A Month After Karza’s Aadhaar Act Violation, Finance Ministry Calls For A New Verification System

Notification comes a month after an alleged violation of the Aadhaar Act by Karza Technologies, which provided Aadhaar verification services

In a notification issued on December 6, the Ministry of Finance (Department of Revenue) asked the Unique Identification Authority of India (UIDAI) and the National Payments Corporation of India (NPCI) to step up security measures when allowing entities to carry out Aadhaar e-verification. This comes after a private company, Karza Technologies, was asked to pause its services for violating the Aadhaar Act, potentially putting the Aadhaar details of many users at risk.

Background: A letter shared on Twitter, addressed to partners of DigiLocker, read, “Partners are requested not to initiate any DigiLocker integration with Karza till further notice. Due to these continuous violations and breach of trust by a few, this email is being sent to request all our Partners to strictly adhere in letter and spirit to DigiLocker’s Terms of Services and the relevant provisions of the Aadhaar Act.”

In October, when Medianama reached out to Karza over a phone call, they had declined to comment on the matter.


Why it matters: Aadhaar, which stores the biometric data of crores of Indians, has often been pitched by the government as the default mechanism for identity verification. It is linked to as many as 1,100 welfare schemes run by state and central governments, MediaNama had reported. But despite its widespread use in India, the authenticity of Aadhaar and its ability to keep citizens’ data secure has been questioned from time to time. Karza’s violation of the Aadhaar Act shows how slip-ups or inadequate security measures can put individuals’ personal data at risk. The scale and type of impact of this violation, if any, has not been made public; MediaNama has filed an RTI seeking more information on the matter. We have also reported on a petition which said that Aadhaar data of Indians is being shared with foreign companies and that this is a threat to national security.

How did Karza violate the Aadhaar Act? (as per the letter mentioned above)

  • Karza Technologies Pvt. Ltd. provides Aadhaar verification services to companies. One of its partners was capturing Aadhaar data directly on its own user interface, bypassing the native sign-in/sign-up process.
  • After a complaint was lodged by UIDAI with DigiLocker, their account was blocked and they were restricted from using Digilocker till further investigation.
  • But Karza started “symbiotically” using DigiLocker again through its clients, who had DigiLocker Partner accounts of their own. More details on how this happened are not clear.
  • UIDAI then blocked these accounts as well.
  • Livemint reported that Karza’s account continues to remain blocked one month after the investigation started.

Ministry of Finance calls for improved security measures

Here’s a summary of the notification issued by the Ministry of Finance:

  • e-KYC setu: The notification states that entities will now be permitted to use a new system called e-KYC setu for Aadhaar verification.
  • This upcoming system should comply with the standards of privacy and security under the Aadhaar Act.
  • The NPCI has to put in place a system called e-KYC setu to enable verification of the identity of a client (the person who’s being verified, like you and me) by a reporting entity (like Karza or any other entity carrying out verification) through authentication under the Aadhaar Act, without disclosing the Aadhaar number of the individual to the reporting entity.
  • Here’s how the new verification process will work:
    • NPCI shall ensure that authentication is carried out as per regulations laid down by UIDAI, without disclosing the full Aadhaar number to the reporting entity.
    • After NPCI does the authentication, it will share the last four digits of the Aadhaar number and certain demographic details made available by UIDAI with the reporting entity. These details are to be digitally signed as well.
    • Once the reporting entity gets the details, it verifies the client by matching the details provided by NPCI against those provided by the client.
  • UIDAI can keep a check on NPCI: “UIDAI may carry out such verification, including physical verification, as it may deem fit to ensure that the system put in place by NPCI is in compliance with the regulations issued by them and the requirements laid down by them,” the notification states. Also, the UIDAI can issue additional directions if it feels that additional measures are required to ensure compliance with “regulations and other requirements”.
  • Keep a list of onboarded entities: “A list of entities on boarded for the purpose of carrying out the authentication using the e-KYC setu shall be maintained by NPCI at http://npci.org.in/e-KYCsetu/ including the date from which they have been on-boarded,” the notification states.
  • Check entities before onboarding them to e-KYC setu: “Before on-boarding any entity for this purpose, NPCI shall ensure that the entity satisfies all the requirements for carrying out authentication through the e-KYC setu,” the notification says.
  • Check if entities have regulatory clearances: “NPCI shall also ensure that the entity has requisite regulatory clearance, if required, to carry out the financial business for which it intends to authenticate identity of its clients,” according to the notification.
  • How to deal with entities flouting the regulations:
    • NPCI shall discontinue an entity’s access to e-KYC setu system, if it:
      • is no longer desirous of carrying out authentication of its clients using e-KYC setu;
      • is found to be in breach of the requirements laid down by NPCI or UIDAI for verification of its clients using e-KYC setu;
      • is no longer allowed to carry out the financial business by the appropriate regulator; or
      • does not carry out verification of any client for a period of six months.
    • NPCI also has to maintain a separate list at http://npci.org.in/e-KYCsetu/ including the date from which the access has been discontinued and the reasons for such discontinuation.
    • UIDAI or any other regulator should inform NPCI “immediately” if it comes to the conclusion that access to the e-KYC setu system to any entity should be discontinued. NPCI can also take such decisions by itself.
    • Once NPCI is informed, it “shall deny access to such entity forthwith.”
  • Appropriate regulators should be informed when an entity is onboarded: “The details of entities onboarded and entities discontinued shall be notified by NPCI to UIDAI and the appropriate regulator within seven days of such action,” the notification states.
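The verification flow the notification describes (the client authenticates with NPCI, NPCI returns a digitally signed attestation carrying only the last four digits and some demographic details, and the reporting entity matches those against what the client gave it) is modelled below as an added example in Go. This is not NPCI’s or UIDAI’s code and does not describe the real e-KYC setu interface: the demographic field set, the JSON layout, the transaction ID, the Ed25519 signature and the sample record are all assumptions made for illustration. The point it shows is the one that separates this design from the partner behaviour described above: the full Aadhaar number is entered only on the authority’s side, the reporting entity’s form collects just the last four digits and demographics, and the reporting entity can still check that the details it matches against really came from the authority and were not altered or reused from another transaction.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Demographics is an assumed field set for the "certain demographic details" NPCI may pass on.
type Demographics struct {
	Name        string `json:"name"`
	YearOfBirth string `json:"yob"`
}

// Attestation is the signed payload the authority hands to the reporting entity (no full-number field).
type Attestation struct {
	TxnID string       `json:"txn_id"`
	Last4 string       `json:"aadhaar_last4"`
	Demo  Demographics `json:"demographics"`
}

type SignedAttestation struct {
	Payload []byte
	Sig     []byte
}

// Authority stands in for NPCI (backed by UIDAI records). records is keyed by
// the full Aadhaar number and is never returned to callers.
type Authority struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	records map[string]Demographics
}

func NewAuthority(records map[string]Demographics) (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authority{priv: priv, Pub: pub, records: records}, nil
}

// Authenticate is the step the client performs with the authority directly: the full
// number is entered here, not on the reporting entity's form. The result carries only
// the last four digits plus demographics, signed so the recipient can check its origin.
func (a *Authority) Authenticate(aadhaar, txnID string) (SignedAttestation, error) {
	demo, ok := a.records[aadhaar]
	if !ok || len(aadhaar) != 12 {
		return SignedAttestation{}, errors.New("authentication failed")
	}
	payload, err := json.Marshal(Attestation{TxnID: txnID, Last4: aadhaar[8:], Demo: demo})
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{Payload: payload, Sig: ed25519.Sign(a.priv, payload)}, nil
}

// norm makes the demographic match tolerant of case and spacing differences.
func norm(s string) string { return strings.ToUpper(strings.Join(strings.Fields(s), " ")) }

// VerifyClient is the reporting entity's side: it holds only the authority's public key,
// the transaction it started, and what the client typed into its own form.
func VerifyClient(pub ed25519.PublicKey, sa SignedAttestation, txnID, last4 string, claimed Demographics) error {
	if !ed25519.Verify(pub, sa.Payload, sa.Sig) {
		return errors.New("signature invalid: not issued by the authority, or tampered with")
	}
	var att Attestation
	if err := json.Unmarshal(sa.Payload, &att); err != nil {
		return err
	}
	switch {
	case att.TxnID != txnID:
		return errors.New("attestation is for a different transaction (replay?)")
	case att.Last4 != last4:
		return errors.New("last four digits do not match")
	case norm(att.Demo.Name) != norm(claimed.Name):
		return errors.New("name does not match")
	case att.Demo.YearOfBirth != claimed.YearOfBirth:
		return errors.New("year of birth does not match")
	}
	return nil
}

func main() {
	// Constructed sample record: not a real Aadhaar number or person.
	auth, err := NewAuthority(map[string]Demographics{"123412341234": {Name: "Asha Verma", YearOfBirth: "1990"}})
	if err != nil {
		panic(err)
	}
	sa, err := auth.Authenticate("123412341234", "txn-0001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("reporting entity receives: %s\n", sa.Payload)
	fmt.Println("verification error:", VerifyClient(auth.Pub, sa, "txn-0001", "1234", Demographics{Name: "asha  verma", YearOfBirth: "1990"}))
}
```

Two design choices matter here. The attestation struct has no field that could carry the full number, so a leak would require changing the schema rather than a single careless log line; and the transaction ID is bound into the signed payload, so an attestation obtained for one verification cannot be replayed to satisfy another. In a real deployment the authority’s key would be published and rotated through a proper PKI rather than generated in-process as it is in this model.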

Note: The headline was updated on December 17, 2022 at 4:20 PM for greater clarity and factual accuracy 

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Written By

I cover privacy, surveillance and tech policy. In my reporting, I try my best to present the most relevant facts, and sometimes add in a pinch of my thoughts.
© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ