As Aadhaar is increasingly used coercively to seek your identity information from Unique Identification Authority of India (UIDAI), the provisions of the Aadhaar Act that require you to provide consent are being pushed aside. Here is a quick guide to your consent rights and how to protect them.
Why does consent matter?
In a civilised society, each individual is entitled to dignity. Dignity of an individual is one of the basic rights of a human being and is guaranteed by the Constitution. When you interact with a person, be it a family member, friend or an outsider, both parties are expected to honour the dignity of the other. A person's willingness to interact is considered as consent. Consent, therefore, is essential to preserve dignity in civilised societies. Consent is also important to preserve the security of individuals.
Is Aadhaar Authentication legal without your consent?
When your Aadhaar number is used to authenticate you, the organisation requesting your Aadhaar information from the UIDAI is expected to obtain your consent. According to Chapter III 8 (2) (a) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016, consent has to be restricted for purposes of authentication.
According to the Act (section 8(2)) and Authentication Regulations (section 5), before authenticating, the service provider is expected to provide you the nature of the information that will be available to the requesting organisation upon authentication from the UIDAI, the ways in which the information shall be used by the requesting organisation and alternatives to submission of identity information, should you not wish to use an Aadhaar number.
Once you understand the nature of the information and manner in which it shall be used, according to the Authentication Regulations (section 6), the service provider is supposed to hand you a consent form, which you shall fill. The authentication regulations mandate that the service provider use a template provided by UIDAI to take your consent. The consent may be recorded either in paper form or electronic form. In either case, the requesting organisation is required to offer alternate methods of identification, should you not wish to use Aadhaar. The service provider is supposed to keep a log of consent information. And, according to Aadhaar Act (section 32(2)), you have a right to access that information, if you wish to, in case you are willing to undergo Aadhaar authentication.
The Aadhaar Authentication Regulations (section 16 (5)) gives you the right to revoke your consent to the organisation that has obtained your identity information from the UIDAI. When you revoke your consent, the requesting organisation would be required to delete your identity information that it obtained from the UIDAI. For example, if you decide to stop using your once favourite mobile connection for whatever reason, you can revoke the consent you granted them and inform them accordingly. Once they receive your request for revoking consent, they shall delete all your information received during e-KYC (know-your-customer) process, which you followed to get the connection in the first place. This ensures that your identity information is not misused.
Interestingly, UIDAI, which provides the e-KYC service to authenticate you, does not provide any means to revoke your consent. UIDAI does not mention the turnaround time for completing the revocation request, too. The UIDAI-supplied consent form template does not mention any method to revoke your authentication. There is, therefore, no best practice available to requesting organisations to allow you to revoke your consent. This amounts to denial of your legal rights.
On a related note, neither the UIDAI nor Government of India has defined standards to irrevocably delete your data from a service provider’s systems. Ask a cyber forensic expert, and he will show you how the deleted data can be recovered from disks. Even our Information Technology (IT) Act and subsequent rules are silent on this matter.
So it is illegal use of your Aadhaar number if your Aadhaar number has been used to obtain your identity information from UIDAI without your consent.
Can your identity information be used for any purpose?
There are three actors in the process of your authentication -- you, the service provider and UIDAI. Only two of the actors (you and service provider) know the purpose. You have a right to know how the data will be used by the service provider. The purpose of authentication has to be recorded by the service provider, but it is not sent to UIDAI (Aadhaar Act, section 32(3)). Since you do not digitally sign the purpose, it may be difficult to prove in a court of law whether your identity information obtained from UIDAI has been misused.
Although, the Act says that the information can be used only for the purpose for which it is granted, there is no way for the UIDAI to enforce such requirements. The Act does not provide for an alternate redressal mechanism in case an organisation requesting your identity information misuses it. This leaves the users at the mercy of the service provider, without any remedies. Under section 47 of the Aadhaar Act, you are not allowed to approach courts except under authorisation of the UIDAI. It, therefore, leaves those with grievances without any remedies.
What UIDAI should do?
UIDAI should advertise in the media about the rights of citizens to provide and revoke consent for obtaining and retaining identity information using the Aadhaar number. In addition, UIDAI should learn from the experiences of other regulators to protect the Aadhaar holder from phishing and other frauds that illegally obtain and misuse identity information.
UIDAI should acknowledge the design flaws in the Aadhaar framework, its application-programming interface (API) and various systems and processes built around it. The UIDAI cannot live in denial any longer. The rights of those with Aadhaar numbers depends on the actions of UIDAI to protect them. If users’ identity information is used without consent, it is UIDAI’s problem too. Such unauthorised use amounts to a leak of data from the UIDAI.
Various authentication agencies are audited as required under the Regulations. UIDAI should make the audit findings, particularly on consent, public. Such actions will enhance the trust of ordinary citizens in the processes of UIDAI.
Section 139AA of the Income Tax Act violates the Aadhaar Act and Regulations requirement to obtain consent, to specify purpose of use of identity information as well providing an alternative to authentication using Aadhaar. The UIDAI should move the courts to prohibit such illegal use of the Aadhaar number.
How can you protect your right to informed consent?
You can deny any requesting organisation the use of your Aadhaar number to obtain the identity information stored with the UIDAI if they do not provide you with a form asking for your consent, or do not state the specific purposes to which the information will be used and do not provide you a mechanism to revoke your consent anytime. You can demand an alternate way to submit identity information if you do not wish to use the Aadhaar number.
Now that you are aware of your rights, it is time to demand your rights. Always ask for clarifications, in written mode. When you leave a service, revoke your consent to the service provider and demand that it acknowledge the deletion of all records from its systems. If you have an Aadhaar, call 1947 now and ask them questions. If you are on social media, tweet to @uidai and @ceo_uidai with the hashtag #AadhaarFailures #NoConsent.
(Derick Thomas is a communication engineer with expertise in network architecture, privacy and secure communication technologies. He can be reached on https://twitter.com/derick_thomas)