As it looks to address concerns regarding privacy of Aadhaar data, the Unique Identification Authority of India (UIDAI) has introduced a concept of ‘Virtual ID’, which is a temporary number that can be generated by users for the purpose of verification and authentication.
The UIDAI has taken a slew of measures to safeguard the privacy of citizens, primarily after reports emerged that Aadhaar data can be accessed by unauthorised means.
The 'Virtual ID', which will be mapped with the Aadhaar number, can be shared with authorities to authenticate identity for availing various services and it will provide users an option of not sharing their Aadhaar number.
The ID will be a temporary, revocable 16-digit number that can be shared with agencies like a telecom operator, for verification of identity. The 'Virtual ID' along with biometrics will furnish limited details like names, addresses, and photographs to the agency concerned for verification.
However, experts feel that though the intention of the government is good, it has to be seen what security parameters are put in place to safeguard the 'Virtual ID'.
According to senior cyber lawyer Pavan Duggal, cybersecurity was not introduced at the start by the UIDAI and that is why there have been so many cases regarding data breach. Also, he said people have become increasingly concerned about privacy and consequently, the UIDAI had come up with the concept of a 'Virtual ID'.
“However, the UIDAI needs to define the security parameters and how it will ensure privacy. As the virtual ID is not covered by the Aadhaar Act and the Information Technology Act, the government needs to amend the law. Technical cybersecurity parameters also need to be defined in detail,” he added.
Duggal also highlighted that the 'Virtual ID' could be misused by cybercriminals as they could create fake IDs based on the Aadhaar number, therefore, a holistic approach was required to be adopted by the government. “The concept is nice but the devil is in the detail,” he added.
The UIDAI has to define the technical details as well as the time frame for which the virtual ID can remain active. The authority has only said a user can generate as many 'Virtual IDs' as he or she wants but it is yet to define the time frame. The UIDAI has also introduced the concept of ‘limited know-your-customer (KYC)’ under which it will only provide need-based or limited details of a user to an authorised agency that is providing a particular service.
The UIDAI said it would start accepting the 'Virtual ID' from March 1 and from June 1, 2018, it would be compulsory for all agencies that undertake authentication to accept the 'Virtual ID' from users. Agencies that do not migrate to the new system to offer this additional option to their users by the stipulated deadline will face financial disincentives.
“An Aadhaar number-holder can use the 'Virtual ID' in lieu of the Aadhaar number whenever authentication or KYC services are performed. Authentication may be performed using the 'Virtual ID' in a manner similar to using the Aadhaar number,” a UIDAI notification said.
According to the UIDAI, agencies that undertake authentication will not be allowed to generate the 'Virtual ID' on behalf of the Aadhaar holder.
As many as 1.19 billion biometric identifiers have been issued so far and Aadhaar is required as identity proof by various government and non-government entities.