of authentication events, eliminating the possibility of “360-degree surveillance” that critics had warned about in earlier coverage. However, implementing such a decentralised model would have required different technical infrastructure and potentially complicated the government’s direct benefit transfer objectives, which relied on centralised verification.

The debate reflected broader tensions in digital identity systems globally: whether to prioritise transactional convenience and state oversight capabilities through centralised architectures, or to emphasise privacy and resistance to surveillance through distributed designs. The UIDAI’s choice of the former, defended through assurances of robust access controls, would remain controversial throughout subsequent Aadhaar litigation and policy debates.