The Unique Identification Authority of India (UIDAI) has filed a complaint against Ola executive Abhinav Srivastava accusing him of “providing authentication and e-KYC API services in an unauthorised manner”, in violation of the provisions of the Aadhaar Act, signalling theft of data using the ID platform as bait.

The FIR, addressed to the commissioner of police of Bengaluru, mentions that Srivastava has developed a mobile application called Aadhaar e-KYC Verification, which is available on Google Play Store.

APIs are a set of procedures and functions that help in creating applications that are interoperable with an operating system or applications. Typically, they are used to build applications to access data or features from a particular software or platform.

News television channel BTV reported this story first on Thursday evening.

The FIR, dated July 26, states that Srivastava’s mobile application was using the authentication and e-KYC service of the National Informatics Centre (NIC), violating section 29(2) of the Aadhaar Act, and this is a punishable offence. The FIR was filed by Ashok Lenin, deputy director, UIDAI.

Also read: Is the govt anxious about right to privacy for fear of overburdening courts? It’s possible

The section states that any information apart from the core biometric data related to an Aadhaar holder’s identity can only be shared “in accordance with the provisions of this Act and in such manner as may be specified by regulations,” none of which was followed by Srivastava.

The app seemed to have been taken off Google Play Store as of July 27 evening.

The FIR also specified that Srivastava, who calls himself “Hacker @ Ola connected cars platform” on his LinkedIn profile, violated Regulation 14(1)(a) and Regulation 22(4) of Aadhaar (Authentication), which requires any entity requesting e-KYC to comply with all regulations, information security policies, processes, standards, specifications and guidelines as issued by the authority.

The FIR comes at a time when Aadhaar is facing criticism over privacy misuse, with cases in various courts of the country. There have also been instances of data leaks in the past few months, making it urgent for the government to crack down on individuals and firms engaged in data siphoning.

To make matters worse, Srivastava used the MyGov name in the application. MyGov is the government of India’s platform to deliver its services through digital platforms.

In March, the UIDAI had asked India’s Computer Emergency Response Team to act against unauthorised websites and mobile apps that provide Aadhaar-related services. A month before that, the UIDAI had shut down 12 such mobile apps and websites.

Who is Abhinav Srivastava?

In March 2016, Ola bought Qarth, a mobile payments company started by Abhinav Srivastava and Prerit Srivastava. It is not known if the two are related.

FactorDaily tried to get in touch with the accused, but he did not answer calls.

Both the Qarth founders joined Ola Money. Qarth was acquired by Ola to strengthen its mobile payment systems. Qarth’s X-Pay app, according to a report, integrated 26 banks when the company was bought by Ola. It also ensured a unique two-factor authentication.

Srivastava in his LinkedIn profile writes, “We also contributed to RBI’s guidelines on third party mobile payments using IMPS (UPI) under the guidance of Prof. Ashok Jhunjhunwala (Padam Shri holder, IIT-K Grad, Chairman Mobile Payment Committee (RBI).”

A source who knows Srivastava said he is serving his notice period at Ola. “August 15 will be his last day,” he said.

However, it is not clear if Ola has used any of the data that may have been gathered by Srivastava.

Ola and its rival Uber plan to use Aadhaar for both driver verification and digital transactions.

Also read: Dear Mr R S Sharma: Aadhaar has no place on the open web

---