Two months after the Supreme Court ruling, Ajay Bhushan Pandey, CEO, Unique Identification Authority of India, spoke to Karishma Mehrotra and Krishn Kaushik about the path to full compliance and the issues that remain unclear. He said that all telecom operators have stopped Aadhaar authentications as of November 20, and that UIDAI has put on hold the contracts of Authentication User Agencies (AUA) and KYC User Agencies (KUA) “that should not be using” Aadhaar for authentication. Edited excerpts:
What will happen to the Aadhaar data that public and private entities stored earlier?
The Supreme Court order doesn’t say anything on this. The fingerprints were not getting stored (by private entities), because it immediately gets encrypted and then comes to UIDAI. What (private entities) had was your KYC information: name, address, photograph, gender and date of birth. The Court hasn’t said anything about what is to be done about the previously stored KYC information. As long as the bank account is operational, the underlying KYC has to be there and you can’t just delete KYC. In fact, it could harm the account holder. However, I have suggested to the banks, telecom operators and other companies that in case somebody comes and says that he/she wants to delete Aadhaar KYC, let him/her provide new KYC alternatively, and delete their earlier (bank accounts).
What steps has UIDAI taken to delete the authentication logs that are more than six months old?
A major part has already been deleted. Data is lying all over the place, so … we can’t just go and press a button and do this. Because there are thousands of places, tapes and computers there. It should be completed over the next few weeks.
Will it become an automated process after that?
Yes. And we have written our own software that will delete logs older than six months.
When a minor becomes an adult and they have the option to ‘opt out’, what will that do?
That is a question we will have to examine very carefully. Right now the legal advice that we have received is that the Aadhaar will have to be deactivated and it will become unusable and remain blocked forever.
Will it also delete the minor’s biometric information?
The Court order doesn’t say anything of that kind. If you delete the whole thing then again there is the question of underlying KYC and that problem will arise.
How many opt out requests have you received?
We haven’t received any.
The Supreme Court verdict, upholding Section 59, said that the UIDAI can go back to all the people who were enrolled before the Aadhaar Act was passed, seek their consent and anybody who wants, can opt out. Your opinion on this …
I don’t think that is there. The judgment has validated Section 59 and there is no question of reopening that chapter as far as the previous enrollees are concerned.
Did you meet the Election Commission recently regarding the SC ruling?
Yes, and we explained two things to the Commission: If you want to use Aadhaar authentication on a voluntary basis, then you have to have a law. But physical Aadhaar card can be used anywhere by the person on a voluntary basis. Secondly, based on the opinion we took from the Attorney General, we told them that Aadhaar card in an electronic form can also be used by scanning the downloaded QR code. None of these offline methods involve authentication. Authentication means that a tracking is kept in the Central Identities Data Repository, which is the UIDAI’s central data server.
How many digital signatures have been downloaded till now?
People are downloading 3 to 4 lakh electronic Aadhaar every day which has a QR code among other things. If someone downloads it today, he/she can use it several times and I (UIDAI) wouldn’t know who is using it and for what.
What do you think will happen to the Aadhaar ecosystem that was being used by industries such as Fintech?
The offline verification is a viable option. It gives you the same level of identity confirmation and same level of assurance. It is only a question of switching from authentication to offline verification.
How are private authorities such as AUAs and KUAs still using Aadhaar-based authentication?
If it is being used for any delivery of public services or any bank related work, whether it is a private entity or state government, that is allowed. What the court has discussed is that the purpose of authentication must be sanctioned by law, and not the actors (authentication agencies) involved.
Are you reviewing your contracts with the AUA/KUAs right now?
We are reviewing them one by one. Prima facie, we have put on hold those that should not be using it, and we are asking them what purpose they are using it for. We have written to everyone.
We don’t want to take some hasty action that may lead people to suffer. We have told them, you have to use it only for purposes allowed by law. If you are using it for other purposes, then it has to stop, else they may be held in contempt.
This month Reliance Jio and Airtel have done 30 million authentications each. Isn’t this in contempt of the SC order?
But now they have stopped. On November 20, they switched over to the new system and this is what I have been told.
Many entities are still insisting on Aadhaar. Is there a possible grievance redressal?
We haven’t made it mandatory. Either the person making it mandatory should be responsible or the regulator who is regulating the sector.