Penalties for hacking, sharing or using Aadhaar data without authorization can be levied by the Unique Identification Authority of India (UIDAI) after a new rulemaking decision published by the government and reported by MediaNama (subscription required and recommended).
The Aadhaar Act (Adjudication of Penalties) Rules 2021 puts in place a mechanism for UIDAI to enforce the Aadhaar Act’s rules by punishing entities for civil or criminal violations. Penalties for violations of the Aadhaar Act could reach Rs 10,000 (roughly US$135) for impersonation, unauthorized use, hacking or data tampering, and up to Rs 10 million ($135,000) for compliance violations, at the discretion of an adjudicating officer. Impersonation and unauthorized use can also result in prison terms of up to three years, and hacking and data tampering could be punished with up to ten years in jail, in addition to fines.
MediaNama counts five separate Aadhaar data leaks just in 2017 and 2018.
The UIDAI has also launched a paperless, offline digital know-your-customer (KYC) service, based on a digitally signed document the authority generates, as an alternative to biometric or one-time-password-based verification, PTI reports.
The Aadhaar (Authentication and Offline Verification) Regulations 2021 sets out a system for Aadhaar Paperless Offline e-KYC based on demographic data, a photograph of the Aadhaar-holder, and the last four digits of their Aadhaar number.
The new rules also allow applicants to revoke their consent for the storage of digital KYC data at any time.
The government is attempting to use regulations and rules to change the scope of Aadhaar, rather than passing new laws, as MediaNama notes in an article on the proposed use of Aadhaar for voter ID.
The Aadhaar Authentication for Good Governance (Social Welfare, Innovation and Knowledge) Rules, 2020 sets out the proposal to link India’s biometrics-backed national ID Aadhaar with the country’s voter registry.
Proof of address
India’s government is considering launching a Digital Address Code (DAC) to enable the digital authentication of individuals’ addresses, Financial Express reports. Aadhaar does not support digital proof of address, though address is listed on the cards.
The idea is to link a DAC, created by the Department of Posts, to each physical address in the country. The DAC could be confirmed through an online address authentication service. A draft approach paper has been published by the Department as it solicits feedback on the proposal.
Intended benefits include easier ecommerce transactions and support for KYC checks in sectors like financial services and telecommunications.
Telangana seeks multi-biometric devices for food rations
The government of Telangana is planning to introduce face biometrics as an identity verification method for access to the public distribution system (PDS) used to deliver food aid to poor people in the state, MediaNama writes in a separate article. The biometric modality is being added to provide an alternative in case authentication through iris or fingerprint biometrics is unsuccessful.
A tender for the installation and maintenance for five years of 17,500 point-of-sale devices has been issued by the Telangana Department of Consumer Affairs, Food and Civil Supplies to support user authentication with Aadhaar and iris biometrics. The devices should also be able “to incorporate photo matching and face recognition options,” according to the tender document. Cameras should be a minimum of 5 megapixels, and certified by the UIDAI, as well as India’s Standardisation Testing and Quality Certification body.
The state food security card database was recently seeded with Aadhaar numbers while being digitized, and can be used for the face biometrics checks.
India’s central government is also developing Aadhaar-based facial recognition, according to the report.
Telangana is singled out for its extensive public surveillance system in a recent Amnesty International report.