As it looks to address concerns regarding privacy of Aadhaar data, the Unique Identification Authority of India (UIDAI) has introduced a concept of ‘Virtual ID’, which is a temporary number that can be generated by users for the purpose of verification and authentication.
The UIDAI has taken a slew of measures to safeguard the privacy of citizens, primarily after reports emerged that Aadhaar data can be accessed by unauthorised means.
The 'Virtual ID', which will be mapped with the Aadhaar number, can be shared with authorities to authenticate identity for availing various services and it will provide users an option of not sharing their Aadhaar number.
The ID will be a temporary, revocable 16-digit number that can be shared with agencies like a telecom operator, for verification of identity. The 'Virtual ID' along with biometrics will furnish limited details like names, addresses, and photographs to the agency concerned for verification.
However, experts feel that though the intention of the government is good, it has to be seen what security parameters are put in place to safeguard the 'Virtual ID'.
According to senior cyber lawyer Pavan Duggal, cybersecurity was not introduced at the start by the UIDAI and that is why there have been so many cases regarding data breach. Also, he said people have become increasingly concerned about privacy and consequently, the UIDAI had come up with the concept of a 'Virtual ID'.
“However, the UIDAI needs to define the security parameters and how it will ensure privacy. As the virtual ID is not covered by the Aadhaar Act and the Information Technology Act, the government needs to amend the law. Technical cybersecurity parameters also need to be defined in detail,” he added.
Duggal also highlighted that the 'Virtual ID' could be misused by cybercriminals as they could create fake IDs based on the Aadhaar number, therefore, a holistic approach was required to be adopted by the government. “The concept is nice but the devil is in the detail,” he added.
PLUGGING LEAKS
* Users can go to the UIDAI website to generate their virtual ID, which will be valid for a defined period of time, or till the user decides to change it
* They can give this virtual ID to service agencies along with the fingerprint at the time of authentication
* Since the system-generated temporary, revocable 16-digit virtual ID will be mapped to an individual’s Aadhaar number itself at the back-end, it will do away with the need for the user to share Aadhaar number for authentication
* It will also reduce collection of Aadhaar numbers by agencies
* The UIDAI will be releasing necessary APIs (application programming interface) by March 1 and all agencies have been directed to make the necessary changes for the use of virtual ID, UID token, and limited KYC to start using the new system by June 1
The UIDAI has to define the technical details as well as the time frame for which the virtual ID can remain active. The authority has only said a user can generate as many 'Virtual IDs' as he or she wants but it is yet to define the time frame. The UIDAI has also introduced the concept of ‘limited know-your-customer (KYC)’ under which it will only provide need-based or limited details of a user to an authorised agency that is providing a particular service.
The UIDAI said it would start accepting the 'Virtual ID' from March 1 and from June 1, 2018, it would be compulsory for all agencies that undertake authentication to accept the 'Virtual ID' from users. Agencies that do not migrate to the new system to offer this additional option to their users by the stipulated deadline will face financial disincentives.
“An Aadhaar number-holder can use the 'Virtual ID' in lieu of the Aadhaar number whenever authentication or KYC services are performed. Authentication may be performed using the 'Virtual ID' in a manner similar to using the Aadhaar number,” a UIDAI notification said.
According to the UIDAI, agencies that undertake authentication will not be allowed to generate the 'Virtual ID' on behalf of the Aadhaar holder.
As many as 1.19 billion biometric identifiers have been issued so far and Aadhaar is required as identity proof by various government and non-government entities.
Dear Reader,
Business Standard has always strived hard to provide up-to-date information and commentary on developments that are of interest to you and have wider political and economic implications for the country and the world. Your encouragement and constant feedback on how to improve our offering have only made our resolve and commitment to these ideals stronger. Even during these difficult times arising out of Covid-19, we continue to remain committed to keeping you informed and updated with credible news, authoritative views and incisive commentary on topical issues of relevance.
We, however, have a request.
As we battle the economic impact of the pandemic, we need your support even more, so that we can continue to offer you more quality content. Our subscription model has seen an encouraging response from many of you, who have subscribed to our online content. More subscription to our online content can only help us achieve the goals of offering you even better and more relevant content. We believe in free, fair and credible journalism. Your support through more subscriptions can help us practise the journalism to which we are committed.