Report claims UIDAI executives part of private firms profiting from Aadhaar
Current and past employees of the Unique Identification Authority of India (UIDAI), the governing body for Aadhaar, are launching private firms or funding start-ups that are selling Aadhaar-based services and products.
According to a report by The Indian Express, the practice is raising concerns regarding propriety and conflict of interest. For instance, former UIDAI chief product managers Vivek Raghavan (who is on a sabbatical with a tenure until the end of February 2018) and Sanjay Jain, as well as former UIDAI head of technology Srikanth Nadhamuni, collectively founded Khosla Labs in India in September 2012.
In 2015, Khosla Labs went on to launch Aadhaar Bridge, a licensed Authentication User Agency (AUA), for Aadhaar-based authentication services.
As with all AUAs, Khosla Labs is licensed by UIDAI to allow Aadhaar-based authentications to verify a person’s identity. It is authorized to verify its own customers or offer verification as a service to other firms.
A private firm can be licensed as either AUA or Authentication Service Agency, ASA or KUA (Know your Client User Agency).
An ASA is licensed to access the Aadhaar database stored in the Central Identities Data Repository, which contains biometric and demographic data of all individuals enrolled with UIDAI.
Meanwhile, an AUA and KUA can send requests on behalf of clients — for a fee — to ASAs to access this database to authenticate an identity.
Khosla Labs charges private companies a one-time fee, as well as monthly fees, for Aadhaar Bridge.
Additionally, the Khosla Labs-incubated fintech firm Novopay also uses Aadhaar-based authentication to allow clients to access banking services from local retail stores.
Arun Maira, member of the Planning Commission when UIDAI was established under it, said that these kinds of connections are considered a conflict of interest and can potentially impact competition in the market.
She said that having connections to a firm when you are in a position of power to affect policy and regulations raises serious issues of conflict of interest.
She acknowledged that there should be consultations between the private sector and the government, but emphasized that individuals from the private sector should not be involved in developing regulations and schemes. “You cannot have any one of the players more connected into the regulation space than the others are,” Maira said.
Nadhamuni has denied that his involvement in both UIDAI and Khosla Labs is any cause for concern. “There is no conflict of interest in Khosla Labs providing AUA services starting (March) 2015, about two and a half years after we had quit UIDAI,” Nadhamuni said. “[Khosla Labs] went through the due process of applying for a license with the UIDAI like all applicants.”
As of August 31, Aadhaar Bridge is one of the 308 AUAs licensed by UIDAI. The majority of AUAs are central and state government agencies, banks, insurance companies or telecom operators.
In addition to Khosla Labs, venture capital fund AngelPrime announced a “hackathon” in June 2015 to expose developers to Aadhaar.
At least three of the 11 backers/directors of AngelPrime worked with UIDAI in some capacity, including Raghavan, Balaji Parthasarathy and Sanjay Swamy.
Parthasarathy stressed that Aadhaar is an open platform and even as volunteers, “[he and Swamy] have no extra information or access to any resource that is unavailable to everyone in the country on the Aadhaar website.”
“UIDAI has established a nationwide Aadhaar authentication platform which can be used by public as well as private agencies subject to the provisions of the Aadhaar Act and Regulations,” Vikash Shukla, UIDAI’s general manager for media, said. “Anyone meeting the condition of ‘requesting entity’ prescribed under the Aadhaar Act and Regulations are entitled to use this authentication platform.”
Last month, UIDAI declined Indian privacy activist Vivek Velankar’s request to reveal the names of companies responsible for storing sensitive data as well as the manufacturers of the servers over ‘security reasons’.