The UIDAI on Wednesday rejected charges that foreign firms were accessing sensitive data, saying no Aadhaar information has ever been stored or processed outside its own data centre and that it resides only within its fully-secured servers.
"Aadhaar data is fully safe and secure and has robust uncompromised security. The UIDAI data centre is an infrastructure of critical importance and is protected accordingly with high technology, conforming to the best standards of security," the UIDAI said in a statement.
The Unique Identification Authority of India (UIDAI), which is the Aadhaar issuing body, said such data isaccessible only to the biometric software provider's solution for the purpose of processing of data "within the highly secure environment of UIDAI data centre". The Aadhaar data is stored, kept and processed only on the UIDAI servers within its data centre. Moreover, it said these servers have no linkages to the "outside world" through the Internet or any other means, including laptops and pen drives, adding that applications running on UIDAI IT hardware too are secured through firewall and intrusion prevention system.
The data centre premises are fully protected "physically", the UIDAI claimed, adding that hardware supplies are also tested twice before being put to use in the data centre. "No Aadhaar data has ever been kept, stored or processed outside the UIDAI data centre and is always on UIDAI servers," it added.
The UIDAI said the role of the biometric service providers is to offer de-duplication software which too runs on the UIDAI's secure servers and data centres. "The biometric image data is never in physical possession of biometric service provider or any of its employees at any point of time, in any case," it said further.
In terms of contracts requiring the software solution to be secure and conform to the government's data security guidelines, the statement said that all the service providers are bound by strict confidentiality regime under the contract, and violation would lead to three years of imprisonment.
The statement from the UIDAI comes amid reports that an RTI application has revealed that the Aadhaar contract gave foreign firms access to classified personal data such as fingerprints and iris scan information. The UIDAI has been fire-fighting allegations of unauthorised access to data. Last week, WikiLeaks hinted that the CIA had allegedly accessed the Aadhaar database, a claim strongly refuted by the UIDAI.
WikiLeaks, in a tweet last week, had said, "Have CIA spies already stolen #India's national ID card database?" It was alleged that the Central Intelligence Agency (CIA) was leveraging tools of US-based technology provider Cross Match -- incidentally, an Aadhaar vendor -- for snooping, and that sensitive data could have been compromised.