DAMNED STATISTICS

Did Aadhaar CEO mislead the Supreme Court?

The UIDAI CEO attempted to allay concerns about data security

On March 22, the Supreme Court gave Ajay Bhushan Pandey, the chief executive officer of the Unique Identification Authority of India, a rather unique opportunity—to make a PowerPoint presentation before a five-judge Constitution bench hearing a batch of petitions challenging the legal validity of Aadhaar.

Pandey’s hour-long presentation was high on rhetoric, but surprisingly low on substance. At one point, he said, “It would take more than the age of the universe for the fastest computer on earth, or any super computer, to break one key” of Aadhaar’s encryption. It was a shocking exaggeration, because Pandey was grossly underestimating the computing capabilities that exist now. The duration he mentioned would be apt in the case of a standard desktop computer—say, one with 4GB RAM and a 2GHz multicore processor. As the Aadhaar data is protected by a 2048-bit encryption, such a machine would take, as per estimates by the internet security firm DigiCert.com, more than six quadrillion years to crack the code. The age of the universe is just 14 billion years.

READ: The complete PowerPoint presentation made before the Supreme Court, as accessed by livelaw.in

But, as Pandey surely knows, no hacker will ever try to access Aadhaar data using such a laggardly machine. In fact, it will not be hackers, or even teams of hackers, who are likely to try and break into the UIDAI vault. The attack is likely to come from large organisations with massive resources in the form of money, labour and computing power—governments, for instance. The National Security Agency of the US, for one, would find the job of hacking into Aadhaar difficult, but far from impossible. “The length of the key used to encrypt and decrypt information, measured in bits, is one of many aspects of what determines how hard an encryption scheme is to crack,” said a 2013 story in The New Yorker, titled ‘How the NSA cracked the web’. “The 128-bit encryption is now relatively easy; 2048-bit is much harder.”

Bruce Schneier, security technologist and contributor to Wired, wrote the same year: “We are already trying to phase out 1,024-bit keys in favour of 2,048-bit keys. Perhaps, we need to jump even further ahead and consider 3,072-bit keys. And, maybe, we should be even more paranoid… and use key lengths above 5,000 bits.”

All this discussion happened five years ago, which means that Aadhaar’s 2,048-bit encryption that Pandey is so proud of is clearly not the best available now. His presentation also contained information that does not appear to be true. Slide 28 of his PowerPoint presentation, for instance, claimed that UIDAI’s data centres are “Tier 3 certified by Uptime”.

Uptime Institute is an American professional services organisation that evaluates critical infrastructure built and maintained by organisations, mainly businesses. For a behemoth like UIDAI, which sits on a data goldmine comprising personal information about more than 1.2 billion people, a Tier 3 certification by Uptime is not worth bragging about—there are better and much safer levels of certification available.

The bigger problem, however, is that UIDAI’s Tier 3 certification seems to have expired, as per information on the Uptime website. UIDAI got the certification for its facility in November 2015, and Uptime says that certifications issued after January 2014 are valid only for two years. In the case of a constructed facility, the certification awarded is valid only until the facility is modified. By UIDAI’s own admission, its data centres were in the process of continuous expansion and modification throughout these past four years.

UPDATE: After this story was published, N.K. Singh, Uptime's senior director (business development, south Asia), got in touch with THE WEEK. He clarified that the construction certificates awarded to UIDAI's Bengaluru and Manesar facilities were still valid. "Normally, the certification happens in stages," he said. "There are three stages to it. The first stage: Whenever you are designing the data centre, the design gets reviewed and certified. The validity of the design certification is two years... Second: Once you build [the data centre], and once you get the construction certificate, then that certificate overrides the design certificate, and has lifetime validity." Singh, however, said UIDAI's data centres did not have the third-stage certification. "Whatever great infrastructure you build, if you don't manage it well, then your reliability gets compromised," he said. "So the third stage of certification—we call it operation and management certification—looks at whether [the data centre] is in line with the required standards, and whether it can maintain a certain level of reliability and performance across its lifetime. That third-stage certification is not done [for UIDAI's data centres]." Singh added that Uptime's certificate was not about ensuring safety. "The certification is directly proportional to reliability, because reliability of data centres is the key."

UIDAI has been operating its data centres in Bengaluru and Manesar for the past five years. As of now, it remains unclear whether the authority has plans to apply for Uptime's third-stage certification for the two facilities. 

Even if one chooses to ignore the troubling security aspects in his presentation, there are graver issues still. Like a magician conjuring a hare from his hat, Pandey pulls out authentic-looking statistics from thin air. Take, for instance, slide number 40—headlined ‘Savings on account of Aadhaar based DBT’. It has a chart showing the breakup of money saved by the government, thanks to the Aadhaar-enabled direct benefit transfer of subsidies.

According to that chart, the PAHAL scheme of the petroleum and natural gas ministry saved Rs 29,769 crore, till 2016-17; ‘Food and Public Distribution’ saved Rs 14,000 crore; ‘Rural Development’ saved Rs 12,140 crore; ‘Others’ saved Rs 1,120 crore. In total, the government appears to have saved Rs 57,029 crore, all thanks to Aadhaar.

The figures are questionable, at best. They have been sourced from dbtbharat.gov.in, a government website that gives “estimated benefits/gains from DBT and other governance reforms”. The site does not give any information about how the figures were arrived at, and neither does it attribute all the savings to Aadhaar alone. The savings in the PAHAL scheme, for instance, are attributed, among others, to the elimination of “inactive LPG connections” and consumers stopping claims for subsidy. The savings for ‘Food and Public Distribution’ are attributed to “deletion of 2.75 crore duplicated and fake/non-existent ration cards (including some due to migration death, etc)”. The estimated savings for ‘Rural Development’, says the website, is based on “field studies”. There is no footnote or link to the unnamed study by the unnamed ministry.

Slide number 48 shows what appears to be clippings of media reports. Headlined ‘World View of Aadhaar’, the slide features, on top, a news item saying, “India saved 1 billion USD by using Aadhaar, reports World Bank.” A box in the bottom, which is apparently not part of the report's headline, says, “As per Digital Dividends Report of World Bank 2016, once Aadhaar is applied to all social programmes and welfare distribution, it is estimated that it will save USD 11 billion per annum.”

But, that is not what the World Bank said. The relevant passage in the report reads: “India’s fuel subsidy program, implementing cash transfers to Aadhaar-linked bank accounts to buy liquefied petroleum gas cylinders, saved about US$1 billion per year when applied throughout the country. This is just one of many subsidy programs in India that are being converted to direct transfers using digital ID, potentially saving over US$11 billion per year in government expenditures through reduced leakage and efficiency gains.”

Even if one left the matter of ‘potential savings’ aside, the World Bank’s conclusion is deeply problematic, as pointed out by economists Jean Dreze and Reetika Khera in February this year. Dreze and Khera wrote that the figures pertaining to Aadhaar in the report were poorly sourced—they came from a brief prepared by a US-based, Indian-origin economist, and were not based on any empirical study. The World Bank, they said, even misrepresented the data. “The $11 billion figure cited in the brief is not a savings figure at all. It is just an estimate of the government of India’s total annual expenditure on ‘major cash transfers’,” Dreze and Khera wrote.

The figure, according to them, was arrived at by wrongly extrapolating another problematic figure—a study in Andhra Pradesh had found that the government had reduced leakages in the National Rural Employment Guarantee Scheme by 10.8 per cent. That number from Andhra—which, to be sure, is not substantiated—was applied by the US-based economist to the whole range of welfare schemes run by state and Central governments. That is not only poor economics, but astoundingly bad mathematics as well.

Dreze and Khera pointed out that the World Bank dished up that figure with a warning: “It should be noted that realising this potential savings [of $11 billion] for all government transfers is conditional on accountable institutions to complement the investment in digital technology,” the bank had said in its report. 

Pandey’s presentation was drained of all such nuances and nuggets. And he was not as careful and conscientious as he should have been while testifying before the Constitution bench of the Supreme Court in a case that has far-reaching consequences. By granting him the chance to make the PowerPoint presentation, the court had given him a great opportunity to make a strong argument in favour of the government’s claims, and thereby allay the fears and doubts regarding the privacy, security and economic aspects of Aadhaar. The errors make it evident that he not only blew that opportunity, but has exposed himself to charges of perjury.
