Storing Aadhar is Punishable - Full Details
The use of the Aadhaar number is governed by The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016. Chapter II of the Act is on Enrolment and defines the creation of the Aadhaar number, its properties and measures for its issuance. Chapter III is on Authentication. It covers the use of the number for purpose of establishing identity.
Chapter V and VI deal with the establishment, powers and funding of the UIDAI. Chapter VI concerns itself with security and confidentiality of the information with UIDAI. Chapter VII deals with penalties for various offences under the Act. The final section, VIII, deals with powers of the central government to supersede the authority and the power of the authority to make regulations.
The UIDAI notified 5 Regulations on 12 September 2016.
1. Unique Identification Authority Of India (Transaction Of Business At Meetings Of The Authority) Regulations, 2016 (No. 1 Of 2016),
2. Aadhaar (Enrolment And Update) Regulations, 2016 (No. 2 Of 2016),
3. Aadhaar (Authentication) Regulations, 2016 (No. 3 Of 2016),
4. Aadhaar (Data Security) Regulations, 2016 (No. 4 Of 2016),
5. Aadhaar (Sharing Of Information) Regulations, 2016 (No. 5 Of 2016)
Permitted Use
Chapter III 8 of the Act, therefore, is the only section defining the use of Aadhaar numbers. It is evident that the only use of the Aadhaar number, according to the Act, is authentication of individuals.
8. (1) The Authority shall perform authentication of the Aadhaar number of an Aadhaar number holder submitted by any requesting entity, in relation to his biometric information or demographic information, subject to such conditions and on payment of such fees and in such manner as may be specified by regulations.
(2) A requesting entity shall—
(a) unless otherwise provided in this Act, obtain the consent of an individual before collecting his identity information for the purposes of authentication in such manner as may be specified by regulations; and
(b) ensure that the identity information of an individual is only used for submission to the Central Identities Data Repository for authentication.
(3) A requesting entity shall inform, in such manner as may be specified by regulations, the individual submitting his identity information for authentication, the following details with respect to authentication, namely:—
(a) the nature of information that may be shared upon authentication;
(b) the uses to which the information received during authentication may be put by the requesting entity; and
(c) alternatives to submission of identity information to the requesting entity.
(4) The Authority shall respond to an authentication query with a positive, negative or any other appropriate response, sharing such identity information excluding any core biometric information.
Authentication is defined thrice. First in Chapter I 2(c) of the Act, then in Enrolment and Update Regulations, Chapter I 2(d) and in Authentication Regulations, Chapter I 2(c).
2(c). “Authentication” means the process by which the Aadhaar number alongwith demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it.
The Authentication Regulations Chapter II 3 defines the types of authentication.
3. Types of Authentication.— There shall be two types of authentication facilities provided by the Authority, namely:
(i) Yes/No authentication facility, which may be carried out using any of the modes specified in regulation 4(2); and
(ii) e-KYC authentication facility, which may be carried out only using OTP and/ or biometric authentication modes as specified in regulation 4(2).
The Authentication Regulations Chapter II 4 defines the modes of authentication.
4. Modes of Authentication
(1) An authentication request shall be entertained by the Authority only upon a request sent by a requesting entity electronically in accordance with these regulations and conforming to the specifications laid down by the Authority.
(2) Authentication may be carried out through the following modes:
(a) Demographic authentication: The Aadhaar number and demographic information of the Aadhaar number holder obtained from the Aadhaar number holder is matched with the demographic information of the Aadhaar number holder in the CIDR.
(b) One-time pin based authentication: A One Time Pin (OTP), with limited time validity, is sent to the mobile number and/ or e-mail address of the Aadhaar number holder registered with the Authority, or generated by other appropriate means. The Aadhaar number holder shall provide this OTP along with his Aadhaar number during authentication and the same shall be matched with the OTP generated by the Authority.
(c) Biometric-based authentication: The Aadhaar number and biometric information submitted by an Aadhaar number holder are matched with the biometric information of the said Aadhaar number holder stored in the CIDR. This may be fingerprints-based or iris-based authentication or other biometric modalities based on biometric information stored in the CIDR.
(d) Multi-factor authentication: A combination of two or more of the above modes may be used for authentication.
(3) A requesting entity may choose suitable mode(s) of authentication from the modes specified in sub-regulation (2) for a particular service or business function as per its requirement, including multiple factor authentication for enhancing security. For the avoidance of doubt, it is clarified that e-KYC authentication shall only be carried out using OTP and/ or biometric authentication.
The Authentication Regulations Chapter II 9 defines the process of sending authentication requests.
9. Process of sending authentication requests
(1) After collecting the Aadhaar number or any other identifier provided by the requesting entity, which is mapped to Aadhaar number and necessary demographic and /or biometric information and/ or OTP from the Aadhaar number holder, the client application shall immediately package and encrypt these input parameters into PID block before any transmission, as per the specifications laid down by the Authority, and shall send it to server of the requesting entity using secure protocols as may be laid down by the Authority for this purpose.
(2) After validation, the server of a requesting entity shall pass the authentication request to the CIDR, through the server of the Authentication Service Agency as per the specifications laid down by the Authority. The authentication request shall be digitally signed by the requesting entity and/or by the Authentication Service Agency, as per the mutual agreement between them.
(3) Based on the mode of authentication request, the CIDR shall validate the input parameters against the data stored therein and return a digitally signed Yes or No authentication response, or a digitally signed e-KYC authentication response with encrypted e-KYC data, as the case may be, along with other technical details related to the authentication transaction.
(4) In all modes of authentication, the Aadhaar number is mandatory and is submitted along with the input parameters specified in sub-regulation (1) above such that authentication is always reduced to a 1:1 match.
(5) A requesting entity shall ensure that encryption of PID Block takes place at the time of capture on the authentication device as per the processes and specifications laid down by the Authority.
While it is evident that without the Aadhaar number a 1:1 match is not possible, we will ignore that consideration for now. Let us look at what the UIDAI’s response should be to an authentication query. It should return only Yes or No authentication response, or a digitally signed e-KYC authentication response.
eKYC
Section 16 (3) of the Authentication Regulations, any KUA can store the eKYC record only and cannot share the eKYC without consent of the Aadhaar holder.
16. Use of e-KYC authentication facility.—
(1) A KUA may use the e-KYC authentication facility provided by the Authority for obtaining the e-KYC data of the Aadhaar number holder for its own purposes.
(2) A KUA may perform e-KYC authentication on behalf of other agencies, and share the e-KYC data with such agency for a specified purpose, upon obtaining consent from the Aadhaar number holder for such purpose.
(3) A KUA may store, with consent of the Aadhaar number holder, e-KYC data of an Aadhaar number holder, received upon e-KYC authentication, in encrypted form and subsequently share the e-KYC data with any other agency, for a specified purpose, upon obtaining separate consent for every such sharing from the Aadhaar number holder for that purpose.
(4) The agency with whom the KUA has shared the e-KYC data of the Aadhaar number holder shall not share it further with any other entity or agency except for completing the transaction for which the Aadhaar number holder has specifically consented to such sharing.
(5) The Aadhaar number holder may, at any time, revoke consent given to a KUA for storing his e-KYC data or for sharing it with third parties, and upon such revocation, the KUA shall delete the e-KYC data and cease any further sharing.
(6) In addition to the restriction on further sharing contained in sub-regulation (4), all other obligations relating to the personal information of the Aadhaar number holder, data security and other relevant responsibilities applicable to requesting entities, shall also apply to the agency or entity with whom e-KYC data has been shared in accordance with this regulation 16.
(7) Upon request, a KUA shall provide a digitally signed electronic copy of the e-KYC data to the Aadhaar number holder, and the Aadhaar number holder may subsequently share the said copy with any agency: Provided that the agency that is requesting e-KYC data from the Aadhaar number holder shall inform the purpose of doing so and take the consent of the Aadhaar number; Provided further that the agency with whom the Aadhaar number holder has shared the e-KYC data shall not share it further with any other entity/agency except for completing the transaction for which the Aadhaar number holder specifically consented to such sharing.
(8) The KUA shall maintain auditable logs of all such transactions where e-KYC data has been shared with other agencies, for a period specified by the Authority.
A KYC User Agency (KUA) is defined in Chapter I 2(l) of the Authentication Regulations.
(l) “e-KYC User Agency” or “KUA” shall mean a requesting entity which, in addition to being an AUA, uses e-KYC authentication facility provided by the Authority;
eKYC data is defined under 2(k) of the Authentication Regulations, 2016 and does not include the Aadhaar number.
(k) “e-KYC data” means demographic information and photograph of an Aadhaar number holder;
Reading 8 and16(3) with 2(k) means Aadhaar number can only be used for authentication and only the eKYC data can be stored by the KUA on consent of the Aadhaar holder. The Aadhaar number cannot be stored.
Strangely the UIDAI’s own API is in violation of the Act by returning the Aadhaar number in an eKYC record. The API seems to have been developed by a group of IT professionals, including former UIDAI employees, calling themselves as “volunteers” to a group called iSprit as a part of the India Stack.
Storage and Retention of Aadhaar Numbers
Chapter IV 29 of the Aadhaar Act places clear restrictions on sharing information to that specified in the Act in the manner specified by the regulations. It prohibits publishing, displaying or posting publicly any Aadhaar number. Thus no other sharing of the Aadhaar number and the e-KYC data is possible.
29. (1) No core biometric information, collected or created under this Act, shall be—
(a) shared with anyone for any reason whatsoever; or
(b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.
(2) The identity information, other than core biometric information, collected or created under this Act may be shared only in accordance with the provisions of this Act and in such manner as may be specified by regulations.
(3) No identity information available with a requesting entity shall be—
(a) used for any purpose, other than that specified to the individual at the time of submitting any identity information for authentication; or
(b) disclosed further, except with the prior consent of the individual to whom such information relates.
(4) No Aadhaar number or core biometric information collected or created under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for the purposes as may be specified by regulations.
All storage of Aadhaar numbers is therefore illegal and a violation of The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016.
Any retention of the Aadhaar number by any organization or database would not be in accordance with The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016. Asking for linking the Aadhaar number, for it to be quoted on forms, displaying it on certificates and documents, storing it in registers or databases is completely illegal and a violation of the provisions of the Aadhaar Act.
Offences and Penalties
Organisations that continue to ask for Aadhaar numbers in their forms, displaying or storing it on their documents, certificates, registers and databases would be committing offences under Chapter VII 38, 39, 40, 41, 42 and various sections of the IPC.
38. Whoever, not being authorised by the Authority, intentionally,—
(a) accesses or secures access to the Central Identities Data Repository;
(b) downloads, copies or extracts any data from the Central Identities Data Repository or stored in any removable storage medium;
(c) introduces or causes to be introduced any virus or other computer contaminant in the Central Identities Data Repository;
(d) damages or causes to be damaged the data in the Central Identities Data Repository;
(e) disrupts or causes disruption of the access to the Central Identities Data Repository;
(f) denies or causes a denial of access to any person who is authorised to access the Central Identities Data Repository;
(g) reveals any information in contravention of sub-section (5) of section 28, or shares, uses or displays information in contravention of section 29 or assists any person in any of the aforementioned acts;
(h) destroys, deletes or alters any information stored in any removable storage media or in the Central Identities Data Repository or diminishes its value or utility or affects it injuriously by any means; or
(i) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used by the Authority with an intention to cause damage, shall be punishable with imprisonment for a term which may extend to three years and shall also be liable to a fine which shall not be less than ten lakh rupees.
Explanation.—For the purposes of this section, the expressions “computer contaminant”, “computer virus” and “damage” shall have the meanings respectively assigned to them in the Explanation to section 43 of the Information Technology Act, 2000, and the expression “computer source code” shall have the meaning assigned to it in the Explanation to section 65 of the said Act.
39. Whoever, not being authorised by the Authority, uses or tampers with the data in the Central Identities Data Repository or in any removable storage medium with the intent of modifying information relating to Aadhaar number holder or discovering any information thereof, shall be punishable with imprisonment for a term which may extend to three years and shall also be liable to a fine which may extend to ten thousand rupees.
40. Whoever, being a requesting entity, uses the identity information of an individual in contravention of sub-section (3) of section 8, shall be punishable with imprisonment which may extend to three years or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both.
41. Whoever, being an enrolling agency or a requesting entity, fails to comply with the requirements of sub-section (2) of section 3 or sub-section (3) of section 8, shall be punishable with imprisonment which may extend to one year or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both.
42. Whoever commits an offence under this Act or any rules or regulations made thereunder for which no specific penalty is provided elsewhere than this section, shall be punishable with imprisonment for a term which may extend to one year or with a fine which may extend to twenty-five thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees, or with both.
The only valid use of the Aadhaar number under the Act is to obtain a yes/no answer or obtain the demographic information (an e-KYC record) associated with an Aadhaar number submitted with the consent of its holder. The increasing demand for recording the Aadhaar number in various forms, documents, registers, certificates, and databases is illegal. The increasing number of leaks of Aadhaar numbers and associated peronal information indicate the widespread misunderstanding of the Aadhaar number, its use and the Aadhaar Act. You are within your rights to write to the UIDAI with your complaint. Here is a draft.
Dr AB Pandey
Chief Executive Officer (CEO),
Unique Identification Authority of India -UIDAI
3rd Floor, Tower II, Jeevan Bharati Building,
Connaught Circus,
New Delhi - 110001
Subject: Complaint of violations under The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016
We bring to your attention that the following person/organization
Insert Name and Address of violater:
are indulging in (please tick all that apply)
• Storage or retention of Aadhaar number in their registers or databases
• Linking the Aadhaar number to their databases
• Requesting for the Aadhaar number to be quoted on forms
• Displaying Aadhaar number on certificates and documents,
• Publishing Aadhaar numbers publicly
in violation of
• The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016
• Unique Identification Authority Of India (Transaction Of Business At Meetings Of The Authority) Regulations, 2016 (No. 1 Of 2016),
• Aadhaar (Enrolment And Update) Regualtions, 2016 (No. 2 Of 2016),
• Aadhaar (Authentication) Regulations, 2016 (No. 3 Of 2016),
• Aadhaar (Data Security) Regulations, 2016 (No. 4 Of 2016),
• Aadhaar (Sharing Of Information) Regulations, 2016 (No. 5 Of 2016)
They have, therefore, committed offences under Chapter VII 38, 39, 40, 41, 42 of The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 and various sections of the IPC.
We require that you:
1. Immediately file an FIR for maximum penalty under relevant sections of relevant laws.
2. Provide a copy of the the FIR in 7 days, failing which explain the reasons for delay in discharge of duty and officers responsible for the delay.
3. Issue notifications and wide publicity in the electronic and print media including radio and television networks to make it clear that storage, linking, obtaining on forms, displaying on certificates and documents, and publishing of Aadhaar numbers is a crime punishable with fine and imprisonment.
We trust you will do all within Chapter VI of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 to protect our information and not cause us to seek other remedies and relief.
Sincerely yours,
Encl:
Evidence of offence
CC:
1. Shri Nripendra Mishra, Principal Secretary to Prime Minister, 152, South Block, Raisina Hill, New Delhi-110011
2. Chief Justice of India, ℅ Chief Justice's Conference Secretariat, Supreme Court of India, Tilak Marg, New Delhi-110 201
3. You can tweet it to the CEO of UIDAI @ceo_uidai and @uidai
4. You can send emails to UIDAI's DG : dg@uidai.gov.in and alok.shukla@uidai.gov.in more