Apart from creating unnecessary confusion, the Centre’s recent flip-flop over the safety of sharing Aadhaar card photocopies also exposes the deep-rooted problems in the ecosystem. A regional office of the Unique Identification Authority of India (UIDAI) had cautioned against sharing photocopies with “unlicensed private entities” in an advisory last week. It also warned against downloading e-Aadhaar on public computers and advised users who do so to permanently delete it from such systems. Against the backdrop of multiple instances of Aadhaar data leakage of individuals, these warnings were, without doubt, well-directed. Curiously, hours later, the Union ministry of electronics and information technology withdrew the advisory to avoid “misinterpretation.” The ministry asked all Aadhaar card-holders to exercise “normal prudence” in their use of unique identity details. The Centre would do well to spell out what constitutes “normal prudence” given how ubiquitous Aadhaar has become for any requirement of proof of identity.
The Supreme Court’s Puttaswamy judgment (2018) had held that private entities could not insist on Aadhaar, and it could not be made mandatory for even banking and telecom services. In practice, however, Aadhaar details have become the “preferred” (read mandatory) Know Your Customer document for a host of private and government services. While the entity soliciting Aadhaar details is required to obtain consent from the Aadhaar-holder, consent-seeking becomes perfunctory when denial of consent effectively translates into denial of service. This is not to say that Aadhaar should not be widely used—even as the Centre has exhorted the states to use it to expand service delivery within the framework of the law, the Aadhaar-stack use-cases hold considerable promise in the digital age. However, the Aadhaar ecosystem must not become a tool in the hands of unscrupulous elements for defrauding the State and its people.
The retracted UIDAI advisory asked Aadhaar-holders to make use of masked Aadhaar—where only the last four digits of the 12-digit Aadhaar are visible. However, there is not enough awareness among the public regarding this. There could be accessibility problems as well, especially for the technologically challenged and the poor, given it is in a password-protected, electronic form. Aadhaar, of course, can be used as proof of identity without having to involve the physical card or its photocopies. For use-cases in brick-and-mortar settings, point-of-sale biometric/QR-based authentication can do away with the need for photocopies. Basic KYC details of the Aadhaar-holder can be shared with the requesting entity for record-keeping. But apart from the low deployment and connectivity issues, these come with their own problems, including the possibility of stolen biometric information.
The UIDAI has not acquitted itself well in ensuring the robustness of the ecosystem’s security. In a recent report, the Comptroller and Auditor General of India said that the UIDAI was “neither able to derive required assurance” that the information systems of the entities involved in the authentication ecosystem—the requesting entities (REs) and the authentication service agencies (ASAs)—complied with prescribed standards, “nor did it ensure” auditing by the authorised bodies. The Centre needs to fix the security challenges to the Aadhaar ecosystem. Asking Aadhaar-holders to exercise normal prudence is just passing the buck. The least it can do is to bring in a robust personal data protection law so that data principals have some recourse if defrauded.