RTI responses reveal the extent of Aadhaar use by the government

In our request to the UIDAI, we asked for information about the proposals received, the proposals approved, and the proposals denied.

16 August, 2023

Background

In 2018, the Supreme Court of India pronounced its decision on the constitutional validity of India’s digital ID system Aadhaar. While the Supreme Court did not declare the use of Aadhaar for public service delivery unconstitutional, it did strike down certain provisions of the Aadhaar Act, 2016. One of the provisions that was struck down was Section 57 of the Aadhaar Act, 2016 which allowed any “body corporate or person” or private entity to ask for the Aadhaar details of an individual for the purpose of identification. The Court reasoned that the provision created the risk of surveillance and commercial exploitation.  

While this should have been the end of private entities seeking to use Aadhaar for authentication purposes, it regretfully was not. On April 20, 2023, the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Amendment Rules, 2023 (GG Rules, 2023) were released for public consultation. They amend Rule 3 of the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Rules, 2020 (2020 Rules), which relates to ‘Purposes for Aadhaar authentication’, to include “promoting ease of living of residents and enabling better access to services for them” as a prescribed purpose.

The amendments also amend Rule 4 of the 2020 Rules to allow any entity, other than a government entity, that seeks to be able to perform Aadhaar authentication, to submit a proposal to the “concerned government Ministry or Department” justifying that their intended purpose falls under Rule 3 of the GG Rules, 2023. If the concerned Union or State government Ministry or Department is of the opinion that the proposal submitted falls under the prescribed purposes under Rule 3 & is in the interest of the State, then it can approve the proposal, allowing the entity to perform Aadhaar authentication. Thus, the GG Rules, 2023 could enable private entities to perform Aadhaar authentication, which goes against the decision of the Supreme Court. Read our joint submission on the draft Aadhaar Amendment Rules, 2023 with Article 21, Rethink Aadhaar, and Access Now here.

RTI findings

Concerned by this proposal, we decided to inquire about the organisations that currently have the authorisation for Aadhaar authentication with the help of the Right to Information Act, 2005. In our request to the UIDAI, we asked for information about the proposals received, the proposals approved, and the proposals denied. In the table below, we have collated and analysed the information received.

Table 1: Proposals approved that may have potential issues

| Authority | Purpose | Potential Issues |
| --- | --- | --- |
| The Food Safety and Standards Authority of India (FSSAI) | Aadhaar authentication for licensing/registration of Food Business Operators | It appears as though in order to transact with the government in any commercial manner, Aadhaar authentication has become a necessary step. This could result in vendors who were unwilling or unable to complete Aadhaar authentication being excluded from transacting with the government. |
| Ministry of Food Processing Industries | Use of Aadhaar authentication services for the Identity verification of applicants (Beneficiaries) | |
| Housing Department, Government of Maharashtra | Aadhaar authentication services for Slum Dweller Owner Verification | |
| Warehousing Development and Regulatory Authority, Ministry of Food and Consumer Affairs | Aadhaar authentication for doing eKYC of depositor | |
| Cyber Law Group, MeitY | Aadhaar authentication services for authenticating the users of Grievance Appellate Committee Portal | Such use could negatively impact anonymity on the internet and as a result, the right to freedom of speech online. |
| I-Gov / NIXI, MeitY | To get the authenticated contact details of registrants. | |
| Ministry of Railways | Use of Aadhaar authentication for registration on IRCTC website and for online ticket booking | Such use could be utilised to track the movements/physical location of an individual and as a result, negatively impact the right to freedom of movement. |
| Ministry of External Affairs | Use of Aadhaar authentication as eKYC in Passport related Services | |
| Cochin Shipyard Limited, Ministry of Shipping | Aadhaar authentication services to establish the genuineness of persons entering the CSL | |
| Education Department, Chandigarh | Aadhaar Authentication services for Centralised online admission of children belonging to Economically Weaker Section (EWS) and Disadvantaged Group in Private Unaided Schools as per section 12 (1) (C) of Right to Education Act, 2009 | The use of Aadhaar authentication could result in a higher degree of harm when used for categories of people who may be at a higher risk due to the sensitivity of their data, such as children or those sharing health data, and professions which may be at higher risk such as journalism. |
| Department of Public Instruction, Karnataka | Aadhaar authentication in Student Achievement Tracking System | |
| Department of School Education and Literacy, Ministry of Education | Aadhaar authentication for Student, Teacher, and Teacher Educator registry | |
| Department of Health and Family Welfare, Punjab | Aadhaar authentication for Drug De-addiction Registry Portal | |
| GAD, DG Information and Public Relations, Maharashtra | Aadhaar authentication services for Journalist certification portal | |
| Women Safety Division, Ministry of Home Affairs | Aadhaar authentication of prison inmates | Aadhaar authentication has been expanded into a myriad of uses. It is unclear why certain categories of uses were approved and what benefit or purpose Aadhaar authentication would serve. Here, the use of Aadhaar authentication may also contribute to the risk of exclusion, which may be especially harmful in cases of benefit delivery. |
| Prohibition, Excise and Registration Department, Bihar | Aadhaar authentication for identifying the repeat offenders under section 37 of the Bihar Prohibition and Excise Act, 2016 | |
| Directorate of Public Instruction / School Education Department, Madhya Pradesh | Authentication services for validation of guest teachers in the Guest Faculty Management System | |
| Railways Claims Tribunal, Ministry of Railways | Aadhaar authentication services for verifying claimants by RCT | |
| Dept of Power / Kerala State Electricity Board, Kerala | Verifying user identity and new, existing customers and pensioners of Kerala State Electricity Board | |
| Department of Agriculture and Farmers' Empowerment, Odisha | Aadhaar authentication services for authentication of farmers' registration to create a unified database of all farmers of the State of Odisha under 'Krushak Odisha' programme | |
| Employees' State Insurance Corporation, Ministry of Labour and Employment | Identification of beneficiaries for providing social security benefits, including medical and cash benefits | |

The document containing the list of denied proposals also sheds some light as to the types of proposals where the government drew a line and acknowledged that Aadhaar should not be used. Such uses include the use of Aadhaar authentication in higher education by the Department of Higher Education, Uttarakhand and Aadhaar authentication for the Crime and Criminal Tracking Network System by the Tamil Nadu Police Department.

Takeaways

Firstly, we must appreciate the government for their transparency in sharing these responses with us and for having in place a process to judge whether a specific proposal should be approved, instead of providing blanket approvals. However, a perusal of the documents has further instilled our fears regarding the expanding use of Aadhaar for various uses, which could have a severe impact on an individual’s privacy as it could allow the government to profile any individual. Further, with the increasing amount of data collection being done in a legal vacuum, there is little protection against privacy violations through data breaches, and the upcoming Digital Personal Data Protection Bill, 2023 gives the Union Government power to exempt any state instrumentality from the application of law through notification. Lastly, the use of Aadhaar to access government services and work with government agencies sets a dangerous precedent and could result in the unwarranted exclusion of those who either do not have Aadhaar or are facing technical issues with their Aadhaar.

(This post has been co-authored with Ria Singh Sawhney of Rethink Aadhaar)
