Foreign Firms Have Full Access To Aadhar Data

Contrary to the Centre’s claims, contracts signed with foreign firms by the Unique Identification Authority of India (UIDAI), custodian of Aadhar data, show that they got “full access” to classified data including fingerprints, iris scan info, and personal information like date of birth, address and mobile number of the applicants.

They were also allowed to store the data for seven years.

This was revealed through an RTI application filed by Bengaluru-based Col Matthew Thomas, one of the petitioners in the right to privacy case currently being heard in Supreme Court.

The RTI reply showed that the nature of the contracts contradicted UIDAI’s statements that no private entity had access to unencrypted Aadhar data. The contract with one of the biometric service providers (BSPs), L-1 Identity Solutions Operating Co Pvt Ltd, headquartered in US, says that the company was given Aadhar data access “as part of its job”. (L-1 has been taken over by French transnational Safran Group) Morpho and Accenture Services Pvt Ltd are two other firms that were given identical contracts with twoyear (2010 to 2012) Aadhaar data access.

Clause 15.1 of the contract, titled ‘Data and Hardware’, says that the firm, by virtue of the contract “may have access to personal data of the purchaser (UID), and/or a third party or any resident of India…” Further, Clause 3, which deals with privacy, says that the BSP could “collect, use, transfer, store and process the data”. It also says that the BSP shall process all personal data in accordance with applicable law and regulation and should not disclose such information. The contract, however, does not define ‘personal data’.

An advocate familiar with the subject explained: “If the contract does not define it, then we must go by the definitions given by UIDAI as part of the project.” According to UIDAI, personal data includes both biometric (fingerprints and iris) and demographic data (name, date of birth, address, mobile number). The latter may also include bank details, licence number, PAN number, passport number and other information furnished as part of KYC.

Another clause in the contract says that the firm should maintain the biometric template created by it and that in the event of termination or expiry of contract, it “shall transfer all the proprietary templates to UIDAI”. Col Thomas says: “If the firms did not have the biometric data, what were they expected to transfer? Why can’t the UIDAI just come out in the open with all the contract details?” Though UIDAI maintained that it has purchased the software and hardware to roll out the Aadhar programme, the contracts show that the BSPs were responsible for providing hardware for the first one crore enrolments.

A cyber expert said: “If the hardware is also installed by the firms, then there must have been thorough checking to see if they contained anything that could steal data.” UIDAI has said that no data ever left its servers and premises and every bit of information is safe and secure.

Ravi Visvesvaraya Prasad, a telecom and IT expert, said, “One cannot check for duplication without having raw data. If foreign firms had access to such data, as is clear by the language in the contract, it is potentially dangerous and needs to be looked into.”