Questioning the safety of Aadhaar
The Hindu
Can Aadhaar be the one-stop solution for all identification requirements? Does it safeguard the privacy of its various beneficiaries?
The story so far: Two days after issuing an advisory asking people to refrain from sharing photocopies of their Aadhaar Card, the Unique Identification Development Authority of India (UIDAI) opted to withdraw the notification. It stated that the action was to avert any possibility of ‘misinterpretation’ of the (withdrawn) press release, asking people to exercise “normal prudence” in using/sharing their Aadhaar numbers.
The withdrawn notice had suggested holders use a masked Aadhaar card instead of the conventional photocopy, adding that the document must not be downloaded from a cybercafé or public computer and, if it is for some reason, must be permanently deleted from the system. ‘Masked Aadhaar’ veils the first eight digits of the twelve-digit ID with ‘XXXX’ characters. The notice stated that only entities possessing a ‘User Licence’ are permitted to seek Aadhaar for authentication purposes. Private entities like hotels or film halls cannot collect or keep copies of the identification document.
In July 2018, Telecom Regulatory of India’s Chairman R.S. Sharma tweeted his Aadhaar number challenging users to “cause him any harm”. In response, users dug up his mobile number, PAN number, photographs, residential address and date of birth. It could not be ascertained if the PAN number was actually correct. UIDAI dismissed assertions of any data leak, arguing that most of the data was publicly available. It did, however, caution users against publicly sharing their Aadhaar numbers.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 makes it clear that Aadhaar authentication is necessary for availing subsidies, benefits and services that are financed from the Consolidated Fund of India. In the absence of Aadhaar, the individual is to be offered an alternate and viable means of identification to ensure she/he is not deprived of the same.
Separately, Aadhaar has been described as a preferred KYC (Know Your Customer) document, but it is not mandatory for opening bank accounts, acquiring a new SIM or school admissions.
The requesting entity would have to obtain the consent of the individual before collecting his/her identity and ensure that the information is only used for authentication purposes on the Central Identities Data Repository (CIDR). This centralised database contains all Aadhaar numbers and the holders’ corresponding demographic and biometric information. UIDAI responds to authentication queries with a ‘Yes’ or ‘No’. In some cases, basic KYC details (such as name, address, photograph, etc.) accompany the verification answer ‘Yes’. The regulator does not receive or collect the holder’s bank, investment or insurance details. Additionally, the Aadhaar Act forbids sharing Core Biometric Information (such as fingerprint, iris scan, among other biometric attributes) for any purpose other than Aadhaar number generation and authentication.
The Act makes it clear that confidentiality needs to be maintained and the authenticated information cannot be used for anything other than the specified purpose. More importantly, no Aadhaar number (or enclosed personal information) collected from the holder can be published, displayed or posted publicly. Identity information or authentication records would only be liable to be produced pursuant to an order of the High Court or Supreme Court, or by someone of the Secretary rank or above in the interest of national security.