ADVERTISEMENTREMOVE AD

Offline Aadhaar, QR Codes & Privacy: All Your Questions Answered

Does the new QR Code Offline Aadhaar KYC offer more security? 

Published
Explainers
4 min read
story-hero-img
i
Aa
Aa
Small
Aa
Medium
Aa
Large
Hindi Female

What is offline Aadhaar?

The Unique Identification Authority of India (UIDAI) has launched an offline method of verification that avoids the older method of biometric eKYC. UIDAI’s new QR Code allows an Aadhaar holder to have her unique QR Code scanned and verified in order to complete the process.

This prevents the individual from having to reveal her 12-digit Aadhaar number. The updated QR code contains information such as name, address, photo and date of birth.

According to UIDAI’s website, the QR code will be signed with UIDAI signature. This is meant to make the code tamper proof and ensure its uniqueness to the Aadhaar holder.  The QR Code can be scanned using a scanning application as well specified barcode scanners.

The Aadhaar infrastructure, as it was conceived, was meant to work only when authenticated online using biometric details with UIDAI’s central database. It has no validity as a physical card. However, following the Supreme Court’s verdict, UIDAI has pushed for the use of the QR code on the ‘card’ for verification.

Offline Aadhaar, QR Codes & Privacy: All Your Questions Answered

  1. 1. How will Offline Aadhaar work ?

    The offline Aadhaar procedure can work in two ways;

    1. The Aadhaar ‘card’ (the cutaway portion of the Aadhaar letter posted to us) and the e-Aadhaar PDF

    2. A password protected zip file containing the XML File which can be downloaded from the UIDAI website.

    The e-Aadhaar letter (the one we got delivered as a postal letter with a cutaway portion) contains two QR Codes - a large one and a small one.

    The large one is present on the top portion of the letter and on the rear of the cutaway card. It contains demographic details along with the photograph.

    The small QR Code on the cutaway portion of the e-Aadhaar letter contains only the demographic information.

    For a user choosing to opt for the XML file, she will need to download the offline zip file and pass on the file along with the password to the authenticator.

    The demographic information included in the QR Code contains :

    • Name
    • Address
    • Date of Birth
    • Gender
    • Masked Aadhaar Number
    • Photograph (in the large QR Code)
    Does the new QR Code Offline Aadhaar KYC offer more security? 
    Expand
  2. 2. Does it ensure greater privacy of my information?

    There are certain aspects of the new QR code/XML file which offers more choice and privacy of demographic details.

    1. The offline QR code and the XML file does not display the UID directly.

    2. As an alternative means of authentication it works well.

    3. Within this new system, an individual can have greater control over her demographic information and decide what information she would like to share.

    Expand
  3. 3. But what about Supreme Court orders on Aadhaar?

    The Supreme Court in its 26 September order said Aadhaar would only be mandatory for subsidies and benefits  from the state.

    Section 57 of the Aadhaar Act provided legitimacy to private entities to use Aadhaar and its biometric infrastructure  to perform eKYC and authenticate customers.

    However, the five-judge Supreme Court bench read down this section and thereby the ability of private entities to use Aadhaar to authenticate customers. The apex court observed that as far “Section 57 in its present form is concerned it is susceptible to misuse” because of three provisions –

    1. It allowed ‘anybody – corporate or person’ to use Aadhaar eKYC

    2. ‘for any purpose’

    3. Based on a contract.

    The bench had said that any such use by private entities needs to be backed by law.

    According to Supreme Court advocate Raman Jit Singh Chima, the QR code system would allow any person with a copy of the code to obtain demographic information, still leaving significant privacy concerns since that is personal data.

    “The Supreme Court’s judgment restricted the private sector from making use of section 57 of the Aadhaar Act, which is not merely for biometric authentication – but for usage of Aadhaar as a form of identity,” said Chima who serves as Asia policy director, Access Now, an international non-profit that advocates for human rights in cyberspace.

    “There, the use of any element of an Aadhaar ID –including QR code –would still constitute its usage for establishing identity and be impacted by the judgment’s restrictions on the private sector,” he added.

    Expand
  4. 4. Should I Be Concerned in Any Way?

    Along with the attendant benefits comes a slew of concerns for the Aadhaar card holder. A number of questions arise regarding potential for misuse, the answers to which are still unclear.

    “Being a digital only identity without any purpose attached, it may be prone to replication and misuse. Since the QR code can be read by regular code-reader apps, it can give away demographic data (without authentic it though) if stolen,” said Derick Thomas, an ICT expert who works as an executive in the information and technology sector.

    Since it has no purpose attached, such collection of QR codes can happen on a pen-drive and be sold.

    Moreover, UIDAI recommends printing the e-Aadhaar on high quality paper using a laser printer because of the high information density in the QR Code. This may prove to be be a logistical hurdle for those who do not have easy access to high-end printers.

    “In both the cases, UIDAI and government are not in the loop. So how will you raise a dispute? How will police investigate? There are no trails left by the person using it, unless someone maintains a video of each user using this,” asked Thomas.

    (At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)

    Expand

How will Offline Aadhaar work ?

The offline Aadhaar procedure can work in two ways;

1. The Aadhaar ‘card’ (the cutaway portion of the Aadhaar letter posted to us) and the e-Aadhaar PDF

2. A password protected zip file containing the XML File which can be downloaded from the UIDAI website.

The e-Aadhaar letter (the one we got delivered as a postal letter with a cutaway portion) contains two QR Codes - a large one and a small one.

The large one is present on the top portion of the letter and on the rear of the cutaway card. It contains demographic details along with the photograph.

The small QR Code on the cutaway portion of the e-Aadhaar letter contains only the demographic information.

For a user choosing to opt for the XML file, she will need to download the offline zip file and pass on the file along with the password to the authenticator.

The demographic information included in the QR Code contains :

  • Name
  • Address
  • Date of Birth
  • Gender
  • Masked Aadhaar Number
  • Photograph (in the large QR Code)
Does the new QR Code Offline Aadhaar KYC offer more security? 
ADVERTISEMENTREMOVE AD

Does it ensure greater privacy of my information?

There are certain aspects of the new QR code/XML file which offers more choice and privacy of demographic details.

1. The offline QR code and the XML file does not display the UID directly.

2. As an alternative means of authentication it works well.

3. Within this new system, an individual can have greater control over her demographic information and decide what information she would like to share.

0

But what about Supreme Court orders on Aadhaar?

The Supreme Court in its 26 September order said Aadhaar would only be mandatory for subsidies and benefits  from the state.

Section 57 of the Aadhaar Act provided legitimacy to private entities to use Aadhaar and its biometric infrastructure  to perform eKYC and authenticate customers.

However, the five-judge Supreme Court bench read down this section and thereby the ability of private entities to use Aadhaar to authenticate customers. The apex court observed that as far “Section 57 in its present form is concerned it is susceptible to misuse” because of three provisions –

1. It allowed ‘anybody – corporate or person’ to use Aadhaar eKYC

2. ‘for any purpose’

3. Based on a contract.

The bench had said that any such use by private entities needs to be backed by law.

According to Supreme Court advocate Raman Jit Singh Chima, the QR code system would allow any person with a copy of the code to obtain demographic information, still leaving significant privacy concerns since that is personal data.

“The Supreme Court’s judgment restricted the private sector from making use of section 57 of the Aadhaar Act, which is not merely for biometric authentication – but for usage of Aadhaar as a form of identity,” said Chima who serves as Asia policy director, Access Now, an international non-profit that advocates for human rights in cyberspace.

“There, the use of any element of an Aadhaar ID –including QR code –would still constitute its usage for establishing identity and be impacted by the judgment’s restrictions on the private sector,” he added.

ADVERTISEMENT

Should I Be Concerned in Any Way?

Along with the attendant benefits comes a slew of concerns for the Aadhaar card holder. A number of questions arise regarding potential for misuse, the answers to which are still unclear.

“Being a digital only identity without any purpose attached, it may be prone to replication and misuse. Since the QR code can be read by regular code-reader apps, it can give away demographic data (without authentic it though) if stolen,” said Derick Thomas, an ICT expert who works as an executive in the information and technology sector.

Since it has no purpose attached, such collection of QR codes can happen on a pen-drive and be sold.

Moreover, UIDAI recommends printing the e-Aadhaar on high quality paper using a laser printer because of the high information density in the QR Code. This may prove to be be a logistical hurdle for those who do not have easy access to high-end printers.

“In both the cases, UIDAI and government are not in the loop. So how will you raise a dispute? How will police investigate? There are no trails left by the person using it, unless someone maintains a video of each user using this,” asked Thomas.

(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)

Read Latest News and Breaking News at The Quint, browse for more from explainers

Topics:  Privacy   Aadhaar   UIDAI 

ADVERTISEMENTREMOVE AD
Speaking truth to power requires allies like you.
Become a Member
3 months
12 months
12 months
Check Member Benefits
Read More
ADVERTISEMENT
×
×