UID says telecom operators cannot misuse Aadhaar eKYC data

A schematic representation of Aadhaar eKYC provided by UIDAI

The Unique Identification Authority of India has rebutted allegations that Aadhaar data submitted by citizens to companies are prone to misuse.

Aadhaar — which is India’s equivalent of the US social security number — is a unique number given to each resident of India, including non-citizens.

Each Aadhaar number is associated with a set of ten fingerprints and two iris scans.

Many people in India refused to have themselves fingerprinted and their eyes scanned to obtain an Aadhaar number, and the Supreme Court of India has ruled that the government cannot force its citizens to acquire an Aadhaar number.

Despite this, 99% of the people in India have signed up, the government clarified recently, due to the ease of getting government schemes and entitlements.

eKYC & PRIVACY CONCERNS

These concerns have come to the fore once again in recent weeks after private corporations were allowed to use the Aadhaar database to identify their customers.

Private companies, such as telecom operators and banks, can get their customers to scan their fingerprints on the companies’ machines as a way of identifying themselves.

According to many social media messages, Aadhaar data so obtained — which includes the name, sex and location of the person — is being stored by these companies and subsequently ‘sold’ to others for use in marketing their products.

Many messages allege that the UID Authority has given these companies a ‘copy of the Aadhaar database’ to help them identify these customers.

However, said the UID Authority in a clarification today, neither of these allegations is true.

First, it said, private companies are not allowed to store the biometric information — such as fingerprint data — obtained from their customers. Secondly, it said, no copy of the Aadhaar database is given to private companies.

“A telecom operator can obtain the E-KYC data of its subscribers and will keep them in their records without biometrics and use them only for the purpose of providing telecom services,” the agency said.

For example, if a person walks into a telecom services outlet, gives his Aadhaar number and presses his finger on their scanner to get a new connection, the data from the device is encrypted and sent to the UID Authority’s computers along with the Aadhaar number.

At the UID office, the computer checks whether the fingerprint submitted by the company matches the fingerprint present in its database for the given Aadhaar number.

If both fingerprints match, then the UID server responds to the telecom operator with a green signal. If not, it sends a red signal indicating that the fingerprint does not match its records for the given Aadhaar number.

According to the UID Authority, the telecom operator or bank is not supposed to interfere in this process in any way, or to copy and retain the fingerprint data captured by the device and sent to the Authority for verification.

“Any unauthorized capture of IRIS or fingerprints or storage or replay of biometrics or their misuse is a criminal offence under the Aadhaar Act,” it said.

Moreover, the UID Authority does not provide the bank or the telecom company with a copy of its UID database, as verification is done entirely at the Authority’s office via the Internet. The private company can only get a ‘yes’ or ‘no’ answer to the question: ‘does the fingerprint provided match the Aadhaar number provided?’

In recent months, the organization added, it has strengthened its security measures by requiring that only registered devices be used to capture biometric data and that the data be encrypted at the point of capture.