Aadhaar data base fully safe and secure, says UIDAI

The Government has clarified that personal data of individuals held by UIDAI was "fully safe" and "secure" and that there was no misuse of Aadhaar biometrics leading to identity theft or financial loss.

Moreover, savings of over Rs 49,000 crore has been made due to Aadhaar-based Direct Benefit Transfers during the last two-and-a-half years.

In a comprehensive clarification with regard to misinformation in some news items and articles appearing in various print and social media during the last few days alleging breach of Aadhaar data, misuse of biometrics, breach of privacy, and creation of parallel databases, UIDAI said it has carefully gone into these reports and would like to emphasise that there has been no breach to UIDAI database of Aadhaar in any manner whatsoever and personal data of individuals held by UIDAI is fully safe and secure.

UIDAI uses one of the world's most advanced encryption technologies in transmission and storage of data. As a result, during the last seven years, there has been no report of breach or leak of residents' data out of UIDAI, the statement added.

UIDAI is continuously updating its security parameters looking at the new threats in cyber space. It also undertakes security audits and takes necessary steps to augment its security features. UIDAI has decided to have registered devices for capturing biometric data and further that such biometrics will be encrypted at the point of capture itself. This will further strengthen the security features of the Aadhaar eco system.

With reference to an incident of misuse of biometrics reported in a newspaper, UIDAI said it was an isolated case of an employee working with a bank's Business Correspondent's company making an attempt to misuse his own biometrics, which was detected by the UIDAI internal security system and subsequently actions under the Aadhaar Act have been initiated.

Responding to media reports about on-boarding of the ecosystem partners, UIDAI said regulations under the Aadhaar Act strictly regulate the on-boarding, functioning including the data sharing restrictions imposed on the companies which want to use Aadhaar information.

On reports of misuse of e-KYC data by various agencies and also allegations that the e-KYC API is available in the public domain, the Authority said E-KYC APIs are available to authorised Authentication User Agencies (AUAs) and e-KYC user agencies (KUAs) through authorised Authentication Service Agencies (ASAs), which have established secured network connectivity for the purpose of authentication with the Central Identities Data Repository (CIDR), in compliance with the regulations, specifications, standards and technology architecture as prescribed by UIDAI.

With reference to reports that there are no extant regulations available to prevent storage and misuse of e-KYC data while citing instances like capturing IRIS from high resolution photograph, UIDAI states that there are stringent provisions in the Aadhaar (Authentication) Regulations governing the usage of e-KYC data, including storage and sharing, resident consent being paramount in both the cases. Any unauthorised capture of IRIS or fingerprints or storage or replay of biometrics or their misuse is a criminal offence under the Aadhaar Act.

The statement says that news reports also speak of private agencies hired by mobile operators and banks for eKYC leading to availability of these data in parallel database and the vulnerabilities in the scenario where there is no Privacy Law in the country. In this regard, the statement points out that Aadhaar authentication or eKYC is only available to authorised agencies whose appointment, responsibilities, statutory obligations, penal provisions for contraventions are clearly provided for in the Aadhaar Act and the regulations framed thereunder.

Banks or mobile operators have to become UIDAI's AUA/ASAs to obtain E-KYC data of their customers from UIDAI. The E-KYC data can be given by UIDAI to these agencies only after they obtain consent of their customers and can be used only for the purpose for which it was obtained. For example, a telecom operator can obtain the E-KYC data of its subscribers and will keep them in their records without biometrics and use them only for the purpose of proving telecom services.

Similarly a bank, after obtaining the E-KYC information of its account holders, will keep the information without their biometrics within the bank and will use it only for the purpose of providing banking services and cannot use it for any other purpose without obtaining the consent of the customer. Violations of above provisions attract strict penalties under the Aadhaar Act, which will be enforced strictly.

An important tool of good governance and empowerment of people, Aadhaar has helped more than 4.47 crore people to open bank accounts through Aadhaar E-KYC. It has enabled the government to do Direct Benefit Transfer under various schemes such as LPG Subsidy under Pahal, Scholarships, MNREGA, and pensions directly into the bank accounts of beneficiaries eliminating corruption, diversion, and leakages by middlemen.

Through Aadhaar-based Direct Benefit Transfers the government has saved over Rs 49,000 crore during the last two-and-a-half years. The Aadhaar-based Public Distributions System is benefitting people by ensuring that their food grain entitlement is given only to the deserving beneficiaries and are not cornered by unscrupulous and corrupt elements. These are just a few examples of how Aadhaar is changing the lives of common men and women of India, a task that the UIDAI is steadfastly committed to performing in a citizen-friendly, inclusive and secure manner, the statement added.