India, Dec. 9 -- The ubiquity of Aadhaar as identity proof comes from nearly every service provider in the country - government or private - insisting on its use for KYC purposes. And Aadhaar-holders are mostly happy to submit it even when other documents are valid and would have sufficed. Done offline, where the servers of the Unique Identity Authority of India (UIDAI) are not contacted for authentication - think hotels scanning guests' Aadhaar cards and retaining photocopies - this raises several concerns about privacy and data security. It is against this backdrop that UIDAI is seeking to notify fresh regulations on offline verification based on Aadhaar, which will require users - from hotels, societies, and event organisers to car rentals - to register with the authority and carry out Aadhaar verification in a data-secure manner.
This is not the first time that the UIDAI has thought along these lines. A PIB release on May 27, 2022, cautioned Aadhaar-holders against offline use and advised greater use of "masked" Aadhaar. It also said that only UIDAI-licensed establishments can use Aadhaar for verification. However, the release was subsequently withdrawn by the Centre, which merely advised Aadhaar-holders to "exercise normal prudence in using and sharing their UIDAI Aadhaar numbers".
Indiscriminate soliciting and submission of Aadhaar, especially offline, poses serious privacy and data security risks - American cybersecurity firm Resecurity, in 2023, flagged the staggering scale of compromised Aadhaar and passport data, affecting 815 million Indians. This data, the firm reported, was on sale on the dark web for all sorts of mala fide actors - from fraudsters to terrorists.
As the custodian of Aadhaar data, including biometrics, of over a billion Indians, UIDAI has long claimed that the data remains secure and unbreachable, but as a 2022 report of the Comptroller and Auditor General shows, limited oversight across the data-chain, including client vendors, translates into serious risks of leakage. To that end, UIDAI's proposed move should make the Aadhaar ecosystem more secure than it is today. That said, Aadhaar-holders must be more careful about sharing data. A leaky system holding large volumes of personal data is itself a risk. Casual usage, despite the Digital Personal Data Protection Act covering Aadhaar, exacerbates the risks - especially when few have the time or expertise to read the fine print and check the purposes for which the establishment soliciting the data in the name of KYC will use it, or how it plans to safeguard the data once collected....