Data security concerns surrounding the government’s Aadhaar project have generated a lot of heated public debate in the past few years.
Last week, a Chandigarh-based publication, The Tribune, published a disconcerting story that detailed “a service being offered by anonymous sellers over WhatsApp” for unrestricted access to details of Aadhaar number holders.
In response, the Unique Identification Authority of India (UIDAI) on Wednesday announced the establishment of a new security system, whereby Aadhaar number holders do not have to submit their unique IDs to verify their personal details when applying for certain services.
When applying for a new phone number, for example, the consumer need not share his/her Aadhaar number at the time of authentication.
In its place, a random and temporary 16-digit Virtual ID number would be generated, which the consumer can use in place of Aadhaar with authorised telecom service providers.
“Virtual ID will be a temporary, revocable 16-digit random number mapped with the Aadhaar number. It is not possible to derive Aadhaar number from Virtual ID,” a circular issued by UIDAI said.
How does this VID system work?
“The last digit of the VID is the checksum using ‘Verhoeff’ algorithm (for error detection) as in Aadhaar number. There will be only one active and valid VID for an Aadhaar number at any given time,” the UIDAI said in a statement.
Citizens with registered UIDs can use this VID instead of their Aadhaar number whenever an agency seeks to authenticate their details or perform know-your-customer (KYC) services.
It’s basically like using your VID as your Aadhaar number – but only for a temporary period, after which a new one will have to be generated.
“VID, by design being temporary, cannot be used by agencies for de-duplication. VID is revocable and can be replaced by a new one by Aadhaar number holder after the minimum validity period set by UIDAI policy,” the authority added.
Users will be able to generate, retrieve and revoke their Virtual ID number from the UIDAI website, mAadhaar mobile app or Aadhaar enrolment centres. Virtual IDs will be issued from March 1, 2018, and service providers will start accepting it from June 1, 2018.
Users will have to log on to the website, app or visit a centre, where they can generate the ID as many times as needed, within a time period to be stipulated by the UIDAI. Only those with a valid Aadhaar number can generate their VID and revoke it after the UIDAI stipulates the minimum validity period.
“UIDAI will provide various options to Aadhaar number holders to generate their VID, retrieve their VID in case they forget, and replace their VID with a new number. These options will be made available via UIDAI’s resident portal, Aadhaar Enrollment Center and mAaadhaar mobile application, etc,” the authority said.
Despite the government’s attempts, critics have seemingly raised some rather valid concerns.
To avoid the chance of an Authentication User Agency (AUA) misusing access to the massive database with the Aadhaar details of a billion people, the UIDAI has split them into two–Global AUAs and Local AUAs.
In its circular, there is very little information on how the government proposes to classify these AUAs except that it will be based on an evaluation process hinging on “laws governing the AUA.”
On March 1, the UIDAI is expected to release the APIs (application programming interface) required to make this system work, and AUAs will be expected to comply with it by June 1.
Those agencies that fail to comply with these directives may be barred from carrying out any authentication services or suffer financial penalties.
Finally, some critics suggest that the new system does not adequately address the real problem, which is the inability of various government and private agencies to protect our data.
“The virtual id is to be used only for local AUAs. Global AUAs, potentially like banks will still need Aadhaar for Direct Benefit Transfers. This does not remove the financial fraud risk that Aadhaar poses. 210 government published at least 13 crore Aadhaar numbers in the past and the risk of people having these numbers already is very high. UIDAI needs to re-issue fresh Aadhaar numbers to solve the problem, which is highly unlikely,” said Srinivas Kodali, an independent data security researcher, to Medianama, a portal for information and analysis on digital and telecom businesses in India.