Questioning the Safety of Aadhaar

Why in the News?

Two days after issuing an advisory asking people to refrain from sharing photocopies of their Aadhaar Card, the Unique Identification Development Authority of India (UIDAI) opted to withdraw the notification.

The action was taken to avert any possibility of ‘misinterpretation’ of the (withdrawn) press release.

What was the UIDAI’s initial warning?

The UIDAI, the statutory body mandated to collect Aadhaar data, issued the first press release on May 27, warning the “general public not to share photocopy of one’s Aadhaar with any organisation, because it can be misused”
Instead, it recommended that “a masked Aadhaar, which displays only the last four digits of your Aadhaar number,” be used for such purposes
It also asked the public to avoid using public computers to download their e-Aadhaar
- If they did so, it reminded them that they should ensure that any downloaded copies of the same are “permanently deleted from that computer”
Only those organisations that have obtained a User License from the UIDAI can use Aadhaar to establish the identity of a person
It asked users to verify that any private entity demanding to see the Aadhaar card should have a valid User License from the UIDAI

Why was it withdrawn?

The UIDAI withdrew the press release, on the ground that it could be open to misinterpretation
It said “Aadhaar card holders are only advised to exercise normal prudence in using and sharing their UIDAI Aadhaar numbers”, and that there are enough security features to keep it safe

How does one keep one’s Aadhaar data safe?

Two-factor authentication: It is imperative that Aadhaar is linked to the primary mobile number and email ID.
- This is where UIDAI will send the one-time password (OTP) if someone tries to access the Aadhaar account or using it for any verification.
Masked Aadhaar copy: A ‘Masked Aadhaar’ copy can be downloaded from the official UIDAI website
- A photocopy or version of this can be shared as a full Aadhaar ID
- This version only has the last four digits of the Aadhaar number, instead of the full number
Locking biometrics: Aadhaar biometric data can be locked from the UIDAI website. After locking the biometrics (fingerprint, iris, and face), they can no longer be used for authentication

However, OTP-based authentication would continue to be available as needed

Use VID: The Virtual Identity, or VID, is a system of “Limited KYC” (Know Your Customer)
- This hides the Aadhaar number from the authenticating agency, while still confirming the identity of the user
- This is a 16-digit number, but temporary in nature. So, unlike the permanent 12-digit Aadhaar number, the VID is valid only for some time

What does the law say?

The Aadhaar (Targeted Delivery of Financial and Other Subsidies Benefits and Services) Act, 2016 makes it clear that Aadhaar authentication is necessary for availing subsidies, benefits and services that are financed from the Consolidated Fund of India
In the absence of Aadhaar, the individual is to be offered an alternate and viable means of identification to ensure she/he is not deprived of the same
The requesting entity would have to obtain the consent of the individual before collecting his/her identity and ensure that the information is only used for authentication purposes on the Central Identities Data Repository (CIDR)
This centralised database contains all Aadhaar numbers and holder’s corresponding demographic and biometric information
The Act makes it clear that confidentiality needs to be maintained, and the authenticated information cannot be used for anything other than the specified purpose

About UIDAI:

The UIDAI is a statutory authority established under the provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016
It Works under the jurisdiction of the Ministry of Electronics and Information Technology
Mandate: The UIDAI is mandated to assign a 12-digit unique identification (UID) number (Aadhaar) to all the residents of India