Dismissing reports of misuse of Aadhaar biometrics for identity or financial thefts, the Unique Identification Authority of India (UIDAI) on Sunday said personal data held by it were secure.
“There has been no incident of misuse of Aadhaar biometrics leading to identity theft and financial loss during the past five years when more than 400 crore Aadhaar authentication transactions have taken place,” an official statement said.
Recently, a breach of Aadhaar data was reported after the UIDAI sent a notice to three firms for possible unauthorised authentication attempt and storing of biometric data. The notice it had served was shared widely on social media and questions were raised over the safety of Aadhaar data.
Describing the incident as an “isolated case of an employee working with a bank’s business correspondents’ company”, the authority said the employee had attempted to misuse his own biometrics. This was detected by the UIDAI internal security system and subsequently action under the Aadhaar Act was initiated.
The UIDAI said it had “carefully gone into these reports”, and asserted that the “Aadhaar system has the capability to inquire into any instance of misuse of biometrics and identity theft and initiate action. UIDAI uses one of the world’s most advanced encryption technologies in transmission and storage of data. As a result, during the past seven years, there has been no report of breach or leak of residents’ data out of UIDAI.”
Further, the authority said it continuously updated the security parameters and undertook security audits.
Criminal offence
On reports that there were no extant regulations to prevent storage and misuse of e-KYC data, the UIDAI clarified that there were “stringent provisions in the Aadhaar (Authentication) Regulations governing the usage of e-KYC data, including storage and sharing, resident consent being paramount in both the cases.” Any unauthorised capture of iris or fingerprint data or storage or replay of biometrics or their misuse is a criminal offence under the Aadhaar Act.
Further, addressing concerns over private agencies hired by mobile operators and banks for e-KYC leading to creation of parallel database, the statement said Aadhaar authentication or e-KYC was only available to authorised agencies whose appointment, responsibilities and statutory obligations, and penal provisions for contraventions were clearly provided for in the Aadhaar Act and the regulations.
Customer consent
“Banks or mobile operators have to become UIDAI’s authentication user agencies and authentication service agencies to obtain e-KYC data of their customers from the UIDAI. The e-KYC data can be given by the UIDAI to these agencies only after they obtain consent of their customers and can be used only for the purpose for which it was obtained,” it said.
“Violations of the provisions attract strict penalties under the Aadhaar Act which will be enforced strictly,” the statement said.
More than 111 crore people have Aadhaar in India, covering more than 99% of the adult population. According to official data, more than 4.47 crore people have opened bank accounts using Aadhaar e-KYC.
Aadhaar has helped the government transfer LPG subsidy under the PAHAL scheme, MGNREGS payments, scholarships and pensions directly into the accounts of beneficiaries eliminating diversion and leakage of funds by middlemen. The direct benefits transfer has saved the government ₹49,000 crore during two-and-a-half years, the release added.
