The Unique Identification Authority of India (UIDAI) has been facing a lot of criticism over allegations of access to personal information by random entities without the consent of individual Aadhaar holders. Recent media reports also fuelled the general concern about the privacy and security of Aadhaar-related data. The widespread fear of misuse of demographic data is heightened by the fact that India still does not have a data-protection law. On Wednesday, the UIDAI sought to reinforce privacy protection for Aadhaar number-holders by unveiling one of the most significant changes since its inception eight years ago. It created a two-layer security system that prevents the possibility of the numbers being stored in many databases.
The first big change is the introduction of a virtual ID or VID that will be used in place of the unique ID or Aadhaar number. The VID will be a 16-digit random number, which an Aadhaar-holder can generate and use in place of his UID. This will ensure that the Aadhaar number is no longer shared, thus obviating any chance of it being leaked. What makes the VID user-friendly is that it is linked to the Aadhaar number and there can only be one VID at any point in time for a particular number. Moreover, only the Aadhaar-holder will be able to generate the VID and it will be a temporary number. In other words, even holding on to someone’s VID will be pointless beyond a time, unlike Aadhaar, which stays the same forever.
The other significant change that the UIDAI has brought about is the introduction of limited e-KYC norms. Typically, service providers will maintain a database to identify their customers and establish their uniqueness. Again, this process is based on the use of Aadhaar numbers. So, just as the UIDAI replaced the UID with VID on the individual Aadhaar-holder’s side, it has replaced the UID with a UID token on the service provider’s side. This UID token is a 72-character alphanumeric string that is meant only for system use. For identifying a customer, most authentication user agencies (AUAs) will only use the UID token, instead of the Aadhaar number. Such AUAs will be called local AUAs, while the few that continue to use the Aadhaar number will be called global AUAs. This structure will ensure that even if a local AUA’s database is hacked, the Aadhaar number of customers will not be threatened.
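The two layers described above can be modelled in a few lines. The sketch below is an added illustration, not UIDAI's code or specification: the class and function names, the HMAC-based token derivation, the per-agency keying of the token and the one-hour VID lifetime are all assumptions, and the Aadhaar number in it is constructed.

```python
import hashlib, hmac, secrets

class ToyAuthority:
    """Constructed model of the VID / UID-token layers; not UIDAI's implementation."""

    def __init__(self, vid_ttl=3600):
        self._key = secrets.token_bytes(32)  # assumed server-side secret for token derivation
        self._ttl = vid_ttl                  # assumed lifetime; the article only says "temporary"
        self._vid_of = {}                    # uid -> current VID
        self._by_vid = {}                    # VID -> (uid, expiry time)

    def generate_vid(self, uid, now):
        # Issuing a new VID retires the previous one: one VID per number at any time.
        self._by_vid.pop(self._vid_of.get(uid), None)
        vid = "".join(secrets.choice("0123456789") for _ in range(16))
        while vid in self._by_vid:           # avoid colliding with another holder's VID
            vid = "".join(secrets.choice("0123456789") for _ in range(16))
        self._vid_of[uid] = vid
        self._by_vid[vid] = (uid, now + self._ttl)
        return vid

    def _token(self, uid, aua_id):
        # 72 alphanumeric characters; keying the token per agency is an assumption.
        mac = hmac.new(self._key, f"{aua_id}|{uid}".encode(), hashlib.sha512)
        return mac.hexdigest()[:72]

    def authenticate(self, vid, aua_id, is_global, now):
        uid, expiry = self._by_vid.get(vid, (None, 0))
        if uid is None or now >= expiry:
            return None                      # unknown, replaced or expired VID
        reply = {"token": self._token(uid, aua_id)}
        if is_global:                        # only global AUAs get the real number back
            reply["uid"] = uid
        return reply

def demo():
    auth = ToyAuthority(vid_ttl=3600)
    uid = "999900001111"                     # constructed 12-digit number, not a real Aadhaar
    vid1 = auth.generate_vid(uid, now=0)
    local_db = {auth.authenticate(vid1, "bank-A", False, now=10)["token"]: "customer 1"}
    vid2 = auth.generate_vid(uid, now=20)    # holder rotates the VID
    again = auth.authenticate(vid2, "bank-A", False, now=30)
    return {
        "old_vid_rejected": auth.authenticate(vid1, "bank-A", False, now=30) is None,
        "expired_rejected": auth.authenticate(vid2, "bank-A", False, now=20 + 3600) is None,
        "same_customer": again["token"] in local_db,
        "uid_in_local_db": any(uid in k for k in local_db),
        "global_reply": auth.authenticate(vid2, "registry", True, now=30),
    }
```

The local agency still recognises a returning customer after the VID is rotated, because the token it stores stays the same, while its database never holds the number itself.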