The Unique Identification Authority of India (UIDAI) on Wednesday put in place a two-layer security mechanism to reinforce privacy protection for Aadhaar ID number holders. It introduced a virtual identification for the ID holders so that the actual Aadhaar number need not be shared to authenticate identity. It also places more restrictions on the storage of the Aadhaar number within various databases.
The idea behind the changes is to address privacy concerns which have resulted in a legal challenge to Aadhaar in the Supreme Court, and to also prevent potential misuse of an individual’s Aadhaar details.
UIDAI has been under the scanner over the past few months over allegations of access of personal information by random entities without the consent of individual Aadhaar holders.
The virtual ID will be a 16-digit random number mapped with the Aadhaar number. It can only be generated, replaced or revoked by the Aadhaar number holder from time to time.
“It will not be possible to derive the Aadhaar number from the virtual ID,” a circular issued by UIDAI said.
Till now, a person had to give his/her 12-digit identity number along with other attributes (demographic and/or biometrics and/or through a one-time password) during authentication or e-KYC (know your customer) for accessing various benefits and services from service providers such as banks or telcos.
UIDAI also introduced the concept of a limited KYC category which does not access the Aadhaar number. To enable this, UIDAI has introduced two categories of an Authentication User Agency (AUA)—an entity engaged in providing Aadhaar-enabled services. The limited KYC category is a ‘Local AUA’, compared with a ‘Global AUA’—which will have access to e-KYC using the Aadhaar number.
An AUA may be a government, public or a private legal agency registered in India, using Aadhaar authentication services provided by UIDAI.
To enable the ‘Local AUA’ to uniquely identify customers in a limited e-KYC environment—since the virtual ID is a temporary number and storage of Aadhaar is restricted—UIDAI is launching a token mechanism. In response to an authentication request from a ‘Local AUA’, UIDAI would return a unique identity token, a 72-character alphanumeric string that will only work in that ‘Local AUA’s’ system.
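A toy model of the arrangement described above (the random, revocable virtual ID and the agency-specific UID token), added here as an illustration and not UIDAI's own code or API: the authority keeps the only VID-to-Aadhaar mapping, a Local AUA receives a per-agency token that stays stable when the holder rotates the VID yet differs between agencies, and a revoked VID resolves to nothing. The HMAC-based token derivation, the AUA identifiers and the sample Aadhaar number are assumptions.

```python
import hashlib
import hmac
import secrets
import string
from typing import Dict, Optional


class VirtualIdAuthority:
    """Hypothetical model of the authority side; the real token algorithm is not on the page."""

    def __init__(self, token_secret: bytes):
        # Only the authority holds the VID -> Aadhaar mapping; AUAs never see it.
        self._vid_to_aadhaar: Dict[str, str] = {}
        self._token_secret = token_secret

    def generate_vid(self, aadhaar: str) -> str:
        """Issue a fresh 16-digit random virtual ID; nothing about it derives from the Aadhaar number."""
        vid = "".join(secrets.choice(string.digits) for _ in range(16))
        while vid in self._vid_to_aadhaar:  # avoid the (unlikely) collision
            vid = "".join(secrets.choice(string.digits) for _ in range(16))
        self._vid_to_aadhaar[vid] = aadhaar
        return vid

    def revoke_vid(self, vid: str) -> None:
        """Holder-initiated revocation: the VID stops resolving to anything."""
        self._vid_to_aadhaar.pop(vid, None)

    def authenticate_local(self, vid: str, aua_id: str) -> Optional[str]:
        """Limited-KYC reply for a Local AUA: a 72-character token, never the Aadhaar number.

        Assumption: token = HMAC-SHA512(secret, aua_id || aadhaar) truncated to 72 hex chars,
        so the same person yields an unrelated token in every AUA's database.
        """
        aadhaar = self._vid_to_aadhaar.get(vid)
        if aadhaar is None:
            return None  # unknown or revoked VID: no identity is leaked
        msg = f"{aua_id}:{aadhaar}".encode()
        return hmac.new(self._token_secret, msg, hashlib.sha512).hexdigest()[:72]


def demo() -> dict:
    """Walk through VID issue, authentication at two AUAs, rotation and re-authentication."""
    authority = VirtualIdAuthority(token_secret=secrets.token_bytes(32))
    aadhaar = "123456789012"  # constructed sample, not a real number
    vid1 = authority.generate_vid(aadhaar)
    bank_token = authority.authenticate_local(vid1, aua_id="bank-A")
    telco_token = authority.authenticate_local(vid1, aua_id="telco-B")
    authority.revoke_vid(vid1)  # holder rotates the VID
    vid2 = authority.generate_vid(aadhaar)
    bank_token_again = authority.authenticate_local(vid2, aua_id="bank-A")
    return {
        "vid_is_16_digits": len(vid1) == 16 and vid1.isdigit(),
        "old_vid_dead": authority.authenticate_local(vid1, "bank-A") is None,
        "token_stable_per_aua": bank_token == bank_token_again,
        "tokens_differ_across_auas": bank_token != telco_token,
        "token_len": len(bank_token),
    }
```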
Experts welcomed the changes initiated by UIDAI to enhance security and protect privacy.
“If someone authenticates you, they will only have the virtual number, and even if their database gets hacked all that gets lost is the virtual ID number which doesn’t put you at risk because you can always change this number,” said Rahul Matthan, partner at law firm Trilegal and a Mint columnist.
“Aadhaar is here to stay! Happy that the @UIDAI has introduced virtual ID and limited KYC in the spirit of continuous innovation to enhance privacy and security,” former UIDAI chairman Nandan Nilekani tweeted on Wednesday.
UIDAI will be releasing necessary APIs (Application Programming Interfaces) by 1 March and all agencies have been directed to make the necessary changes for the use of virtual ID, UID token and limited KYC and operationalise it by 1 June.
“If virtual IDs are made mandatory (and they aren’t) that would address the privacy concern of multiple private entities being able to create detailed profiles of you by using your Aadhaar number. But it wouldn’t address concerns people have relating to security, to exclusion from benefits, to the centralized biometric database, nor to Aadhaar facilitating various governments gaining an overall view of your life,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank, pointing out the other gaps to be addressed in the Aadhaar infrastructure.