Listen to this article:
The Unique Identification Authority of India (UIDAI) has earned some well-deserved flak for issuing a press release advising members of the public to avoid sharing a photocopy of their Aadhaar card with anyone and then retracting this statement within 24 hours.
The retraction came with a new piece of advice – people have been told to exercise “normal prudence” with their Aadhaar cards. There is thus understandable confusion among the public now as to what is safe and unsafe as far as sharing Aadhaar cards is concerned.
The confusion is unnecessary. The UIDAI’s rules and regulations are clear on this matter. If someone asks you for your Aadhaar card to verify your identity, this is a case of “offline verification” under the amended Aadhaar Act, and the concerned person or agency is an “offline verification seeking entity” (OVSE). Offline verification is permissible, but it is subject to compliance with the UIDAI’s rules and regulations.
One of these regulations is that the OVSE should seek your consent and inform you about alternative modes of identity verification if you prefer to avoid sharing your Aadhaar card (Aadhaar Authentication and Offline Verification Regulations 2021, Regulation 5).
This regulation, of course, is violated left, right and centre across the country every day – people are routinely told that they must submit their Aadhaar card to apply for some service or facility.
Another regulation (same source, Sections 2(1)(mc) and 16A) is that the OVSE is not allowed to photocopy your Aadhaar card or store your Aadhaar number, except in a “masked” form where only four digits (the last four) are visible. This regulation, again, is being violated non-stop across the country.
By now, you might have noticed that these regulations are consistent with the UIDAI’s initial press release, later retracted. It is the retraction statement, urging “normal prudence” (whatever that means) that is deeply misleading.
The call for normal prudence leaves it to you to decide whether to share a photocopy of your (unmasked) Aadhaar card with an OVSE, when this is explicitly prohibited under the UIDAI’s own regulations.
If the initial press release was correct, then why did UIDAI retract it?
One possible reason is that the press release did contain a factually incorrect statement, namely that OVSEs need a “User Licence”. So far as we can tell from the Aadhaar Act and the UIDAI’s regulations, this is not the case. That makes it all the more important to be careful.
The UIDAI bears full responsibility for all this confusion. Would it be too much to ask for an official clarification?
Meanwhile, this goof-up brings out three larger issues. First, the UIDAI keeps issuing obscure regulations that few people read or understand.
By now, there are at least seven different types of Aadhaar-based authentication and verification – yes/no authentication, e-KYC, demographic authentication, QR Code verification, Aadhaar Paperless Offline e-KYC verification, e-Aadhaar verification and Offline Paper based verification – each with its own rules.
The UIDAI has singularly failed to communicate these rules to the public in a clear and transparent manner. In particular, it has failed to make people aware of their rights under these regulations.
Second, these regulations are routinely violated, but no one seems to be in charge of monitoring the violations let alone taking action against offenders. Today, any number of entities (government and non-government) are insisting on the Aadhaar card as an identity proof without abiding by the rules. Instead of trying to enforce its regulations, the UIDAI is putting the onus on the public to exercise “normal prudence”.
Last but not least, this saga brings out once again the need for greater accountability of the UIDAI. Remember, an entire chapter aimed at ensuring independent oversight of the UIDAI was mysteriously dropped from the Aadhaar Act shortly before it was finalised. The need to reinstate some accountability safeguards is greater than ever.
As far as “normal prudence” is concerned, here is one possible rule of thumb: if you must have an Aadhaar number, share it as little as possible.
There are at least two good reasons for this.
One is that every time you part with some information attached to your Aadhaar number, you add to the trail of personal data that are constantly being used by the government and private corporations to control or manipulate the public.
The other is that if anyone manages to clone your fingerprints (not a difficult job), in addition to getting hold of your Aadhaar number, you are in big trouble. That person will be able to impersonate you for multiple purposes, like withdrawing money from your bank account if your account is linked with Aadhaar. This has already happened to many. Better safe than sorry.
Jean Drèze is Visiting Professor at the Department of Economics, Ranchi University; Ria Singh Sawhney is an advocate and researcher.