Times of India’s Edit Page team comprises senior journalists with wide-ranging interests who debate and opine on the news and issues of the day.
A UIDAI advisory warning citizens of the misuse of Aadhaar card photocopies and e-copies by unlicensed entities went viral across the country. A stung GoI withdrew the note and asked cardholders to exercise “normal prudence” while sharing Aadhaar numbers. However, specific concerns raised by the UIDAI advisory weren’t addressed. Officials seemed more worried about the “possibility for misinterpretation” and stressed that the Aadhaar ecosystem had adequate safety features. Many private agencies demand and collect Aadhaar card photocopies even when they are not licensed to do online authentication. Digital photo-editing tools can easily manipulate images and text on Aadhaar card copies. However, such fraud can’t evade authentication checks against UIDAI’s central identities data repository.
Still, it is a fraud. But one that has a solution. UIDAI allows offline verification seeking entities (OVSE), which don’t have to be accredited, to scan the QR code on Aadhaar cards to check identity and demographic information of a person. And Section 8A (4) of the Aadhaar Act 2016 stipulates that no OVSE shall “collect, use or store” Aadhaar numbers or biometric information of any individual. Perhaps recognising the scale of unauthorised storage, UIDAI regulations in February mandated that any organisation seeking to check identities offline should scan the QR code on Aadhaar cards, verify the authority’s digital signature, and tally identity information encoded by the QR code. UIDAI was therefore not wrong in suggesting caution in the press release that was withdrawn. Such digital identity scanning should certainly replace the collection of photocopies. And UIDAI should perhaps penalise unauthorised storage.
An additional threat is the collection of biometric information like fingerprints by employers, lenders, state agencies. Unlike UIDAI, these smaller entities cannot boast of robust security protocols. Theft of such poorly stored biometric data is undermining Aadhaar-enabled payment systems. Telangana police recently warned users who lost money they should disable their biometric link to Aadhaar. These crimes require GoI to strongly regulate biometric and Aadhaar data collection by private entities. The crux of the problem is that governments have been too permissive about private and public entities seeking and collecting personal data. The Supreme Court had barred commercial entities from demanding Aadhaar. The flipside was that many people in a document-poor country didn’t have any means to prove identity when, say, applying for a SIM card. GoI specifically allowed telecom companies to use Aadhaar for e-KYC. But restrictions should be put in for many other entities demanding and storing Aadhaar.
This piece appeared as an editorial opinion in the print edition of The Times of India.