Aadhaar and E-KYC: Various Issues

Reliance JIO and other telecom operators these days rely on Aadhaar data for customer verification before activating SIM cards. This article analyzes how such private players are able to access Aadhaar data and what issues this raises.

Key related Provisions of Aadhaar Act

To understand the nuances of this issue, we need to focus on three sections of the Aadhaar Act viz. section 57, section 8 and section 30.

Section 57

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 was enacted in March 2016. Section 57 of this act enables bodies corporate and persons other than the government to use the Aadhaar number to establish the identity of a person for any purpose pursuant to a law or a contract. Section 57 reads:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

The proviso to section 57 of the Aadhaar Act says that the use of the Aadhaar number by private entities must comply with Section 8 and Chapter VI of the same act. Section 8 and Chapter VI pertain to two basic principles in the act, viz. “Individual Consent” and “Confidentiality of information”.

Section 8

Section 8 deals with the manner in which the consent of the individual should be obtained before using his Aadhaar number for “authentication”. A company {called a requesting entity} can also obtain the biometric and demographic information from UIDAI for authentication, for a fee.

Section 30

Section 30 of the act recognizes biometric data as “sensitive personal information”.

How the Data is shared and used

The biometric data which we provided to UIDAI while getting our Aadhaar card is now stored in a centralized database called the “Central Identities Data Repository (CIDR)”. CIDR is a government agency under UIDAI mandated with storing and managing the data for the Aadhaar project. It is also responsible for verifying the authenticity of the documents submitted by individuals and keeping the information updated. It seeks to ensure that the Aadhaar number of each individual is unique, updated and relevant.

Any entity that wants to use the Aadhaar data is called a “requesting entity”. A requesting entity can be a government department, a government company or even a private company such as a telecom operator. These entities are allowed to request and use the data as per section 57 of the act. To make things simpler, we use the JIO example. When we go to obtain a JIO SIM, the company takes our biometric data {such as a thumb / finger impression} electronically and passes that information on to the CIDR. If the data supplied by the requesting entity matches the information in the CIDR, the CIDR sends a positive response, and this verifies the identity of that individual. This is called “authentication”.

We note here that the requesting entity can use Aadhaar number and biometric data only with the informed consent of the customer under section 8 of the act. So, when I go to get a JIO sim, I need to be informed what information I will have to share for authentication.

E-KYC and Aadhaar

We note that in the above authentication process, the CIDR shares only yes / no information about the authentication. It does not share the demographic and biometric information. This is where e-KYC comes into play. If the company is registered as an e-KYC User Agency (KUA), the biometric and demographic information of the customer stored in the CIDR can also be shown to the company so that it can physically verify the identity of the customer.

Understanding Consent Clause

We have discussed above that the requesting entity needs to obtain consent from the Aadhaar number holder for authentication. This consent has to be taken in electronic form and a log of it has to be maintained. Note that oral consent is NOT a valid method of obtaining consent.

Issues Involved

Now let’s discuss the issues involved here. Firstly, there are questions such as: is it safe that service providers are able to use personal and sensitive information? We take JIO’s example here. What happened in the JIO case was that it provided a honey-pot of free data, and many people just swarmed into Jio outlets and gave their biometric data to get the SIM activated. Reliance JIO is a KUA and legally collected the biometric data {fingerprints} on the devices of its agents. However, the legal process of obtaining prior consent was not, or may not have been, followed, and most shops might have contravened the regulations. This might suggest that Aadhaar data may be misused by the companies or their agents.

Secondly, the positions taken by the government and UIDAI on these issues have been ambiguous. The Attorney General of India recently claimed that Indian citizens have no constitutional right to privacy. This is surprising not only because there are several interpretations of constitutional provisions and judgments to the contrary, but also because it contravenes conventional wisdom and best practices in digital authentication and authorization systems. The finance minister, while getting the Aadhaar bill passed as a money bill, announced that “the government presupposes privacy as a fundamental right” and claimed that the bill has tightened privacy provisions when compared to what was there in the previous version.

Thirdly, another major concern is mass surveillance, tracking or profiling of people beyond legal sanctions using the centralized database, either through external hacks or through insider leaks and collusion.

Fourthly, data theft by insiders is a high possibility; it cannot be easily identified but can have huge implications. Our information technology laws need to be strengthened to protect against these kinds of theft.

Thus, though there are serious privacy concerns at present, Aadhaar e-KYC can be made safe from a technology perspective with due diligence. The legal framework, however, needs to be more specific and requires significant strengthening. Perhaps the single most important specific question that begs answering is who should have the right to verify the identity of an individual, and under what circumstances? Above all, the Aadhaar project requires informed and comprehensive policy debates, covering all angles, to realize its full effectiveness without causing the kind of disruptions that have been reported.
