Govt seeks legal opinion on the validity of Aadhaar-based eSign services

The Union government has sought legal opinion on the validity of Aadhaar-based eSign services from the ministry of law and justice, in a move aimed at complying with the Supreme Court verdict on usage of the unique identification number.

The government has also asked eSign service providers such as eMudhra to come up with an alternative plan to enable Aadhaarbased authentication without the use of biometrics, a senior official said. “We have concerns about eSign… whether it has fallen foul or not,” said a senior government official familiar with the matter. “We can argue that second schedule of the IT Act law allows it, but the court order says that even after law, it cannot be used for contract by private parties. So there is some confusion here for which we are seeking clarity,” the person said.

The government has given itself a month’s time to take a final call on the matter. The Unique Identification Authority of India (UIDAI), the custodian of Aadhaar, did not reply to email queries from ET on the issue.

In 2015, the government launched the eSign project that allowed users to digitally sign a document through Aadhaar-based biometric authentication, making the process real-time and less cumbersome. The state-owned Controller of Certifying Authorities (CCA) has asked empanelled services such as eMudhra, Capricorn Identity Services and (n) Code Solutions for a migration plan that uses offline Aadhaar to verify the identity of users. The service providers, meanwhile, have stopped offering Aadhaar-based eSign services and some of them are enraged at the disruption of the business it has caused.

Girdhar Varliani, general manager of (n) Code Solutions termed the Apex Court order as unfortunate. “All e-Sign providers had invested in IT infrastructure, developed application, trained many external agencies to use e-Sign like housing finance, banks, state government departments and invested in making changes in business process, software application and all that has gone down the drain,” Varliani added.

Separately, the Reserve Bank of India is also looking at alternative methods of enabling offline knowyour-customer (KYC) verification. ET had reported in its December 10 edition that RBI could allow XMLbased KYC and live video-based KYC for fintech companies to onboard customers without paper documentation. Two weeks ago, the CCA also released guidelines on alternative ways to do e-KYC which included options for offline Aadhaar along with a use of different identity-based system hinging on two-factor authentication by applicant.

While Rajesh Mittal, CEO at Capricorn Identity Services, is not too perturbed by the alternative means of authentication, others like (n) Code Solutions argued that the offline proposals will not work in all scenarios. “The alternative methods should not be seen as a bane and every company will implement the new process based on their resources. It is a massive new system that can’t be created overnight,” Mittal told ET.

Under the guidelines by CCA, the two-factor authentication system includes the One Time Password (OTP) sent to the verified mobile and PIN set by the applicant. Once the KYC is complete, the subscriber chooses a “user ID” and a provision is created for an “eSign address” — a system that is similar to United Payment Interface (UPI) for digital transactions. The offline Aadhaar system is, meanwhile, based on capturing demographics through offline Aadhaar and authenticating using OTP.

Varliani argued that the new offline proposal may work where a user has to use it “only once”, say for opening a bank account or buying a SIM but not for multiple transactions with an agency.

“There are revised guidelines for validating QR code from e-Aadhaar, however, ensuring wrong usage is not at all possible. There is no one to verify its uniqueness, its consent and anyone once having a copy of such QR code from Aadhaar of an end user can easily misuse it,” he said. Varliani added that in case of fraud, it may prove to be a risk for the certifying authority.

The government official quoted above said that however, the dominant feeling within the state is to continue with the Aadhaar-based system. “Why kill an idea which is running? Even in a worst-case scenario, someone who doesn’t want to use an Aadhaar can use a dongle. It’s a good application of the platform, which doesn’t deserve to be thrown out. So we have taken some time till end December, we will take a call by then,” added the official.