Frequently Asked Questions

The Aadhaar Project and Bill

This FAQ attempts to address the key questions regarding the Aadhaar/UIDAI project and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 (henceforth, Bill).^[1] It has been authored by Elonnai Hickok, Vanya Rakesh, and Vipul Kharbanda of the Centre for Internet and Society.

This is neither a comprehensive list of questions, nor does it contain fully developed answers. We will continue to add questions to this list, and edit/expand the answers, based on our ongoing research.

We will be grateful to receive your comments, criticisms, evidences, edits, suggestions for new answers, and any other responses. These can either be shared as comments in this document, or via tweets sent to the information policy team at CIS: @CIS_InfoPolicy.

This FAQ is shared under Creative Commons Attribution 4.0 International license.

[Published and last updated on April 13, 2016]

General

About the UIDAI

Q.1.1. What is the UIDAI, and what powers and responsibilities does it have?

Section 11(2) of the Bill states that the Unique Identification Authority of India is a body corporate established by the Central Government, which is responsible for the processes of enrolment, authentication and perform such other functions assigned to it under this Bill. Also, section 11(3) of the Aadhaar Bill provides that the head office of the Authority shall be in New Delhi.

The UIDAI will develop the policy, procedure and systems for issuing Aadhaar numbers to individuals and will perform authentication of Aadhaar numbers. The powers and functions of the UIDAI, as per section 23 of the Bill, include:

• Specifying and verifying information for enrollment: Specifying the demographic information and biometric information required for enrolment and the processes for collection and verification of that information.
• Collecting information for enrollment: Collecting demographic information and biometric information from people seeking Aadhaar numbers.
• Appointing entities for CIDR: Appointing of one or more entities to operate the CIDR.
• Assigning Aadhaar numbers: Generating and assigning Aadhaar numbers to individuals.
• Authenticating Aadhaar numbers: Performing authentication of Aadhaar numbers.
• Operating, maintaining and updating the CIDR: Maintaining and updating the information of individuals in the CIDR.
• Deactivating Aadhaar numbers: Omitting and deactivating an Aadhaar number.
• Defining use of Aadhaar numbers: Specifying the manner of use of Aadhaar numbers for the purposes of providing or availing of various subsidies and other purposes for which Aadhaar numbers may be used.
• Defining terms, policies, and practices for actors in Aadhaar ecosystem: Specifying the terms and conditions for appointment of Registrars, enrolling agencies and service providers and revocation of their appointments as well as defining relevant policies and practices.
• Sharing Aadhaar information: Sharing the information of Aadhaar number holders.
• Auditing and inspecting actors in the Aadhaar ecosystem: Calling for information and records, conducting inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under this Bill.
• Defining security protocols: Specifying processes relating to data management, security protocols and other technology safeguards under this Bill.
• Issuing new Aadhaar numbers: Specifying the conditions/procedures for issuance of new Aadhaar number to existing Aadhaar number holder.
• Collecting relevant fees: Levying and collecting the fees or authorising the Registrar's, enrolling agencies or other service providers to collect fees for the services provided by them under this Bill.
• Appointing committees for assistance when needed: Appointing committees necessary to assist the Authority in discharge of its functions.
• Promoting biometric research: Promoting research and development for advancement in biometrics and related areas.
• Establishing redress mechanisms: Setting up facilitation centres and grievance redressal mechanisms.
• Other powers as prescribed: Other powers and functions as prescribed.

Q.1.2. What is the Aadhaar number?

Aadhaar is a 12 digit individual identification number issued by the Unique Identification Authority of India on behalf of the Government of India to any resident. Each unique Aadhaar number is proof of identity and cannot be re-assigned to any other individual. It is a random number, bearing no relation to the attributes or identity of the Aadhaar number holder.^[2] The number will serve as a proof of identity, and will not guarantee individual rights, benefits or entitlements.^[3]

Q.1.3. What is the purpose and objective of the Aadhaar/UIDAI project?

The objective of the Aadhaar scheme is to ensure effective targeted delivery of subsidies, benefits and services to residents of India in an efficient and transparent manner by assigning unique identity numbers to each individual accessing such benefits.

Q.1.4. Who is eligible for an Aadhaar number?

Every resident of India, regardless of age, is entitled to obtain an Aadhaar number, as stated under section 3(1). An individual who has resided in India for a period or periods amounting in all to one hundred and eighty-two days or more in the twelve months immediately preceding the date of application for enrolment will be considered as a resident, by virtue of Section 2(v) of the Bill.

Q.1.5. For what purposes can the Aadhaar number be used?

The Supreme Court stated in an order dated 11th August 2015 that “the Aadhaar card Scheme is purely voluntary and it cannot be made mandatory”.^[4] However, as per the Statement of Reasons and Objects under the Bill, the primary purpose of  the Aadhaar number is to serve as a mandatory identity for availing government subsidies and benefits. To this end, the Government may require that a person should be authenticated or give proof of the Aadhaar number to establish his/her identity. In the case a person does not have an Aadhaar number, he/she should make an application for enrolment.

Q.1.6. How is the Aadhaar number different from other forms of identity such as a voter ID card or a passport?

The Aadhaar number is different from other forms of identity in the following ways:

• Paperless identity as opposed to a card or hard copy identity document.
• An online identity as opposed to an offline identity.
• Verification is completed online with the help of authentication devices which connect to UIDAI’s Central Identity Repository and return only a ‘yes’ or ‘no’ response to the basic query “Is the person who he/she claims to be?” based on the data available with UIDAI as opposed to in person verification of identity documents.^[5]
• Can be adopted and verified by the UIDAI as an authentication mechanism by any public or private service provider as opposed to being limited in scope as to who can require and request verification of an identity or identity number.^[6]

Q.1.7. Can the Aadhaar be used in place of other forms of identity?

If an organization or service provider adopts the Aadhaar number and platform, then yes, the Aadhaar number can be used in place of other forms of identity.

Q.1.8. Is Aadhaar card mandatory for availment of government services? If yes, which ones and has the Government announced any deadlines for enrolment?

Though the orders by Supreme Court, dated 11th August 2015^[7] and 15th October 2015,^[8] have stated that any use of the Aadhaar number must be voluntary for government schemes like MNREGA, Jan Dhan Yojana, pension and provident fund schemes, distribution of food grains, kerosene oil and for LPG subsidy, according to the Aadhaar Bill, as a condition for receiving subsidy for which the expenditure is incurred from the Consolidated Fund of India, the Government may require that a person should be authenticated or give proof of the Aadhaar number to establish his/her identity by virtue of section 7.

The Government has not announced a list of services which can mandate Aadhaar and has not publicly set deadlines for enrollment. Indeed, enrollment appears to be an ongoing process as the Bill states that any individual without an Aadhaar seeking a subsidy should be directed to enrollment.

Q.1.9. Is there an alternate to Aadhaar for availing government services, benefits, schemes?

Though the Bill allows the government to mandate the Aadhaar number for access to governmental services, the Bill does not exclude other forms of identity from being required or accepted. If a government service requires the Aadhaar, but an individual does not have one, in addition to directing them to enroll, the service must accept an alternative form of identity, by virtue of section 7 of the Bill. If an individual has applied for an Aadhaar number but not been assigned one, they must be provided an alternative choice.

Q.1.10. What will be the implications of not possessing an Aadhaar card?

If the government decides to make Aadhaar mandatory for availing a particular benefit or scheme, then the individual would have to apply for an Aadhaar number if s/he wishes to avail of those benefits. If after applying for an Aadhaar number the person is not assigned one, then such person will be given an alternative means to avail those benefits. Thus, if an individual who does not have an Aadhaar number seeks to access a service which requires an Aadhaar number, there is the risk that they will be denied access to the service.

Q.1.11. What will be the status of the work completed prior to the Aadhaar Bill (contracts entered into, data collected, Aadhaar numbers issued etc.)

All of the work done prior to the Aadhaar Bill will be considered valid and all the assets, liabilities, contracts, etc. shall stand transferred to the UIDAI as established under the Aadhaar Bill. As per section 22 (b) of the Bill, all information collected during enrollment, authentication details, contracts entered into, and all matters and things engaged in with the purpose of the Unique Identification Authority, will be understood as having been entered into or done by with or for the Authority.

Q.1.12. What oversight and accountability mechanisms are applicable to the UIDAI?

The following oversight mechanisms are applicable to the UIDAI and Aadhaar project:

• Oversight of disclosure orders: As per section 33 of the Bill, disclosure of information maintained in the CIDR can only be done on the orders of a District Judge, or if in the interest of national security, on directions of a Joint Secretary to the Government of India. An Oversight Committee is responsible for reviewing every direction issued by a Joint Secretary before it takes effect. The Committee is comprised of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology.
• Oversight of UIDAI accounts: By virtue of Chapter V of the Bill, the UIDAI is subject to audit by the  Comptroller and Auditor-General of India and any person appointed by him in connection with the audit the accounts of the Authority. Also, UIDAI is required to furnish returns and statements to the Central Government.

Q.1.13. Can the UIDAI be held liable, and if so, on what grounds?

While the contractors delegated by the UIDAI to perform various functions such as collection, authentication, etc. could potentially be held liable under section 43A of the Information Technology Bill for breach of information that results in loss to an individual if it can be proven that they failed to implement reasonable security practices and procedures and they are body corporate, the UIDAI itself cannot be held liable under section 43A. Also, the Registrars, Enrolling Agencies, Requesting entities or any vendors under the UIDAI could be held liable under section 72A of the IT Bill, 2000, which prescribes punishment for any person, including an intermediary having access to material containing personal information about another person, for disclosure of information in breach of a lawful contract and without consent.

About Enrollment

Q.2.1. What is the enrollment process?

According to section 3 of the Bill, individuals undergo the process of enrollment by submitting demographic and biometric information.. The following steps are part of the enrollment process:

1. Go to an enrolling agency,  appointed by the Authority or a Registrar, with required documents. The application form is available online or at the enrolling agency.^[9]
2. Provide application form and demographic and biometric information to the enrolling agency.^[10]
3. Section 3(2) of the Bill provides that at the time of enrolment, the enrolling agency will provide the following details:

1. the manner in which the information shall be used
2. the nature of recipients with whom the information is intended to be shared during authentication; and
3. the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made.

4. The provided information will be submitted to the UIDAI for review and verification.
5. After verification, the UIDAI will issue an Aadhaar number and will store the submitted information and associated Aadhaar number in the CIDR.
6. The individual is intimated via SMS/e-mail and is later posted the printed Aadhaar number.

Q.2.2. What is the dataflow of the enrollment process?

The dataflow of the enrollment process is:

• Consent: The Aadhaar Bill does not mandate consent during the enrollment process, but as per past implementation, it is assumed that consent will continued to be taken via the enrollment application.
• Collection: Enrollment agencies collect demographic information via the application form and biometric information via biometric scanners.
• Notice: During collection, the individual must be notified as to how their information will be used; what type of entities the information will be shared with; and that they have a right to see their information and also tell them how they can see their information. This has been provided under section 3(2) of the Bill.
• Verification: Collected enrollment information is scrutinized by registrars and sent to the  the UIDAI for verification.
• Storage: UIDAI policies indicate that the UIDAI will store enrollment data in the CIDR and enrolling agencies or registrars, if authorized, may store enrollment data - but will not have access to the CIDR. may store authentication record information of the residents they enrol if they are authorised to do so, but will not have access to the information in the CIDR. The Authority will also enter into contracts with Registrars to ensure the confidentiality of the information they collect and store.^[11]

Q.2.3. Who are the key actors in the Aadhaar enrollment ecosystem (registrars, enrolling agencies etc)?

The Aadhaar enrollment ecosystem comprises of the following bodies/actors:

• UIDAI: The Unique Identification Authority is the central authority responsible for implementing the UIDAI scheme and operating the CIDR.
• Registrar: An entity contracted by the UIDAI for the purpose of enrolling individuals under the Aadhaar Bill.
• Enrolling agency: An agency contracted by the UIDAI or a Registrar for collecting demographic and biometric information of individuals during the enrollment process.

Q.2.4. What are the rights of the individual in the enrollment process?

At the time of enrollment, individuals have the right to know:

• How their information will be used.
• What type of entities the information will be shared with.
• That they have a right to access their information and also the procedure for seeing and editing/updating their information.

It is important to clarify that:

• During the enrollment process there is no clear grievance mechanism that individuals can use to report violations.
• Once individuals enroll for an Aadhaar there is no process for them to leave the Aadhaar scheme and request the deletion of their information.

About Authentication

Q.3.1. What is the authentication process?

Aadhaar authentication is the process wherein the  Aadhaar number, along with demographic and biometric information are submitted by requesting agencies to the UIDAI’s Central Identities Data Repository (CIDR) for verification. Once submitted and a match is verified, the UIDAI will respond with a “yes/no” answer along with any other appropriate response and identity information except for core biometric information.

During the authentication process,  the resident’s record is first selected using the Aadhaar Number, followed by matching of the the demographic/biometric inputs against the stored data  provided by the resident during enrolment/update process. Fingerprints in the input are matched against all stored 10 fingerprints.

Q.3.2. What is the ‘data flow’ of the authentication process?

The data flow of the authentication process is:

1. Consent and notice: A requesting entity takes the consent of an individual and informs the individual of the:

1. nature of information that may be shared upon authentication,
2. uses to which the information received during authentication may be put by  the requesting entity, and
3. alternatives to submission of identity information to the requesting entity.

2. Collection of Aadhaar: The requesting entity collects the Aadhaar numbers and additional attributes from the individuals and sends the same for authentication to the CIDR.
3. Authentication: The UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder but not share any biometric information.
4. Retention: The UIDAI will maintain an authentication record (the record of the time of authentication and identity of the requesting entity and the response provided by the Authority) for each Aadhaar number.
5. Access and correction: Individuals have the right to obtain their authentication record and correct their information stored in the CIDR.

Note: There is no provision for the deletion of authentication records or associated information in the Bill.

Q.3.3. Who are the key actors in the Authentication process?

The key players are the UIDAI, the requesting entity,  and the Aadhaar number holder.

Section 2(u) of the Bill defines a “requesting entity” as an agency or person that submits the Aadhaar number, and demographic information or biometric information, of an individual to the Central Identities Data Repository for authentication.

Q.3.4. What are the rights of the individual in the authentication process?

By virtue of section 8 individuals have the right to know:

• What type of information will be shared for authentication.
• What will the information be used for
• Whether there is any alternative to submitting the Aadhaar information to the requesting entity.

Under section 32, individuals also have the right to obtain copies of his/her authentication record and identity information excluding his/her core biometric information.

Q.3.5. What is the 'authentication record' and who can access it?

Section 2(d) defines authentication records as the record of the authentication which will contain the identity of the requesting entity and the response of the CIDR, which is subject to confidentiality by the Authority. Every Aadhaar holder may obtain a copy of his/her authentication record. Authentication records, along with other information stored in the CIDR may be accessed pursuant to an order of a court not inferior to that of a District Judge, or for the purposes of national security, an order by the Joint Secretary to the Government of India under section 33 of the Bill.

Q.3.6. Can an authentication failure (when the Aadhaar number of an individual does not match with the biometric or other data offered by her/him during the authentication process) be acceptable legal basis for denying government and private services to an individual?

Whether or not authentication failure is an acceptable means for denying government and private services to an individual is not clarified in the text of the Bill or UIDAI policies, but as per the objectives stated in the Bill, if the Aadhaar number of an individual is not verifiable by the UIDAI, they are not the correct person to receive the sought service.

Legal

Q.4.1. What laws establish and govern the UIDAI and the use of Aadhaar?

After the coming into effect of the Aadhaar Bill, the UIDAI will be deemed to have been established by the Bill and all the assets and liabilities of the already established UIDAI, which was established by the Central Government by Resolution of the Government of India, Planning Commission bearing notification number A-43011/02/2009-Admin. I, dated the 28th January, 2009 will be transferred to the UIDAI established under the Bill, by virtue of Section 22 of the Bill.

Q.4.2. What are the legal safeguards in place to protect against unauthorized collection and use of data in the Aadhaar project?

• Unauthorized collection: Section 36 provides that any person who is not authorized to collect information under the Bill, and pretends that he is authorized to do so, is punishable with imprisonment for a term which may extend to three years or with a fine which may extend to Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/-.
• Unauthorized access: Section 38 provides for Penalty for unauthorised access to the Central Identities Data Repository. If anyone, not authorised by the Authority, accesses, deletes, reveals, alters, steals, information is punishable with imprisonment for a term which may extend to three years and shall also be liable to a fine which shall not be less than ten lakh rupees. Tampering of data in the CIDR or removable storage medium, with the intention to modify or discover information relating to Aadhaar number holder will be punishable with imprisonment up to three years and a fine up to ten thousand rupees.

• Unauthorized use by requesting entity: Use of identity information in violation of Section 8 (3) by a requesting entity will be punishable with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

• Unauthorized disclosure: As per section 38 of the Bill, whoever, intentionally discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication to any person not authorised is punishable with imprisonment for a term which may extend to three years or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both.

Note: When applicable, Section 43A of the IT Bill, 2000 holds a body corporate, who is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, liable to compensate the affected person and pay damages.

Also, section 72A of the IT Bill, 2000 prescribes punishment for any person, including an intermediary having access to material containing personal information about another person, for disclosure of information in breach of a lawful contract and without consent. The Registrars, Enrolling Agencies, Requesting entities or any vendors under the UIDAI could be held liable under this provision.

Q.4.3. What are the legal safeguards in place to ensure the security and confidentiality of data in the Aadhaar project?

Section 28 of the Bill provides that the UIDAI will ensure the security and confidentiality of identity information and authentication records by taking measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage.The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons.Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone.

Q.4.4. What form of legal remedy do individuals have for mistake, harm or violation incurred through the project?

The Bill does not provide a grievance redressal mechanism for individuals.

Q.4.5. How is each player in the Aadhaar ecosystem governed and held legally accountable?

The Aadhaar ecosystem comprises of the Aadhaar number holder, the UIDAI and its members, Registrar, enrolling agencies, and the requesting entity.

• UIDAI: Governed by the Aadhaar Bill and held accountable to the Central Government and Parliament (to which it must submit annual reports), and the Comptroller and Auditor General India (to which it must submit its accounts for audit).
• Registrars: Governed by the Aadhaar Bill and contracts and held accountable to the UIDAI.
• Enrolling agencies: Governed by the Aadhaar Bill and by contracts and held accountable to the UIDAI.
• Requesting entities: Governed by the Aadhaar Bill.
• Aadhaar number holder: Governed by the Aadhaar Bill.

Q.4.6. What are the legal rights of the individual within the Aadhaar project?

• The individual has the right to access information, which must be informed by the enrolling agency at the time of enrollment.
• The individual has the right to know what information is being collected and for what purposes during the enrollment process.
• Every Aadhaar number holder shall be entitled to obtain his authentication record in such manner as may be specified by regulations.
• Every Aadhaar number holder has the right to know the nature of information that is being shared, the use of received information by the requesting entity, and if there is an alternative form of identity that is applicable.

Q.4.7. Is Aadhaar Constitutionally legal and valid?

The validity of Aadhaar was challenged before the Supreme Court of India, where the Court stated that Aadhaar is not mandatory but voluntary for schemes listed. However, the decision on constitutional validity of Aadhaar, along with Right to Privacy being a Fundamental Right under the Indian Constitution are yet to be decided by the Supreme Court.

Q.4.8. Is the Aadhaar Bill in line with the Justice AP Shah privacy principles?

The Aadhaar Bill does not entirely incorporate all of the Principles laid down in the Report of the Group of Experts on Privacy.^[12] The Bill lacks compliance with the following principles:

• Collection limitation: Although the Bill specifically provides what information can be collected (demographic and biometric information), it does not specifically prohibit the collection of further information. This becomes relevant because it makes it possible for enrolling agencies to collect extra information relating to individuals without any legal implications of such act. Also,the Bill does not provide penalty if a person who is authorized to collect information under the Bill in general, collects some information that he/she is not authorized to collect.
• Notice: The Bill leaves the manner of giving notice during collection as well as authentication in the realm of regulations and does not specify how this notice is to be provided, leaving an unclear picture as to how comprehensive, accessible, and frequent this notice must be.
• Access and correction: Regarding access to information, the Aadhaar Bill provides only for a request to the UIDAI for access to the information and does not make access to the information a right of the individual, which would mean that it would be entirely upon the discretion of the UIDAI to refuse to grant access to the information once a request has been made. Also, regarding alteration of information,the Bill provides for alteration of identity information only in the circumstances given in the section, for example demographic information cannot be changed if it has been lost, similarly biometric information cannot be changed if it is inaccurate.
• Disclosure: Regarding restriction on sharing of information, there is no opt in and opt out provision wherever a requesting entity has the power to ask for disclosure of information, so that people are not coerced into giving consent. Provisions regarding disclosure in specific cases, the level of oversight provided  is similar to that provided to interception requests, which involve a much graver if not the same level of invasion of privacy.
• Consent: The Aadhaar Bill provides no requirement or standard for the form of consent that must be taken during enrollment.
• Accountability: An essential task such as grievance redressal should not be left entirely to the discretion of the UIDAI and some grievance redressal mechanism should be incorporated into the Bill itself.
• Openness: There does not seem to be any provision in the Aadhaar Bill which requires the UIDAI to make its privacy policies and procedure available to the public in general even though the UIDAI has the responsibility to maintain the security and confidentiality of the information.

Q.4.9. How long is the information of an individual stored in the CIDR (Central Identities Data Repository?

The Aadhaar Bill does not state the duration for which identity information - including core biometric information and authentication records - of an individual are or can be stored in the Central Data Repository.

Q.4.10. What are the implications of the Supreme Court order for the Aadhaar Bill?

Section 7 of the Aadhaar Bill states that as a condition for receiving subsidy, the Government may require that a person should be authenticated or give proof of the Aadhaar number to establish his/her identity, making it almost mandatory to obtain the Aadhaar number. However, the Supreme Court order on Aadhaar allows its use only for voluntarily availing benefits of pre-defined Government schemes, and has also stated that no person shall be deprived of any benefit on the basis that they do not have an Aadhaar number. Thus, at this point it appears that the Aadhaar Bill is legalizing use of Aadhaar beyond that set out by the Supreme Court.

Technical

Q.5.1. What technologies are involved in the enrollment and authentication process? Are these certified?

The authentication process involves use of the Iris scanner, fingerprint scanner, Face camera. For the Aadhaar project, the biometric devices are provisionally certified by the Standardization Testing and Quality Certification (STQC) Directorate, which  is an attached office of the Department of Information Technology(DIT), Government of India, providing quality assurance services in the area of Electronics and IT through countrywide network of laboratories and centres.

Q.5.2. Does the UIDAI use analytical tools? For what purposes?

A strategic initiative adopted by UIDAI from the design stage has been the extensive usage of Analytics (the structured process of analyzing the data to derive insights that help operations to aid operations). UIDAI’s experience indicates that Analytics delivers concrete benefits to the end-to-end operations, which span tactical, operational and strategic levels, helping move decision making from “intuition based” to “data based”. It leads to increased transparency of the system, improves delivery of services and reduces leakages for delivering it to the right beneficiaries.  Further, Analytics can be used at a strategic level to shape and execute public policy priorities in resident facing applications.

HCL Infosystems Ltd. was awarded the contract for design, development, maintenance and support of intranet and knowledge management portal for the UIDAI project. The Big Data architecture solution for the project  was implemented with 150 nodes using MapR distribution and Pentaho’s PDI for data integration & data processing in Hadoop.   Pentaho PDI was key to connectivity between source system and the Big Data/Hadoop platform, and the Big Data-friendly environment was crucial for the transformation of data into information based on business rules on the Hadoop platform.

Q.5.3. What security features are in place for the enrollment process? authentication process? and communication and storage of data in the CIDR?

The UID website enlists mandatory security requirements as follows.

Enrollment:

• Security precautions are required to be taken by Registrars as they maintain a copy of the enrollment data as well as enrolling agencies as they engage in the collection of enrollment data. As per the Bill, these measures are defined by the UIDAI under section 28.
• The Aadhaar enrolment strategy is based on a multi-registrar model, for which a standardized “Enrolment Client” (EC) software  is needed and created for uniformity of data capture, process, and security, and given to all Registrars to be used by their appointed Enrolment Agencies (EAs). Enrolment client software also has built-in security features such as in-memory data encryption, encrypted data storage, export, etc.
• For the use of E-Aadhaar to access one’s Aadhaar number after enrollment, security features such as captcha, One-Time-Pin (OTP) on mobile, etc are implemented.

Authentication:

• PID block captured for Aadhaar authentication should be encrypted during capture and should never be sent in the clear over a network.
• The encrypted PID block should not be stored unless it is for buffered authentication for a short period of time.
• Biometric and OTP data captured for the purposes of Aadhaar authentication should not be stored on any permanent storage or database.
• In the case of operator assisted devices, operators should be authenticated using mechanisms such as password, Aadhaar authentication, etc.

Storage of data:

• UIDAI has taken several measures to ensure security of resident data from the time it is captured all the way to how it is stored within CIDR. Usage of 2048-bit PKI encryption and tamper detection using HMAC ensures no one can decrypt and misuse the data, even if they are in possession of enrolment packet. Resident data and raw biometrics is always kept encrypted even within UIDAI data centres. In addition, entire Business Intelligence (BI) sub-system anonymizes all PII to ensure resident personal data is protected across all system components.

• UIDAI may provide security guidelines to Registrars to assist in the implementation but the ownership will always reside with the Registrars. UIDAI will define interfaces for the Registrar System to interact with CIDR.
• Other measures include spanning from strong end-to-end encryption of sensitive data, use of HSM (Hardware Security Module) appliances, physical security, access control, network security, stringent audit mechanism, 24x7 monitoring, etc. Additionally, resident data in the CIDR and BI data store is protected through various security measures like Anti-tampering, Data partitioning, Anonymization.

Q.5.4. Does the Authority and other bodies involved in this comply with any technical standards?

The Aadhaar system is entirely built using open source components and takes heavy advantage of international open standards such as ISO biometric standards, data representation standards such as XML, JSON, Protocol Buffers, security standards such as 2048-bit PKI, AES-256, LDAP, messaging standard AMQP, open protocols such as HTTP, etc.

Q.5.5. Is the Aadhaar system encrypted?

Aadhaar authentication requires the identity data of the resident within the XML (PID block) to be encrypted. AES-256 session key is encrypted using UIDAI's 2048- public key. Also, PID block captured for Aadhaar authentication should be encrypted during capture, should never be sent in the clear over a network and the encrypted PID block should not be stored unless it is for buffered authentication for a short period of time. The data being sent to the Registrar  will be encrypted using the public key provided by the it and they have to manage their pair securely and put the necessary infrastructure in place.

Q.5.6. What is the de-duplication process? How does the deduplication process work? Who all are involved in this? Is it done by machines/algorithms or by human beings?

De-duplication is the process which involves cleaning of databases  using a combination of common unique identifiers such as UID, Name, Father‘s Name, Address, Gender, Date of Birth, etc. is known as the De-Duplication process. The deduplication process can be done either by using demographics or by using biometrics.

Registrars send the applicant's data to the CIDR for de-duplication. The CIDR  performs a search on key demographic fields and on the biometrics for each new enrolment, to minimise/eliminate duplicates in the database. The incentives in the UIDAI system are aligned towards a self-cleaning mechanism. The existing patchwork of multiple databases in India provides scope to individuals to furnish different personal information to different agencies. Since de-duplication in the UIDAI system ensures that residents have only one chance to be in the database, individuals are made to provide accurate data. This incentive will become especially powerful as benefits and entitlements are linked to Aadhaar. The UIDAI recommends that biometric authentication involving the fingerprint + 12 –digit number should be carried out for entering the 12-digit number in the database. However, in the current exercise, as the respective scheme owners had already seeded/ linked the Aadhaar number to the beneficiary database in some cases, the approach of demographic authentication (wherein Aadhaar number + Name/ Gender/ Date of Birth etc. are send to UIDAI for matching) was chosen due to the ability to do bulk authentication in a short time.