March 6, 2017 -
The Unique Identification Authority of India (UIDAI), the governing agency in charge of Aadhaar, announced that they have not found any cases of misuse of Aadhaar biometrics resulting in identity theft and financial loss during the more than 40 billion Aadhaar authenticated transactions that were processed over the past five years, according to a report by Business Today.
The authority also read through various reports and confirmed that there has never been a breach to UIDAI’s Aadhaar database, and emphasized that the personal data of individuals held by UIDAI is completely safe and secure.
“Aadhaar-based authentication is robust and secure as compared to any other contemporary systems,” UIDAI said. “Aadhaar system has the capability to inquire into any instance of misuse of biometrics and identity theft and initiate action.”
Last month, UIDAI lodged criminal complaints with the Delhi Police against three firms for illegal use of Aadhaar biometric data.
UIDAI said the incident is an isolated case where an employee of a bank’s business correspondent’s firm attempted to misuse his own biometrics, which was flagged by UIDAI internal security system and the agency subsequently took the appropriate actions under the Aadhaar Act.
In response to media reports about the on-boarding of ecosystem partners, UIDAI said that the Aadhaar Act strictly regulates on-boarding practices such as placing data sharing restrictions on companies that want to use Aadhaar data.
UIDAI also said that Aadhaar is a key government tool that has enabled more than 44.7 million people to open bank accounts through Aadhaar e-KYC.
It has enabled the government to do Direct Benefit Transfers under various schemes including LPG subsidy and has helped the exchequer save over Rs 49,000 crore (US$7.35 billion) during the last two and half years.
Aadhaar-based Public Distributions System is benefiting people by ensuring that their food grain entitlement are given only to the deserving beneficiaries and are not cornered by unscrupulous and corrupt elements, it said.
In response to reports that state there are no regulations in place to prevent the storage and misuse of e-KYC data, with allegations that the UIDAI captures people’s iris biometrics from high resolution photograph, UIDAI said that the Aadhaar (Authentication) regulations include strict guidelines about the usage of e-KYC data including storage and sharing.
Both cases require the consent of residents, while any unauthorized capture, storage, replay or the misuse of iris or fingerprint biometrics is a criminal offence under the Aadhaar Act, UIDAI said.
UIDAI also responded to reports of misuse of e-KYC data by several agencies and allegations that the e-KYC API can be downloaded in public domain, stating that e-KYC APIs are available only to authorized Authentication User Agencies (AUAs) and e-KYC User Agencies (KUAs) through authorized Authentication Service agencies (ASAs) which have established secured network connectivity for authentication purposes with the Central Identities Data Repository (CIDR).
The authorization adheres to the regulations, specifications, standards and technology architecture as prescribed, with any violation leading to direct penal action, UIDAI said.
Banks or mobile operators are required to achieve AUA/ASA status in order to obtain the e-KYC data of their customers from UIDAI, and are provided with this data only after they obtain the consent of their customers and can be used only for the purpose for which it was obtained.
In a similar vein, once banks obtain the e-KYC information of their account holders, they will retain the data in-house without their biometrics and are only allowed to use it for the purpose of providing banking services. The bank cannot use the information for any other purpose without first obtaining the consent of the customer.
Using one of world’s most advanced encryption technologies in transmission and storage of data, UIDAI is continuously updating its security measures and undergoes regular security audits.
UIDAI said it will use registered devices for capturing biometrics data, and will encrypt the biometrics at the point of capture itself.