Aadhaar was established as a national Unique Identification number (UID) system. The Unique Identification Authority of India (UIDAI) falls under the purview of the Ministry of Electronics & Information Technology (MeitY), and is audited by the Comptroller & Auditor General (CAG).
This post attempts to review Aadhaar as the verifiable identification and authentication system in India based on a review of relevant provisions within the Aadhaar Act, 2016 and its Regulations.
The next post covers data security.
Authentication & Working
Did you know?
Aadhaar Act, 2016
Authentication & Working
Authentication — the ability to know that you are who you say you are before giving you access to something — is a fundamental tenet in information security. Credibility is infinitely improved when an authorized service provider can genuinely validate you, compared to receiving a photocopy of your passport. In return, you are guaranteed no one else is receiving a service or benefit to which you are entitled.
With this understanding, we explore the Aadhaar concept — a one-way authentication service. A service provider can authenticate you on a) your Aadhaar number and b) either OTP or biometrics, and deliver a service or a subsidy to you. The Aadhaar network does not communicate out of turn with the service provider though, and is not aware of what service was provided to you¹. It only knows which service provider requested your authentication, and logs this for audit purposes.²
To use a specific example, here’s what a headline like ‘mobile phones will now be linked to Aadhaar’ means: instead of storing photocopies of your driver’s license or passport, the telecom provider (via an authorized service agency, explained below) requests authentication using Aadhaar, and upon receiving a ‘Yes’ issues you a SIM.
- Aadhaar logs when the telecom provider asked for your authentication, that it was successful
- The service agency logs the same details but does not save (by law) any other data
- The telecom provider logs the request and the result, and services that were delivered. It does not see any other data used for authentication.
This concept is similar to credit card payments, where the service provider requests to charge you via a payment gateway. The gateway collects & transmits your card details to the issuing bank, both of which only aware of the provider and the total charge. The service provider also does not see your credit card number.
Aadhaar’s core data infrastructure is called The Central Information Data Repository (CIDR). No details regarding its location or type of systems is available.
The CIDR is classified as a Protected System³ under the IT Act, 2000, a Critical Information Infrastructure (CII) by the NCIIPC⁴ and the UIDAI itself is ISO27001:2013 certified⁵.
Key facts regarding the data stored within the CIDR:
- Name, date of birth, address, gender, and (optional) mobile/email constitute demographic information.
- Race, religion, caste, tribe, ethnicity, language, records of entitlement (benefits/subsidies), income or medical history are excluded by law.⁶
- Photograph, fingerprints &/or iris scan constitute biometric information.
- Of this, fingerprints & eye scan data are core biometric data, and excluded by law from being shared with “anyone for any reason whatsoever”.⁷ ⁸
- Biometric data is also ‘sensitive personal data or information’ status per IT Act, 2000.⁹
- Demographic information and biometric information are partitioned into separate databases. A single database does not have all of a holder’s information.
For the Government to request anyone’s Aadhaar logs within the CIDR, it must be:
- in the “interest of national security”
- directed by an officer with minimum rank of Joint Secretary
- reviewed by an Oversight Committee consisting of 1 Cabinet Secretary and secretaries of the Department of Legal affairs & the Department of Electronics & Information Technology.¹⁰
- pursuant to an order of a court not lower than a District Judge.
Such an order is valid for a period of 3 months, with a possible 3 month extension which must be reviewed by the Oversight Committee.
During enrollment, an applicant’s data is validated against the CIDR to ensure that the holder was not previously issued an Aadhaar number, a process known as de-duplication.
Aadhaar de-duplication is mandated by Regulation and is performed using 3 different biometric algorithm softwares.¹²
The penalty clauses under the Aadhaar Act provides for¹³:
- A 3-year term and/or a fine of Rs. 10,000 for impersonation, an attempt to impersonate during enrollment or to change identity information
- A 3-year term and/or Rs. 10,000 fine for individuals and Rs. 1,00,000 for companies for unauthorized collection of identity information, intentionally disclosing, transmitting, copying of information
- A 3-year term and a minimum fine of Rs. 10,00,000 for unauthorized access or attempt to access, download or any play with data within the CIDR
- For companies, each person in charge of, or responsible to the company are also considered guilty unless they can prove otherwise.
- All penalties apply over and above any other penalties charged (such as under the IT Act, 2000 or the Indian Penal Code)
Did you know?
An Aadhaar holder can place a permanent lock on biometric data after which it cannot be used for authentication. This lock can be temporarily removed ahead of a legitimate authentication request, and is automatically locked again once the request is completed or after a specific time, whichever is earlier.¹⁴ When locked, an authentication request results in a ‘No’ response.
You can generate a 16-digit randomized Virtual ID to be used for authentication requests instead of your Aadhaar ID. This allows you to mask your original Aadhaar from the provider while still using it for identification. All providers must accept Virtual IDs for services by June 2018.
The Aadhaar Act mandates that consent of the holder must be taken and recorded for enrollment or an authentication request. The holder must be also be informed about the purpose for which authentication is being requested. Failure to do so is a violation of the Act and can be penalized.¹⁵
There are three types of entities which share a technology relationship with the CIDR:
- Authentication Service Agency (ASA), 27: Entities with established 1-to-1 secure leased line/MPLS connectivity with the CIDR, regulated directly by the UIDAI to provide authentication services.
- Authentication User Agency (AUA), 350: Entities that provide services based on Aadhaar-based authentication performed by a registered ASA¹⁶.
- Electronic Know Your Customer (e-KYC), 271: Entities that perform KYC using Aadhaar. e-KYC, upon successful authentication, receive a digitally signed response containing encrypted demographic information and photograph for instant, non-repudiable KYC.
The current live list of Aadhaar entities is available here, and seems to be updated once a month. Holders are encouraged to ensure they are providing consent to entities on this list alone.
A full breakdown of the ASA-AUA ecosystem, along with the framework to transmit data, is forthcoming.
Aadhaar Act, 2016
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits & Services) Act, 2016 provides legislative backing to Aadhaar as the national unique identification mechanism in the Country¹⁷. The Act superceeds the The Bill for National Identification Authority of India, 2010.
The Aadhaar Act 2016 also provides clear definitions and processes for enrolment, core biometric data specifications, authentication, audits, overall protection of information and the responsibilities of the UIDAI.
As of the writing of this post, Aadhaar cards for non-residents and Overseas Citizens of India (OCI) holders is still in the works. No timeframe for this is yet available¹⁸.
A person who does not have an Aadhaar card but is entitled to any benefit paid from the Consolidated Fund of India will not be denied this benefit until his Card is issued, provided an alternative means of identification is made available to the entity in question¹⁹.
As of the time of writing this post, 113 crore Aadhaar cards have been issued, and the last five years have witnessed over 400 crore authentication transactions²⁰.
Caution when it pertains to data privacy is both desirable and needed. Aadhaar is an ambitious program that seeks to provide a unified, unique, non-repudiable and verifiable form of identity to millions at a near incomparable scale. The world is taking clear notice of this development. As Vivek Wadhwa— distinguished fellow with Carnegie Mellon University — highlights, India is pioneering something the West can learn from:
The instant and non-repudiable proof of identity that Aadhaar’s know your customer technology, e-KYC, provides, gives India a big advantage. Most people in the US have drivers licenses and social security numbers. But these are not verifiable with biometrics or mobile numbers, so complex verification technologies need to be built into every financial system. Indian entrepreneurs building applications don’t need to worry about all this.
Beyond entrepreneurs, the fact that schemes or benefits can be rolled out by governments (both Centre and states) without the need to build separate complex infrastructures which then witness on-boarding delays clearly have numerous benefits.
Some of this is already visible, with Government estimates of Rs. 50,000 crore leakages being plugged so far. The system has helped root out ‘ghosts’ within the system as well, where 87 lakh unknown MNREGA job cards were removed or that 4.4 lakh students in just 3 states only existed on paper.
That said, we must look at the law and the implementation ecosystem to determine whether enough has been done to ensure security, and alleviate privacy concerns of the citizens who will need to subscribe to the national ID.
Legally, The Aadhaar Act, 2016 and expansive Regulations for Enrolment, Authentication, Data Security & Sharing of Information, are serious attempts to tighten legislation and processes related to Aadhaar usage. A first-glance comparison indicates that the 2016 Act is a far cry away — particularly in terms of handling of biometric data, and privacy — from the Bill that was tabled in 2010. For example, under the 2010 Bill, sharing biometric data outside the CIDR would have been perfectly legal.
In some (perhaps, many) ways, the attention and eyeballs on Aadhaar is a good thing, where even the smallest flaw would put the credibility of Aadhaar at stake, and should keep the men and women behind Aadhaar on their toes, as they should be.
- What happens to Aadhaar data upon death? While logs and data itself should be maintained pursuant to legal requirements, a straightforward way to permanently lock (with no option for temporary unlock thereafter) a deceased person’s biometric data should be made available.
- There is ample protection under law for violation by any entity — authorized or unauthorized — that performs unauthorized actions within the Aadhaar framework. No statistics around timeframe to resolving grievances is available at the moment. Beyond grievance redressal, should a special Court or Tribunal be instituted specifically for Aadhaar?
- It makes logistical sense that that UIDAI has engaged with enrollment agencies to help with Aadhaar dispensation. Now that enrolment has crossed 95%, should the UIDAI consolidate the enrolment ecosystem and annex it within direct control of the UIDAI?
As of today, online grievances may be submitted via the Centralized Public Grievance Redressal System.
Additionally, a contact centre has been established:
- Voice: 1947
- Email: email@example.com
- PO Box 1947, GPO Bengaluru 560 001
Grievances can also be addressed through regional offices in Bengaluru, Chandigarh, New Delhi, Guwahati, Hyderabad, Lucknow, Mumbai & Ranchi.
Updated 10 Jan 2018 to include information about Virtual ID and limited KYC.
 The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 Section 32 (3). See also Lok Sabha Unstarred Question 1281, answered 23 Nov 2016.
 Logs must be maintained by the service provider & the authentication agency for (2) years during which the holder may request the logs, followed by an archive for 5 years. The UIDAI maintains logs for a period of (6) months during which they can be accessed by the holder, followed by archiving them for 5 years. Ref: Aadhaar (Authentication) Regulations, 2016 (No. 3 of 2016) Chapters III, IV
 Protected System or a Critical Information Infrastructure (CII), per The Information Technology Act, 2000 Section 70, is a computer resource, the incapacitation or destruction of which, shall have a debilitating impact on national security, economy, public health of safety. Accessing or even attempting to access a Protected System is punishable with a 10 year term and/or a fine.
 Any attack on information assets classified as CII is considered an act of cyber terrorism. Ref: Datta, Saiket: The NCIIPC & its evolving framework
 The ISO/IEC 27001:2013 Information Security Management System (ISMS) Certification is the latest version of the global information security standard covering information security controls and their management systems. The UIDAI is certified by the Standarisation Testing & Quality Certification (STQC), a Directorate of the MeitY, an internationally recognized Assurance Service. Ref: Lok Sabha Unstarred Question № 1777, answered 4 May 2016.
 Aadhaar Act, 2016 Section 2 (k)
 Aadhaar Act, 2016 Section 29 (1)(a)
 In August 2016, the State Government of Rajasthan requested the UIDAI for demographic information of residents with the Government, which was refused by the UIDAI. The UIDAI suggested the Government could request to become an authorized eKYC provider to allow for authentication/KYC with necessary consent of the holder but not as a demographic data collector. Ref: Unstarred Question № 2369, answered 30 Nov 2016.
 Aadhaar Act, 2016 Section 30 (c)
 Aadhaar Act, 2016 Section 33. The order, if issued, is valid for 3 months, and may be extended by a further 3 months if approved by the Oversight Committee.
 Aadhaar (Enrolment & Update) Regulations, 2016 Section 13 (2)
 UIDAI: Facts about Aadhaar
 Aadhaar Act, 2016 Sections 39–42, Section 43(1), Section 46 for penalties
 Aadhaar (Authentication) Regulations, 2016 Section 11
 Aadhaar Act, 2016 Sections 3 (2), 8 (2)
 The exception being an AUA that is also an ASA, but then they’d be undergoing the same authorization and certification as other ASAs.
 Except in Jammu & Kashmir
 Lok Sabha Unstarred Question № 18, answered 24 Feb 2016
 Aadhaar Act, 2016 Section 7
 As stated by the UIDAI