The government on May 28 created a flutter when it issued guidelines advising against sharing photocopies of Aadhaar in an attempt to curb instances of misuse or identity theft and promptly added to the confusion by almost immediately retracting the advisory.
This, however, served to underscore the very real data security issue surrounding Aadhaar. Here are answers to some frequently asked questions, as shared by N.S. Nappinai, cyber law expert; V Kamakoti, Director, IIT Madras; and Reetika Khera, author, Dissent On Aadhaar, and Professor (Economics), IIT Delhi.
Q. Is Aadhaar mandatory?
A. In September 2018, the Supreme Court delivered a 4-1 majority verdict that upheld the constitutionality of the Aadhaar Act, but maintained that obtaining/sharing it is voluntary.
Q. How secure is Aadhaar?
A. There have been several instances in which photocopy of Aadhaar was misused for KYC. To prevent such instances, verification must be done with the phone number registered with Aadhaar. The onus is on the end agency, such as a bank, to verify the authenticity.
Q. How can Aadhaar data be secured?
A. A cyber vulnerability needs to be regularly carried out. This will help root out frauds that exploit vulnerabilities on the back-end. Regular cyber audits, collective effort is needed to nip misuse of Aadhaar details.
Q. Everyone these days ask for Aadhaar. What is the workaround?
A. Despite the Supreme Court ruling, everyone seems to have forgotten that Aadhaar is voluntary. Photocopies of Aadhaar can be misused. There are other ways of authenticating an individual's identity, such as e-sign, apart from Aadhaar. It has become a convenient way to offer identity proof, but ultimately, what matters is protection of user rights — especially right to share Aadhaar — and privacy. Aadhaar cannot be demanded as a matter of right.
As with any ID proof, Aadhaar should be shared prudently and after taking utmost care, regardless of what the government says.
Q. Was the first circular by the Ministry of Electronics and Information Technology (MeitY) necessary?
A. There was no cause for this knee-jerk reaction by MeitY. A lot of offline, online verification depends on Aadhaar, and this would have been affected had the circular been upheld.
Q. What should the government do instead?
A. The Unique Identification Authority of India (UIDAI) should issue clear guidelines of who can and cannot use Aadhaar. The challenge before the government is inculcating prudent behaviour among citizens as Aadhaar has become such a convenient way for verification.
Q. Who is responsible for identity verification?
A. The end agency that processes the application, such as a bank, telecom service provider, utilities, or even organisations carrying out joining formalities for a new company, need to verify the identity of the applicant using the number registered with UIDAI.
Q. What if the number registered with UIDAI is no longer in use?
A. It is very important to ensure all the information on your Aadhaar card is current. Ensure you update your Aadhaar whenever there is a change in address or phone number.
Q. Such warnings have been issued in the past, but they persist
A. There should be a moratorium on the use of Aadhaar till all these issues are sorted out. Nothing will grind to a halt. Things were done before Aadhaar, and will continue without Aadhaar too. There are way too many issues arising out of a lack of Aadhaar or its misuse — in the public distribution system, for instance, data entry operators have been found to misuse Aadhaar to wrongly say ration was withdrawn. A Comptroller and Auditor General (CAG) report said over five lakh duplicate Aadhaar cards were reported in a Bangalore Regional Centre.