Page 31 - Proceedings of the 2017 ITU Kaleidoscope
P. 31
Challenges for a data-driven society
However, UIDAI also has access to a number of other data records. The bank would, however, need to utilize the
points that would not be captured by existing restrictions in authentication logs generated through Aadhaar. The current
the Aadhaar Act. For instance, the Authority currently regulatory framework constrains such use by providing that
maintains an online dashboard that offers data about the the authentication logs can only be used for certain
State-wise status of enrolments, including by age and identified purposes. This includes sharing of the logs for
gender and the entities involved in the process. Compared grievance redressal, dispute resolution and audits by
to this, the information that is made available about the UIDAI. The regulations will therefore need to be
usage of the UIDAI authentication / eKYC architecture by appropriately amended, as discussed further in Section 4.
its approved agencies is almost negligible. While the law eKYC: There is marked difference, however, when it comes
restricts UIDAI from recording or disclosing the purpose of to the amount of data made available to and generated by
an authentication request, there is nothing that bars it from authorized eKYC partners. The Aadhaar (Authentication)
disclosing aggregated details of the number of Regulations, 2016 allow the requesting entity to gain access
authentication requests received by it, the authorized entity to the person’s demographic information that is filed with
making the request, the geographic location from where the UIDAI. This information can be used by it “for its own
request was made and so on, on a daily basis. Similarly, purpose”, i.e. for the purposes of its business. It may also
transparency also demands that the number of failed share the e-KYC data with other agencies for a specified
transactions, in terms of generation of Aadhaar number, purpose, with the consent of the individual.
authentication or eKYC requests should also be made With eKYC agencies, there is scope for release of valuable
public. data points. To take an example, it has been reported that
The availability of this information will guide the users of there exists a vast gender divide in the adoption of
Aadhaar, researchers and other third parties in assessing the technology in India (Aneja and Mishra, 2017 [7]). Yet, we
extent of its adoption, the purposes for which it is being do not have any official statistics on the ratio of men and
deployed and the failure rates. The last of these elements women among telecom users in India, either at the country-
can serve a legitimate basis for conducting a systematic wide level or in local areas. The move towards eKYC
audit of the extent and cost of the potential exclusion from verification of all telecom subscribers in India, means that
the benefits that have been linked to Aadhaar. This is a telecom operators will soon have an Aadhaar-verified
prerequisite for an open and informed debate on issues (private) database of telecom users in the country. This
relating to Aadhaar, including in the context of the ongoing would include the gender and geographic information of
litigations on the project. each operator’s user base. Aggregated together, it can be
used to find out the total number of female telecom users in
2.2. Data generated by Aadhaar users every geographic location. Further, periodic disclosure of
such data by all telecom operators will also allow the trends
Authentication: Every day, large volumes of data are being to be tracked over a period of time. A lot of this information
generated through the use of UIDAI’s authentication and may available with the companies today also. However, the
fact that all of this information would now be available in a
eKYC systems, both by government as well as private
entities. In case of an authentication query, the Aadhaar digitally organized and readily available format, will make
it easier to process and compare from the perspective of
repository offers only a positive or negative response to creating open data.
confirm whether the submitted information matches with
the information recorded in UIDAI’s database. None of the The online registration system (ORS), a framework that
Aadhaar information is shared with the requesting entity links various government hospitals across the country to an
although the process of authentication in itself leads to the Aadhaar based online registration and appointment system,
creation of new data. For instance, a bank that uses Aadhaar might be another use case. The ORS facilitates eKYC of the
authentication to verify the identity of a customer prior to patient, which is then used for providing appointments at
authorizing the transfer of funds from her account is various departments of different hospitals. Using the
creating new data in the process. The bank is then in a appointments database along with the Aadhaar
position to use the fact of Aadhaar authentication along identification information, ORS will be in a position to
with customer data already available with it to generate disclose aggregated data about the age and gender profiles
daily details of the number of persons of different age of the patients visiting different departments. This
groups who used Aadhaar authentication to carry out fund information can be sewn together to gain insights into the
transfers of different denominations. broad categories of health problems faced by different
The Aadhaar Act and the regulations framed under it groups, the burden on different departments and the
variations based on the location of the hospital. All of this
circumscribe the manner in which information collected can contribute towards evidence-based research and policy-
through Aadhaar can be used by requesting agencies. As making in the field of healthcare.
per Section 8(2), a requesting entity can use the identity
information of an individual only for submission to the Another notable feature of the Aadhaar database is that it
UIDAI repository for authentication purposes. In the above was among the first government-issued identifications in
example, the bank would not need to (or be able to) use the the country to recognize “transgender” as a separate
customer’s identity information collected by UIDAI, category (Nilekani and Shah, 2014 [12]). The release of
although it would already have similar information in its aggregated data related to use of banking, payments,
telecom, health, education and other Aadhaar linked
– 15 –