We missed this earlier: The Unique Identification Authority of India on May 20 put out a draft “Aadhaar (Authentication and Offline Verification) Regulations, 2021,” for public comment on its website. The draft is open for comment only until June 2, giving people barely two weeks to respond. The Software Freedom Law Center, India urged the UIDAI to reconsider the deadline. We have reached out to a UIDAI spokesperson to ask whether they would consider an extension, and will update this post if we hear back.
The draft regulations, available here, include references to something called Aadhaar Number Capture Service Tokens or ANCS Tokens, which Aadhaar watcher Srikanth Lakshmanan said resembles OAuth, an authorization protocol widely used by websites to grant third-party applications delegated, time-limited access. Lakshmanan also noted that, in a first for the government, offline verification of Aadhaar was being recognized.
What the rules say
- Types of authentication: Authentication can be Yes/No, in which “the identity information and Aadhaar number securely submitted with the consent of the Aadhaar number holder through a requesting entity, is then matched against the data available in the CIDR, and the Authority responds with a digitally signed response containing “Yes” or “No”, along with other technical details related to the authentication transaction, but no identity information.” The other is e-KYC, which is carried out via OTP or biometrics.
- Types of offline verification: Offline verification can be done by QR code (with yet-unpublished specifications); “Paperless Offline e-KYC” (again without specifications as of yet); e-Aadhaar verification; and paper-based verification, which is just collecting a printout of someone’s Aadhaar. The first eight digits of the Aadhaar number have to be redacted when such copies are stored. UIDAI reserves the right to tell a requesting entity to discontinue offline verifications for any reason, including a change in law, a breach or a default.
- Modes of authentication: Authentication can be demographic (where the Aadhaar number and demographic information are matched against the UIDAI’s database, the CIDR); OTP-based authentication; biometric authentication, which can use fingerprints, iris-based authentication, or “other biometric modalities based on biometric information stored in the CIDR”; and multifactor authentication, which combines two or more of the previous modes.
Virtual ID, disclosure, consent
- Virtual ID: The 16-digit Virtual ID (VID) that the UIDAI provides as a revocable alternative to the Aadhaar number can be used for authentication. “No entity shall store Virtual ID in its system,” UIDAI says. (It is interesting to note that the “masked” Aadhaars with the first eight digits redacted that are available for download from the UIDAI’s website show a fully visible Virtual ID in the document. The draft regulations do not explicitly require the redaction of this VID if such masked Aadhaars are submitted for paper-based verification.)
- Disclosure to Aadhaar holders: Offline verifiers (which can be anyone from government agencies to private businesses) need to tell Aadhaar holders, including in a local language: a) what information will be shared with UIDAI when authenticating; b) how this information will be used; and c) what the alternative means of establishing their identity are. The verifier also has to clearly tell the Aadhaar holder that “no service to the resident will be denied for refusing to, or being unable to, undergo authentication or offline verification”.
- Withdrawal of consent: Aadhaar holders have the right to withdraw consent to be verified, and the verifier has to delete their data if they ask for this. “If resident wishes to continue with the service, requesting entity shall provide alternate means of identity verification,” the regulations say.
- Registered Devices only: All biometric devices used for capturing such authentication information have to be approved and compliant with standards notified by UIDAI. “All the biometric devices shall be registered with the server of the requesting entity,” the regulations say. This data should be encrypted and the process followed will be specified by UIDAI.
- API conformity: All software used for authentication has to conform with UIDAI’s standard APIs and specifications. UIDAI will receive duly encrypted authentication requests and return a response based on the information provided.
- Biometric lock notification: If authentication fails for reasons such as a cancelled Aadhaar or biometric lock in place, verifiers should inform users clearly. They should also notify Aadhaar holders when their Aadhaar is verified, whether digitally or physically.
Requesting Entities and Authentication Service Agencies
Any AUA or eKYC User Agency (KUA) that was appointed before these regulations come into force will continue to be considered a Requesting Entity. They will, though, have to comply with the new regulations.
- Who can apply to be an Aadhaar requesting entity: Government organisations, banks, telecom companies, regulated entities, companies, partnerships, non-profits, academic institutions, societies under the Indian Societies Registration Act, and other such organisations may apply for the right to request Aadhaar information for their purposes. They will all have to meet security and technical criteria as specified “from time to time”. UIDAI reserves rights to seek further information, levy charges for this right, and determine if these entities can undertake VID or ANCS authentications.
- What a requesting entity needs to do: REs need to establish systems to enable authentication, connect with the CIDR, make sure the system is technically compliant and secure, ensure confidentiality of Aadhaar data they take and do due diligence on compliance with the terms and conditions of this authentication. They also need to audit their security periodically and “implement exception-handling mechanisms” and “back-up identity authentication mechanisms”. Offline verifiers need to do all this too, and if there is any “knowledge of misuse” of data that comes to their notice, notify UIDAI within 72 hours. Verifiers have to assume responsibility for operations even if they are subcontracted out. They also have to maintain logs, but these logs shouldn’t contain the Aadhaar number itself or biometric data.
- Liability of requesting entity: “The requesting entity shall be jointly and severally liable, along with the entity or agency with which it has shared a license key, for non-compliance with the regulations, processes, standards, guidelines and protocols of the Authority,” the regulations warn.
- Biometric security: Biometric data should not be stored by REs. This information should be transmitted in an encrypted manner. “The identity information of the Aadhaar number holders collected during authentication and any other information generated during the authentication process is kept confidential, secure and protected against access, use and disclosure not permitted under the Act and its regulations,” the regulations add.
Authentication Service Agencies largely have to comply with the same requirements. Offline verifiers have the option of maintaining logs (with the consent of the Aadhaar holder) that contain non-sensitive information.
A requesting entity can have its status discontinued at its own request if UIDAI is satisfied that all outstanding monetary and procedural obligations have been met. Discontinuation may also be imposed as a penalty for non-compliance.
What data UIDAI stores
UIDAI says it will store authentication request data, response data, and any server-side configurations. The regulations say it will not store any “metadata (other than process metadata) about any transaction”. Auth transaction data will be stored for 6 months, and UIDAI says it will come up with processes to archive and anonymize data for further storage. Data may be preserved if ordered by a high court judge.
Aadhaar holders can access their authentication data by paying a fee to be prescribed by the UIDAI, but this data would only be available within the retention period.
These regulations supersede the 2016 ones, but actions already taken under them remain valid. “Notwithstanding the repeal of the Aadhaar (Authentication) Regulations, 2016, anything done or any action taken under the said Regulations shall be deemed to have been done or taken under the corresponding provisions of these Regulations,” the draft says.