RBI's recent move to mandate that all banks must use Aadhaar as the primary form of authentication for anyone accessing their bank account in any way, in person or electronically, is stirring a debate about the long-term role of the authentication mechanism and associated data security issues.
In its notification, RBI says that linking of Aadhaar to bank accounts is mandatory under the Prevention of Money-laundering (Maintenance of Records) Second Amendment Rules, 2017 published in the Official Gazette on June 1, 2017.
The 12-digit number, issued by the Unique Identification Authority of India (UIDAI) on behalf of the government of India and linked to each resident's demographic and biometric information and photograph, is widely used as proof of identity and address.
RBI had come under pressure from the ministry of finance to enact this mandate to help fight tax and financial fraud and control black money in circulation, as well as plug leaks in subsidized welfare programs, prevent corruption, and protect national security as the country progresses into a cashless economy.
The new mandate has statutory force, so banks must comply by Dec. 31, says Jose J. Kattoor, RBI's chief general manager.
Concerns About the Mandate
But some security practitioners are questioning the wisdom of the mandate, pointing to concerns about whether Aadhaar data can be kept secure.
For example, they point out that the Modi government has officially acknowledged that individuals' Aadhaar numbers and demographic information, as well as other sensitive personal data, including bank account details, collected by various ministries and departments have been published online and are accessible through a simple web search, according to media reports. (See: Government Admits Your Aadhaar Data Has Been Leaked)
Although the government has repeatedly assured citizens that proper security practices are in place for Aadhaar, the Supreme Court and the Bar Association, along with cybersecurity agencies, have raised concerns over the security features of Aadhaar. They are concerned that Aadhaar-enabled services are prone to cyberattacks because of a lack of security measures, and they argue that this makes the financial sector mandate premature.
Until the mandate was issued, banks' use of Aadhaar to verify customers' identities was optional. Some security experts predict the new mandate will drive more banks to use Aadhaar to enable growth of online transactions. And that could lead to increased fraud, they fear, because weak security protections would leave the personal information easy prey for attackers.
Cybersecurity lawyer Neeraj Aarora argues that because every transaction will require Aadhaar data, each one potentially creates the risk of data misuse or leakage.
Rewrite the Law
As a result of serious concerns about security, it's time for the government to rewrite the Aadhaar Act to address privacy and data protection issues and direct banks to:
- Deploy specific device verification parameters;
- Conduct biometric vulnerability tests;
- Map the risks associated with linking the Aadhaar number to the account;
- Develop a privacy and information security policy framework to protect the data against leakage.
Dr. N. Rajendran, CTO of National Payments Corporation of India, recommends banks make sure they have effective risk and fraud management systems in place. And he urges them to alert UIDAI of any discrepancy in transaction systems.
The wider use of the Aadhaar biometric identity card program has also raised concerns about privacy infringement.
The Supreme Court of India ruled that privacy is a fundamental right of Indian citizens under Article 21 of the constitution, which aims to protect individuals against misuse of data by government or private agencies.
So how will the government guarantee an individual's data is protected and privacy is respected if Aadhaar use becomes more widespread?