The Unique Identification Authority of India (UIDAI) put out the Draft Aadhaar (Authentication and Offline Verification) Regulations, 2021, on May 20th. The draft was released with little publicity and is open for public comments only until today. This consultation window is shorter than the 30-day period stipulated by the Pre-Legislative Consultation Policy. Citing this, the Software Freedom Law Centre has urged the UIDAI to extend the consultation period.
With all of that said, let’s take a brief look at what the draft regulations say.
Under the definitions, the regulations introduce an “Aadhaar Number Capture Service Token or ANCS Token”. It means an encrypted Aadhaar number generated by the UIDAI for a given Aadhaar number. The token is used to complete an authentication transaction and is valid only for a short period of time; the UIDAI will prescribe the duration for which it remains valid.
Authentication means the process by which the Aadhaar number, along with the demographic information or biometric information of the holder, is submitted to the Central Identities Data Repository (CIDR) for verification. The CIDR verifies the correctness of the submitted information against the information already available with it.
Offline Verification
Offline verification is the process of verifying the identity of the Aadhaar holder through offline means, without authentication against the CIDR.
UIDAI shall provide the following types of offline verifications:
1. QR Code verification
2. Aadhaar Paperless Offline e-KYC verification
3. e-Aadhaar verification
4. Offline paper based verification
5. Any other type of verification that UIDAI may introduce
All of the above types of verification are to be carried out as per the specifications that UIDAI will provide from time to time. Offline paper based verification, however, may be carried out by the verifying entity itself.
It shall be the responsibility of the concerned entity to verify the genuineness of the copy of the Aadhaar letter submitted by the holder. Further, the entity shall obtain the holder's consent on the paper copy that the holder submits.
The draft rules also lay down that entities which are not allowed to collect or store the Aadhaar number shall ensure that the first 8 digits of the Aadhaar number are redacted in all of the entity's records before the physical copies are stored.
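As an added illustration of what the redaction rule means in practice for an entity's records (this is not code from the draft or from UIDAI, and the draft prescribes no format), the following Python finds Aadhaar-shaped numbers in free text, whether written as 12 digits or as three groups of four separated by a space or hyphen as printed on the Aadhaar letter, and masks the first 8 digits while keeping the last 4. The leading-digit check assumes the UIDAI convention that Aadhaar numbers begin with 2 to 9; it is a heuristic to reduce false positives on other 12-digit strings, not a validity check. The sample records are constructed.

```python
import re

# Aadhaar-shaped number: 12 digits, optionally as 4-4-4 groups with a space or
# hyphen between them. The lookarounds stop it matching inside longer digit runs.
# Assumption: the first digit is 2-9 (UIDAI numbering convention); this only
# narrows matches and does not prove the number is a real Aadhaar number.
AADHAAR_RE = re.compile(r"(?<!\d)([2-9]\d{3})([ -]?)(\d{4})\2(\d{4})(?!\d)")

# Constructed sample records for an entity that may not store Aadhaar numbers.
SAMPLE_RECORDS = [
    "Name: A. Kumar; Aadhaar: 2345 6789 0123; Phone: 9876543210",
    "KYC ref id=234567890123 verified via e-Aadhaar",
    "Letter copy on file, number 2345-6789-0123",
    "Invoice 123456789012 (not an Aadhaar number: leading digit 1)",
]


def redact_aadhaar(text: str) -> str:
    """Mask the first 8 digits of every Aadhaar-shaped number in text,
    preserving the original grouping separator and the last 4 digits."""

    def _mask(m: re.Match) -> str:
        sep = m.group(2)
        return f"XXXX{sep}XXXX{sep}{m.group(4)}"

    return AADHAAR_RE.sub(_mask, text)


def contains_unredacted_aadhaar(text: str) -> bool:
    """Compliance check: True if an unmasked Aadhaar-shaped number remains."""
    return AADHAAR_RE.search(text) is not None


def redact_records(records: list[str]) -> list[str]:
    """Redact a batch of records and refuse to return any that still leak a number."""
    out = [redact_aadhaar(r) for r in records]
    leaks = [r for r in out if contains_unredacted_aadhaar(r)]
    if leaks:
        raise ValueError(f"unredacted Aadhaar-shaped number remains in {len(leaks)} record(s)")
    return out


if __name__ == "__main__":
    for before, after in zip(SAMPLE_RECORDS, redact_records(SAMPLE_RECORDS)):
        print(f"{before}\n  -> {after}")
```

The check is deliberately run again after masking: a record that still matches after redaction indicates a format the pattern does not cover, which should be reviewed rather than stored. The 10-digit phone number and the 13-digit-or-longer runs are left untouched by the lookarounds.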
Modes of Authentication
Authentication can be carried out using 4 methods.
Demographic authentication- demographic information of the Aadhaar holder is matched with the information present in the CIDR.
One-time PIN (OTP) authentication- an OTP with limited time validity is sent to the mobile number or email address of the holder. The OTP the holder provides during authentication is matched with the OTP generated by UIDAI.
Biometric authentication- the Aadhaar number and biometric information submitted by the holder are matched with the corresponding information stored in the CIDR.
Multi-factor authentication- any combination of the above methods may be used.
Virtual ID (VID)
The UIDAI shall provide an alternate identification number, mapped to the Aadhaar number, for the purpose of authentication. This VID can be used instead of the Aadhaar number for online authentication. No entity is allowed to store the VID on its systems.
Consent of the Aadhaar holder
To obtain consent, the entity seeking authentication or offline verification has to inform the holder about the nature of information that will be shared, the uses of the obtained information, as well as alternate means of submission of identification.
The entity shall obtain consent in physical or electronic form. It must also maintain logs or records of consent in the manner and form in which UIDAI specifies.
The Aadhaar holder shall be provided the facility to withdraw consent. Upon withdrawal, the Aadhaar data shall be deleted and an acknowledgement of the deletion shall be given to the resident. To continue receiving the service, a beneficiary can opt for any alternate means of identity verification.
Devices and applications used in authentication
UIDAI will issue specifications for the devices and equipment used for authentication. An entity shall use only devices certified as per those specifications.
Client applications shall conform to the standard APIs and specifications laid down by UIDAI.
Locking of biometrics and the Aadhaar number
UIDAI may enable an Aadhaar holder to permanently lock his biometrics and temporarily unlock them when needed for biometric authentication.
On temporary unlocking, the biometrics shall remain unlocked for the period that UIDAI may specify, or until the completion of the authentication transaction, whichever is earlier.
In yet another case of putting the cart before the horse, UIDAI already offers such locking.
An Aadhaar number holder shall also be allowed to lock his Aadhaar number and unlock it whenever needed for authentication. While the Aadhaar number is locked, UIDAI will allow the holder to authenticate using the virtual ID instead.
The draft rules also set out the manner of appointment of requesting entities and authentication and verification seeking agencies, and the roles, responsibilities and obligations of such entities and agencies. Among the important data protection rules, authentication logs are to be maintained for two years, archived for a further five years, and deleted after that.
There is also a provision for audit of requesting entities, authentication service agencies, and offline verification seeking entities. An Aadhaar holder shall have the right to access his authentication records, subject to payment of the fees prescribed by UIDAI.
You can read the draft here.