In a notification issued on December 6, the Ministry of Finance (Department of Revenue) asked the Unique Identification Authority of India (UIDAI) and the National Payments Corporation of India (NPCI) to step up security measures when allowing entities to carry out Aadhaar e-verification. This comes after a private company, Karza Technologies, was asked to pause its services for violating the Aadhaar Act, potentially putting the Aadhaar details of several users at risk.
Background: A letter shared on Twitter directed to partners of DigiLocker read, “Partners are requested not to initiate any DigiLocker integration with Karza till further notice. Due to these continuous violations and breach of trust by a few, this email is being sent to request all our Partners to strictly adhere in letter and spirit to DigiLocker’s Terms of Services and the relevant provisions of the Aadhaar Act.”
In October, when Medianama reached out to Karza over a phone call, they had declined to comment on the matter.
Considering DigiLocker is the de-facto Aadhaar verification interface for almost all KYC solutions, wonder why a large onboarding player like Karza would take this risk, esp since there are strict guidelines on collecting full Aadhaar number.
If true, could be a big setback. pic.twitter.com/8SoaO0MZHG
— Anirudha Basak (@bankonbasak) October 10, 2022
Why it matters: Aadhaar, which stores the biometric data of crores of Indians, has often been pitched by the government as the default mechanism for identity verification. It is linked to as many as 1,100 welfare schemes run by state and central governments, Medianama had reported. But despite its widespread use in India, the authenticity of Aadhaar and its ability to keep citizens' data secure has come into question from time to time. Karza's violation of the Aadhaar Act shows how slip-ups or inadequate security measures can put individuals' personal data at risk. The scale and type of impact of this violation, if any, has not been made public; Medianama has filed an RTI seeking more information on the matter. We have also reported on a petition which said that Aadhaar data of Indians is being shared with foreign companies and that this is a threat to national security.
How did Karza violate the Aadhaar Act? (as per the letter mentioned above)
- Karza Technologies Pvt. Ltd. provides Aadhaar verification services to companies. One of its partners was capturing Aadhaar data directly on its own user interface, bypassing DigiLocker's native sign-in/sign-up process.
- After a complaint was lodged by UIDAI with DigiLocker, Karza's account was blocked and it was restricted from using DigiLocker till further investigation.
- But Karza started "symbiotically" using DigiLocker again through its clients who had a DigiLocker Partner account. More details on how this happened are not clear.
- UIDAI then blocked these accounts as well.
- Livemint reported that Karza’s account continues to remain blocked one month after the investigation started.
Ministry of Finance calls for improved security measures
Here’s a summary of the notification issued by the Ministry of Finance:
- e-KYC setu: The notification states that entities will now be permitted to use a new system called e-KYC setu for Aadhaar verification.
- This upcoming system should comply with the standards of privacy and security under the Aadhaar Act.
- The NPCI has to put in place a system called e-KYC setu to enable verification of the identity of a client (the person who's being verified, like you and me) by a reporting entity (like Karza or any other entity carrying out verification) through authentication under the Aadhaar Act, without disclosing the Aadhaar number of the individual to the reporting entity.
- Here’s how the new verification process will work:
- NPCI shall ensure that authentication is carried out as per regulations laid down by UIDAI, without disclosing the full Aadhaar number to the reporting entity.
- After NPCI does the authentication, it will share the last four digits of the Aadhaar number and certain demographic details made available by UIDAI with the reporting entity. These details are to be digitally signed as well.
- Once the reporting entity gets these details, it verifies the client by matching the details provided by NPCI against those provided by the client.
- UIDAI can keep a check on NPCI: “UIDAI may carry out such verification, including physical verification, as it may deem fit to ensure that the system put in place by NPCI is in compliance with the regulations issued by them and the requirements laid down by them,” the notification states. Also, the UIDAI can issue additional directions if it feels that additional measures are required to ensure compliance with “regulations and other requirements”.
- Keep a list of onboarded entities: “A list of entities on boarded for the purpose of carrying out the authentication using the e-KYC setu shall be maintained by NPCI at http://npci.org.in/e-KYCsetu/ including the date from which they have been on-boarded,” the notification states.
- Check entities before onboarding them to e-KYC setu: "Before on-boarding any entity for this purpose, NPCI shall ensure that the entity satisfies all the requirements for carrying out authentication through the e-KYC setu," the notification says.
- Check if entities have regulatory clearances: “NPCI shall also ensure that the entity has requisite regulatory clearance, if required, to carry out the financial business for which it intends to authenticate identity of its clients,” according to the notification.
- How to deal with entities flouting the regulations
- NPCI shall discontinue an entity’s access to e-KYC setu system, if it:
- is no longer desirous of carrying out authentication of its clients using e-KYC setu;
- is found to be in breach of the requirements laid down by NPCI or UIDAI for verification of its clients using e-KYC setu;
- is no longer allowed to carry out the financial business by the appropriate regulator; or
- does not carry out verification of any client for a period of six months.
- NPCI also has to maintain a separate list at http://npci.org.in/e-KYCsetu/ including the date from which the access has been discontinued and the reasons for such discontinuation.
- UIDAI or any other regulator should inform NPCI “immediately” if it comes to the conclusion that access to the e-KYC setu system to any entity should be discontinued. NPCI can also take such decisions by itself.
- Once NPCI is informed, it “shall deny access to such entity forthwith.”
- Appropriate regulators should be informed when an entity is onboarded or discontinued: "The details of entities onboarded and entities discontinued shall be notified by NPCI to UIDAI and the appropriate regulator within seven days of such action," the notification states.
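To make the verification flow above concrete, here is an added example (not NPCI's or UIDAI's code, and not the real e-KYC setu message format, whose structure the notification does not specify). It models the two sides of the exchange in Go: an NPCI-side function that keeps the full 12-digit number and the UIDAI demographic record to itself and returns only a digitally signed attestation carrying the last four digits plus demographics, and a reporting-entity-side function that checks the signature and transaction binding before matching the attested fields against what the client supplied. The Ed25519 signature scheme, the JSON field names, the transaction ID and the sample records are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Attestation is a hypothetical payload shape for what NPCI hands a reporting
// entity after authentication: the last four digits of the Aadhaar number and
// the demographic fields UIDAI released, never the full number.
type Attestation struct {
	TxnID  string `json:"txn_id"`
	Last4  string `json:"last4"`
	Name   string `json:"name"`
	DOB    string `json:"dob"`
	Gender string `json:"gender"`
}

// SignedAttestation carries the serialized payload and NPCI's signature over it.
// Ed25519 is an assumption; the notification only says "digitally signed".
type SignedAttestation struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// npciAuthenticate models the NPCI side. The full number and the UIDAI record
// stay here; only a signed, minimised attestation leaves. The UIDAI
// authentication step itself is not modelled.
func npciAuthenticate(priv ed25519.PrivateKey, txnID, fullAadhaar string, demo map[string]string) (SignedAttestation, error) {
	if len(fullAadhaar) != 12 {
		return SignedAttestation{}, errors.New("aadhaar number must be 12 digits")
	}
	for _, c := range fullAadhaar {
		if c < '0' || c > '9' {
			return SignedAttestation{}, errors.New("aadhaar number must be numeric")
		}
	}
	att := Attestation{
		TxnID:  txnID,
		Last4:  fullAadhaar[len(fullAadhaar)-4:],
		Name:   demo["name"],
		DOB:    demo["dob"],
		Gender: demo["gender"],
	}
	payload, err := json.Marshal(att)
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// normalize makes demographic comparison tolerant of case and spacing only.
func normalize(s string) string {
	return strings.ToLower(strings.Join(strings.Fields(s), " "))
}

// verifyAndMatch models the reporting entity. Signature and transaction
// failures are returned as errors, distinct from a plain "no match", so a
// forged or replayed attestation is never mistaken for a client typo.
func verifyAndMatch(pub ed25519.PublicKey, sa SignedAttestation, expectedTxn string, client map[string]string) (bool, error) {
	if !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return false, errors.New("attestation signature invalid")
	}
	var att Attestation
	if err := json.Unmarshal(sa.Payload, &att); err != nil {
		return false, err
	}
	if att.TxnID != expectedTxn {
		return false, errors.New("attestation does not belong to this transaction")
	}
	if len(att.Last4) != 4 {
		return false, errors.New("attestation must carry exactly four digits")
	}
	match := att.Last4 == client["last4"] &&
		normalize(att.Name) == normalize(client["name"]) &&
		att.DOB == client["dob"] &&
		normalize(att.Gender) == normalize(client["gender"])
	return match, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // NPCI key pair (constructed)
	if err != nil {
		panic(err)
	}
	// Constructed sample records; not real Aadhaar data.
	uidaiRecord := map[string]string{"name": "Asha Verma", "dob": "1990-05-17", "gender": "F"}
	sa, err := npciAuthenticate(priv, "txn-0001", "123412341234", uidaiRecord)
	if err != nil {
		panic(err)
	}
	fmt.Printf("payload sent to reporting entity: %s\n", sa.Payload)
	clientClaim := map[string]string{"last4": "1234", "name": "asha verma", "dob": "1990-05-17", "gender": "f"}
	ok, err := verifyAndMatch(pub, sa, "txn-0001", clientClaim)
	fmt.Println("match:", ok, "error:", err)
}
```

The design point worth noticing is the order of checks on the reporting-entity side: the signature and transaction binding are verified before any demographic comparison, so an attestation that was tampered with or reused from another transaction is rejected outright, while the reporting entity never needs, and never receives, the full Aadhaar number.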
Note: The headline was updated on December 17, 2022 at 4:20 PM for greater clarity and factual accuracy
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
