A project of the Centre for Internet and Society, India
Supported by Omidyar Network India
This series of research maps, based on our global survey of digital identity systems, is for India. Read together with our glossary of core concepts and processes, these maps provide a coherent view of digital identity in India. They shine a light on the pervasiveness of digital identity, as well as dissect digital identity systems in a way that brings attention to the actions of key stakeholders, and to kinds of data and how they are shared. Designed as stepping stones to further research, the maps facilitate the identification of points of accountability and intervention.
The Digital ID system in India, Aadhaar, was launched in 2010 with the primary aim of improving the Public Distribution System in the country. It is managed by the Unique Identification Authority of India (UIDAI). The Digital ID system includes the Unique Identification (UID) numbers, called ‘Aadhaar,’ which can be assigned to all residents of India. The Aadhaar number is a random 12-digit number issued by the UIDAI after a verification process. The enrolment and authentication processes are conducted by the UIDAI. The enrolment process includes capturing demographic and biometric data from residents.
Aadhaar is currently used for identity verification in several private and public services by linking the Aadhaar numbers of residents with their mobile SIM cards, bank accounts, and a large number of welfare schemes. Other key digital services that have been planned are in the healthcare and finance sectors. While Aadhaar is envisioned to be used by state and private hospitals for registration and appointments, and for identification in other government healthcare schemes, there is also the proposed National Health Stack, which will include an identifier for beneficiaries. It is not yet confirmed whether this identifier will be the Aadhaar number itself or a new unique ID. In the finance sector, IndiaStack, a set of Application Program Interfaces (APIs) for the provision of financial infrastructure for governments, businesses, startups, and developers, has been created. IndiaStack currently includes the following APIs: DigiLocker, e-KYC, e-Sign, Aadhaar Auth, and UPI.
The core processes within each digital identity system are being mapped in order to evaluate the existing technological and policy decisions. These process maps bring forward the advantages and barriers in the mechanisms of identification, authentication, and authorisation. These maps follow the Swim Lane Model to capture these processes. The use of this technique helps to read the processes with clarity, and also points out the multiple possibilities at different steps.
The Swim Lane Model represents a process as a sequence of steps, and places the entities in different lanes (or columns) to show who is responsible for taking those steps. Each column shows the action taken by the respective entity. The numbered rows establish the sequence of steps. The arrows connect the end of each step to the beginning of the next one. Refer to the key on the right to navigate the process maps. They also indicate multiple routes that can be taken within a step. Additionally, these process maps highlight the data being collected and digital identity artifacts being used in various steps.
The enrolment process is carried out by the UIDAI through registrars and enrolment agencies. Enrolment centres are set up to collect demographic and biometric data. The biometric data captured includes a photograph, fingerprint scans, and iris scans. The data is stored in a centralised database, and a unique Aadhaar number is generated upon verification of the captured data. Residents can also update their data online through the UIDAI.
DigiLocker is a platform for the issuance and verification of digital documents and certificates. On creating a DigiLocker account, residents get a dedicated cloud storage space that is linked to their Aadhaar number. Organizations that are registered with DigiLocker can add digital copies of documents and certificates directly into the residents’ accounts. Residents can also upload scanned documents and use e-Sign to add a digital signature to them. The identification process during sign-up on DigiLocker is done through the Aadhaar number and biometrics or OTP, or directly through the website using biometrics.
Unified Payment Interface (UPI) allows residents with bank accounts to make instant financial transactions using their mobile phones. During the identification process, UPI requires users to create a Virtual Payment Address (VPA) and link it to any bank account. The resident then creates a UPI PIN for transactions.
The UIDAI conducts the authentication process through the Authentication Service Agencies (ASAs) and Authentication User Agencies (AUAs), which have been appointed from various Government and non-Government organisations. When the resident submits their Aadhaar number and biometric data or OTP to a requesting entity, this data is encrypted and sent to the Central Identities Data Repository (CIDR). On successful validation by the CIDR, a Yes/No response is sent back to the requesting entity.
In addition to the larger process of authentication for Aadhaar shown above, this process map shows the use of the Point-of-Sale (POS) machine, or the resident’s own device during the authentication process.
The authentication process in DigiLocker is carried out through Aadhaar Number and OTP, or through a username and password created during identification, or through Facebook ID validation.
e-KYC is a digital Know Your Customer (KYC) process, which involves the verification of the identity and address of a resident using a service through Aadhaar authentication. The authentication process in e-KYC can only be done by a KYC User Agency (KUA).
The e-Sign service allows a resident with Aadhaar to electronically sign a form or document. The authentication of the resident is carried out using Aadhaar e-KYC services, and the digital signature on a document is carried out on a backend server of the e-Sign provider.
In the UPI authentication process, the login password and then the UPI PIN are validated by the issuer bank. Upon successful validation, the transaction is carried out based on the VPA provided for the receiver.
As part of the systems thinking approach, sectoral use cases have been mapped to understand how the digital identity system in Estonia has been conceptualised and implemented. Studying these sectors allows a closer look at the various purposes of the digital identity, and how the residents, and state and private actors interact with it. The ERAF technique of systems mapping has been used for these maps to give a holistic view of the system and connections within it. It is an analytical tool rather than a representational tool. The ERAF model helps to place the various constituents involved in the system and divides them into entities, relationships, attributes, and flows. This technique of mapping reveals missing connections and flows in a system, and leads to the identification of specific leverage points where a small shift can produce a big impact on the system.
In the ERAF model, entities are the key components. These could be individuals, institutions, laws, places, etc. Relationships describe the way in which different entities are connected to each other. Attributes are characteristics that describe the entities. These could be duration, dimensions, costs, etc. Flows show the direction of action between entities. This includes the transaction of data and resources. Data and its flow within the system, and digital identity artifacts, have been highlighted in these maps.
It is envisioned that the healthcare system will use an Aadhaar number-based registration and appointment system for both state and private hospitals. Services and schemes such as insurance and maternal health are also provided based on Aadhaar authentication.
The NITI Aayog in India has proposed a blueprint for the digital health system in the country. The National Health Stack has been envisioned to be a shared digital infrastructure that will facilitate existing and future health initiatives, both private and public. It seeks to have digital personal health records and service provider records on cloud-based services. It also proposes a digital ID for all beneficiaries, an identity and access management system for healthcare staff, and a single registry of health resources and network of hospitals.
The IndiaStack is a set of digital tools on the basis of which digital infrastructure can be built by governments, businesses, and developers. This can be used to build digital services for people with the aim of a paperless, cashless, and presence-less service delivery. It also seeks to provide a consent technological layer.
The Unique Identification Authority of India (UIDAI) is a statutory authority that was established with the objective to issue Unique Identification numbers (UID) to all residents of India. UIDAI is responsible for Aadhaar enrolment and authentication, including operation and management of all stages of the Aadhaar life cycle, developing the policy, procedure and system for issuing Aadhaar numbers to individuals and performing authentication, and the security of identity information and authentication records of individuals.
A Registrar is an entity authorised or recognized by UIDAI for the purpose of enrolling individuals. Registrars are primarily various state governments, central ministries, banks and public sector organizations who have signed MOUs with the UIDAI for enrolment of residents.
Enrolment Agencies are appointed by Registrars, and are responsible for collecting demographic and biometric information of individuals during the enrolment process by engaging certified Operators and Supervisors.
The Central Identities Data Repository (CIDR) is a centralised database containing all Aadhaar numbers issued to residents along with the corresponding demographic, biometric and other information of the Aadhaar Number holders.
An Authentication User Agency (AUA) is an entity that provides Aadhaar Enabled Services to a resident with an Aadhaar number, using authentication as facilitated by the Authentication Service Agency (ASA). An AUA may be a government, public or private legal agency registered in India that sends authentication requests to enable its services or business functions.
Authentication Service Agencies (ASAs) have secured connectivity with the CIDR that is compliant with UIDAI’s standards and specifications. ASAs offer their UIDAI-compliant network connectivity as a service to requesting entities (such as AUAs/KUAs) and transmit their authentication requests to the CIDR.
KYC User Agencies (KUAs) are requesting entities, which are eligible for Aadhaar e-KYC authentication of a resident with an Aadhaar number, from KSAs.
KYC Service Agencies (KSAs) are ASAs that are eligible to provide access to the e-KYC service through their network.
The NITI (National Institution for Transforming India) Aayog is a policy think tank of the Government of India which designs strategic and long term policies and programmes for the Government of India. It also provides relevant technical advice to the Centre and States.
Pradhan Mantri Matru Vandana Yojana is a maternity benefit program run by the government of India, and implemented by the Ministry of Women and Child Development. It is a conditional cash transfer scheme for pregnant and lactating women of 19 years of age or above for the first live birth. It also provides partial wage compensation to women for wage loss during childbirth and childcare, and provides conditions for safe delivery and good nutrition and feeding practices.
An Anganwadi centre provides basic health care in a village as part of the Indian public health care system. The basic health care activities at a centre include contraceptive counseling and supply, nutrition education and supplementation, as well as pre-school activities.
Workers at the Anganwadi centre are responsible for showing community support and actively participating in executing this program.
An accredited social health activist is a trained female community health worker instituted by the government of India's Ministry of Health and Family Welfare as a part of the National Rural Health Mission.
An auxiliary nurse midwife is a village-level female health worker in India who is known as the first contact person between the community and the health services.
The Public Distribution System (PDS) in the country facilitates the supply of food grains and distribution of essential commodities to a large number of poor people through a network of Fair Price Shops at a subsidized price on a recurring basis.
The Socio Economic and Caste Census (SECC) is a study of the socio-economic status of rural and urban households that allows ranking of households based on predefined parameters.
Ayushman Bharat Pradhan Mantri Jan Arogya Yojana (AB PM-JAY) is a flagship scheme of the Indian government's National Health Policy which aims to provide free health coverage at the secondary and tertiary level to its bottom 40% poor and vulnerable population.
A Pradhan Mantri Arogya Mitra is a certified frontline health service professional who is to be present at each of the Empanelled Health Care Providers (EHCP) and serve as a first contact point for beneficiaries.
The Indian Software Products Industry Round Table (iSPIRT) is a think tank for the Indian software products industry.
The Controller of Certifying Authorities (CCA) provides the required legal sanctity to digital signatures based on asymmetric cryptosystems. The CCA licenses and regulates the working of Certifying Authorities.
Certifying Authorities (CAs) issue digital signature certificates for electronic authentication of users.
The Ministry of Electronics and Information Technology (MeitY) is a standalone ministerial agency responsible for IT policy, strategy and development of the electronics industry.
National Payments Corporation of India (NPCI) is an umbrella organisation for operating retail payments and settlement systems in India. It is an initiative of Reserve Bank of India (RBI) and Indian Banks’ Association (IBA) for creating a robust Payment & Settlement Infrastructure in India.