The Unique Identification Authority of India (UIDAI) on Wednesday introduced two new layers of security for Aadhaar: Virtual ID and Limited KYC. These security measures have been launched in the light of recent media reports alleging an Aadhaar data leak for just Rs 500. The media coverage about the possible misuse of Aadhaar data put the government authority on the back foot, following which the UIDAI has launched a unique option on its website called 'Verify Aadhaar number'. The Aadhaar-issuing body's CEO, Ajay Bhushan Pandey, tweeted: "Virtual [ID] is one of biggest recent innovations in this field."
So, here's a ready reckoner on these new features.
What is Virtual ID (VID)?
This is a temporary 16-digit, randomly generated number that an Aadhaar holder can use for authentication or KYC services along with his/her fingerprint in lieu of the Aadhaar number. The VID together with biometrics of the user would give any authorized agency, say, a mobile company, limited details like name, address and photograph, which are enough for any verification.
Where to get the VID?
Aadhaar holders can go to the UIDAI website to generate their VID, which will be valid for a defined period of time, or till the user decides to change it. You can generate as many VIDs as you want; the older ID gets automatically cancelled once a fresh one is generated. You can also generate/replace VIDs on the Aadhaar mobile app and at enrolment centres.
How is it safer than handing out one's Aadhaar number?
For any given Aadhaar number, there will only be one active VID at any given time, and the UIDAI claims that it can't be used to ferret out an individual's 12-digit unique identification number. Since the system-generated VID will be mapped to an individual's Aadhaar number at the back end, it will do away with the need for the user to share the Aadhaar number with sundry service agencies. This will, in turn, reduce the collection of Aadhaar numbers by various agencies. VIDs, being temporary, cannot be de-duplicated and, as an added precaution, agencies that undertake authentication will not be allowed to generate VIDs on behalf of Aadhaar holders.
When will VIDs be made available to the public?
UIDAI will be releasing the necessary Application Programming Interface (API) by March 1, and all agencies using its authentication and eKYC services have been instructed to ensure Aadhaar holders can provide the 16-digit VIDs instead of the Aadhaar number in their applications. All authentication bodies have to fully migrate to the new system by June 1, and those failing to meet the deadline will face financial disincentives.
What is limited KYC?
While VID allows individuals to avoid sharing their Aadhaar number, UIDAI recognised that storage of Aadhaar numbers within various public and private databases (as proof of identity to avail of services/benefit) also needed to be further regulated. That's where the new concept of limited KYC comes in.
In the new system, UIDAI will evaluate Authentication User Agencies (AUAs) and split them into two categories: Global AUAs and Local AUAs. Agencies whose services, by law, require them to store the Aadhaar number will be qualified as Global AUAs and will enjoy access to full demographic details of an individual along with the ability to store Aadhaar numbers within their system. Though details are still sketchy, it is speculated that banks and income tax authorities will fall in this category.
All the remaining AUAs will be branded as Local AUAs and will neither get access to full KYC, nor can they store the Aadhaar number on their systems. Instead, they will get a tokenised number issued by UIDAI to identify their customers. The 72-character alphanumeric 'UID Token' for your Aadhaar number will reportedly be different for every authentication body you approach. It thus "allows an agency to ensure uniqueness of its beneficiaries, customers etc. without having to store the Aadhaar number in their databases while not being able to merge databases across agencies thus enhancing privacy substantially", as a recent UIDAI circular pointed out.
The Aadhaar-issuing body, however, has said that it will reserve the right to determine what demographic fields need to be shared with the Local AUAs in addition to the UID Token depending upon its need.
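The VID mapping and the per-agency UID Token described above can be modelled as follows. This is an added example, not UIDAI's code: the HMAC-based token derivation, the class and method names, the agency identifiers and the sample Aadhaar number are all assumptions made for illustration, and the biometric check is left out.

```python
import hashlib
import hmac
import secrets


class IssuerBackend:
    """Toy issuer back end; an assumed design, not UIDAI's implementation."""

    def __init__(self):
        self._token_key = secrets.token_bytes(32)  # secret held only by the issuer
        self._vid_to_uid = {}  # active VID -> Aadhaar number
        self._uid_to_vid = {}  # Aadhaar number -> its single active VID

    def generate_vid(self, uid):
        """Issue a fresh random 16-digit VID and cancel the previous one."""
        old = self._uid_to_vid.pop(uid, None)
        if old is not None:
            del self._vid_to_uid[old]
        while True:
            vid = "".join(secrets.choice("0123456789") for _ in range(16))
            if vid not in self._vid_to_uid:  # avoid colliding with a live VID
                break
        self._vid_to_uid[vid] = uid
        self._uid_to_vid[uid] = vid
        return vid

    def uid_token(self, aua_id, uid):
        """Keyed, per-agency pseudonym (assumed HMAC construction)."""
        msg = f"{aua_id}|{uid}".encode()
        digest = hmac.new(self._token_key, msg, hashlib.sha384).hexdigest()
        return digest[:72]  # article's token length; derivation is assumed

    def authenticate(self, aua_id, vid, global_aua=False):
        """Resolve a VID at the back end; Local AUAs never see the number."""
        uid = self._vid_to_uid.get(vid)
        if uid is None:
            return None  # unknown or cancelled VID
        response = {"uid_token": self.uid_token(aua_id, uid)}
        if global_aua:
            response["aadhaar_number"] = uid  # only for agencies allowed to store it
        return response


if __name__ == "__main__":
    backend = IssuerBackend()
    vid = backend.generate_vid("999900001111")  # constructed sample number
    print(backend.authenticate("telco-A", vid))
    print(backend.authenticate("bank-B", vid, global_aua=True))
```

Because the token is keyed on both the agency and the Aadhaar number, one agency sees the same token for a customer across VID changes, while two agencies cannot join their records on it.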
When will the limited KYC and UID Tokens be in place?
The deadline for this security layer is the same as that for VIDs, i.e. June 1.
Why did UIDAI feel the need for this new two-tier security system?
While security of Aadhaar data has been a subject of debate ever since the idea was floated under the UPA government, repeated allegations of leaks have severely eroded public confidence. The latest security breach was exposed by The Tribune, where Aadhaar details could be bought on WhatsApp for just Rs 500. The Punjab and Haryana High Court is scheduled to hear a PIL against UIDAI for this data leak today.
In a recent online survey, conducted by social engagement platform LocalCircles, 52% of the respondents said they feared that their Aadhaar data might not be safe from unauthorised access by hackers and information sellers. Moreover, the survey, which had received over 15,000 votes, revealed that the public supports restricted access to biometric data. About 43% of the respondents said that access to Aadhaar data should be limited to verification of only name and address for e-KYC where it is mandatory. The limited KYC system along with the Virtual ID might go a long way in allaying the nation's doubts.
With PTI inputs