Edition 13: DoT's draft rules to identify users under the Telecom Act
Key proposals include creation of biometric identity verification system(s) by authorised entities, and sharing access to it with the Centre.
The Department of Telecommunications wants all authorised/licensed telecom entities to create a biometric identity verification system (BIVS) to verify the identity of their users as per the draft Telecommunications (User Identification) Rules, 2025. This BIVS extensively relies on Aadhaar-based verification for carrying out the mandatory KYC.
These draft rules were released for a 30-day public consultation on September 19.
All authorised or licensed entities, as the case may be as per Section 3 of the Telecommunications Act, 2023, will be required to conduct either the Aadhaar-based e-KYC or a non-Aadhaar based digital KYC (D-KYC) to enrol and identify users.
This BIVS must be maintained either individually or collectively by all authorised telecom entities, and must be updated with user details in real time. As per the Act, any entity that provides any telecom service; establishes, maintains, operates or expands telecom network; or possesses radio equipment must seek government authorisation to function.
Given the intense ambiguity around whether online services such as those offered by WhatsApp, FaceTime, Signal, etc. constitute telecom services under the act, these proposed user identification rules could potentially be applicable to these online communication services as well. Traditional telecom companies have consistently lobbied for the inclusion of the online services within the scope of the Telecommunications Act.
My commentary has been demarcated from the main text of the article in italics like this.
How will the verification be done?
In case of Aadhaar holders, users must undergo e-KYC. When users do not hold Aadhaar or cannot undergo e-KYC, the D-KYC process must be carried out. Irrespective of the KYC process followed, the users will become a part of the BIVS.
Aadhaar-based e-KYC
e-KYC, as per Aadhaar (Authentication and Offline Verification) Regulations, 2021, refers to “a type of authentication facility in which the biometric information and/or OTP and Aadhaar number securely submitted with the consent of the Aadhaar number holder through a requesting entity, is matched against the data available in the CIDR, and the Authority returns a digitally signed response containing e-KYC data along with other technical details related to the authentication transaction”.
As per the proposed Rule 5, the telecom entity must comply with Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, and obtain user consent to click the user’s live photograph or “any other biological attributes of an individual” as specified by the Centre, and to store the live photograph and information along with the unmasked Aadhaar number, “other than core biometric information”, in the CAF and SDR as specified by the Centre on the portal meant for digital implementation of these rules.
The authorised entity can allow users to perform self-KYC through their website or relevant app under the Aadhaar-based e-KYC process.
SDR, or Subscriber Data Record: a comprehensive repository of user information maintained by each authorised entity, in the format as may be specified by the Central Government*
CAF, or Customer Application Form: a form, as may be specified by the Central Government, for recording the user information for the purpose of providing telecommunication services*
*as proposed in the draft Telecommunications (Authorisation For Provision of Main Telecommunication Services) Rules, 2025 released for public consultation on September 5.
D-KYC
D-KYC, or digital KYC, means “the digital process for enrolment and identification of user in accordance with rule 7” as per the proposed rules. The telecom entity must record the reasons in the CAF and SDR why a user underwent D-KYC process.
To perform D-KYC, the telecom entity must obtain user consent to click the user’s live photograph or “any other biological attributes” as specified by the Centre, and to store their live photograph and user details in the CAF and SDR.
The entity must obtain copies of listed documents as proof of identity and proof of address.
A few things are not clear in the proposed KYC processes:
The Aadhaar number needs to be stored in an unmasked form in the CAF and the SDR. Can a user choose to give the 14-digit virtual Aadhaar number instead of their actual 12-digit Aadhaar number? Storing the Aadhaar number in the CAF in an unmasked manner is ripe for abuse as CAFs are accessible to multiple people — including the sales people who enrol you for the service — within a telecom entity during the CAF’s life cycle.
Can Aadhaar holders refuse to undergo the e-KYC process and opt for the D-KYC process instead?
What kind of reasons are admissible for opting for D-KYC, if such a choice exists? Who decides whether the reason is legitimate or not at the time of enrolling for a telecom service?
For D-KYC, how is authentication done in real time?
Since consent is required to take a “live photograph” (real-time photograph that can technologically be verified as a photo of a live person and not of a still image or video) in either KYC process, can users refuse to consent?
Are the biometrics in this identity verification process limited to live photographs or are users’ fingerprints and irises also part of it? In case of the former, are all photographs being matched against photographs held in the CIDR? Could this be expanded to include fingerprints and irises?
Business connections
In case of business users, the telecom entity must perform biometric based identification of the business’s authorised representative, and of each of the end users of the business connection. However, the authorised representative of the business can seek an exemption for biometric identification of each end user on a case-to-case basis by making a justified request to the Centre or its authorised agency.
Re-verification
Users’ identities must be re-verified (compare demographic details of the user with existing details in the SDR or BIVS) by the telecom entity either through e-KYC or D-KYC in three circumstances:
When a user wants to replace or upgrade an already subscribed telecom service, including replacement or upgradation of a SIM card;
In cases of mobile number portability; and
When the Centre directs so.
Transfer of connection
A service connection can be transferred only between blood relatives and legal heirs either on production of a no-objection certificate from the original user (whose identity must also be re-verified), or on the production of the original user’s death certificate. The transferred connection must be treated as a new connection and fresh biometric based identification must be carried out.
In case of business connections, the end user can be changed as long as the authorised representative of the business informs the telecom entity immediately, and the biometric based identification of the new end user is done within 7 days of intimation of such change.
Telecom entities must update CAF, SDR and BIVS about user changes.
How will the Biometric Identity Verification System (BIVS) work?
Authorised telecom entities can either individually or collectively create a BIVS. This BIVS will be populated with live photographs or “any other biological attributes” specified by the Centre along with their name, gender, date of birth, unique user ID, and any other information specified by the Centre.
The unique user ID will be assigned to each user at the time of enrolment or updating, solely to identify the user or update their number of connections. The Centre can direct the authorised entities to assign the unique user ID in the BIVS in any manner.
The BIVS must update the number of connections of each type of notified telecom service provided to a user by all authorised entities.
The entities must ensure that the BIVS is encrypted and has access controls so that the information is “non-repudiable and immutable”, and ensure that access to such information is restricted only to those authorised entities who have established the BIVS.
The entities must ensure that records of all actions performed on the BIVS are maintained and that data is stored in a secure and safe manner. The entities must be capable of detecting non-compliance by any other authorised entities or discrepancies in the information stored in the BIVS.
User information shared by one telecom entity in BIVS must be shared with all other authorised entities that provide notified telecom services, “to enable real-time verifiable biometric based identification of user, while ensuring data integrity and privacy in compliance with the applicable laws along with any directions as may be specified by the Central Government for this purpose”.
While the draft rules allow for telecom entities to individually set up their own BIVS, in effect, the rules are proposing a common, master database for all authorised entities that each entity will continue to populate.
The Centre, either directly or through an authorised agency, periodically audits the BIVS to ensure compliance.
Telecom entities are required to ensure that the biometric information and other information of the user are not stored on the point of sale devices and are securely transmitted to the authorised entity’s relevant systems. They must ensure that the SDR and BIVS are operated as per laws and regulations related to data protection and security.
Requiring the Aadhaar number to be stored in an “unmasked manner” in the CAF is incongruent with the requirement to not store user information on the PoS devices.
When the Centre asks, you must provide … user data!
The authorised telecom entity must provide any data or records related to the BIVS on the Centre or the authorised agency’s request. This data must be given in an “intelligible format, and not in an encrypted manner”.
This, to my mind, is another indicator that end-to-end encrypted services such as WhatsApp are covered as telecom services under the Telecommunications Act.
Additionally, the telecom entities must make access to CAF, SDR and BIVS available to the Centre or an authorised agency in accordance with the draft Telecommunications (Authorisation For Provision of Main Telecommunication Services) Rules, 2025.
Under Rule 45 of the proposed Telecommunications (Authorisation for Provision of Main Telecommunication Services) Rules, 2025, the authorised entity must provide “the traceable identity of each user” to the Centre or the relevant authorised agency on receiving directions to make access to CAF, SDR and BIVS available.
When the telecom entity is providing roaming services to foreign users, the authorised entity must “endeavour to obtain traceable identity of such users” from the TSP outside of India, “as a part of its roaming agreement”.
Under Rule 48 of the draft Main Telecom Service Rules, all user information and user accounting information must be localised within India. However, accounting information can be sent abroad for international roaming and billing, and user information can be sent abroad in case of IPLC (international private leased circuit) users, and foreign users using authorised entity’s telecom network while roaming.
If a user gives false information, telecom entity can file an FIR
Telecom entities must inform users that the users must give correct information about their identities, and that getting SIMs or other telecom identifiers through fraud, cheating or personation, and providing false particulars or impersonation are punishable under the Telecom Act.
If the telecom entity learns that “false, incorrect, or forged information or documents” were used at the time of enrolment and identification, it must initiate a police complaint or file an FIR, and notify the Centre of the incident along with steps taken.
If the Centre learns that a telecom entity did not act in case of false, incorrect or forged documents, it can take action against the entity under Telecommunications (Adjudication and Appeal) Rules, 2025 (not yet notified, draft was released for public consultation in July 2024), and can direct the entity to file an FIR or a police complaint with the relevant LEA.
If the Centre learns that a user’s telecom services have been activated by the telecom entity in contravention of the rules, the Centre must direct the telecom entity to suspend the user’s services immediately and re-verify the user’s identity within a specified period from the date of the suspension direction, failing which, the telecom services must be disconnected.
On disconnection
A user may seek disconnection at any time and the telecom entity must update the SDR and BIVS in real time. It is not clear when (if at all) this data will ever be deleted from these databases, but the draft Telecommunications (Authorisation For Provision of Main Telecommunication Services) Rules, 2025, through rule 49, propose maintaining all commercial records, SDR, CDR, EDR, IPDR for all types of telecom services for at least two years.
Oh user, thou shalt not …
Provide false, incorrect, or forged information or documents during the process of user identification
Resell or transfer or lease or share your connection with any other user
I am curious. Am I allowed to give my wifi password to guests who visit my house? Or to my customers if I run Fifth Wave Coffee? Or share my wifi with my flatmate and ask them to pay half the bill?
Oh user, thou shalt …
Immediately inform the telecom entity of any change in their user information “to ensure the accuracy and integrity of the information in the authorised entity’s CAF, SDR and BIVS”.
“Intimate” to the telecom entity of any change in address within one month of such change.
Re-verify your identity through e-KYC or D-KYC process periodically (as prescribed by the Centre).
If you were enrolled for telecom services under the Indian Telegraph Act, 1885 (which is basically every telecom service user in India), you must be re-verified with the authorised telecom entity “in a periodicity and manner” specified by the Centre “in the public interest or for orderly growth of the telecommunication sector”.
… lest
While the Act does not prescribe specific penalties for users for giving false information, in the Third Schedule, contravention of any provision of the Act for which no penalty/punishment is provided will attract a civil penalty of up to ₹25,000 for first offence and further civil penalty of up to ₹50,000 for every day after the first during which the contravention continues.
“The End”


