Aadhaar and privacy: UIDAI brings Virtual IDs, Limited KYC to protect cardholders

Unique Identification Authority of India (UIDAI), still reeling from damaging news reports about a massive data breach, where Aadhaar details could be bought on WhatsApp for just Rs 500 - and public censure for reportedly targeting the scam's whistleblowers - is busy taking steps to avoid such crisis in future. The body tasked with issuing the 12-digit unique identification number has reportedly just introduced a new two-layer security system to protect Aadhaar cardholders.

To begin with, the UIDAI has introduced the Virtual ID concept. This is a temporary 16-digit, randomly-generated number that an Aadhaar holder can use for authentication along with his/her fingerprint instead of disclosing the Aadhaar number. The Virtual ID together with biometrics of the user would give any authorised agency, say, a mobile company, limited details like name, address and photograph, which are enough for any verification.

"Aadhaar number holder can use Virtual ID in lieu of Aadhaar number whenever authentication or KYC services are performed. Authentication may be performed using the Virtual ID in a manner similar to using Aadhaar number," said a UIDAI circular. Users will have to go to the UIDAI website to generate their virtual ID, which will be valid for a defined period of time, or till the user decides to change it. Officials said a user can generate as many Virtual IDs as he or she wants. The older ID gets automatically gets cancelled once a fresh one is generated.

As an added security measure, agencies that undertake authentication will not be allowed to generate the Virtual ID on behalf of Aadhaar holders. Since the system generated Virtual ID will be mapped to an individual's Aadhaar number itself at the back end, it will do away with the need for the user to share Aadhaar number to sundry service agencies. This will, thus, reduce the collection of Aadhaar numbers by various agencies.

UIDAI will start accepting Virtual IDs from March 1 and is busy instructing all agencies using its authentication and eKYC services to ensure Aadhaar holders can provide the 16-digit Virtual ID instead of Aadhaar number within their applications. From June 1, it will be compulsory for all agencies that undertake authentication to accept the Virtual ID from their users and agencies that do not migrate to the new system by the stipulated deadline will face financial disincentives.

In addition to this, UIDAI has introduced the concept of 'limited KYC' under which it will only provide need-based or limited details of a user to authorised agencies.  According to ET Now, under the limited KYC system, agency-specific UID will be provided and agencies will be able to do their own KYC without banking on Aadhaar details. So agencies will identify users with tokens and your Aadhaar number will reportedly no longer be stored.

This positive bit of news comes the same day that a Chandigarh-based NGO has moved Punjab and Haryana High Court against UIDAI. Human Rights Protection Council in its petition has demanded a probe into the recent data leak allegations. The petitioner and chairman of the NGO, Ranjan Lakhanpal has informed the court that leakage of Aadhaar data is a very serious matter as Aadhaar data provides personal information about the card holder, making it a big security breach. The court will hear the PIL on Thursday.

While security of Aadhaar data has been a subject of debate ever since the idea was floated under the UPA government, repeated allegations of leaks has severely eroded public confidence. In a recent online survey, conducted by social engagement platform LocalCircles, only 23% people said that they were "quite confident" that their Aadhaar data could be protected by UIDAI. A majority-52%-feared that their Aadhaar data might not be safe from unauthorised access by hackers and information sellers. Moreover, the survey, which had received over 15,000 votes, revealed that the public supports restricted access to biometric data. About 43% of the respondents said that access to Aadhaar data should be limited to verification of only name and address for e-KYC where it is mandatory.

The limited KYC system along with the Virtual ID might go a long way in allaying the nation's doubts.

(With PTI inputs)