What Aadhaar’s new 16-digit Virtual Identity means, how it seeks to add security

Written by Shruti Dhapola | New Delhi | Updated: January 12, 2018

The Unique Identification Authority of India (UIDAI), which is facing criticism in the light of alleged data breaches, Wednesday announced a new method of identification called Virtual Identity — or VID in short. It also introduced what it described as a system of “Limited KYC” (Know Your Customer) to reduce the storage of Aadhaar numbers with the Authentication User Agencies (AUAs), while still letting them do paperless authentications. Essentially, the new VID system will hide the Aadhaar number from the authenticating agency, while still confirming the identity of the user.

The statutory body, which is mandated to collect personal data of residents of India and to issue them a unique identification number called Aadhaar, says these steps will ensure greater privacy, and limit access to its database. On Thursday, the government pushed back against the critics of Aadhaar, asking them not to “overblow this issue of privacy”. While advocates leading the ongoing legal challenge to Aadhaar in the Supreme Court declined to issue a detailed statement, answers to several questions on the implementation and the impact of the proposed VIDs and Limited KYCs remained unclear.

What is VID? How will it be different from the Aadhaar number itself?

UIDAI has said VID will be a 16-digit number, which will be temporary in nature. So, unlike the 12-digit Aadhaar number that is permanent, the VID will have a certain period of validity, at the end of which it will expire, and the user will have to generate a new one. UIDAI is yet to say what the minimum validity period for the VID will be. A VID will automatically expire when a user generates a new one, as there can only be one valid VID number against a particular Aadhaar number at any given point in time.

While it is not compulsory to use or generate a VID, the UIDAI is pitching it as another option for authenticating identity, which it claims is more secure. Think of the VID as a 16-digit OTP that can be used to validate your identity without actually giving out your Aadhaar number. The VID can only be generated by the user in question and, according to UIDAI’s circular, it is not possible to “derive Aadhaar number from the VID”. The VID cannot be used by agencies for duplication, and it cannot be generated by the Authentication User Agency (AUA) either.

Also Read | Govt moves to firewall Aadhaar with 16-digit virtual ID, token, limited KYC

The UIDAI has said that VID “is only mapped with the Aadhaar number”. So, while the VID will help confirm your identity to the AUA (for example, a bank), it will not necessarily share your Aadhaar number and other data with the AUA. But more on this in the answer to a later question.

How will the public generate the VID? Do we have to submit documents for this all over again?

No documents or proof will be needed to generate a VID. But an Aadhaar number will be essential. UIDAI has said users will be able to generate the VID from the Aadhaar resident portal, Aadhaar Enrolment Centres, and the mAadhaar app on Android. The circular says that once the new system comes into effect, all agencies will have to provide this as an option, instead of just relying on the Aadhaar number. However, UIDAI has not so far listed the detailed steps to generate the VID, and how users can complete the process to mask their Aadhaar number from the agencies that demand it.

So can we generate a VID right away?

UIDAI will implement the VID service only from March 1, so you cannot generate one now. UIDAI expects all authentication bodies to move to the new VID system latest by June 1, 2018. But the deadline to link Aadhaar with services such as banks, mobile phone numbers, etc., remains March 31, 2018 — so while VID might be in place from March 1, it is unclear whether most of these places, too, will start accepting this option from that date. Most agencies will have to upgrade their entire computer systems in order to accept VID, which could take time.

UIDAI says it will start sharing updated technical documents/Application Programming Interfaces, and will also conduct workshops and training sessions for all AUAs soon. But again, it has given no timelines for

The circular says that AUAs need to be on the new system by June 1, 2018, or face discontinuation of their authentication services, and also a fine. But then, AUAs have until June 1 to implement this system, well after the March 31 deadline for Aadhaar-linking, which many customers will have to follow without a choice.

And given that the VID is a long number, what happens if one forgets their VID after they have generated it?

The VID is not permanent, and there is the option of generating another one. UIDAI has said it will be possible to generate this from the mAadhaar app. But there is no clarity yet on the process for doing so. Also, the app is so far limited only to Google’s Android platform, and users of Apple iOS will have to rely on the web site to get the VID every single time they need it.

How will VID help with Aadhaar-linking? Does this mean most agencies will no longer store your Aadhaar data?

Here’s where matters get complicated and confusing. UIDAI has also introduced a Limited KYC, which is supposed to allow “paperless” authentication, while ensuring at the same time that the Aadhaar database is not accessed. But it appears that AUAs will be divided into two separate categories: “Global AUAs” and “Local AUAs”.

The Global AUAs will have complete access to the full eKYC (Aadhaar number), and will also be able to store Aadhaar numbers in their systems. This is something privacy activists have been cautioning against, because the number can used to reveal various other signifiers about an individual.

According to the circular, the Global AUAs will be decided on the basis of “laws governing”, and whether “laws require them to use Aadhaar number”. As of now, it is unclear which agencies will be chosen to be Global AUAs. So, a public sector bank could be a Global AUA, and so could a private player like Paytm, which has its own Payments Bank and expects customers to do an eKYC in order to use it.

Not all customers may be keen to share their Aadhaar data with every single player that demands it. And if this player is a Global AUA, even using a VID will not do much, because that player will still have the option of doing a complete eKYC and storing Aadhaar data. It also remains to be seen whether telecom players will be declared Global AUAs, and allowed to access and store Aadhaar data.

Local AUAs, on the other hand, will have “Limited KYC”, and will only get a UID token which they can use to identify customers. This UID will be unique for each Aadhaar number — a 72-character alphanumeric string, which the circular says will be meant only for system usage. Each Aadhaar will have a unique UID for each particular AUA entity. So, the UID token for your Aadhaar number at one agency will be different from the one at another agency. Every time a Local AUA sends an authentication request, it will rely on this UID token, not the Aadhaar number, to verify identity.

According to the UIDAI, all agencies will need to set up the UID token system. However, Global AUAs will have the freedom to use the UID token as “per their need for authentication and database usage”, according to the circular.

UIDAI also says it will decide what other “demographic fields” will be shared with the Local AUAs other than this UID token — which adds to the confusion. While Local AUAs will not be allowed to store Aadhaar numbers in their systems, it is still unclear who will be designated as a Local AUA.

But what happens to an Aadhaar that has already been shared with several agencies? What if some of these agencies are now declared Local AUAs?

UIDAI’s circular says Local AUAs will have to change their systems to “replace Aadhaar number within the databases with this UID token”. But again, it is unclear by when this change is supposed to take place. And to begin with, UIDAI has to specify who will be a Global AUA and who will be a Local AUA.

Reference

Comments

Post a Comment

Popular posts from this blog

India Joins Russia in Voting Against West-Backed Move to Expand Powers of OPCW

The Wire: June 28, 2018 New Delhi: India voted against a UK-backed move that will allow the global chemical weapons watchdog to apportion blame for illegal attacks, criticising the decision to grant “unchecked powers” to the head of the group which could be used for “partisan” purposes. On Wednesday, more than two-thirds of the member states of the Organisation for the Prohibition of Chemical Weapons (OPCW) voted to authorise the international body to identify the perpetrators and sponsors of a chemical weapons attack. It also specifically called on the OPCW’s technical secretariat to begin work on identifying the perpetrators behind the use of chemical weapons in Syria. The draft decision, sponsored by 30 countries, was adopted at the fourth special session of the conference of the states parties to the Chemical Weapons Convention at the Hague, with 82 in favour and 24 negative votes. While Europe, the United States and their allies voted ‘yes’, there was strong oppo...
Read more

As financial insecurity rises in urban India, so does investment in insurance

Image
Scroll.in March 13, 2020 Urban Indians are becoming less confident about their financial security. Up to 58% of them fret over financial independence post retirement, which is a 4% increase from last year. An equal share of urban Indians worry about meeting their daily medical expenses and sustaining their current lifestyle once they stop working. The findings are part of a survey published by Delhi-based Max Life Insurance in association with London-based consultancy Kantar. The firms surveyed 7,014 respondents in 25 cities, including six metros, nine tier-1 cities, and 10 tier-2 cities, between December 2019 and January 2020. Source: Max Life Insurance via Quartz The trends Source: Max Life Insurance via Quartz Source: Max Life Insurance via Quartz Source: Max Life Insurance via Quartz A significant share of urban Indians also say their families will have no financial support in the event of the breadwinner’s death. In such a scenario, around 57% believe the family sav...
Read more

ED tracks Swiss Bank A/Cs of Agusta scamster

The Poineer February 10,2019 Rakesh K Singh The Enforcement Directorate (ED) has tracked a dozen Swiss bank accounts in the name of Rajiv Saxena, who is key accused in the Rs 3,600 crore AgustaWestland VVIP chopper scam. The ED has also found out accounts held by  his family members and associates where the kickbacks in the now scrapped deal were allegedly parked. Two bank accounts are in the name of Rajiv Saxena’s  associates Pankaj Jain and Sumita Jain who are also the authorised signatories. The  third is in the name of another associate Ajit Singh Bubber, but Rajiv and his family members are authorised signatories. The remaining nine accounts are largely owned and operated by Rajiv, his family members and associates. Rajiv Saxena was deported by the UAE authorities on January 30 and the ED formally arrested him the next day and a court later granted his remand to the agency. He is currently undergoing custodial interrogation by the ED. The agency had in 2017...
Read more