Officials who have designed the blueprint for utilisation of Aadhaar card say that the Narendra Modi government should have forcefully stated that Aadhaar usage is compliant with the Information Technology Act, 2000 in the Supreme Court.
While the Modi government is grappling with the confusion over Aadhaar card utilisation in as many areas as possible with the issue being referred to a Constitution bench of the Supreme Court (SC), those aware of the fine print are of the view that since its use is backed by the Information Technology (IT) Act, 2000, there is no reason to worry or stop the ongoing work related with the Aadhaar card utilisation in any area.
“Even if you leave out the biometrics part for the time being till the case is pending in the Supreme Court, electronic Aadhaar number and card is a legally valid document and the same is the case with e-KYC,” said an official who has taken part in the development of Aadhaar model.
The electronic know your customer (e-KYC) service provided by the Unique Identification Authority of India (UIDAI) is paperless, instant, secure and non-repudiable and the government expects it to enhance business efficiency and resident convenience across sectors where proof of identity and address has to be established, he added.
According to the UIDAI: “Using the e-KYC service, the residents can authorise UIDAI to release their KYC data to a service provider, either in person (through biometric authentication), or online (through OTP authentication). In real-time, upon successful authentication of the resident, the UIDAI will provide the name of the resident, address, date of birth, gender, and photograph to the service provider”.
The official said the best part is that all this is compliant with the law, and this is what the government needed to tell the Supreme Court rather than harping on the privacy issue, and added that while the passage of the UIDAI Bill to give Aadhaar a statutory status is the ultimate solution, its use even now is legally valid, so it can’t be stopped.
This is how Aadhaar card use is compliant with the IT Act, 2000:
The data provided to the service provider is fully in compliance with the Act.
1. The e-KYC electronic record provided by UIDAI is equivalent to the Aadhaar letter (Section 4 of the IT Act, 2000);
2. A cryptographic hash of the KYC data is computed and attached. The SHA-2 digital hash function algorithm is used. Hashing ensures that any tampering of the data in transit is detected (Section 3 of the IT Act, 2000);
3. The KYC data along with the computed hash are encrypted using a combination of AES-256 symmetric key and RSA-2048 PKI encryption form a secure electronic record. The encryption ensures that only the intended service provider can view the data provided by UIDAI (Section 14 of the IT Act, 2000); and
4. The encrypted data and hash are digitally signed by UIDAI using RSA-2048 PKI. The secure digital signature of UIDAI can be verified by the service provider to ensure the authenticity of the source (Section 15 of the IT Act, 2000).
According to the official, the e-KYC service is also compliant with the latest standards notified in the Information Technology (Certifying Authorities), Amendment Rules 2011.
Clearly, this could be a big support for the government in dealing with the setback due to the decision of the three-judge bench of the SC led by Justice J Chelameswar to not make its August 11 order less stringent – which restricted its use to public distribution system and LPG subsidy – till a Constitution Bench considers the legal issue relating to the right to privacy in collection of biometric data for Aadhaar cards.
The government and other agencies can go ahead and use Aadhaar on a voluntary basis till the final decision in the case comes in the SC so that more than 92 crore people having Aadhaar are not denied its benefits.