New Identity Solutions

Last week the UIDAI initiated a process by which private-sector access to the authentication infrastructure would be restored. I have every hope that this will create a new ecosystem of identity service providers that will enable a range of different services - in particular in relation to obligations under the Digital Personal Data Protection Act.

This is a link-enhanced version of an article that first appeared in the Mint.


As the Aadhaar case was reaching the Supreme Court, the Unique Identity Authority of India (UIDAI) began to restrict private access to its authentication infrastructure. It now seems that this hard stance is beginning to soften. A new amendment to Aadhaar authentication rules could finally allow us to leverage our identity infrastructure to unlock greater efficiencies in digital services.

Applications of Aadhaar eKYC

When Reliance Jio launched telecom services in 2016, it added a staggering 170 million new customers in the first 100 days of its operations. This growth, frequently referred to as the fastest in the history of the global telecom industry, was only possible because Jio was able to use Aadhaar eKYC to complete its statutory customer acquisition formalities in a fraction of the time that other telecom companies took. At the height of its acquisition drive, it added a new customer every 2 minutes.

At the time, private companies could use Aadhaar for a range of different purposes. Apart from customer acquisition, various startups had designed their services around the many features offered by India’s identity infrastructure. For instance, Yulu Mobility, an e-bike rental business, triggered an Aadhaar authentication request to instantly check whether someone trying to unlock a vehicle was a registered user. This gave insurers the assurance that these e-bikes could not be stolen using fake IDs, in turn justifying a sharp reduction in premiums.

Once the Aadhaar project was challenged in court, however, the government sought to do whatever it took to ensure that the project was not shut down. It began to lock down those aspects of the Aadhaar infrastructure that were seen to threaten the survival of the service as a whole. One of the first features to be turned off was private access to its authentication systems.

Private Sector Access

As it turned out, the Supreme Court upheld the constitutional validity of the Aadhaar Act and the project as a whole. It, however, struck down Section 57, a provision that petitioners believed had enabled private-sector access by allowing Aadhaar to be used for “other purposes.” They were mistaken. In fact, it is Section 8 that deals with authentication, and since it allows all “requesting entities” (a term defined very broadly in Section 2(u) of the Act) to use Aadhaar authentication, private entities can also use the system. Had the apex court intended to prevent private-sector access, it would have read down Section 2(u), making it applicable only to government entities. The fact that it did not can only be interpreted to mean that this was not its intention.

In 2019, the Parliament amended the Aadhaar Act to address many of the concerns that had been raised by the top court. This meant that there was now Parliamentary approval for actions that the court had criticized for having been implemented through executive action. Despite this, the UIDAI, scarred by its long battle for survival, remained cautious, choosing not to lift the restrictions it no longer needed to impose.

Last week, we got an indication that this approach might be about to change. The UIDAI notified the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Amendment Rules, 2025, describing how private entities could use the Aadhaar infrastructure for authentication.

All provisions that previously limited Aadhaar authentication to only those purposes that relate to good governance and preventing the leakage of public funds have been deleted, expanding the ways in which the infrastructure can be used for any activity that “promotes the ease of living of residents.”

There is also a process by which private entities can apply to use the infrastructure after submitting a proposal stating what they want to use it for. Once such an application has been approved by the Central government, a private entity will be able to use it for its stated purposes.

New Opportunities

Now that businesses can access the Aadhaar infrastructure, business-to-consumer companies will likely use it for customer acquisition in much the way Jio did. Others will be able to incorporate it into commercial workflows, as Yulu Mobility had shown was possible. Since this use of authentication infrastructure gives neither private entities access to biometric information nor the UIDAI an ability to track how people are using these private services, there should be no privacy concerns around such use. What’s more, the UIDAI offers various features (such as virtual ID and offline verification) that could further safeguard privacy.

What I am most keen to see is the age-verification solutions that this amendment will catalyse. Now that India’s Digital Personal Data Protection Rules permit the use of age tokens, we need to develop zero-knowledge proof solutions for data fiduciaries to ensure they are not processing the personal data of a child.

This will only emerge from private innovation, as that is the only way we will get workflows that are both effective and privacy-preserving. With private access to our authentication set-up now enabled, I hope to see a marketplace of age verification service providers develop so that healthy competition will see this infrastructure used in the most efficient way to generate solutions based on age tokens.

Age gating on the internet is a wicked problem. But it is only if we unleash market forces that we can hope to find an answer.