NEW DELHI: The Central government on Sunday stated that there has been no incident of misuse of Aadhaar biometrics leading to identity theft and financial loss during the last five years when more than 400 crore Aadhaar authentication transactions have taken place.
The Unique Identification Authority of India (UIDAI), while issuing the clarification with regard to “misinformation in some news items and articles appearing in various print and social media during the last few days alleging breach of Aadhaar data, misuse of biometrics, breach of privacy, and creation of parallel databases”, stated that there has been no breach to the database in any manner whatsoever and personal data of individuals is fully safe and secure.
“Aadhaar based authentication is robust and secure as compared to any other contemporary systems. Aadhaar system has the capability to inquire into any instance of misuse of biometrics and identity theft and initiate action,” the UIDAI maintained in an official statement.
The UIDAI further stated that it uses one of the world's most advanced encryption technologies in transmission and storage of data. “As a result, during the last seven years, there has been no report of breach or leak of residents' data out of UIDAI,” the statement adds.
The UIDAI, the statement stated, is continuously updating its security parameters looking at the new threats in cyber space. “It also undertakes security audits and takes necessary steps to augment its security features. UIDAI has decided to have registered devices for capturing biometrics data and further that such biometrics will be encrypted at the point of capture itself. This will further strengthen the security features of the Aadhaar eco-system,” it added.
With reference to an incident of misuse of biometrics reported in a newspaper, UIDAI said that it is an isolated case of an employee working with a bank's Business Correspondent's company making an attempt to misuse his own biometrics which was detected by its internal security system and subsequently actions under the Aadhaar Act have been initiated.
The UIDAI also said that the regulations under the Aadhaar Act strictly regulate the on-boarding, functioning including the data sharing restrictions imposed on the companies which want to use Aadhaar information.
On reports of misuse of e-KYC data by various agencies and also allegations that the e-KYC API is available in public domain, the Authority said that E-KYC APIs are available only to authorized Authentication User Agencies (AUAs) and e-KYC User agencies (KUAs) through authorized Authentication Service agencies (ASAs) which have established secured network connectivity for the purpose of authentication with the Central Identities Data Repository (CIDR), in compliance with the Regulations, specifications, standards and technology architecture as prescribed by UIDAI.
Reacting to claims that there are no extant regulations available to prevent storage and misuse of e-KYC data while citing instances like capturing IRIS from high resolution photograph, the UIDAI stated that there are stringent provisions in the Aadhaar (Authentication) Regulations governing the usage of e-KYC data including storage and sharing, resident consent being paramount in both the cases. Any unauthorized capture of IRIS or fingerprints or storage or replay of biometrics or their misuse is a criminal offence under the Aadhaar Act.
The statement stated that Aadhaar authentication or eKYC is only available to authorised agencies whose appointment, responsibilities, statutory obligations, penal provisions for contraventions are clearly provided for in the Aadhaar Act and the regulations framed thereunder. “Banks or mobile operators have to become UIDAI's AUA/ASAs to obtain E-KYC data of their customers from UIDAI. The E-KYC data can be given by UIDAI to these agencies only after they obtain consent of their customers and can be used only for the purpose for which it was obtained,” the UIDAI added.