It’s been nearly a month since the Supreme Court (SC) judgment on Aadhaar. Let’s take stock of where we are.
Within a week of the judgment, the Unique Identification Authority of India (UIDAI) issued notices to telecom companies asking them to work out a plan to comply with the order of the SC. Though the department of telecommunications regulation requiring telcos to link mobile numbers with Aadhaar was struck down, that, of itself, did not require any overt action on the part of the telcos. However, since most of the telecom operators in the country are private companies, they could no longer use the Aadhaar authentication infrastructure to enrol new subscribers. The UIDAI notice was a reminder that telcos had to unwind their dependence on the authentication infrastructure.
The UIDAI has also issued notices to various non-banking financial companies (NBFCs) asking them to take steps to discontinue their usage of the Aadhaar authentication infrastructure. Thanks to amendments to the provisions of the prevention of money laundering (PML) regulations issued in 2017, all financial institutions (including these companies) were obliged to record the Aadhaar numbers of their customers. Since the SC has struck down the 2017 amendments as unconstitutional, these companies could no longer require applicants to provide their Aadhaar numbers as a prerequisite to receiving financial services.
However, beyond mere compliance with the new know your customer (KYC) obligations mandated by the PML amendments, many NBFCs were leveraging the low cost of Aadhaar-based e-KYC and e-Sign to offer small ticket size loans to people previously excluded from the financial system. Now that the private sector can no longer access any part of the authentication infrastructure, it is no longer commercially viable for them to provide these loans to the poor.
In a previous column, I pointed out that a judgment designed to ensure that the less advantaged can continue to use Aadhaar to avail of subsidies and benefits will result in the poorest of the poor being excluded from the financial system. By issuing these notices to NBFCs who use the Aadhaar infrastructure, the UIDAI seems determined to hasten down this path with little thought to the consequences.
If we can agree that there is a need to find ways in which we can continue to include the poor within the financial system, we need to find viable options that the financial industry can deploy to achieve these ends.
The SC judgment clearly prohibits access by the private sector to the Aadhaar authentication infrastructure. This seems to be aimed at ensuring that no-one—other than the government—can ask ordinary citizens to prove themselves by submitting their biometrics and verifying them against the Aadhaar database. However, this does not prohibit the use of Aadhaar as a proof of identity—a proposition that the majority judgment itself tacitly acknowledges in paragraph 367 where it says that a resident can present his or her Aadhaar card as proof of identity. This suggests that so long as biometrics are not requested, the unique identity of an individual as established through the Aadhaar de-duplication process can still be used.
One way to continue to leverage Aadhaar authentication without violating the SC order is through offline verification. Every Aadhaar number holder can request and obtain a unique QR code from the UIDAI. When scanned, this code provides the demographic information and photograph corresponding to the Aadhaar number associated with that code. This data is digitally signed by the UIDAI, confirming that the identity information provided is certified as authentic by the UIDAI. Since it is a digital, paperless verification process, once offline verification is incorporated into the loan disbursal workflow, it could provide a cost-effective solution that leverages the unique identity established by the Aadhaar system without relying on biometrics or directly accessing the authentication infrastructure.
At present, various laws require regulated entities to use Aadhaar authentication in order to comply with their KYC obligations. This includes the banking regulations that recognise Aadhaar as an officially valid document for the purpose of KYC and oblige financial institutions to use the Aadhaar authentication system to meet their KYC obligations. Now that this infrastructure is inaccessible to private parties, the banking regulator should give offline authentication the same legal status currently accorded to Aadhaar authentication.
Various other government operations that use Aadhaar in their databases (such as the employees’ state insurance and provident fund frameworks) should similarly amend their provisions to declare that authentication carried out using offline QR is just as valid as if it had been done using the Aadhaar authentication system. Businesses that use Aadhaar-established identity for purposes as widely varied as initiating police verification and background checks for enrolling customers quickly should amend their business processes to incorporate offline verification as a means to achieve their commercial purposes.
If this happens, I am hopeful that widespread use of offline QR-based verification will prove to be a viable alternative that will allow us to continue to benefit from the Aadhaar identity system without exposing Aadhaar number holders to the many harms that the SC judgment was at pains to avoid.
Rahul Matthan is a partner at Trilegal and author of Privacy 3.0: Unlocking Our Data-Driven Future. Ex Machina is a column on technology, law and everything in between. His Twitter handle is @matthan.