From UPSC perspective, the following things are important :
Prelims level : Aadhaar and its minuscles
Mains level : Data Privacy and Aadhaar
Two days after issuing an advisory asking people to refrain from sharing photocopies of their Aadhaar Card, the Unique Identification Development Authority of India (UIDAI) opted to withdraw the notification.
- The withdrawn notice had suggested holders use a masked Aadhaar card instead of the conventional photocopy.
- It added that the document must not be downloaded from a cybercafe or public computer and if done for some reason, must be permanently deleted from the system.
- Private entities like hotels or film halls cannot collect or keep copies of the identification document.
What is Masked Aadhaar?
- ‘Masked Aadhaar’ veils the first eight digits of the twelve-digit ID with ‘XXXX’ characters.
- The notice informed that only entities possessing a ‘User Licence’ are permitted to seek Aadhaar for authentication purposes.
Why in news now?
- In July 2018, Telecom Regulatory of India’s Chairman tweeted his Aadhaar number challenging users to “cause him any harm”.
- In response, users dug up his mobile number, PAN number, photographs, residential address and date of birth.
- UIDAI dismissed assertions of any data leak, arguing that most of the data was publicly available.
- It did however caution users from publicly sharing their Aadhaar numbers.
Security of Aadhaar: What does the law say?
- The Aadhaar (Targeted Delivery of Financial and Other Subsidies Benefits and Services) Act, 2016 makes it clear.
- Aadhaar authentication is necessary for availing subsidies, benefits and services that are financed from the Consolidated Fund of India.
- In the absence of Aadhaar, the individual is to be offered an alternate and viable means of identification to ensure she/he is not deprived of the same.
- Separately, Aadhaar has been described as a preferred KYC (Know Your Customer) document but not mandatory for opening bank accounts, acquiring a new SIM or school admissions.
- The requesting entity would have to obtain the consent of the individual before collecting his/her identity.
- The entity must ensure that the information is only used for authentication purposes on the Central Identities Data Repository (CIDR).
What is CIDR?
- This centralised database contains all Aadhaar numbers and holder’s corresponding demographic and biometric information.
- UIDAI responds to authentication queries with a ‘Yes’ or ‘No’.
- In some cases, basic KYC details (as name, address, photograph etc.) accompany the verification answer ‘Yes’.
- The regulator does not receive or collect the holder’s bank, investment or insurance details.
Protection of confidentiality
- The Act makes it clear that confidentiality needs to be maintained and the authenticated information cannot be used for anything other than the specified purpose.
- More importantly, no Aadhaar number (or enclosed personal information) collected from the holder can be published, displayed or posted publicly.
- Identity information or authentication records would only be liable to be produced pursuant to an order of the High Court or Supreme Court, or by someone of the Secretary rank or above in the interest of national security.
Is identity theft via Aadhaar possible?
- As per the National Payment Corporation of India’s (NCPI) data, ₹6.48 crore worth of financial frauds through 8,739 transactions involving 2,391 unique users took place in FY 2021-22.
- Since the inception of the UID project, institutions and organisations have endowed greater focus on linking their databases with Aadhaar numbers.
- This include bank accounts especially in light of the compulsory linkage for direct benefit transfer schemes.
Structural problems with UIDAI
- The Aadhaar Data Vault is where all numbers collected by authentication agencies are centrally stored.
- Comptroller and Auditor General of India’s (CAG) latest report stipulated that UIDAI has not specified any encryption algorithm (as of October 2020) to secure the same.
- There is no mechanism to illustrate that the entities were adhering to appropriate procedures.
- Further, UIDAI’s unstable record with biometric authentication has not helped it with de-duplication efforts, the process that ensures that each Aadhaar Number generated is unique.
- The CAG’s reported stated that apart from the issue of multiple Aadhaars to the same resident, there have been instances of the same biometric data being accorded to multiple residents.
- The CAG concluded it was “not effective enough” in detecting the leakages and plugging them.
- Biometric authentications can be a cause of worry, especially for disabled and senior citizens with both the iris and fingerprints dilapidating.
- Though the UIDAI has assured that no one would be deprived of any benefits due to biometric authentication failures.
- The absence of an efficient technology could serve as poignant premise for frauds to make use of their ‘databases’.
Try this PYQ:
Q.Consider the following statements:
- Aadhaar metadata cannot be stored for more than three months.
- State cannot enter into any contract with private corporations for sharing of Aadhaar data.
- Aadhaar is mandatory for obtaining insurance products.
- Aadhaar is mandatory for getting benefits funded out of the Consolidated Fund of India.
Which of the statements given above is/are correct?
(a) 1 and 4 only
(b) 2 and 4 only
(c) 3 only
(d) 1, 2 and 3 only
Post your answers here.