‘Aad­haar is use­less for iden­ti­fi­ca­tion’

FrontLine - - FRONT PAGE - BY DIVYA TRIVEDI

AN ex­pert on com­plex sys­tems, gov­er­nance and informatics, Anu­pam Saraph ad­vises gov­ern­ments and busi­nesses across the world. A teacher and former IT Ad­viser to Goa Chief Min­is­ter Manohar Par­rikar, he chal­lenged Aad­haar as part of the Na­grik Chetna Manch. In the wake of the Supreme Court judg­ment, he spoke to Front­line on its im­pli­ca­tions. Ex­cerpts from the in­ter­view.

How will the Supreme Court verdict af­fect com­pa­nies such as Paytm that re­quire Aad­haar for au­then­ti­ca­tion?

Com­pa­nies that use Aad­haar for au­then­ti­ca­tion are now saved from the mis­taken be­lief that Aad­haar au­then­ti­ca­tion is more se­cure than tra­di­tional user­name and pass­word chal­lenges. Unlike Aad­haar bio­met­rics which are nei­ther cer­ti­fied nor con­trolled by the per­son to whom they be­long, pass­words are in the con­trol of users. Unlike bio­met­rics, which can’t be changed if com­pro­mised, pass­words can be re­set.

Aad­haar bio­met­rics are not cer­ti­fied by the UIDAI [Unique Iden­ti­fi­ca­tion Au­thor­ity of In­dia] as be­long­ing to the per­son who is be­ing au­then­ti­cated. The bio­met­rics as­so­ci­ated with an Aad­haar num­ber can be changed by pro­cesses (both le­git­i­mate and il­le­git­i­mate) out­side the con­trol of fin­tech com­pa­nies. They, there­fore, had no way of guar­an­tee­ing risk-free out­comes with Aad­haar.

These com­pa­nies will now be re­quired to shift back to a more ro­bust non-aad­haar KYC [know your cus­tomer] that re­duces sig­nif­i­cantly the risk of be­nami, or proxy, bank and wal­let accounts us­ing Aad­haar.

This is a win for fin­tech com­pa­nies that want to pre­vent money laun­der­ing and fi­nan­cial ter­ror­ism. This is a win for the RBI, which prior to 2011 had clearly in­di­cated that the use of Aad­haar in bank­ing was not only against its own ex­tant guide­lines but also against the Pre­ven­tion of Money Laun­der­ing Act, the Basel Stan­dards and the govern­ment’s con­cerns about fi­nanc­ing ter­ror­ism. It had high­lighted that nowhere in the world are third-party iden­ti­fi­ca­tion sys­tems used in bank­ing.

While the Supreme Court verdict does not make Aad­haar com­pul­sory, it still needs to be linked to PAN. Bank accounts need PAN and some other places also recog­nise PAN au­then­ti­ca­tion. Can there be leak­ages through the PAN route?

The UIDAI’S af­fi­davit to the Supreme Court in­di­cates that more than 51 per cent of the Aad­haar num­bers have never been used for bio­met­ric or iris au­then­ti­ca­tion any­where. So, it is ob­vi­ous that most of them are likely to be ghosts or du­pli­cates. Sec­tion 139AA of the In­come Tax Act, which re­quires the link­ing of Aad­haar to PAN for in­come tax pur­poses, if up­held, will con­tinue to generate fake PAN through fake Aad­haar. This will con­tinue to generate be­nami bank accounts that are Aad­haar-en­abled with these fake PAN num­bers.

The con­cern is not about pub­lic ex­po­sure of Aad­haar num­bers. It is about treat­ing these un­cer­ti­fied, un­ver­i­fied and unau­dited num­bers as iden­tity and en­abling money trans­fers to be­nami bank accounts cre­ated through such Aad­haar num­bers.

Can com­pa­nies and banks that have col­lected Aad­haar data de­stroy the data now or will they still be stored some­where? Also how do users know that the data have been deleted?

Delink­ing Aad­haar, while an es­sen­tial process for fi­nan­cial and other in­sti­tu­tions to re­duce risks, is not suf­fi­cient to pro­tect an in­di­vid­ual or those in­sti­tu­tions. Fi­nan­cial in­sti­tu­tions need to run a cam­paign now to cleanse them­selves of the Aad­haar virus to pro­tect them­selves from fi­nan­cial scams and un­prece­dented risks, which are out­side their abil­ity to con­tain. Aad­haar is not KYC.

A per­son’s safety can­not be guar­an­teed by just delink­ing his/her Aad­haar num­ber. As long as un­cer­ti­fied, un­ver­i­fied and unau­dited Aad­haar is treated as iden­tity, it will ex­pose one to iden­tity fraud. As long as Aad­haar num­bers, or any iden­tity doc­u­ment based on Aad­haar num­bers, are used to make Aad­haar-en­abled pay­ments, they will con­tinue to en­able money trans­fers to be­nami bank accounts cre­ated through Aad­haar.

In order to pro­tect against harm from Aad­haar, the RBI needs to en­sure two things. First, that banks re­vert to keep­ing a per­son’s iden­ti­fi­ca­tion doc­u­ments for KYC, as long as they are not gen­er­ated us­ing that per­son’s Aad­haar and, unlike the Aad­haar, are cer­ti­fied, ver­i­fied or au­dited by some govern­ment agency. Sec­ond, the Na­tional Pay­ments Cor­po­ra­tion of In­dia’s [NPCI] Aad­haar-en­abled pay­ments should be deli­censed, and no money trans­fers with Aad­haar or doc­u­ments de­rived from Aad­haar should be al­lowed.

Aad­haar was also linked to the Prime Min­is­ter’s Dig­i­tal In­dia pro­gramme. Now that the court has ruled that pri­vate com­pa­nies can­not use Aad­haar, what hap­pens

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.