Improved privacy

The new two-layer security for Aadhaar addresses security concerns

The Unique Identification Authority of India (UIDAI) has been facing a lot of criticism over allegations of access to personal information by random entities without the consent of individual Aadhaar holders. Recent media reports also fuelled the general concern about the privacy and security of Aadhaar-related data. The widespread fear of misuse of demographic data is heightened by the fact that India still does not have a data-protection law. On Wednesday, the UIDAI sought to reinforce privacy protection for Aadhaar number-holders by unveiling one of the most significant changes since its inception eight years ago. It created a two-layer security system that prevents the possibility of the numbers being stored in many databases. 

The first big change is the introduction of a virtual ID or VID that will be used in place of the unique ID or Aadhaar number. The VID will be a 16-digit random number, which an Aadhaar-holder can generate and use in place of his UID. This will ensure that the Aadhaar number is no longer shared, thus obviating any chance of it being leaked. What makes the VID user-friendly is that it is linked to the Aadhaar number and there can only be one VID at any point in time for a particular number. Moreover, only the Aadhaar-holder will be able to generate the VID and it will be a temporary number. In other words, even holding on to someone’s VID will be pointless beyond a time, unlike Aadhaar, which stays the same forever. 

The other significant change that the UIDAI has brought about is the introduction of limited e-KYC norms. Typically, service providers will maintain a database to identity their customers and establish their uniqueness. Again, this process is based on the use of Aadhaar numbers. So, just as the UIDAI replaced the UID with VID on the individual Aadhaar-holder’s side, it has replaced the UID with a UID token on the service provider’s side. This UID token is a 72-character alphanumeric string that is meant only for system use. For identifying a customer, most authentication user agencies (AUAs) will only use the UID token, instead of the Aadhaar number. Such AUAs will be called local AUAs, while the few that continue to use the Aadhaar number will be called global AUAs. This structure will ensure that even if a local AUAs database is hacked, the Aadhaar number of customers will not be threatened. 

There is no doubt that both the VID and limited e-KYC norms significantly address privacy concerns, mainly because these measures will protect the Aadhaar number from being exposed in day-to-day transactions. Privacy experts and activists also say that more needs to be done to ensure foolproof security for critical personal information. For example, the Aadhaar seeding with all existing databases should be revoked as some database with Aadhaar numbers will still float around. The new system should also ensure how the poor or the illiterate will be able to use the VID process. Overall, however, the decision to firewall Aadhar is likely to hold the UIDAI as well as the government in good stead when the Supreme Court takes up a whole bunch of petitions challenging the Aadhaar Act on January 17.